USDA 2016 Financial Management Training Transforming Shared Services USDA, Financial Management Services USDA 2016 Financial Management Training Transforming Shared Services Enterprise Risk Management – The Basics Presented by Lynn Moaney and Annie Walker
USDA, Financial Management Services Session Objective To provide participants with a basic understanding of Enterprise Risk Management and what is required. Source: Shutterstock.com USDA Transforming Shared Services
What is Enterprise Risk Management USDA, Financial Management Services What is Enterprise Risk Management Risk – the effect of uncertainty on objectives Risk Management – a coordinated set of activities and methods that are used to direct and control challenges or threats to achieving an organization’s goals and objectives Enterprise Risk Management – is an enterprise-wide, strategically-aligned portfolio view of organizational challenges to provide better insight on how to prioritize resource allocation to ensure successful mission delivery Sources: Praxiom Research – ISO Plain English OMB Circular No. A-11, Section 270.24 OMB Circular A-123 (final draft 2-16-2016) USDA Transforming Shared Services
Implementing ERM Benefits and Barriers USDA, Financial Management Services Implementing ERM Benefits and Barriers Benefits Proactive response to risk Value Creation Improved Reputation Potential to embed into existing planning processes Identify gaps, overlap, and redundancy in existing risk functions Barriers Lack of Executive level buy-in and support Overcoming a culture of caution Silo mentality Lack of education about ERM Demonstrating the value of ERM Source: 2015 Public Sector Survey - PwC USDA Transforming Shared Services
ERM vs. Internal Control What’s the difference? USDA, Financial Management Services ERM vs. Internal Control What’s the difference? Governance includes setting of goals, objectives, and strategies; optimizing performance; and providing oversight. It covers how the organization is directed and managed. This includes the consideration and management of risk. Internal control is an important part of governance and ERM to ensure that processes are carried out according to management’s directives and that risk responses are in place and operating effectively. Sources: COSO (diagram) and Norman Marks – Governance, Risk Management and Audit (2011) USDA Transforming Shared Services
Widely Used ERM Frameworks USDA, Financial Management Services Widely Used ERM Frameworks Similarities COSO vs. ISO 31000 Framework Both frameworks require: Adoption of an enterprise approach, with executive level sponsorship and defined accountabilities Structured process steps, oversight and reporting of the identified risks Understanding and accountability for defining risk appetite and acceptable tolerance boundaries Formal documentation of risks in risk assessment activities Establishment and communication of risk management process goals and activities Monitored treatment plans Source: RIMS Executive Report – The Risk Perspective Source: COSO Source: ISO USDA Transforming Shared Services
Widely Used ERM Frameworks USDA, Financial Management Services Widely Used ERM Frameworks Differences COSO vs. ISO 31000 Framework COSO ERM framework is complex ISO provides a more streamlined approach COSO model is control and compliance based ISO is based on a management process COSO was authored by auditors, accountants, and financial experts ISO was authored by risk management practitioners and international standards experts COSO focuses mainly on the negative aspects of risk ISO focuses on negative and positive Source: IIA -The New International Standard on the Practice of Risk Management – A Comparison of ISO 3100:2009 and the COSO ERM Framework Source: COSO Source: ISO USDA Transforming Shared Services
New Requirements - OMB Circular A-123 USDA, Financial Management Services New Requirements - OMB Circular A-123 Based on “Final Draft” dated February 16, 2016 Title Change: “Management’s Responsibility for Internal Control and Risk Management” Key Dates and Deliverables: September 15, 2016: CFO Act agencies to develop plans for implementing ERM, including Governance, Risk Appetite, and Risk Profile January 20, 2017: Develop initial Risk Profile May 15, 2017: Complete Risk Profile for discussion with OMB September 15, 2017: Provide assurance on internal controls associated with Risk Profile as part of the Annual Financial Report (AFR) USDA Transforming Shared Services
An Illustrative ERM Model USDA, Financial Management Services An Illustrative ERM Model Key Elements Principles and Concepts Establish Context – Internal and External Initial Risk Identification – Top-Down and Bottom-Up Analyze and Evaluate Risks – Use Standard Criteria Develop Alternatives Respond to Risks – 4 options Monitor and Review Continuous Risk Identification Source: The Orange Book, Management of Risk – Principles and Concepts, October 2004, HM Treasury USDA Transforming Shared Services
Risk Management Dictionary Key ERM Concepts and Terms USDA, Financial Management Services Risk Management Dictionary Key ERM Concepts and Terms Term Definition Risk Appetite The broad-based level of risk that an organization is prepared to accept in pursuit of its objectives, and before action is deemed necessary to reduce the risk. Risk appetite guides an organization’s approach to risk and risk management. Must be approved by the Deputy Secretary (COO). Risk Profile A written description of the portfolio of risk for an enterprise. Profiles should include 7 components: Objectives, Risks, Inherent and Residual Risk Assessments, Risk Response, Proposed Action and Proposed Action Category (per OMB guidance). Risk Assessment The process that includes: risk identification, risk analysis, and risk evaluation. Risk Tolerance The acceptable level of variation in performance relative to the achievement of objectives. Aligns with risk appetite. Risk Response The action taken to manage or treat the risk. Responses include: Acceptance, Avoidance, Reduction and Sharing. Inherent Risk The exposure arising from a specific risk before any action has been taken to manage it beyond normal operations. It is measured by impact and likelihood. Residual Risk The exposure remaining from an inherent risk after action has been taken to manage it. (Uses the same assessment criteria used for inherent risk.) Risk Criteria Terms of reference that are used to evaluate the likelihood and impact of an organization’s risk. They are used to determine whether a specified level of risk is tolerable. Risk Evaluation The process of comparing risk assessment results to determine if the level of risk is acceptable. USDA Transforming Shared Services
Displaying Risk Assessment Results Heat Map USDA, Financial Management Services Displaying Risk Assessment Results Heat Map Medium High Likelihood/Frequency Low Medium-High Impact/Significance USDA Transforming Shared Services
USDA, Financial Management Services Key Success Factors Embrace the change Engage top-level support Embed ERM in everyday management Consider yourself a risk manager Get started USDA Transforming Shared Services
USDA, Financial Management Services Questions USDA Transforming Shared Services
USDA, Financial Management Services Contact Information Annie Walker, Director, Internal Control Division Office of the Chief Financial Officer 1400 Independence Avenue, SW Rm. 3440-S Washington, D.C. 20250 Email: annie.walker-bradley@cfo.usda.gov Office Phone: 202-720-9983 USDA Transforming Shared Services