Operational risk management in the public & private sectors
IMT587 SPRING 2014 UNIVERSITY OF WASHINGTON INFORMATION SCHOOL WEEK #1 APRIL 3, 2014
Welcome
Office hours are Thursdays from 3:30-4:20pm in MGH Commons or by appointment off campus.
Please review the syllabus carefully for policies on:
- Academic Integrity and Proper Citations
- Copyright
- Privacy
- Schedule and Assignments
- Standard Manuscript Format (on home page)
- Retrieving Canvas Assignments Feedback (on home page)
All assignments are submitted from Canvas. Announcements and discussions are also handled from Canvas.
My background
Owned my own computer hardware firm for 15 years.
10 years at Washington Mutual, from enterprise technology architect to senior exec in charge of enterprise operational risk services.
My firm, Annie Searle & Associates (ASA), has both a consulting side and an Institute for Research and Innovation, which publishes research on current risk topics.
I am the author of one book for the general public and publisher of two volumes in the “Reflections on Risk” series for operational risk executives & managers.
ASA’s work focuses on four private and two public critical infrastructure sectors: banking and finance, energy, IT, communications, public health and emergency services.
CV and other details are on the iSchool’s faculty page.
@anniesearle = Twitter; Annie Searle & Associates = Facebook; website
My expectations
- That you will be present and participate actively.
- That you’ll monitor the world over the next 10 weeks and bring in examples of operational risk you see.
- That you will complete all assignments and show me what you are learning as we go.
- That your papers will not simply be an assemblage of research you have done, but will have your own conclusions and recommendations as well.
- That your final written presentation will be of such quality and so polished that it could be published.
- That the work we do in this course could be passed along to federal agencies or private sector coalitions.
Risks you face
- You may not have taken the prerequisite, called “Information and Operational Risk.” See me if you want a longer reading list that would cover concepts in depth.
- You’re in a classroom with 20+ other people. Illness is always a risk, especially from time spent in public places. To avoid the flu:
  - Wash your hands frequently, and carry hand sanitizer if you can.
  - If you have a cough or sneeze, cover it with your elbow.
  - If you have a cough or sneeze and decide to come to class, then please sit away from other students.
  - If you are too sick to come to class, please send me a note.
- Identify the evacuation exits from this classroom in case of a campus emergency.
Class format
As envisioned, each class will consist of three parts:
- 60 minute guest speaker during most weeks. The speaker is selected for expertise and for relevance to the topics being discussed that week.
- 60 minute lecture, during which I expect to be asked questions or to clarify remarks I am making. The lecture will be focused primarily on the reading assignments. Its PowerPoint will be posted after class on the website.
- 60 minute facilitated discussion, with 2-3 of you speaking each week, using PowerPoint format.
Lectures
The lectures make sense if you have read the assignment in advance of the class. The material is dense. Leave yourself enough time to do the readings and any additional searches for further information.
COSO Enterprise Risk Management is the foundational text for this course, supplemented by the articles and websites listed in each week’s reading assignments.
Each of you will facilitate discussions. Since there are 20+ students in the course, and 8 weeks of discussions, 2-3 students volunteer to take on topics on the week of their choice.
Class introductions
Facilitated discussions (3-4 persons each) looking at differences in response in the private and public sector
- Today: An introduction to operational risk
- April 10: DHS agencies and the private sector (Uma, Pragati, Niketan, Sanchit)
- April: Regulatory impact on private sector companies (Ted, Fei, Shweta, Aman)
- April 24: Current privacy v. security threats (Aaron, Brooke, Abhaya, Prerak)
- May 1: Vendor risk in public and private sectors (Pavani, Akhila, Anupama, Natsal)
- May 8: The new cybersecurity framework issues (Nishita, Resche, Smita)
- May 15: Optimized crisis response (Malavika, Krista, Panali, Ajinkya)
- May: Business continuity, info security practices (Arpita, Rutul, Varun)
- May: Insider Threats (John, Aloka, Chandran, Nihar)
Of special note
Your final project includes both a longer paper and a PowerPoint executive summary of the paper. Those oral presentations will be made in Week 10 (June 5 at 2:30pm).
We have eight outside guest speakers starting April 10th. Please familiarize yourself with their biographies, posted on the site, and prepare at least one question to ask each speaker.
I will be inviting all MSIM students to attend the guest lecture portion of the course each week.
Global Framework
Operational risk failures = one or more of these areas = financial loss
- People – human error, failure to follow procedures
- Process – inadequate or failed processes and procedures
- Systems – inadequate systems or breakdown of automated systems, especially in technology infrastructure
- External – Mother Nature, critical dependencies on other sectors, vendors
Enterprise risk management sets the tone from the top via the risk control environment; then it’s a cycle:
- Actively manage (identify, assess, mitigate)
- Monitor on an ongoing basis
- Disclose issues or control failures or gaps (39)
Seven Categories of Operational Risk
- Internal Fraud: Losses due to acts of a type intended to defraud, misappropriate property, or circumvent regulations, the law or company policy, excluding diversity/discrimination events, which involves at least one internal party.
- External Fraud: Losses due to acts of a type intended to defraud, misappropriate property, or circumvent the law, by a third party.
- Employment Practices and Workplace Safety: Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity/discrimination events.
- Clients, Products, and Business Practices: Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product.
- Damage to Physical Assets: Losses arising from loss or damage to physical assets from natural disaster or other events.
- Business Disruption and System Failures: Losses arising from disruption of business or system failures.
- Execution, Delivery, and Process Management: Losses from failed transaction processing or process management, from relations with trade counterparties and vendors.
Source: Annex 9, International Convergence of Capital Measurement and Capital Standards: A Revised Framework, Bank for International Settlements (2004)
Exercise
Look at today’s newspaper and identify three more events than these two that meet the definition of operational risk. Identify these two Northwest events. Operational risk is real world risk.
Other Examples of Operational Risk
- Fraud (Ken Lay, Bernie Madoff)
- Unauthorized trading (Nick Leeson/Barings, Société Générale)
- Insider trading (Raj Rajaratnam, SAC Capital)
- Technological failures (Knight Capital, Nasdaq Facebook IPO, anonymous cyber-attacks)
- Weather catastrophes (hurricanes, tsunamis, earthquakes)
- Man-made events (weaponized anthrax, car bombers, suicide bombers, other chemical events)
The Basel II Framework (Banking Sector)
“Describes a more comprehensive measure and minimum standard for capital adequacy that national supervisory authorities are now working to implement through domestic rule-making and adoption procedures. It seeks to improve on the existing rules by aligning regulatory capital requirements more closely to the underlying risks that banks face. In addition, the Basel II Framework is intended to promote a more forward-looking approach to capital supervision, one that encourages banks to identify the risks they may face, today and in the future, and to develop or improve their ability to manage those risks. As a result, it is intended to be more flexible and better able to evolve with advances in markets and risk management practices.”
Basel II
International Convergence of Capital Measurement and Capital Standards: A Revised Framework. Published by the Bank for International Settlements in Europe in 2004.
New risk rules for internationally active financial institutions that wished to continue to do business in Europe. The rules:
- Included enhanced requirements for management and capital measurement of market and credit risk.
- Introduced a new capital requirement for operational risk.
- Laid out new qualitative requirements for operational risk management.
Basel II Major Changes
Pillar 1: New capital adequacy rules
- Must hold capital for assets in the holding company, so as to prevent banks from avoiding capital requirements by moving assets around within the corporate structure.
- A bank must hold capital reserves of at least 8% of its total credit, market, and operational risk-weighted assets.
Credit risk: three possible approaches to calculating credit risk:
- Standardized approach
- Foundation Internal Ratings Based (IRB) approach
- Advanced IRB approach
Market risk: Value at Risk (VaR) approach
Operational risk: new category of risk
Basel III: The impact of the financial crisis
Had Basel II failed? Christopher Cox: “in March 2008, I formally requested that the Basel Committee address the inadequacy of the Basel capital and liquidity standards.”
The Group of Twenty (G20) formed a Financial Stability Board (FSB) to make recommendations for change: Strengthening the Resilience of the Banking Sector and International Framework for Liquidity Risk Measurement, Standards and Monitoring.
- An increase in Tier One capital.
- Additional capital for derivatives, securities financing and repo markets.
- Tighter leverage ratios.
- Setting aside revenue during upturns to protect against cyclicality of markets.
- Minimum 30-day liquidity standards.
- Enhanced corporate governance, risk management, compensation practices, disclosure and board supervision practices.
European Response to the Crisis
The Committee of European Banking Supervisors (CEBS) produced:
- “Guidelines on the Management of Operational Risk in Market-Related Activities” in October 2010.
- Supplemented earlier “Guidelines on the Scope of Operational Risk and Operational Risk Loss.”
Emphasis on strong corporate governance.
U.S. Response to the Crisis
End of CSE* status and SEC oversight of Basel II. Of the original five investment banks that had opted for CSE status with the SEC, three no longer existed by 2009: Bear Stearns, Lehman Brothers, and Merrill Lynch. The remaining two, Goldman Sachs and Morgan Stanley, changed their structures to Bank Holding Companies under the Federal Reserve.
June 2011, Interagency Guidance on the Advanced Measurement Approaches for Operational Risk, issued by:
- Federal Reserve
- Federal Deposit Insurance Corporation
- Office of the Comptroller of the Currency
- Office of Thrift Supervision
Dodd-Frank Act, 2009.
*Consolidated Supervised Entity
The Run-up to Dodd-Frank Act, 2009
- President Barack Obama: A New Foundation: Rebuilding Financial Supervision and Regulation, on June 17, 2009.
- Numerous acts were proposed to deal with different aspects of the crisis and its perceived causes.
- Restoring American Financial Stability Act of 2009: Introduced into the Senate by Senator Christopher Dodd (D-CT) and into the House of Representatives by Rep. Barney Frank (D). Renamed the “Dodd-Frank Wall Street Reform and Consumer Protection Act.”
- President Obama signed the bill into law on July 21, 2010.
- An act to promote the financial stability of the United States by improving accountability and transparency in the financial system, to end “too big to fail,” to protect the American taxpayer by ending bailouts, to protect consumers from abusive financial services practices, and for other purposes.
Dodd-Frank Highlights 1
- Consumer Protections with Authority and Independence: “A new independent watchdog, Consumer Financial Protection Bureau, housed at the Federal Reserve, with the authority to ensure American consumers get the clear, accurate information they need to shop for mortgages, credit cards, and other financial products, and protect them from hidden fees, abusive terms, and deceptive practices.”
- Ends Too Big to Fail: “Ends the possibility that taxpayers will be asked to write a check to bail out financial firms that threaten the economy by: creating a safe way to liquidate failed financial firms; imposing tough new capital and leverage requirements that make it undesirable to get too big; updating the Fed’s authority to allow system-wide support but no longer prop up individual firms; and establishing rigorous standards and supervision to protect the economy and American consumers, investors and businesses.”
- Advanced Warning System: “Creates a council to identify and address systemic risks posed by large, complex companies, products, and activities before they threaten the stability of the economy.”
- Transparency and Accountability for Exotic Instruments: “Eliminates loopholes that allow risky and abusive practices to go on unnoticed and unregulated––including loopholes for over-the-counter derivatives, asset-backed securities, hedge funds, mortgage brokers, and payday lenders.”
Dodd-Frank Highlights 2
- Federal Bank Supervision: “Streamlines bank supervision to create clarity and accountability and protects the dual banking system that supports community banks.”
- Executive Compensation and Corporate Governance: “Provides shareholders with a say on pay and corporate affairs with a nonbinding vote on executive compensation.”
- Protects Investors: “Provides tough new rules for transparency and accountability for credit rating agencies to protect investors and businesses.”
- Enforces Regulations on the Books: “Strengthens oversight and empowers regulators to aggressively pursue financial fraud, conflicts of interest and manipulation of the system that benefit special interests at the expense of American families and businesses.”
Source: Senate Committee on Banking, Housing, and Urban Affairs. (2009). Summary: Restoring American Financial Stability.
Key Points
- The Basel Accords were developed by the Bank for International Settlements (BIS) to ensure capital adequacy.
- Basel II was first published in 2004 and its full title is International Convergence of Capital Measurement and Capital Standards, A Revised Framework.
- Basel II required operational risk management and measurement for the first time.
- There are three approaches to calculating capital for operational risk under Basel II: the Basic Approach, the Standardized Approach, and the Advanced Measurement Approach.
- In 2008, the Federal Reserve, OCC, FDIC, and OTS issued a joint requirement for mandatory Basel II rules for large United States banks, and opt-in provisions for noncore banks.
- In 2009 and 2010, CEBS issued guidance on operational risk management and measurement.
- In 2011, U.S. regulators issued the Interagency Guidance on the Advanced Measurement Approaches for Operational Risk.
- The United States enacted the Dodd-Frank Wall Street Reform and Consumer Protection Act in July 2010. The areas addressed by the act are: consumer protections with authority and independence; ends Too Big to Fail; advanced warning system; transparency and accountability for exotic instruments; federal bank supervision; executive compensation and corporate governance; protects investors; enforces regulations on the books.
Banks Have Adopted the Definition
“Operational risk is the risk of loss resulting from inadequate or failed processes or systems, human factors, or external events.” (JPMorgan Chase & Co., Annual Report, 2008, p. 117)
“Operational risk is the potential for failure (including the legal component) in relation to employees, contractual specifications and documentation, technology, infrastructure and disasters, external influences, and customer relationships. Operational risk excludes business and reputational risk.” (Deutsche Bank Financial Report, 2011, p. 110)
“Operational risk is the risk of loss resulting from inadequate or failed internal processes, systems, or human factors, or from external events. It includes the reputation and franchise risk associated with business practices or market conduct in which Citi is involved.” (Citi Annual Report, 2011, p. 106)
Five Key Regulatory Requirements
- Identifying operational risks
- Assessing the size of operational risks
- Monitoring and controlling operational risks
- Mitigating operational risks
- Calculating capital to protect from operational risk losses
Quantitative and Qualitative Approaches
Quantitative: Basel II requires capital to be held for operational risk. There are several possible calculation methods for that capital.
Qualitative: Banks must also demonstrate that they are effectively managing their operational risk. Pillar 2 of Basel II:
736. Operational risk: The Committee believes that similar rigour should be applied to the management of operational risk, as is done for the management of other significant banking risks …
737. A bank should develop a framework for managing operational risk and evaluate the adequacy of capital given this framework. The framework should cover the bank’s appetite and tolerance for operational risk, as specified through the policies for managing this risk, including the extent and manner in which operational risk is transferred outside the bank. It should also include policies outlining the bank’s approach to identifying, assessing, monitoring, and controlling/mitigating the risk.
Qualitative Elements
- Risk Appetite
- Policies: Policies must be written that outline the bank’s approach to “identifying, assessing, monitoring, and controlling/mitigating” operational risk.
- ORM Tools:
  - Loss data collection programs
  - Risk and controls self-assessments
  - Scenario analysis activities
  - Key risk indicators
  - Reporting
Drivers of Operational Risk Management
Three main sources:
- Regulators
- Senior management, who need to:
  - Be fully informed of the risks that face the firm, including operational risk exposures.
  - Avoid bad surprises.
  - Make strategic business decisions fully informed of the operational risk implications.
- Third parties: ratings agencies, investors, and research analysts. They often ask for evidence that:
  - An effective operational risk framework is in place.
  - Sufficient capital is being held to protect a firm from a catastrophic operational risk event.
Enterprise Risk Management = All Three
Overview of the Operational Risk Framework
An operational risk program should ensure that operational risk is:
- Identified
- Assessed
- Monitored and controlled
- Mitigated
“Sound Practices for the Management and Supervision of Operational Risk”
Guidelines for best practices for operational risk departments. The framework should:
- Fit with the culture of the bank.
- Reflect best practice in the industry.
Source: Sound Practices for the Management and Supervision of Operational Risk, Risk Management Group of the Basel Committee on Banking Supervision (2011)
Framework Elements
The main data building blocks of an operational risk framework are:
- Loss data collection
- Risk and control self-assessment
- Scenario analysis
- Key risk indicators
The framework must also address:
- Governance
- Policies and procedures
- Change
- Risk appetite
- Capital modeling
- Risk reporting
An Operational Risk Framework
[Framework diagram; elements shown: Scenario Analysis, Policies and Procedures, Key Risk Indicators, Culture and Awareness, RCSA*, Internal Loss Data, External Loss Data, Measurement and Modeling, Reporting, Governance and Organization, Risk Appetite]
* Risk and Control Self-Assessment
The Foundations of the Framework
- Governance: Escalation of risk. Who owns the operational risk functions? What do the operational risk functions own?
- Culture and awareness: Training, marketing, and building a brand for the operational risk function.
- Policies and procedures
- Risk appetite
The Four Data Building Blocks
- Loss data collection
  - Internal loss data
  - External loss data
- Risk and control self-assessment
- Scenario analysis
- Key risk indicators
The Outputs of the Framework
- Measurement and modeling
- Reporting
Key Points
The main building blocks of an operational risk framework are:
- The foundations:
  - Governance
  - Culture and awareness
  - Policy and procedure
- The four data elements:
  - Loss data collection, including internal loss data and external loss data
  - Risk and control self-assessment
  - Scenario analysis
  - Key risk indicators
- The key outputs:
  - Measurement and modeling
  - Reporting
The framework operates under the firm’s stated risk appetite.
Real world: JPMorgan Chase
The London Whale Event
Real World examples
- Earthquakes: Haiti, Chile, Japan, Pacific Northwest
- Volcanic ash
- East Coast power grid failure/Hurricane Sandy
- Joplin tornadoes
- Times Square bomb
- BP Gulf oil spill
- Hurricane Katrina
- 2008, 2011 Mumbai hotel bombs
- Financial trading: Leeson/Barings, Galleon, SocGen, MH Stewart, Boesky
JPMorgan Chase: 2012
- JPMC had no treasurer in place to oversee the Chief Investment Office for five months… the previous treasurer had expressed concern about the size of the bets (NYT, FT, Bloomberg).
- The Chief Investment Officer contracted Lyme Disease and was out of office on sick leave; in-house fighting in her absence (NYT).
- Irvin Goldman, who was installed as chief risk officer for the Chief Investment Office this past February before being relieved of his duties this month, suffered between $10 million and $15 million in losses on one bet in 2008 in his prior role as a trader for the bank, these people said. J.P. Morgan halted Mr. Goldman’s trading in late 2008 and put him on leave when it learned that regulators were separately probing trading practices at Cantor Fitzgerald, where Mr. Goldman had served as an executive until late 2007, the people said (WSJ, 2013).
JPMorgan Chase 2012, continued
- It caused a crisis of confidence in CEO Jamie Dimon, which in turn has caused the stock to fluctuate.
- It shook the banking sector as well as regulators, since JPMC has been opposed to most portions of the Volcker Rule and has resisted much of the new regulation around Dodd-Frank.
- It shows dramatically how operational risk can burst into flames, particularly when executives (Dimon, Ina Drew) take their eyes off operations. She moved up to the 42nd floor, a good metaphor for what happened.
- As of the end of 2013, JPMC had a $6.2 billion loss and paid $920 million in penalties. Regulators continue to find other problems to fine or settle with the bank on.
JPMC Example: how much risk to take?
Board and executives set the tone:
- Integrity
- Ethical values
- Brand differentiators (competence)
- Establish and communicate risk management principles and objectives
- Approve an Operational Risk Management (ORM) structure with policies, procedures and governance
- Set risk appetite: what the company will not do is as important as what it will do
Why do we care about large banks?
Our government handles general safety & security, including public health and emergency services. Expectation = that government will ensure that critical infrastructure works via oversight or regulation. But the private sector owns or controls 85% of the critical infrastructure; therein lies the conundrum:
- Electricity, natural gas, oil
- Water, waste, sanitation
- Telecom & IT
- Shelter and food
- Financial services
The federal government
With thanks to “Ben’s Guide to U.S. Government”
Organizational chart: US Government (Source: Washburn University School of Law)
Three branches of government*
The U.S. Constitution defines the three branches of government:
- Executive – Article 2 defines the president’s powers
- Judicial – Article 3 defines the role of the Supreme Court
- Legislative – Article 1 vests powers in Congress
“Separation of powers,” since each branch operates independently; “checks and balances” to prevent concentration of power in any one branch and to ensure the rights of citizens:
- President can veto Congress’ bills
- President nominates the judiciary
- Supreme Court can declare a law unconstitutional
- Congress can impeach the president and judges
“This system establishes a strong central government while ensuring a balance of power.” (Ben’s Guide)
*With thanks to “Ben’s Guide to U.S. Government”
Executive departments & agencies
Department heads advise the president on policies. Independent agencies help execute policy or provide special services. Cabinet heads (Secretaries) run the departments:
Agriculture, Commerce, Defense, Education, Energy, Health & Human Services, Homeland Security, Housing & Urban Development, Interior, Justice, Labor, State, Transportation, Treasury, Veterans Affairs.
Judicial Branch: Supreme and Lower Courts
Only the Supreme Court was created in the Constitution. Congress deemed lower courts necessary and established them using its powers. Courts rule on:
- The meaning of laws
- How laws are applied
- Whether they violate the Constitution (judicial review, an implied power)
In this course, we will be interested in how court decisions affect regulation and oversight of operational risk challenges.
Legislative Branch: Senate and House of Representatives
It took a great deal of discussion and debate to create Congress in a bicameral formation to ensure checks and balances. One house (Senate) has representation that is considered equal: two senators per state. The number of senators changes only if new states are added. The other house (Representatives) has representation that is based on population. Members of both houses are elected by citizens of their state.
Legislative Agencies:
- Architect of the Capitol
- Congressional Budget Office
- Government Accountability Office
- Government Printing Office
- Library of Congress
National versus State Government
This is important to understand because the private sector must comply with both federal and state laws and regulations. Prior to the Constitution, each of the 13 colonies governed itself based on what they had lived under in England: a king, and a strong central government. State-only government was not sufficient for survival, so the Constitution outlines the limits of national government, the relationship between state and national government, and the rights of citizens no matter where in the United States they live. There are certain central benefits (common currency), but individual states make decisions on some issues (death penalty, marriage, taxes).
COSO Enterprise Risk Management
Establishing Effective Governance, Risk and Compliance Processes, Second Edition. Robert R. Moeller.
The textbook
Moeller has 25+ years of internal audit experience.
The COSO internal controls framework was established after the failure of Enron led to Sarbanes-Oxley (SOX) regulations that apply to all publicly traded companies. The COSO internal controls framework was updated after the 2008 financial crisis to create a COSO Enterprise Risk Management (COSO ERM) framework, which was published in 2011.
Moeller focuses on related pieces: Governance, Risk and Compliance (GRC). Moeller also creates an example company, Global Computer Products, to be with us through the book.
Standards, Controls and Audit
Neither government agencies nor private corporations can operate in today’s hyper-environment without compliance with standards that are set externally. Most large companies have an internal audit group, and their financial statements are also audited by external audit firms such as Deloitte or PWC so that shareholders can be confident that their investments are being well managed in compliance with Generally Accepted Accounting Principles (GAAP) and inside the guard rails of government regulation. Internal controls are critical to good risk management and effective governance. The foundation of internal controls is the COSO internal control framework.
Chapter 1 – Treadway Commission Report
1970s-80s:
- Increasing number of corporate financial failures
- High inflation
- High interest
- “Creative” accounting techniques
Most significant issue = external auditors signed off on falsified financial statements to show both financial health and positive earnings.
The National Commission was sponsored by five professional financial organizations. The Commission was named after its chair, James C. Treadway. Entire name: Committee of Sponsoring Organizations of the Treadway Commission = COSO.
COSO Internal Controls Framework
- The original focus in the COSO 1987 Treadway Commission Report was on internal control problems.
- Asked management to report on the effectiveness of their internal control systems.
- “…it emphasized the key elements of an effective system of internal controls including a strong control environment, a code of conduct, a competent and involved audit committee, and a strong management function.” (3)
- Sought a “…consistent definition of internal control” and later published those definitions in 1992 as “Internal Control-Integrated Framework.”
- Throughout the book, Moeller refers to this as COSO Internal Controls.
COSO Internal Controls Framework
- 2007 Committee of Sponsoring Organizations of the Treadway Commission (COSO) Report, “Guidance on Monitoring Internal Control Systems.”
- Three dimensional model.
- First and foremost, COSO is focused on processes, and then associates information and controls with those processes.
- Created for Treadway by Coopers & Lybrand before IT security and technology became such large issues.
- Precedes COBIT.
- CFO – SOx – COSO relationship.
COSO Internal Control Elements (5-14)
The Control Environment:
1. Integrity and Ethical Values (sample code on p. 7)
2. Commitment to Competence
3. Board of Directors and Audit Committee
4. Management’s Philosophy and Operating Style
5. Organization Structure
6. Assignment of Authority and Responsibility
7. Human Resources Policies and Practices
Risk Assessment:
1. Estimate the significance of the risk
2. Assess the likelihood or frequency of the risk occurring
3. Consider how the risk should be managed + actions to take
Three major inflection points: GRC
- Definitions varied on what constituted “risk management,” so COSO contracted in 2001 with PricewaterhouseCoopers to develop a consistent definition. The result was the COSO ERM framework, which works along with the earlier COSO Internal Controls framework. [This is the “r” portion of GRC.]
- Corporate or enterprise governance: “set of processes, customs, policies, laws and institutions affecting the way an enterprise or corporation is directed, administered or controlled.” (15) [This is the “g” portion of GRC.]
- Enterprise compliance: “being in accordance with some established guidelines, specifications or legislation.” (16) [This is the “c” portion of GRC.]
Chapter 2 – GRC Principles
Governance becomes more important as companies get larger. Rules and laws exist not only inside a particular industry or profession but also at the city, state and federal level. GRC Principles are strong tools for ERM.
- Governance = taking care of business with clear stakeholder expectations.
- Risk = risks are a natural part of corporate growth. They need to be identified at the outset and then managed.
- Compliance = ensuring that controls work and are based on laws and regulation.
Each principle has four components: strategy, processes, technology, people (ORM = people, process, systems, external events).
COBIT technology framework
“The purpose of COBIT is to provide management and business process owners with an information technology (IT) governance model that helps in delivering value from IT and understanding and managing the risks associated with IT. COBIT helps bridge the gaps amongst business requirements, control needs and technical issues. It is a control model to meet the needs of IT governance and ensure the integrity of information and information systems.” -- ISACA
Moeller: Compliance Challenges (26-28)
- New regulations keep coming along (compliance is expensive)
- Vaguely written regulations that need interpretation (Dodd-Frank is an example)
- No consensus on best practices
- Regulations overlap
- Reinterpreted or changing regulations that you already comply with
Benefits of compliance:
- Reduced total cost of ownership (invest across multiple regulations)
- Flexibility (central management)
- Competitive advantage (compliance architecture, Figure 2.4)
Next week
We’ll look at governance on the federal side first, with readings and presentations from and about the Department of Homeland Security and its 22 agencies, including FEMA:
- Where does the agency fit?
- Where does its authority come from?
- How does FEMA work with the private sector?
Please do all the reading, including the reading from this week. Please send me a short autobiography: where did you get your degree, where have you worked/interned, where would you like to be five years from now? Let me know if you have questions.
This has been a long class, to bring everyone up to speed. Immersion now = clarity down the road.