1. Operational risk management in the public & private sectors
IMT587
SPRING 2014
UNIVERSITY OF WASHINGTON INFORMATION SCHOOL
WEEK #1
APRIL 3, 2014

2. Welcome
Office hours are Thursdays from 3:30-4:20pm in MGH Commons or by appointment off campus
Please review syllabus carefully for policies on
Academic Integrity and Proper Citations
Copyright
Privacy
Schedule and Assignments
Standard Manuscript Format (on home page)
“Retrieving Canvas Assignments Feedback (home page)
All assignments submitted from Canvas. Announcements or discussions are also handled from Canvas.

3. My background Owned my own computer hardware firm for 15 years.
10 years at Washington Mutual -- from enterprise technology architect to senior exec in charge of enterprise operational risk services.
My firm has both a consulting side and an Institute for Research(ASA) and Innovation, which publishes research on current risk topics.
I am author of one book for general public and publisher of two volumes in the “Reflections on Risk” series for operational risk executives & managers.
ASA’s work focuses on four private and two public critical infrastructure sectors: banking and finance, energy, IT, communications, public health and emergency services.
CV and other details are on the iSchool’s faculty page.
@anniesearle = Twitter
Annie Searle & Associates = Facebook
= website

4. My expectations That you will be present and participate actively.
That you’ll monitor the world over the next 10 weeks and bring in examples of operational risk you see.
That you will complete all assignments and show me what you are learning as we go.
That your papers will not simply be an assemblage of research you have done, but will have your own conclusions and recommendations as well.
That your final written presentation will be of such quality and so polished that it could be published.
That the work we do in this course could be passed along to federal agencies or private sector coalitions.

5. Risks you face
You may not have taken the prerequisite, called “Information and Operational Risk.” See me if you want a longer reading list that would cover concepts in depth.
You’re in a classroom with 20+ other people
Illness is always a risk especially from time spent in public places
To avoid the flu:
Wash your hands frequently – and carry hand sanitizer if you can.
If you have a cough or sneeze, cover it with your elbow.
If you have a cough or sneeze and decide to come to class, then please sit away from other students.
If you are too sick to come to class, please send me a note.
Identify the evacuation exits from this classroom in case of a campus emergency.

6. Class format As envisioned, each class will consist of three parts:
60 minute guest speaker during most weeks. Speaker is selected for expertise and for relevance to topics being discussed that week.
60 minute lecture, during which I expect to be asked questions or to clarify remarks I am making – lecture will be focused primarily on the reading assignments. Its PowerPoint will be posted after class on the website.
60 minute facilitated discussion, with 2-3 of you speaking each week, using power point format.

7. Lectures
The lectures make sense if you have read the assignment in advance of the class.
The material is dense. Leave yourself enough time to do the readings and any additional searches for additional information.
COSO Enterprise Risk Management is the foundational text for this course, supplemented by the articles and websites listed in each week’s readings assignments.
Each you will facilitate discussions. Since there are 20+ students in the course, and 8 weeks of discussions, 2-3 students volunteer to take on topics on the week of their choice.

8. Class introductions

9. Facilitated discussions (3-4 persons each) looking at differences in response in private and public sector
Today An introduction to operational risk
April 10 DHS agencies and the private sector (Uma, Pragati, Niketan, Sanchit)
April Regulatory impact on private sector companies (Ted, Fei, Shweta, Aman)
April 24 Current privacy v. security threats (Aaron, Brooke, Abhaya, Prerak)
May 1 Vendor risk in public and private sectors (Pavani, Akhila, Anupama, Natsal)
May 8 The new cybersecurity framework issues (Nishita, Resche, Smita)
May 15 Optimized crisis response (Malavika, Krista, Panali, Ajinkya)
May Business continuity, info security practices (Arpita, Rutul, Varun)
May Insider Threats (John, Aloka, Chandran, Nihar)

10. Of special note
Your final project includes both a longer paper and a power point executive summary of the paper. Those oral presentations will be made in Week 10 (June 5 at 2:30pm).
We have eight outside guest speakers starting April 10th. Please familiarize yourself with their biographies, posted on the site, and prepare at least one question to ask each speaker.
I will be inviting all MSIM students to attend the guest lecture portion of the course each week.

11. Global Framework

12. Operational risk failures = one or more of these areas = financial loss
People – human error, failure to follow procedures
Process – inadequate or failed processes and procedures
Systems – inadequate systems or breakdown of automated systems, especially in technology infrastructure
External – Mother Nature, critical dependencies on other sectors, vendors
Enterprise risk management sets tone from the top via the risk control environment, then it’s a cycle:
Actively manage (identify, assess, mitigate)
Monitor on ongoing basis
Disclose issues or control failures or gaps (39)

13. Seven Categories of Operational Risk
Internal Fraud
Losses due to acts of a type intended to defraud, misappropriate property, or circumvent regulations, the law or company policy, excluding diversity/discrimination events, which involves at least one internal party.
External Fraud
Losses due to acts of a type intended to defraud, misappropriate property, or circumvent the law, by a third party.
Employment Practices and Workplace Safety
Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity/discrimination events.
Clients, Products, and Business Practices
Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product.
Damage to Physical Assets
Losses arising from loss or damage to physical assets from natural disaster or other events.
Business Disruption and System Failures
Losses arising from disruption of business or system failures.
Execution, Delivery, and Process Management
Losses from failed transaction processing or process management, from relations with trade counterparties and vendors.
Annex 9, International Convergence of Capital Measurement and Capital Standards: A Revised Framework, Bank for International Settlements (2004)

14. Exercise Look at today’s newspaper and identify
three more events than these two
that meet the definition of operational
risk. Identify these two Northwest events.
Operational risk is
real world risk.

15. Other Examples of Operational Risk
Fraud (Ken Lay, Bernie Madoff,)
Unauthorized trading (Nick Leeson/Barings, Société General)
Insider trading (Raj Rajaratnam, SAC Capital)
Technological failures (Knight Capital, Nasdaq Facebook IPO, anonymous cyber-attacks)
Weather catastrophes (hurricanes, tsunamis, earthquakes)
Man-made events (weaponized anthrax, car bombers, suicide bombers, other chemical events)

16. The Basel II Framework (Banking Sector)
“Describes a more comprehensive measure and minimum standard for capital adequacy that national supervisory authorities are now working to implement through domestic rule-making and adoption procedures.
It seeks to improve on the existing rules by aligning regulatory capital requirements more closely to the underlying risks that banks face.
In addition, the Basel II Framework is intended to promote a more forward-looking approach to capital supervision, one that encourages banks to identify the risks they may face, today and in the future, and to develop or improve their ability to manage those risks.
As a result, it is intended to be more flexible and better able to evolve with advances in markets and risk management practices.”

17. Basel II
International Convergence of Capital Measurement and Capital Standards: A Revised Framework
Published by the Bank for International Settlements in Europe in 2004.
New risk rules for internationally active financial institutions that wished to continue to do business in Europe. The rules:
Included enhanced requirements for management and capital measurement of market and credit risk.
Introduced a new capital requirement for operational risk.
Laid out new qualitative requirements for operational risk management.

18. Basel II Major Changes Pillar 1 New capital adequacy rules Credit risk
Must hold capital for assets in the holding company, so as to prevent banks from avoiding capital by moving assets around within its corporate structure.
A bank must hold capital reserves of at least 8% of their total credit, market, and operational risk weighted assets.
Credit risk
Three possible approaches to calculating credit risk:
Standardized approach
Foundation Internal Ratings Based (IRB) approach
Advanced IRB approach
Market risk
Value at risk (VaR) approach
Operational risk
New category of risk

19. Basel III The impact of the financial crisis
Had Basel II failed?
Christopher Cox “in March 2008, I formally requested that the Basel Committee address the inadequacy of the Basel capital and liquidity standards.”
The Group of Twenty (G20)
A Financial Stability Board (FSB) formed
To make recommendations for change.
Strengthening the Resilience of the Banking Sector and International Framework for Liquidity Risk Measurement, Standards and Monitoring.
An increase in Tier One capital.
Additional capital for derivatives, securities financing and repo markets.
Tighter leverage ratios.
Setting aside revenue during upturns to protect against cyclicality of markets.
Minimum 30-day liquidity standards
Enhanced corporate governance, risk management, compensation practices, disclosure and board supervision practices.

20. European Response to the Crisis
The Committee of European Banking Supervisors (CEBS) produced:
“Guidelines on the Management of Operational Risk in Market-Related Activities” in October 2010.
Supplemented earlier “Guidelines on the Scope of Operational Risk and Operational Risk Loss.”
Emphasis on strong corporate governance.

21. U.S. Response to the Crisis
End of CSE* status and SEC oversight of Basel II
Of the original five investment banks that had opted for CSE status with the SEC, three no longer existed by 2009: Bear Stearns, Lehman Brothers, and Merrill Lynch.
The remaining two, Goldman Sachs and Morgan Stanley, changed their structures to Bank Holding Companies under Federal Reserve.
June 2011, Interagency Guidance on the Advanced Measurement Approaches for Operational Risk.
Federal Reserve
Federal Deposit Insurance Corporation
Office of the Comptroller of the Currency
Office of Thrift Supervision
Dodd-Frank Act, 2009.
*Consolidated Supervised Entity

22. The Run-up to Dodd-Frank Act, 2009
President Barack Obama: A New Foundation: Rebuilding Financial Supervision and Regulation, on June 17, 2009.
Numerous acts were proposed to deal with different aspects of the crisis and its perceived causes.
Restoring American Financial Stability Act of 2009:
Introduced into the Senate by Senator Christopher Dodd (D-CT) and into the House of Representatives by Rep. Barney Frank (D).
Renamed the “Dodd-Frank Wall Street Reform and Consumer Protection Act.”
President Obama signed the bill into law on July 21, 2010.
An act to promote the financial stability of the United States by improving accountability and transparency in the financial system, to end "too big to fail,” to protect the American taxpayer by ending bailouts, to protect consumers from abusive financial services practices, and for other purposes.

23. Dodd-Frank Highlights 1
Consumer Protections with Authority and Independence:
“A new independent watchdog, Consumer Financial Protection Bureau, housed at the Federal Reserve, with the authority to ensure American consumers get the clear, accurate information they need to shop for mortgages, credit cards, and other financial products, and protect them from hidden fees, abusive terms, and deceptive practices.”
Ends Too Big to Fail:
“Ends the possibility that taxpayers will be asked to write a check to bail out financial firms that threaten the economy by: creating a safe way to liquidate failed financial firms; imposing tough new capital and leverage requirements that make it undesirable to get too big; updating the Fed’s authority to allow system-wide support but no longer prop up individual firms; and establishing rigorous standards and supervision to protect the economy and American consumers, investors and businesses.”
Advanced Warning System:
“Creates a council to identify and address systemic risks posed by large, complex companies, products, and activities before they threaten the stability of the economy.”
Transparency and Accountability for Exotic Instruments:
“Eliminates loopholes that allow risky and abusive practices to go on unnoticed and unregulated––including loopholes for over-the-counter derivatives, asset-backed securities, hedge funds, mortgage brokers, and payday lenders.”

24. Dodd Frank Highlights 2 Federal Bank Supervision:
“Streamlines bank supervision to create clarity and accountability and protects the dual banking system that supports community banks.”
Executive Compensation and Corporate Governance:
“Provides shareholders with a say on pay and corporate affairs with a nonbinding vote on executive compensation.”
Protects Investors:
“Provides tough new rules for transparency and accountability for credit rating agencies to protect investors and businesses.”
Enforces Regulations on the Books:
“Strengthens oversight and empowers regulators to aggressively pursue financial fraud, conflicts of interest and manipulation of the system that benefit special interests at the expense of American families and businesses.”
Source: Senate Committee on Banking, Housing, and Urban Affairs. (2009). Summary: Restoring American Financial Stability.

25. Key Points
The Basel Accords were developed by The Bank of International Settlements (BIS) to ensure capital adequacy.
Basel II was first published in 2004 and its full title is International Convergence of Capital Measurement and Capital Standards, A Revised Framework.
Basel II required operational risk management and measurement for the first time.
There are three approaches to calculating capital for operational risk under Basel II: the Basic Approach, the Standardized Approach, and the Advanced Measurement Approach.
In 2008, the Federal Reserve, OCC, FDIC, and OTS issued a joint requirement for mandatory Basel II rules for large United States banks, and opt-in provisions for noncore banks.
In 2009 and 2010, CEBS issued guidance on operational risk management and measurement.
In 2011, U.S. regulators issued the Interagency Guidance on the Advanced Measurement Approaches for Operational Risk.
The United States enacted the Dodd-Frank Wall Street Reform and Consumer Protection Act in July 2010.
The areas addressed by the act are:
Consumer protections with authority and independence.
Ends Too Big to Fail.
Advanced warning system.
Transparency and accountability for exotic instruments.
Federal bank supervision.
Executive compensation and corporate governance.
Protects investors.
Enforces regulations on the books.

26. Banks Have Adopted the Definition
“Operational risk is the risk of loss resulting from inadequate or failed processes or systems, human factors, or external events.”
JPMorgan Chase & Co., Annual Report, 2008, p. 117
“Operational risk is the potential for failure (including the legal component) in relation to employees, contractual specifications and documentation, technology, infrastructure and disasters, external influences, and customer relationships. Operational risk excludes business and reputational risk.”
Deutsche Bank Financial Report, 2011, p. 110
“Operational risk is the risk of loss resulting from inadequate or failed internal processes, systems, or human factors, or from external events. It includes the reputation and franchise risk associated with business practices or market conduct in which Citi is involved.”
Citi Annual Report, 2011, p. 106

27. Key Points
The Basel Accords were developed by The Bank of International Settlements (BIS) to ensure capital adequacy.
Basel II was first published in 2004 and its full title is International Convergence of Capital Measurement and Capital Standards, A Revised Framework.
Basel II required operational risk management and measurement for the first time.
There are three approaches to calculating capital for operational risk under Basel II: the Basic Approach, the Standardized Approach, and the Advanced Measurement Approach.
In 2008, the Federal Reserve, OCC, FDIC, and OTS issued a joint requirement for mandatory Basel II rules for large United States banks, and opt-in provisions for noncore banks.
In 2009 and 2010, CEBS issued guidance on operational risk management and measurement.
In 2011, U.S. regulators issued the Interagency Guidance on the Advanced Measurement Approaches for Operational Risk.
The United States enacted the Dodd-Frank Wall Street Reform and Consumer Protection Act in July 2010.
The areas addressed by the act are:
Consumer protections with authority and independence.
Ends Too Big to Fail.
Advanced warning system.
Transparency and accountability for exotic instruments.
Federal bank supervision.
Executive compensation and corporate governance.
Protects investors.
Enforces regulations on the books.

28. Five Key Regulatory Requirements
Identifying operational risks
Assessing the size of operational risks
Monitoring and controlling operational risks
Mitigating operational risks
Calculating capital to protect from operational risk losses

29. Quantitative and Qualitative Approaches
Basel II requires capital to be held for operational risk.
Several possible calculation methods for that capital.
Qualitative
Must also demonstrate that they are effectively managing their operational risk.
Pillar 2 of Basel II:
736. Operational risk: The Committee believes that similar rigour should be applied to the management of operational risk, as is done for the management of other significant banking risks …
737. A bank should develop a framework for managing operational risk and evaluate the adequacy of capital given this framework. The framework should cover the bank’s appetite and tolerance for operational risk, as specified through the policies for managing this risk, including the extent and manner in which operational risk is transferred outside the bank. It should also include policies outlining the bank’s approach to identifying, assessing, monitoring, and controlling/mitigating the risk.

30. Qualitative Elements Risk Appetite Policies ORM Tools
Policies must be written that outline the bank’s approach to “identifying, assessing, monitoring, and controlling/mitigating” operational risk.
ORM Tools
Loss data collection programs
Risk and controls self-assessments
Scenario analysis activities
Key risk indicators
Reporting

31. Drivers of Operational Risk Management
Three main sources
Regulators
Senior management
Be fully informed of the risks that face the firm, including operational risk exposures.
Avoid bad surprises.
Make strategic business decisions fully informed of the operational risk implications.
Third parties
Ratings agencies, investors, and research analysts.
Often ask for evidence that:
An effective operational risk framework is in place.
Sufficient capital is being held to protect a firm from a catastrophic operational risk event.

32. Enterprise Risk Management = All Three

33. Overview of the Operational Risk Framework
An operational risk program should ensure that operational risk is:
Identified
Assessed
Monitored and controlled
Mitigated

34. “Sound Practices for the Management and Supervision of Operational Risk”
Guidelines for best practices for operational risk departments.
Framework should:
Fit with the culture of the bank.
Reflect best practice in the industry.
Sound Practices for the Management and Supervision of Operational Risk, Risk Management Group of the Basel Committee on Banking Supervision (2011),

35. Framework Elements
The main data building blocks of an operational risk framework are:
Loss data collection
Risk and control self-assessment
Scenario analysis
Key risk indicators
The framework must also address:
Governance
Policies and procedures
Change
Risk appetite
Capital modeling
Risk reporting

36. An Operational Risk Framework
Scenario Analysis
Policies and Procedures
Key Risk Indicators
Culture and Awareness
RCSA
Internal
Loss Data
External Loss Data
Measurement and Modeling
Reporting
Governance and Organization
Risk Appetite
* Risk and Control Self-Assessment

37. The Foundations of the Framework
Governance:
Escalation of risk
Who owns the operational risk functions?
What do the operational risk functions own?
Culture and awareness:
Training, marketing, and building a brand for the operational risk function.
Policies and procedures
Risk appetite
Scenario Analysis
Policies and Procedures
Key Risk Indicators
Culture and Awareness
RCSA
Internal
Loss Data
External Loss Data
Measurement and Modeling
Reporting
Governance and Organization
Risk Appetite

38. The Four Data Building Blocks
Loss data collection
Internal loss data
External loss data
Risk and control self-assessment
Scenario analysis
Key risk indicators
Scenario Analysis
Policies and Procedures
Key Risk Indicators
Culture and Awareness
RCSA
Internal
Loss Data
External Loss Data
Measurement and Modeling
Reporting
Governance and Organization
Risk Appetite

39. The Outputs of the Framework
Measurement and modeling
Reporting
Scenario Analysis
Policies and Procedures
Key Risk Indicators
Culture and Awareness
RCSA
Internal
Loss Data
External Loss Data
Measurement and Modeling
Reporting
Governance and Organization
Risk Appetite

40. Key Points
The main building blocks of an operational risk framework are:
The foundations:
Governance
Culture and awareness
Policy and procedure
The four data elements:
Loss data collection including
Internal loss data
External loss data
Risk and control self-assessment
Scenario analysis
Key risk indicators
The key outputs:
Measurement and modeling
Reporting
The framework operates under the firm’s stated risk appetite.

41. Real world: JPMorgan Chase
The London Whale Event

42. Real World examples Earthquakes Volcanic ash
Haiti
Chile
Japan
Pacific Northwest
Volcanic ash
East Coast power grid failure/Hurricane Sandy
Joplin tornadoes
Times Square bomb
BP Gulf oil spill
Hurricane Katrina
2008, 2011Mumbai hotel bombs
Financial trading
Leeson/Barings, Galleon, SocGen, MH
Stewart, Bosky

43. JPMorgan Chase: 2012
JPMC had no treasurer in place to oversee the Chief Investment Office for five months…previous treasurer had expressed concern about size of the bets (NYT, FT, Bloomberg)
Chief Investment Officer contracted Lyme Disease and was out of office on sick leave – in house fighting in her absence (NYT)
Irvin Goldman, who was installed as chief risk officer for the Chief Investment Office this past February before being relieved of his duties this month, suffered between $10 million and $15 million in losses on one bet in 2008 in his prior role as a trader for the bank, these people said. J.P. Morgan halted Mr. Goldman's trading in late 2008 and put him on leave when it learned that regulators were separately probing trading practices at Cantor Fitzgerald, where Mr. Goldman had served as an executive until late 2007, the people said (WSJ, 2013).

44. JPMorgan Chase 2012, continued
It caused a crisis of confidence in CEO Jamie Dimon, which in turn has caused the stock to fluctuate.
It shook the banking sector as well as regulators, since JPMC has been opposed to most portions of the Volcker Rule and has resisted much of the new regulation around Dodd Frank.
It shows dramatically how operational risk can burst into flames, particularly when executives (Dimon, Ina Drew) take their eyes off operations – she moved up to the 42nd floor, a good metaphor for what happened.
As of the end of 2013, JPMC had $6.2 billion loss and paid $920 million in penalties.
Regulators continue to find other problems to fine or settle with the bank on.

45. JPMC Example: how much risk to take?
Board and executives set the tone
Integrity
Ethical values
Brand differentiators (competence)
Establish and communicate risk management principles and objectives
Approve an Operational Risk Management (ORM) structure with policies, procedure and governance
Set risk appetite – what will the company not do is as important as what it will do

46. Why do we care about large banks?
Our government handles general safety & security, including public health and emergency services
Expectation = that government will ensure that critical infrastructure works via oversight or regulation
But private sector owns or controls 85% of the critical infrastructure, therein the conundrum
Electricity, natural gas, oil
Water, waste, sanitation
Telecom & IT
Shelter and food
Financial services

47. The federal government
With thanks to “Ben’s Guide to U.S. Government”

48. Organizational chart: US Government Source=Washburn University School of Law

49. Three branches of government*
U.S. Constitution defines the three branches of government
Executive – Article 2 defines the president’s powers
Judicial – Article 3 role of Supreme Court
Legislative – Article 1 vests powers in Congress
“Separation of powers” since each branch operates independently,
“Checks and balances” to prevent concentration of power in any one branch and to ensure rights of citizens
President can veto Congress’ bills
President nominates judiciary
Supreme Court can declare law unconstitutional
Congress can impeach the president and judges
“This system of establishes a strong central government while ensuring a balance of power.” (Ben’s Guide)
*With thanks to “Ben’s Guide to U.S. Government”

50. Executive departments & agencies
Department heads advice the president on policies
Independent agencies help execute policy or provide special services
Cabinet heads (Secretaries) run departments
Agriculture
Commerce
Defense
Education
Energy
Health & Human Services
Homeland Security
Housing & Urban Develop.
Interior
Justice
Labor
State
Transportation
Treasury
Veterans Affairs

51. Judicial Branch: Supreme and Lower Courts
Only the Supreme Court was created in the Constitution.
Congress deemed lower courts necessary and established them using their powers.
Courts rule on
Meaning of laws
How laws are applied
Do they violate the Constitution? (judicial review—implied power)
In this course, we will be interested in how court decisions affect regulation and oversight of operational risk challenges.

52. Legislative Branch: Senate and House of Representatives
It took a great deal of discussion and debate to create Congress in a bicameral formation to ensure checks and balances.
One house (Senate) has representation that is considered equal. Two senators per state. Number of senators change only if new states are added.
The other house (Representatives) has representation that is based on population.
Members of both houses
are elected by citizens of
their state.
Legislative Agencies
Architect of the Capitol
Congressional Budget Office
Government Accountability Office
Government Printing Office
Library of Congress

53. National versus State Government
This is important to understand because private sector must comply with both federal and state laws and regulations.
Prior to the Constitution, each of the 13 colonies governed themselves based on what they had lived under in England – a king, and a strong central government.
State only government was not sufficient for survival, so the Constitution outlines the limits of national government, the relationship between state and national government, and the rights of citizens no matter where in the United States they live.
Certain central benefits (common currency) but individual states make decisions on some issues (death penalty, marriage, taxes)

54. Coso Enterprise risk management
Establishing Effective Governance, Risk and Compliance Processes
Second Edition
Robert R. Moeller

55. The textbook Moeller has 25+ years of internal audit experience.
COSO internal controls framework established after the failure of Enron led to Sarbanes Oxley (SOX) regulations that apply to all publically traded companies.
COSO internal controls framework updated after the 2008 financial crisis to create a COSO Enterprise Risk Management (COSO ERM) framework that was published in 2011.
Moeller focuses on related pieces: Governance, Risk and Compliance (GRC).
Moeller also creates an example company: Global Computer Products, to be with us through the book.

56. Standards, Controls and Audit
Neither government agencies or private corporations can operate in today’s hyper-environment without compliance to standards that are set externally.
Most large companies have an internal audit group, and their financial statements are also audited by external audit firms such as Deloitte or PWC so that shareholders can be confident that their investments are being well managed in compliance to Generally Accepted Accounting Principles (GAAP) and inside the guard rails of government regulation.
Internal controls are critical to good risk management and effective governance. The foundation of internal controls is the COSO internal control framework.

57. Chapter 1 --Treadway Commission Report
1970s-80s Increasing number of corporate financial failures
High inflation
High interest
“Creative” accounting techniques
Most significant issue = external auditors signed off on falsified financial statements to show both financial health and positive earnings.
National Commission was sponsored by five professional financial organizations. Commission named after its chair, James C. Treadway.
Entire name – Committee of Sponsoring Organizations of the Treadway Commission= COSO

58. COSO Internal Controls Framework
Original focus in the COSO 1987 Treadway Commission Report
was on internal control problems
Asked management to report on the effectiveness of their internal control systems
“…it emphasized the key elements of an effective system of internal controls including a strong control environment, a code of conduct, a competent and involved audit committee, and a strong management function.” (3)
“…consistent definition of internal control” and later published those definitions in 1992 as “Internal Control-Integrated Framework.”
Throughout book, Moeller refers to this as COSO Internal Controls.

59. COSO Internal Controls Framework
2007 Committee of Sponsoring Organizations of the Treadway Commission (COSO) Report, “Guidance on Monitoring Internal Control Systems.” Three dimensional model.
First and foremost, COSO is focused on processes, and then associates information and controls with those processes.
Created for Treadway by Coopers & Lybrand before IT security and technology became such large issues. Precedes COBIT.
CFO – SOx – COSO relationship.

60. COSO Internal Control Elements (5-14)
The Control Environment
1. Integrity and Ethical Values (sample code on p.7)
2. Commitment to Competence
3. Board of Directors and Audit Committee
4. Management’s Philosophy and Operating Style
5. Organization Structure
6. Assignment of Authority and Responsibility
7. Human Resources Policies and Practices
Risk Assessment
1. Estimate the significance of the risk
2. Assess the likelihood or frequency of the risk occurring
3.Consider how the risk should be managed + actions to take

61. Three major inflection points: GRC
Definitions varied on what constituted “risk management” so COSO contracted in 2001 with PricewaterhouseCoopers to develop a consistent definition. Result was COSO ERM framework, which works along with the earlier COSO Internal Controls framework. (This is “r” portion of GRC)
Corporate or enterprise government: “set of processes, customs, policies, laws and institutions affecting the way an enterprise or corporation is directed, administered or controlled.” (15) [This is the “g” portion of GRC.]
Enterprise compliance: “being in accordance with some established guidelines, specifications or legislation.” (16) [This is the “c” portion of GRC.]

62. Chapter 2 – GRC Principles
Governance becomes more important as companies get larger.
Rules and laws exist not only inside a particular industry or profession but also at the city, state and federal level.
GRC Principles are strong tools for ERM.
Governance = taking care of business with clear stakeholder expectations.
Risk = risks are natural part of corporate growth. They need to be identified at the outside and then managed.
Compliance = ensuring that controls work and are based on laws and regulation
Each principle has four components: strategy, processes, technology, people (ORM= people, process, systems, external events)

63. COBIT technology framework
“The purpose of COBIT is to provide management and business process owners with an information technology (IT) governance model that helps in delivering value from IT and understanding and managing the risks associated with IT. COBIT helps bridge the gaps amongst business requirements, control needs and technical issues. It is a control model to meet the needs of IT governance and ensure the integrity of information and information systems.” -- ISACA

64. Moeller: Compliance Challenges(26-28)
New regulations keep coming along (compliance is expensive)
Vaguely written regulations that need interpretation (Dodd-Frank is an example)
No consensus on best practices
Regulations overlap
Reinterpreted or changing regulations that you already comply with
Benefits of compliance:
Reduced total cost of ownership (invest across multiple regulations)
Flexibility (central management)
Competitive advantage (compliance architecture, Figure 2.4)

65. Next week:
We’ll look at governance on the federal side first, with readings and presentations from and about the Department of Homeland Security and its 22 agencies, including FEMA:
Where does the agency fit?
Where does its authority come from?
How does FEMA work with the private sector?
Please do all the reading, including the reading from this week.
Please send me a short autobiography – where did you get your degree, where have you worked/interned, where would you like to be five years from now?
Let me know if you have questions.
This has been a long class, to bring everyone up to speed.
Immersion now = clarity down the road.