#127 – Risk Management Basics Deborah Frazer, CPA CISA CISSP Senior Director, Internal Audit PalmSource, Inc.

Overview
- Internal Control and Risk Management
- COSO and ERM: What, Who, Why
- Relevance to the Organization
- Risk Management Segments
- Risk Identification
- Prioritizing the Risks

What and Who is COSO?
COSO, the Committee of Sponsoring Organizations of the Treadway Commission, is a private sector initiative established in 1985 by five financial professional associations:
- The Institute of Internal Auditors
- American Institute of Certified Public Accountants
- American Accounting Association
- Institute of Management Accountants
- Financial Executives Institute (now Financial Executives International)

Why was COSO established?
COSO's goal is to improve the quality of financial reporting through a focus on corporate governance, ethical practices and internal control. Its origins:
- Savings and Loan Crisis of the 1980s
- Report of the National Commission on Fraudulent Financial Reporting (the Treadway Report), October 1987

Internal Control – Integrated Framework
The familiar cube:
- Three objective categories
- Five components
- Entity and organizational units

Definition of Internal Control
A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives.

Objective Categories
- Effectiveness and efficiency of operations
  - Performance and profitability goals
  - Safeguarding resources
- Reliability of financial reporting
  - Preparation of reliable published financial statements
- Compliance with applicable laws and regulations
  - Those to which the entity is subject

Five Interrelated Components: 1. Control Environment
- Sets the tone of the organization and influences control consciousness
- Foundation for all other components
- Provides discipline and structure
- Factors include:
  - Integrity and ethical values; competence
  - Management's philosophy and operating style
  - Assignment of authority and responsibility
  - Organizational structure and development of staff
  - Attention and direction provided by the Board

Five Interrelated Components: 2. Risk Assessment
- Identification and analysis of the relevant risks to achieving the entity's objectives
- Forms a basis for determining how those risks should be managed
- Special risks associated with change:
  - Economic
  - Industry
  - Regulatory
  - Operating conditions

Five Interrelated Components: 3. Control Activities
- Policies and procedures that help ensure management directives are carried out
- Help ensure that necessary actions are taken to address risks to the achievement of objectives
- Occur at all levels of the organization and include:
  - Approvals
  - Authorizations
  - Verifications
  - Reconciliations
  - Security of assets
  - Segregation of duties

Five Interrelated Components: 4. Information and Communication
- Identification, capture and communication of pertinent information in a form and timeframe that lets people carry out their responsibilities
- Information systems deal with:
  - Internally generated data
  - External events
  - Reporting
- Communication streams flow down, across and up the organization

Five Interrelated Components: 5. Monitoring
- Assesses the quality of the internal control system's performance over time
- Ongoing monitoring activities
  - Regular management and supervisory activities
- Separate evaluations
  - Scope and frequency depend on:
    - The risk assessment
    - The effectiveness of ongoing monitoring
- Deficiencies should be reported upstream

Enterprise Risk Management
A process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Fundamental Concepts
- A process
  - A means to an end, not an end in itself
- Effected by people
  - Not merely policies, surveys and forms
  - Involves people at every level of the organization
- Applied in strategy setting

Fundamental Concepts (continued)
- Applied across the enterprise
  - Every level and unit
  - Entity-level portfolio view of risks
- Manages risks
  - Identifies potential events and their effect
  - Keeps risk within the entity's risk appetite

Fundamental Concepts (continued)
- Provides reasonable assurance
  - To the Board
  - To management
  - To other stakeholders
- Focuses on achievement of objectives
  - In separate but overlapping categories

ERM Integrated Framework
Expands the original cube:
- Four objective categories
- Eight components
- Entity and organizational units

Objective Categories
Within the entity's control:
- Reliability of reporting
- Compliance with applicable laws and regulations
Achievement of these depends on how well the entity's related activities are performed, so ERM can provide reasonable assurance that they will be achieved.
Not always within the entity's control (subject to external events):
- Strategic objectives
- Operations objectives
For these, ERM provides reasonable assurance that management and the Board are made aware, in a timely manner, of how far the entity is moving toward achieving them.

Eight Interrelated Components: 1. Internal Environment
- Foundation for all other components
- Influences:
  - Strategy and objectives
  - Risk identification and assessment
  - Design and function of control activities
  - Information and communication systems
  - Monitoring activities

Eight Interrelated Components: 2. Objective Setting
- Objectives must exist before management can identify the events that affect their achievement
- Must be aligned with and linked to strategy
- Must be consistent with the entity's risk appetite
- Four categories:
  - Strategic
  - Operations
  - Reporting
  - Compliance

Eight Interrelated Components: 3. Event Identification
- External factors that affect event occurrence:
  - Economic and business
  - Natural environment
  - Political and social
  - Technological
- Internal factors:
  - Reflect management's choices
  - Infrastructure, personnel, process, technology

Eight Interrelated Components: 4. Risk Assessment
- Considers how events might affect the achievement of objectives
- Two perspectives:
  - Likelihood
  - Impact
- Applied first to inherent risk: the risk to the entity in the absence of any action management might take to alter likelihood or impact
- Residual risk is what remains after management's risk response activities

Eight Interrelated Components: 5. Risk Response
- Responses fall into four categories:
  - Avoidance
  - Reduction
  - Sharing
  - Acceptance
- Residual risk will always exist, because of:
  - Scarce resources
  - Inherent future uncertainty and limitations

Eight Interrelated Components: 6. Control Activities
- Policies and procedures that help ensure risk responses are properly executed
- Increased focus on information systems
  - General controls: IT management, infrastructure, security, software acquisition, development and maintenance
  - Application controls: completeness, accuracy, authorization and validity of data capture and transaction processing

Eight Interrelated Components: 7. Information and Communication
- Information is needed at all levels of the organization to:
  - Identify, assess and respond to risks
  - Run the organization and meet objectives
- The entity captures and uses historical and current data
  - Information is the basis for communication
  - Must meet the expectations of various groups
- Enables the flow of risk-based information across:
  - Business units
  - Processes
  - Functional silos
  - And externally

Eight Interrelated Components: 8. Monitoring
- Assesses the quality of the system's performance over time
- Ongoing monitoring activities
  - Regular management and supervisory activities
- Separate evaluations
  - Scope and frequency depend on:
    - The risk assessment
    - The effectiveness of ongoing monitoring
- Deficiencies should be reported upstream, including to the Board
- Additional focus on an appropriate level of documentation

Integrated Frameworks: Internal Control vs ERM
- ERM does not replace Internal Control
- Enables companies to expand on what they have already put in place
- ERM links:
  - Value
  - Risk
  - Strategy
  - Objective setting
  - Performance measurement
  - Risk response
  - Control processes

Determining and Prioritizing Risk Management Segments
- Combined view of business units and financial statement line items
- Apply ERM:
  - Internal environment
  - Materiality
  - Events and identified risks
  - Risk assessment

Internal Environment
- Organizational structure
  - Functional units vs geographic units
  - Foreign and domestic
  - Financial processes at different locations
- Assignment of authority and responsibility
  - Centralized vs decentralized
- Human resources policies and practices

Materiality
- Impact
- Prioritization
- Scope
- Timing and nature of planned audits

Events and Identified Risks
- Company history
  - Private/public
  - Mergers and acquisitions
  - Organic growth
  - Legal issues
- Current state and beyond
  - Strategy and competition
  - Regulatory changes

Risk Assessment
- Initial risk assessment
  - High level
  - Gather information via inquiry and examination
  - Benchmarking
- Should be quick; depth depends on:
  - Size of the entities
  - Culture
    - Risk appetite
    - Agile vs slow

Using the ERM Framework
- Risk assessment
  - Apply the ERM components
  - Determine the risk drivers in each area
  - Use a weighted score to quantify
- Audit approach
  - Highest risk given highest priority
  - Scope and nature of testing based on risk

Risk Drivers – Internal Environment
- Risk management philosophy
  - Value
  - Communicated in words and actions
- Risk appetite
  - Value
  - Qualitative and quantitative
  - Linked to strategy
- Risk culture
- Board of Directors
  - Independent
  - Active
  - Involved
- Integrity and ethical values
  - Standards of behavior
  - A prerequisite
  - CEO sets the example
  - Incentives

Risk Drivers – Internal Environment (continued)
- Human resource policies and practices
  - Qualified staff
  - Training
  - Compensation
  - Incentives and discipline
- Differences in environment
  - Management preferences
  - Value judgments
  - Management styles
- Management philosophy and operating style
  - Formal vs informal
  - Conservative vs aggressive
  - Aligned with the risk appetite
- Organizational structure
  - Reporting lines
  - Centralized/decentralized
  - Matrix/function/geography
- Assignment of authority and responsibility
  - Empowerment
  - Accountability

Risk Drivers – Objective Setting
- Strategic objectives
  - High-level goals
  - Support the mission/vision
  - Strategic choices
- Related objectives
  - Operations
  - Reporting
  - Compliance
  - Safeguarding of assets
- Selected objectives
  - Align with and support strategy
  - A management decision
- Risk appetite
  - Balance of growth, risk and return
  - Resource allocation
  - People, process and infrastructure
- Risk tolerance
  - Acceptable variance around an objective
  - Expressed in the objective's unit of measure

Risk Drivers – Event Identification
- Events
  - An incident or occurrence
  - Positive and/or negative impacts
- Factors influencing strategy and objectives
  - Internal
  - External
- Methodology and techniques
  - Ongoing and periodic
  - Looking at past and future events
  - Supporting tools
- Event interdependencies
  - Triggering events
  - Events interrelate
- Event categories
  - Common groupings
- Risks and opportunities
  - Negative impact: risks
  - Positive impact: opportunities, which may offset risks

Risk Drivers – Risk Assessment
- Inherent and residual risk
  - Before management actions
  - After management actions
  - Expected and unexpected
- Likelihood and impact
  - Expected, worst-case, distribution
  - Time horizons
  - Unit of measure
  - Observable data
- Qualitative and quantitative methodologies and techniques
  - Qualitative
  - Quantitative
  - On an inherent and residual basis
- Correlation
  - Sequence of events
  - Categories
  - Stress testing
  - Scenarios

Risk Drivers – Risk Response
- Identify risk responses
  - Avoid
  - Reduce
  - Share
  - Accept
- Evaluate possible risk responses
  - Effect on likelihood and impact
  - Cost versus benefit
  - Innovative responses
- Select response
  - A management decision
- Portfolio view
  - Entity level
  - Business unit level
  - On an inherent and residual basis
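The weighted-score approach from "Using the ERM Framework", carried through the risk assessment and risk response drivers above, as an added worked example that is not part of the original deck. It rates the likelihood drivers of each audit segment (a business unit crossed with a financial statement line item) on a 1-to-5 scale, weights them, multiplies by a materiality-based impact rating to get inherent risk, picks the cheapest response that brings residual risk within the risk appetite, and ranks the segments for the audit plan. The driver weights, rating scales, four sample segments, and the effect and cost assigned to each response are constructed assumptions; in practice they come from the initial risk assessment and management's stated risk appetite.

```python
"""Weighted risk scoring with inherent and residual risk, used to rank audit segments.

Added example, not from the original slides. Weights, scales, segments and the
effect/cost of each response are constructed to illustrate the method.
"""
from dataclasses import dataclass

# Likelihood drivers and their weights (constructed; must sum to 1.0).
# Each driver is rated 1 (favorable) to 5 (unfavorable) in the initial assessment.
LIKELIHOOD_DRIVER_WEIGHTS = {
    "internal_environment": 0.30,  # tone at the top, competence, HR practices
    "change_events": 0.30,         # M&A, new systems, regulatory change
    "control_maturity": 0.40,      # design and operation of existing controls
}

# Risk response -> (likelihood factor, impact factor, cost). Constructed: "reduce"
# lowers likelihood through added controls, "share" transfers part of the impact
# (insurance, outsourcing), "avoid" exits the activity, "accept" changes nothing.
# Cost is expressed in the same units as the risk score so benefit can be compared.
RESPONSES = {
    "avoid":  (0.0, 0.0, 6.0),
    "reduce": (0.4, 1.0, 3.0),
    "share":  (1.0, 0.5, 4.0),
    "accept": (1.0, 1.0, 0.0),
}


@dataclass(frozen=True)
class Segment:
    """A business unit crossed with a financial statement line item."""
    name: str
    drivers: dict        # driver name -> rating 1..5
    materiality: float   # impact rating 1..5 derived from the line item's materiality


def weighted_score(drivers, weights=LIKELIHOOD_DRIVER_WEIGHTS):
    """Weighted likelihood score on the 1..5 scale; rejects missing or out-of-range ratings."""
    missing = set(weights) - set(drivers)
    if missing:
        raise ValueError(f"missing driver ratings: {sorted(missing)}")
    for name in weights:
        if not 1 <= drivers[name] <= 5:
            raise ValueError(f"rating for {name} must be 1..5, got {drivers[name]}")
    return round(sum(weights[name] * drivers[name] for name in weights), 2)


def inherent_risk(seg):
    """Likelihood x impact before any management action (maximum 25)."""
    return round(weighted_score(seg.drivers) * seg.materiality, 2)


def residual_risk(seg, response):
    """Likelihood x impact after the chosen response is applied."""
    lf, imf, _cost = RESPONSES[response]
    return round(weighted_score(seg.drivers) * lf * seg.materiality * imf, 2)


def select_response(seg, appetite):
    """Cheapest response that brings residual risk within appetite; if none does,
    the response with the lowest residual risk (cost breaks ties)."""
    within = [(RESPONSES[r][2], r) for r in RESPONSES if residual_risk(seg, r) <= appetite]
    if within:
        return min(within)[1]
    return min(RESPONSES, key=lambda r: (residual_risk(seg, r), RESPONSES[r][2]))


def audit_priority(residual, appetite):
    """Map residual risk to scope and nature of testing (constructed thresholds)."""
    if residual > 0.75 * appetite:
        return "high: controls and substantive testing every cycle"
    if residual > 0.5 * appetite:
        return "medium: rotational detailed testing, annual analytical review"
    return "low: entity-level controls and inquiry only"


def prioritize(segments, appetite):
    """Rank segments by residual risk, highest first; returns the audit plan rows."""
    rows = []
    for seg in segments:
        response = select_response(seg, appetite)
        residual = residual_risk(seg, response)
        rows.append({
            "segment": seg.name,
            "inherent": inherent_risk(seg),
            "response": response,
            "residual": residual,
            "priority": audit_priority(residual, appetite),
        })
    return sorted(rows, key=lambda r: (-r["residual"], -r["inherent"]))


# Constructed sample segments with ratings from a hypothetical initial assessment.
SEGMENTS = [
    Segment("EMEA / Revenue", {"internal_environment": 4, "change_events": 5, "control_maturity": 2}, 5),
    Segment("US / Payroll", {"internal_environment": 2, "change_events": 2, "control_maturity": 2}, 3),
    Segment("APAC / Inventory", {"internal_environment": 3, "change_events": 4, "control_maturity": 4}, 4),
    Segment("Corporate / Fixed assets", {"internal_environment": 2, "change_events": 1, "control_maturity": 2}, 2),
]

if __name__ == "__main__":
    for row in prioritize(SEGMENTS, appetite=8.0):
        print(f"{row['segment']:<26} inherent={row['inherent']:>5} {row['response']:<7} "
              f"residual={row['residual']:>5}  {row['priority']}")
```

Note the ranking is on residual, not inherent, risk: the accepted payroll segment ends up above the reduced inventory segment even though its inherent score is much lower, which is the portfolio view the slides call for, and the reason the audit plan should be revisited whenever a response changes.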

Risk Drivers – Control Activities
- Integration with risk responses
  - Built directly into management processes
  - Interrelated
- Types of control activities
  - Policies and procedures
  - Preventive and detective
  - Manual and automated
- Entity-specific
  - Entity-specific strategies and objectives
  - Operating environment
  - Complexity of the entity
- General controls
  - IT management
  - IT infrastructure
  - Security management
  - Software development and maintenance
- Application controls
  - Completeness
  - Accuracy
  - Authorization
  - Validity
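Segregation of duties is listed as a control activity under the original framework's Control Activities component and sits behind the authorization control above. As an added example, not part of the original deck, the following automated detective control reads an access extract and reports every user whose combined roles grant both halves of a conflicting duty pair, marking those covered by a documented compensating control; a preventive variant lists the role combinations that would create a conflict if provisioned together. The conflict rules, roles, users and exception register are all constructed; a real run would take the extract from the ERP or identity system and the rules from the entity's control matrix.

```python
"""Segregation-of-duties conflict detection over an entitlement extract.

Added example, not from the original slides. Rules, roles, users and the
exception register are constructed sample data.
"""
from itertools import combinations

# Conflicting duty pairs from a constructed control matrix: no one person should hold both.
SOD_RULES = {
    "SOD-01": ("vendor.create", "payment.approve"),
    "SOD-02": ("journal.post", "journal.approve"),
    "SOD-03": ("payroll.master.change", "payroll.run"),
    "SOD-04": ("user.provision", "security.log.purge"),
}

# Role -> permissions granted by that role (constructed).
ROLES = {
    "AP_CLERK": {"vendor.create", "invoice.enter"},
    "AP_MANAGER": {"payment.approve", "invoice.enter"},
    "GL_ACCOUNTANT": {"journal.post"},
    "CONTROLLER": {"journal.approve", "payment.approve"},
    "HR_ADMIN": {"payroll.master.change"},
    "PAYROLL_OPS": {"payroll.run"},
    "IT_SECURITY": {"user.provision", "security.log.purge"},
}

# User -> assigned roles (constructed access extract).
ASSIGNMENTS = {
    "alice": {"AP_CLERK", "AP_MANAGER"},       # can create a vendor and approve its payment
    "bob": {"GL_ACCOUNTANT"},
    "carol": {"CONTROLLER", "GL_ACCOUNTANT"},  # posts and approves journals
    "dave": {"HR_ADMIN", "PAYROLL_OPS"},       # documented exception, see below
    "erin": {"IT_SECURITY"},                   # a single role can itself be toxic
}

# Approved exceptions with their compensating control (constructed).
EXCEPTIONS = {
    ("dave", "SOD-03"): "payroll register reviewed and signed off by the CFO each pay run",
}


def effective_permissions(user, assignments=ASSIGNMENTS, roles=ROLES):
    """Union of permissions over all of the user's roles; unknown roles are a data-quality defect."""
    perms = set()
    for role in assignments.get(user, ()):
        if role not in roles:
            raise KeyError(f"{user}: unknown role {role}")
        perms |= roles[role]
    return perms


def find_conflicts(assignments=ASSIGNMENTS, roles=ROLES, rules=SOD_RULES, exceptions=EXCEPTIONS):
    """Detective control: one finding per (user, rule) whose permissions contain both duties."""
    findings = []
    for user in sorted(assignments):
        perms = effective_permissions(user, assignments, roles)
        for rule_id, (duty_a, duty_b) in rules.items():
            if duty_a in perms and duty_b in perms:
                via = sorted(r for r in assignments[user] if roles[r] & {duty_a, duty_b})
                findings.append({
                    "user": user,
                    "rule": rule_id,
                    "duties": (duty_a, duty_b),
                    "via_roles": via,
                    "status": "mitigated" if (user, rule_id) in exceptions else "open",
                    "compensating_control": exceptions.get((user, rule_id)),
                })
    return findings


def toxic_role_pairs(roles=ROLES, rules=SOD_RULES):
    """Preventive check for provisioning: role pairs whose union creates a conflict,
    plus single roles that contain both duties on their own (reported as (r, r, rule))."""
    toxic = set()
    for rule_id, (a, b) in rules.items():
        for r in roles:
            if {a, b} <= roles[r]:
                toxic.add((r, r, rule_id))
        for r1, r2 in combinations(sorted(roles), 2):
            if {a, b} <= roles[r1] | roles[r2] and not ({a, b} <= roles[r1] or {a, b} <= roles[r2]):
                toxic.add((r1, r2, rule_id))
    return sorted(toxic)


if __name__ == "__main__":
    for f in find_conflicts():
        print(f"{f['status']:<9} {f['user']:<6} {f['rule']} via {'+'.join(f['via_roles'])}"
              + (f"  [{f['compensating_control']}]" if f["compensating_control"] else ""))
    print("toxic role combinations:", toxic_role_pairs())
```

The detective pass is what an auditor would re-perform on the period's access extract; the preventive pass is what the provisioning workflow should consult before a second role is granted. Exceptions are keyed per user and rule so that a compensating control for one conflict does not silently cover another.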

Risk Drivers – Information and Communication
- Information
  - Internal and external
  - Manual and computerized
  - Formal and informal
  - Information systems architecture
- Strategic and integrated systems
  - Strategic and operational
  - Past and current
  - Level of detail
  - Timeliness
  - Quality
- Communication
  - Internal and external
  - Entity-wide
  - Expectations and responsibilities
  - Framing
  - Means of transmission

Risk Drivers – Monitoring
- Ongoing
  - Real-time
  - Built-in
  - Day-to-day operations
- Separate evaluations
  - Scope
  - Frequency
  - Self-assessments/internal auditors
  - Extent of documentation
- Reporting deficiencies
  - Ongoing
  - To external parties
  - Protocols
  - Alternative channels

Open Discussion and Examples

Questions?

For More Information:
Deborah Frazer, CPA, CISA, CISSP
Senior Director, Internal Audit
PalmSource, Inc.

Thank you!