BOARD of GOVERNORS State University System of Florida
www.flbog.edu

Enterprise Risk Management Integrating with Strategy and Performance: The Auditor’s Role
Joe Maleszewski, Inspector General and Director of Compliance
May 17, 2018
Presentation Outline
• Risk
• COSO
• Risk Management Frameworks
• Role of Audit
• COSO ERM Framework
• Examples
• Q&A
RISK: AS OLD AS TIME
Risk Defined
Risk is the probability that an event will occur and adversely affect the achievement of objectives.
Types of Risk: Strategic, Operational, Financial, Hazard
• Mission
• Strategic Objectives
• Internal Processes
• Systems
• People
• Legislative Budget Request
• Financial Management
• Asset Loss
• Accounting Issues
• Political Issues
• Legal Issues
• Public Relations
• Terrorism/Natural Disasters
Risk Assessment Defined
Risk Assessment is the identification and analysis of risks to the achievement of an organization's objectives for the purpose of determining how those risks should be managed.
Risk Assessment: You’re Doing it Wrong!
Risk Assessment: The Right Way!
About COSO...
• Originally formed in 1985, COSO is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management (ERM), internal control, and fraud deterrence.
> 600,000 professionals
COSO Thought Leadership
Renewed Focus on ERM
• Economic Recessions and Corporate Scandals
• Constant Change in Operational Environment – New Threats and Vulnerabilities
• Increasing Public Scrutiny
• Increasing Expectations from Government (Do More with Less)
• Increasing Compliance Requirements
ERM Milestones
YEAR   MILESTONE
1900s  Risk Management: Logical, disciplined approach to future uncertainties
1974   Gustave Hamilton Risk Management Circle
1987   COSO: Report on Fraudulent Financial Reporting
1992   COSO: Internal Controls: Integrated Framework
       Cadbury Report: Financial Aspect of Corporate Governance
       CoCo: Canadian Institute of Chartered Accountants’ Criteria for Control Framework
1993   Chief Risk Officer
1995   First Risk Management Standard: AS/NZS 4360
1996   COBIT: IT Governance
1999   GAO: Standards for Internal Control in Federal Government
2004   COSO: ERM – Integrated Framework
2009   ISO 31000: Suite of Risk Management Standards
2016   OMB: Circular A-123 requires Federal Agencies to implement ERM and Internal Controls
2017   COSO: ERM – Integrating with Strategy and Performance
TRADITIONAL RISK MANAGEMENT V. ERM
Traditional Risk Management | Enterprise Risk Management
Past-focused | Future-focused
Segmented/Siloed | Enterprise-wide
Little or no knowledge of overall organizational risks | Broad perspective on overall organizational risk
Focused on preventing loss within business unit (tactical) | Focused on enhancing value, capitalizing on opportunities, and managing all risks across entire organization (strategic)
Scope: physical and financial assets | Scope: entire asset portfolio
Siloed risk mitigation | Enterprise-wide risk mitigation
ERM PROGRAM CHARACTERISTICS
• Enterprise-wide approach
• Executive-level sponsorship
• Defined accountability
• Intentional
• Systematic and structured
• Defined risk appetite
• Establishment and communication of risk management process goals and activities
• Monitored treatment plans
RISK MANAGEMENT FRAMEWORKS
FRAMEWORK    DESCRIPTION
AS/NZS 4360  Australian and New Zealand Standard on Risk Management (1995)
ISO 31000    International Organization for Standardization (ISO) standard based on AS/NZS 4360
Key Reminders
• Each organization is unique.
• Each organization needs a tailored approach.
• ERM is not a compliance exercise.
• ERM is a mindset.
• ERM facilitates information-sharing.
• ERM facilitates decision-making.
AS/NZS Framework
ISO 31000 – Framework
Evolution of Auditing
PERIOD  MILESTONE
1941    IIA Established
1947    IIA Statement of Responsibilities
1974    IIA: First CIA Examination
1978    IIA: Audit Standards Approved
1980s   Control Focus: Audit for Compliance
1990s   Control Framework: Audit for Compliance and for Controls Environment
2000s   ERM: Audit Focus includes soft controls
2010s   ERM Maturing and Audit Focus to serve as trusted advisor on matters of risk, control, and governance.
Expanding Role of Internal Audit
[Figure: 2x2 matrix. Vertical axis: Relationship Acumen; horizontal axis: Risk, Control & Governance Expertise. Quadrants: Engaged, but Not Strategic (A Good Lunch Partner); Trusted Advisor (Seat at the Table); Capable, but Poorly Aligned (A Well Kept Secret); Assurance Provider. Diagonal arrow: Problem Solver, Insight Generator.]
Definition of Internal Auditing
• "Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes."
Governance, Control, and Risk Management
What is Expected from IA
• Greater assurances that internal controls and risk management procedures are in place and aligned with business objectives.
• Audit efforts need to be as much forward-looking as the traditional point-in-time and past-focused.
• Increased view of strategic and emerging risks.
Risk Management and Standards
• IIA Standard 2120 – Risk Management
• The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.
• 2120.C3 – When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks.
When Lines May be Blurred
• Facilitating risk assessments/workshops
• Coaching/educating management
• Coordinating ERM activities
• Maintaining the ERM framework
• ERM Champion
• Developing ERM strategy for leadership
What to Avoid
• Helps the organization set the risk appetite.
• Develops policies or risk management processes.
• Determines the appropriate risk response.
• Implements risk responses.
• Ownership/accountability for risk management functions.
Role of Audit
• Renewed Focus on ERM
  o More diverse, complex risks
  o More opportunities for IA to lead
• The Evolving Role of Internal Audit
  o Educator
  o Consultant
  o Independent assurance provider
• Drawing the Boundaries
  o Distinguish decision-making from consulting/advisory role
  o Communicate to all involved
What is ERM?
• Enterprise Risk Management (ERM) is defined by the Committee of Sponsoring Organizations (COSO) as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
ERM…
• Provides a comprehensive and systematic approach to more proactive and holistic risk management
• Provides a common lexicon of risk terminology, and provides direction and guidance for implementing ERM
• Requires that organizations examine their complete portfolio of risks, consider how those risks interrelate, and that management develop an appropriate risk mitigation approach to address these risks in a manner consistent with the organization’s strategy and risk appetite
ERM is not…
• A silver bullet to prevent risks from occurring
• A methodology or a checklist of items that need to be completed that guarantee results
• The only way organizations can take a more proactive approach to managing risk
Where’s the Value???
• The biggest value in each of these frameworks lies in their promotion of continuous improvement, diligent management practices, and ongoing monitoring.
ERM Challenges
• ERM is too costly to implement!
• Current staff already have a huge workload!
• We don’t have resources for ERM!
• How do staff know what risks they “own”?
• We already do risk assessments!
ERM Life Cycle
[Figure: cycle of Goal setting; Identify and prioritize risks; Evaluate options; Confirm next steps; Implement; Evaluate Performance; Culture, shown alongside the COSO ERM components Internal Environment; Objective Setting; Event Identification; Risk Assessment; Risk Response; Control Activities; Information & Communication; Monitoring.]
Enterprise Risk Management Framework: Integrating with Strategy and Performance (June 2017)
Enterprise Risk Management Framework: Integrating with Strategy and Performance © 2017 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.
Summary of Public Comment Feedback: Survey
• Over 200 responses – double that of the internal control update
• Over 70% of responses from individuals
• Over 50% of participation outside of North America
• Almost 50% had affiliations beyond COSO memberships
• Almost 50% of respondents had 10 or more years of risk management experience
• Positive ratings outnumbered negative ratings by 4.5:1
Summary of Public Comment Feedback: Letters
• 48 letters received – many of which demonstrated considerable investment
• Comments on concepts (flawed, missing, unnecessary) collectively represented less than 15% of the total number of comments received
• Greatest number of comments requested clarity of drafted content versus adding/deleting content
A Key Introduction…
• Our understanding of the nature of risk, the art and science of choice, lies at the core of our modern market economy
• Every choice we make in the pursuit of objectives has its risks. From day-to-day operational decisions to the fundamental trade-offs in the boardroom, dealing with uncertainty in these choices is a part of our organizational lives.
COSO ERM Framework Update
• June 2017 – COSO Board released update to 2004 Enterprise Risk Management – Integrated Framework
• Framework used widely by management to enhance organization’s ability to manage uncertainty and to consider how much risk to accept as it strives to increase value
• Initiative enhanced framework’s content and relevance in an increasingly complex business environment so that organizations can attain better value from enterprise risk management
10 Key Things to Know about the Framework
1) Provides a New Document Structure
• Framework focused on fewer components (five)
• Uses focused call-out examples to emphasize key points
• Follows the business model versus isolated risk management process
2) Introduces Principles
• 20 key principles within each of the five components
1. Exercises Board Risk Oversight – Board of directors provides oversight of strategy and carries out governance responsibilities to support management in achieving strategy and business objectives.
2. Establishes Operating Structures – Organization establishes operating structures in the pursuit of strategy and business objectives.
3. Defines Desired Culture – Organization defines desired behaviors that characterize entity’s desired culture.
4. Demonstrates Commitment to Core Values – Organization demonstrates commitment to entity’s core values.
5. Attracts, Develops, and Retains Capable Individuals – Organization committed to building human capital in alignment with strategy and business objectives.
6. Analyzes Business Context – Organization considers potential effects of business context on risk profile.
7. Defines Risk Appetite – Organization defines risk appetite in context of creating, preserving, and realizing value.
8. Evaluates Alternative Strategies – Organization evaluates alternative strategies and potential impact on risk profile.
9. Formulates Business Objectives – Organization considers risk while establishing business objectives at various levels that align and support strategy.
10. Identifies Risk – Organization identifies risk that impacts performance of strategy and business objectives.
11. Assesses Severity of Risk – Organization assesses risk severity.
12. Prioritizes Risks – Organization prioritizes risks as basis for selecting risk responses.
13. Implements Risk Responses – Organization identifies and selects risk responses.
14. Develops Portfolio View – Organization develops and evaluates portfolio view of risk.
15. Assesses Substantial Change – Organization identifies and assesses changes that may substantially affect strategy and business objectives.
16. Reviews Risk and Performance – Organization reviews entity performance and considers risk.
17. Pursues Improvement in Enterprise Risk Management – Organization pursues improvement of enterprise risk management.
18. Leverages Information Systems – Organization leverages entity’s information and technology systems to support enterprise risk management.
19. Communicates Risk Information – Organization uses communication channels to support enterprise risk management.
20. Reports on Risk, Culture, and Performance – Organization reports on risk, culture, and performance at multiple levels and across entity.
3) Incorporates New Graphics
• Graphic has stronger ties to the business model
4) Focuses on Integration
• Integrating ERM with business practices results in better information that supports improved decision-making and leads to enhanced performance. It helps organizations to:
  o Anticipate risks earlier or more explicitly, opening up more options for managing the risks
  o Identify and pursue existing and new opportunities
  o Respond to deviations in performance more quickly and consistently
  o Develop and report a more comprehensive and consistent portfolio view of risk
  o Improve collaboration, trust, and information-sharing
5) Emphasizes Value
• Enhances value focus – how entities create, preserve, and realize value
• Embeds value throughout the framework, as evidenced by its:
  o Prominence in core definition of enterprise risk management
  o Extensive discussion in principles
  o Linkage to risk appetite
  o Focus on the ability to manage risk to acceptable levels
6) Links to Strategy
• Explores strategy from three perspectives:
  o Possibility of strategy and business objectives not aligning with mission, vision and values
  o Implications from the strategy chosen
  o Risk to executing the strategy
7) Links to Performance
• Enables achievement of strategy by actively managing risk and performance
• Focuses on how risk is integral to performance by:
  o Exploring how enterprise risk management practices support risk identification and assessment that impact performance
  o Discussing tolerance for variations in performance
• Manages risk in the context of achieving strategy and business objectives – not as individual risks
8) Recognizes Importance of Culture
• Addresses the growing focus, attention and importance of culture within enterprise risk management
• Influences all aspects of enterprise risk management
• Explores culture within broader context of overall core
• Depicts culture behavior within a risk spectrum
• Explores possible effects of culture on decision-making
• Explores alignment of culture between individual and entity behavior
9) Focuses on Decision-making
• Explores how enterprise risk management drives risk-aware decision-making
• Highlights how risk awareness optimizes and aligns decisions impacting performance
• Explores how risk-aware decisions affect risk profile
10) Builds Links to Internal Control
• Document does not replace the Internal Control – Integrated Framework
• The frameworks are distinct and complementary
• Both use a components-and-principles structure
• Aspects of internal control common to enterprise risk management are not repeated
• Some aspects of internal control are developed further in this framework
Who Uses ERM?
TRADITIONAL RISK MANAGEMENT V. ERM
Traditional Risk Management | Enterprise Risk Management
Segmented | Enterprise-wide
Department-driven risk approach | Board-driven risk approach
Little or no knowledge of overall organizational risks | Broad perspective on overall organizational risk
Focused on preventing loss within the business unit (tactical) | Focused on enhancing value, capitalizing on opportunities, and managing all risks across the entire organization (strategic)
Scope: physical and financial assets | Scope: entire asset portfolio
Siloed risk mitigation | Enterprise-wide risk mitigation
ERM PROGRAM CHARACTERISTICS
• Enterprise-wide Approach
• Executive-level Sponsorship
• Defined Accountability
• Intentional
• Systematic and Structured
• Defined Risk Appetite
• Establishment and Communication of Risk Management Process Goals and Activities
• Monitored Treatment Plans
SUS RISK MANAGEMENT SURVEY RESULTS
[Chart: percent of SUS institutions reporting each practice (values shown range from 25% to 100%): Traditional risk management; Communicate risks to senior management; Enterprise-level risk inventory; Board-level committee responsible for risk management; Management-level risk committee; ERM governing document; Board of Trustees communicates Risk Appetite.]
HIGHLIGHTED BEST PRACTICES
University  Best Practices
FIU         • Enterprise Risk Management Framework (23 pages)
            • Executive ERM sponsor
UWF         • Risk and Compliance Council (with Charter)
            • Annual risk heat matrix
USF         • Triennial enterprise-wide risk assessment (2011)
            • Risk mitigation follow-up in years 2 and 3
RISKS IDENTIFIED
• Mental Health Counseling
• Campus Safety
• Cloud Computing
• PBF Data and Metrics
• Facilities Infrastructure
• Sliding Enrollments
• Cost and Access
• Delivering Value
• Campus Climate
• Cybersecurity/Cyberterrorism
• Academic Freedom & Free Speech
• Achieving and Maintaining Diversity
• Speed of Growth
• Regulation Compliance
• Legislation/Regulation Complexity
• Cost of Faculty/Staff Recruitment
• Meeting University's Mission
Risk Maturity
University of Alberta Statement of Risk Tolerance
The University acknowledges that there is an element of risk in any decision or activity and encourages risk taking when the risk is appropriately managed. This Statement, which is to be applied at the institutional level, explains a critical component of the University’s risk management framework by attempting to quantify the level of risk the University is willing to tolerate across the following vital areas:
• Reputation
• Infrastructure (financial and physical)
• Education/Research
• Human Resources
• Safety/Security
Quantifying Risk Level
• University of Alberta Statement of Risk Tolerance (cont’d):
• In the University’s risk framework, the level of risk is quantified by combining the likelihood of a negative event or condition occurring and the consequence of that event or condition.
• Assisted by the tables below, the decision maker estimates likelihood on a scale from “rare” to “almost certain,” and consequence on a scale from “negligible” to “high,” then determines the overall level of risk by placing them in the matrix that follows.
Likelihood of Event or Condition Occurring
Consequence of Event or Condition Occurring
• REPUTATION
Consequence of Event or Condition Occurring
• INFRASTRUCTURE (FINANCIAL OR PHYSICAL)
The Matrix
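Worked example added here (not from the presentation or from the University of Alberta): a small Python implementation of the likelihood-by-consequence lookup the statement describes, applied to a constructed register that borrows risk names from the SUS "Risks Identified" slide. Only the scale endpoints ("rare" to "almost certain", "negligible" to "high") come from the statement; the intermediate labels, the matrix contents, the overall level names and the per-area tolerance ceilings are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Rating scales. The endpoints come from the Statement of Risk Tolerance quoted
# above; the intermediate labels are ASSUMED for this example.
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
CONSEQUENCE = ["negligible", "low", "moderate", "high"]
# Overall risk levels, least to most severe (ASSUMED labels).
LEVELS = ["low", "medium", "high", "extreme"]

# ASSUMED matrix: one row per likelihood (rare .. almost certain),
# one column per consequence (negligible .. high).
MATRIX = [
    ["low",    "low",    "medium",  "high"],     # rare
    ["low",    "low",    "medium",  "high"],     # unlikely
    ["low",    "medium", "high",    "extreme"],  # possible
    ["medium", "medium", "high",    "extreme"],  # likely
    ["medium", "high",   "extreme", "extreme"],  # almost certain
]


def _index(scale: List[str], label: str, name: str) -> int:
    """Map a rating label to its position on a scale; reject labels not on it."""
    key = label.strip().lower()
    if key not in scale:
        raise ValueError(f"unknown {name} rating {label!r}; expected one of {scale}")
    return scale.index(key)


def risk_level(likelihood: str, consequence: str) -> str:
    """Combine likelihood and consequence by placing them in the matrix."""
    row = _index(LIKELIHOOD, likelihood, "likelihood")
    col = _index(CONSEQUENCE, consequence, "consequence")
    return MATRIX[row][col]


@dataclass
class Risk:
    name: str
    area: str          # one of the statement's vital areas, e.g. "Safety/Security"
    likelihood: str
    consequence: str

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.consequence)


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Most severe first; ties broken by likelihood, then consequence."""
    return sorted(
        risks,
        key=lambda r: (LEVELS.index(r.level),
                       _index(LIKELIHOOD, r.likelihood, "likelihood"),
                       _index(CONSEQUENCE, r.consequence, "consequence")),
        reverse=True,
    )


def exceeds_tolerance(risk: Risk, tolerance: Dict[str, str]) -> bool:
    """True when the risk's level is above the level tolerated for its area.

    `tolerance` maps a vital area to the highest overall level accepted there
    (ASSUMED values; the statement sets its own per area)."""
    if risk.area not in tolerance:
        raise KeyError(f"no tolerance defined for area {risk.area!r}")
    return LEVELS.index(risk.level) > LEVELS.index(tolerance[risk.area])


# Constructed register: names from the SUS slide, ratings invented for the example.
REGISTER = [
    Risk("Cybersecurity/Cyberterrorism", "Infrastructure", "likely", "high"),
    Risk("Campus Safety", "Safety/Security", "possible", "high"),
    Risk("Cloud Computing", "Infrastructure", "possible", "moderate"),
    Risk("Sliding Enrollments", "Reputation", "unlikely", "moderate"),
]
# ASSUMED per-area tolerance ceilings.
TOLERANCE = {"Infrastructure": "high", "Safety/Security": "medium", "Reputation": "medium"}


def over_tolerance(risks: List[Risk] = REGISTER,
                   tolerance: Dict[str, str] = TOLERANCE) -> List[str]:
    """Names of risks above the tolerance for their area, most severe first."""
    return [r.name for r in prioritize(risks) if exceeds_tolerance(r, tolerance)]


if __name__ == "__main__":
    for r in prioritize(REGISTER):
        flag = "EXCEEDS TOLERANCE" if exceeds_tolerance(r, TOLERANCE) else "within tolerance"
        print(f"{r.level:8} {r.name:32} {flag}")
```

Risks that land above the tolerated level for their area are the ones that need a treatment plan, which is what the next slide takes up.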
Treating Risk
Summary
• Risk
• COSO
• Risk Management Frameworks
• Role of Audit
• COSO ERM Framework
• Examples
• Q&A
Resources
Agency | Resource
AGA’s ERM Resources | https://www.agacgfm.org/ERMhub?utm_source=Informz&utm_medium=Email&utm_campaign=AGA+Communications
Institute of Management Accountants | ERM Implementation Tools and Techniques publication: https://www.imanet.org/insights-and-trends/risk-management/test?ssopc=1
OMB Circular No. A-123 for ERM implementation for federal programs | Circular: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2016/m-16-17.pdf
 | Summary: https://www2.deloitte.com/us/en/pages/public-sector/articles/navigating-the-revised-omb-circular-a-one-two-three.html
COSO Updated ERM Framework | https://www.coso.org/Pages/default.aspx
ISO 31000:2009 | https://www.iso.org/standard/43170.html
AS/NZS 4360 | https://www.standards.govt.nz/search-and-buy-standards/standards-information/risk-managment/
Questions/Comments