OMB Circular No. A-123: Management’s Responsibility for Enterprise Risk Management and Internal Control

Posted on 12-Mar-2018

Council of the Inspectors General on Integrity and Efficiency
Federal Audit Executive Council Annual Conference, September 26, 2017

From 1-2-3 to E-R-M

Opening Remarks

CXO/Operations Support

Current Risk Environment Facing Federal Government

•  The Federal government is facing greater change than at any other point in time
•  Current budget realities mean government agencies compete for limited resources as never before
•  Budgets will go to those who best show value
•  There is greater scrutiny and expectations from internal and external stakeholders for agencies to respond to risk faster and more effectively
•  The continual focus of risk management on financial areas has limited the broader considerations of risk within organizations

Major Management Challenges: Could they have been avoided? Could the impact have been minimized and more manageable? What will be next?

Enterprise Risk Management and Internal Control

Risk is the effect of uncertainty on objectives. It is typically addressed within functional, programmatic, or organizational silos.

Enterprise Risk Management is: “a discipline that addresses the full spectrum of an organization’s risks, including challenges and opportunities, and integrates them into an enterprise-wide, strategically aligned portfolio view. ERM contributes to improved decision-making and supports the achievement of an organization’s mission, goals, and objectives.”

Internal Control is a process effected by an entity’s oversight body, management and personnel that provides reasonable assurance that the objectives of an entity will be achieved. (GAO Green Book) A process to help achieve objectives. (GAO Green Book) In other words, things you do to make sure good things happen and bad things don’t.

Internal Control System is a continuous built-in component of operations, effected by people, that provides reasonable assurance, not absolute assurance, that an entity’s objectives will be achieved. (GAO Green Book)

Outcomes:
•  An increased likelihood of successfully delivering on agency goals and objectives.
•  Fewer unanticipated outcomes encountered.
•  Better assessment of risks associated with changes in the environment.

Background and Context

The Decision We Made

From:
•  Compliance with New GAO Internal Control Standards
•  Treating Risk as only Negative
•  Heavy Emphasis on Financial Reporting
•  Regarding Risk Management as Separate
•  Check the Box on 3 Year A-123 Assessments

To:
•  Risk Based Approach with New Internal Control Standards
•  Treating Risk as Positive (i.e., opportunity) and Negative
•  Balanced Emphasis on Financial Reporting
•  Integrating Risk Management and Internal Control
•  Manage Risks Across Silos

ERM and Internal Controls: The Cube Version

[Figure: two cubes side by side. Left: A-123 Section II Update (Enterprise Risk Management), source: based on COSO. Right: A-123 Section III Update (Internal Controls), source: GAO Green Book.]

COSO ERM cube. Components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, Monitoring. Levels of organizational structure: Entity-Level, Division, Business Unit, Subsidiary.

GAO Green Book cube. Components of Internal Control: Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring. Levels of organizational structure: Entity, Division, Operating Unit, Function.

Expanding on the Green Cube To Include ERM

[Figure: the Green Book cube (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring; levels Entity, Division, Operating Unit, Function) extended with the ERM components Objective Setting, Event Identification and Risk Response.]

•  2016 Update to A-123, Internal Controls: the organization of internal controls as introduced in the 2014 Green Book
•  2017 Requirements to A-123, Incorporating Strategic Objectives: the inclusion of a strategic process to risk management and internal control
•  2017 Requirements of A-123, Expansion of Risk Assessment: the introduction and refinement of ERM components to be integrated into existing internal control processes

Enterprise Risk Management Model

Overview:
•  7 Cyclical Components: Establish the Context; Identify Risks; Analyze and Evaluate; Develop Alternatives; Respond to Risks; Monitor and Review; Continuous Risk Identification and Assessment
•  3 Enterprise Components: Communicate and Learn; Extended Enterprise; Risk Environment/Context

[Figure: Illustrative Example of an Enterprise Risk Management Model. A cycle of 1. Establish Context, 2. Identify Risks, 3. Analyze and Evaluate, 4. Develop Alternatives, 5. Respond To Risks, 6. Monitor and Review, together with Communicate and Learn.]

What Is Required by A-123 to Implement ERM?

•  Risk Profiles: Establish a “risk profile” with the following components:
   •  Identification of Objectives
   •  Identification of Risk
   •  Inherent Risk Assessment
   •  Current Risk Response
   •  Residual Risk Assessment
   •  Proposed Risk Response
   •  Proposed Risk Response Category

•  Integration: Risk profiles to be integrated with management evaluation of Internal Control (Reasonable Assurance Process)

•  Governance: Agencies must establish an ERM governance structure.
   •  Agencies have discretion and flexibility in overall governance structure.
   •  Should be led by high ranking policy official, COO or equivalent.
   •  Agencies may establish a Chief Risk Officer, but are not required to.
   •  Should include a process for considering risk appetite and risk tolerance.

ERM Implementation Plans

Revised OMB Circular A-123 ERM Implementation: Agencies are encouraged (not required) to develop an approach to implement Enterprise Risk Management.

Initial Risk Profile (as soon as practicable, prior to June ’17): Agencies must complete their initial risk profiles in coordination with the agency Strategic Reviews. Key findings should be made available for discussion with OMB as part of the Agency Strategic Review meetings and/or FedSTAT.

Integration with Management Evaluation of Internal Control (Sept ’17): For those risks for which formal internal controls have been identified as part of the Initial Risk Profile in FY 2017, assurances on internal control processes must be presented in the Agency FY 2017 Annual Financial Report (AFR) or Performance and Accountability Report (PAR).

Updated Risk Profile (annually, June 3, 20XX): No less than annually, agencies must prepare a complete risk profile and include required risk components and elements required by this guidance. CFO Act Agencies, at a minimum, must complete their risk profiles in coordination with the agency Strategic Review. For these Agencies, key findings should be made available for discussion with OMB by June 3rd as part of the Agency Strategic Review meetings and/or FedSTAT.

Creating an Enterprise-Level Risk Profile

Agencies have discretion in terms of content and format for their Risk Profiles; however, in general risk profiles should include the following components:

•  Identification of Objectives
•  Identification of Risk
•  Inherent Risk Assessment
•  Current Risk Response
•  Residual Risk Assessment
•  Proposed Risk Response
•  Proposed Risk Response Category

Risk Profile: An Illustrative Example

[Figure: an illustrative risk profile. Policy/Guidance sources: A-11, A-123, Green Book, Playbook. Columns: Management Challenge, Strategic Objective, Risk Response, Chief Risk Officer (CRO). Risk ratings: Low Risk, Medium Risk, High Risk. Organizations shown: Chief Risk Officer, CFO Organization, HR Organization, PIO Organization, CAO Organization.]

ERM Key Terminology

Risk Appetite: “The broad-based amount of risk an organization is willing to accept in pursuit of its mission/vision. It is established by the organization’s most senior level leadership and serves as the guidepost to set strategy and select objectives.”

Risk Tolerance: “The acceptable level of variance in performance relative to the achievement of objectives. It is generally established at the program, objective or component level. In setting risk tolerance levels, management considers the relative importance of the related objectives and aligns risk tolerance with risk appetite.”

Heat Map – Illustrative Example

ERM Key Terminology

•  Portfolio View of Risk: “Provides insight into all areas of organizational exposure to risk (such as reputational, programmatic performance, financial, information technology, acquisitions, human capital, etc.), thus increasing an Agency’s chances of experiencing fewer unanticipated outcomes and executing a better assessment of risk associated with changes in the environment.”

ERM Implementation Playbook

Playbook Purpose: To provide an ERM Framework and practical guidance to support A-123 compliance and effective ERM implementation across agencies.

ERM Playbook Steering Committee: Set project policy and established the timeline for the project.

ERM Playbook Working Group: Implemented the project goals set by steering committee and keyed up decisions and recommendations for the Steering Committee.

Multi-disciplinary representation from across the federal government; over twenty federal agencies represented:
✓  Financial Management
✓  Procurement
✓  Risk Management
✓  Performance Management
✓  Grants Management
✓  Federal Credit
✓  Internal Controls
✓  Human Capital
✓  IT

Access the Playbook at these websites:
CFO Council: www.cfo.gov
AFERM: www.aferm.org

OMB Circular A-123 and Playbook Outreach Efforts and Major Milestones

[Figure: timeline from April 2016 through August 2017 and beyond, marking government events, public events, A-123 deliverables and completed events. The recoverable labels follow, with dates as they appear in the figure (month/day); the year is not recoverable from the extracted text except where stated.]

Major milestones and A-123 deliverables:
•  7/15 – A-123 Public Release
•  7/29 – Release ERM Implementation Playbook 1.0
•  6/3/2017 – Initial Risk Profile (All agencies)
•  6/30 – Initial Agency Reform Plans, Maximizing Employee Performance under M-17-22
•  9/15/2017 – Integration of ERM and Internal Control (2017 Assurance Statements)
•  9/30 – Discussion of Key Risk Findings as part of A-11 Strategic Reviews under M-17-22 guidance
•  Release Draft President’s Management Agenda

Outreach events:
•  3/2 – Executive Council
•  3/23 – BOAC
•  3/24 – PIC
•  4/20 – AGA NM
•  4/21 – NOVA AGA Spring Training Event
•  4/24 – Performance Leads
•  4/25 – AGA Forum
•  4/27 – CIGIE GAO
•  4/27 – AGA MoCo/PG
•  4/28 – AGA NOVA
•  5/4 – AFERM Luncheon
•  5/5 – AGA Montgomery/PG County
•  5/8 – JFMIP
•  5/9 – Joint Financial Management Improvement Program
•  5/10 – Partnership IG Round Table Discussion
•  5/23 – American Assoc. for Budget & Program Analysis
•  5/24 – CAOC
•  6/2 – ASMC
•  6/15 – COFAR/FACE
•  6/17 – NAPA
•  6/22 – Small Agency Council
•  6/29 – Partnership A-123 Roll Out
•  7/7 – AFERM Luncheon/ERM Blitz
•  7/8-13 – AGA PDT Boston
•  7/14 – Potomac Forum
•  7/15 – OMB Blog Post
•  7/17-20 – AGA PDT Anaheim
•  7/24 – Performance Institute
•  8/2 – IICW
•  8/8 – AICPA Eastern Conference
•  8/9 – WG of Federal Compliance Professionals
•  8/23 – Potomac Forum
•  8/24 – AFERM Small Agencies COP
•  9/7 – AGA Hawaii Chapter
•  9/16 – ERM Town Hall
•  9/19-9/20 – AGA Internal Control and Fraud Forum
•  9/20-21 – AGA Internal Control Forum
•  9/25-9/26 – Federal Executive Audit Council
•  9/26 – DCIE Audit Committee
•  11/1-11/2 – AFERM Conference
•  11/7-8 – AFERM Summit
•  12/8 – AGA Montgomery/PG County
•  Dec – CIO Council
•  Jan – Financial Systems Summit

Agency Rollout (first series):
•  8/16 – CIGIE
•  8/30 – Treasury
•  9/21 – DOC
•  9/22 – EPA
•  9/23 – USAID
•  9/23 – TSA
•  9/26 – SBA
•  9/27 – VA
•  9/28 – NSF
•  10/3 – DOE
•  10/4 – HHS
•  10/5 – OPM
•  10/6 – NASA
•  10/12 – SSA
•  10/14 – ED
•  10/18 – PPS
•  10/19 – State
•  10/20 – DOI
•  10/21 – DOD
•  10/24 – GSA
•  10/25 – USDA
•  10/26 – HUD
•  10/27 – NRCIC
•  10/27 – DHS
•  11/1 – DOT
•  11/8 – NRC

Agency Rollout (second series):
•  3/29 – Treas
•  4/5 – NASA
•  4/26 – HUD
•  4/26 – TSA
•  8/10 – SBA
•  8/17 – ED
•  8/18 – DOD
•  8/24 – VA
•  8/25 – USDA
•  9/6 – DOE
•  9/6 – DHS
•  9/15 – GSA

Legend: Major Milestones; Government Event; Public Event; A-123 Deliverable; Completed Event.

*Known dates are provided. Approximate timeframes are provided for events which are in the planning phase.

ERM - Key Factors

•  Leadership
•  Process
•  Culture

A-123/ERM Assessments: Current Maturity

[Figure: 2×2 matrix. Horizontal axis: Less Mature to More Mature. Vertical axis (Capabilities Needed to Mature): Fewer Capabilities to Higher Capabilities.]

Less Mature, Higher Capabilities: Agencies are at early stages of implementation, but have the capabilities necessary to mature.

Less Mature, Fewer Capabilities*: Agencies are at early stages of implementation and face significant hurdles in maturing.

More Mature, Higher Capabilities: Agencies are on track. Look for best practices.

More Mature, Fewer Capabilities: Agencies have some mature processes, but capabilities hinder further progress.

*Agencies in this quadrant exhibit higher levels of component autonomy.

A New Set Of Parameters Towards a More Resilient Government

•  “Successful implementation of this Circular requires Agencies to establish and foster an open, transparent culture that encourages people to communicate information about potential risks and other concerns with their superiors without fear of retaliation or blame.”

•  “Similarly, agency managers, Inspectors General (IG) and other auditors should establish a new set of parameters encouraging the free flow of information about agency risk points and corrective measure adoption.”

•  “An open and transparent culture results in the earlier identification of risk, allowing the opportunity to develop a collaborative response, ultimately leading to a more resilient government.”

-- OMB Circular No. A-123

ERM and the Role of the Auditor

Source: Based on IIA model for internal audit role with ERM

[Figure: fan diagram of internal audit roles in ERM, grouped into core internal audit roles in regard to ERM, legitimate internal audit roles with safeguards, and roles internal audit should not undertake. Labels shown: Giving assurance on the risk management process; Giving assurance that risks are correctly evaluated; Championing establishment of ERM; Maintaining & developing the ERM framework; Coordinating ERM activities; Consolidating reporting on risks; Accountability for risk management; Implementing risk responses on management’s behalf.]

Core Internal Audit Roles in Regard to ERM

Source: Based on IIA model for internal audit role with ERM

•  Reviewing The Management Of Key Risks
•  Evaluating The Reporting Of Key Risks
•  Giving Assurance On the Risk Management Process
•  Giving Assurance That Risks Are Correctly Evaluated
•  Evaluating Risk Management Processes

Evaluating and Reviewing Established Risk Processes
•  Evaluating the agency’s established risk management processes.
•  Evaluating the agency’s efforts at reporting on key risks.
•  Providing assurances on the agency’s risk management processes.

Roles Internal Audit Should Not Undertake

Source: Based on IIA model for internal audit role with ERM

•  Setting The Risk Appetite
•  Imposing Risk Management Processes
•  Management Assurances On Risk
•  Accountability For Risk Management
•  Implementing Risk Responses On Management’s Behalf
•  Making Decisions On Risk Responses

Active Management and Ownership Over ERM
•  Making decisions and actions typically in the purview of management.
•  Taking responsibility for risk decisions and responses.
•  Giving assurances for ERM and risk responses.

Legitimate Internal Audit Roles With Safeguards

Source: Based on IIA model for internal audit role with ERM

•  Developing Risk Management For Board Approval
•  Championing Establishment of ERM
•  Maintaining & Developing The ERM Framework
•  Facilitating Identification & Evaluation Of Risks
•  Coaching Management In Responding To Risks
•  Coordinating ERM Activities
•  Consolidating Reporting On Risks

Assisting and Improving ERM Development
•  Advocating ERM as a good management tool.
•  Working with management to identify, evaluate, respond to risks.
•  Coordinating with management to develop and improve ERM frameworks.

ERM and the Role of the Auditor

Why Do Cars Have Brakes?

•  “Why does a car have brakes? A car has brakes so it can go fast. If you got into a car and you knew there were no brakes, you’d creep around very slowly. But if you have brakes you feel quite comfortable going 65 miles an hour down the street. The same is true of [risk] limits.”

-- John Reed, former CEO of Citigroup, to the Financial Crisis Inquiry Commission

Questions?

More Questions? Please contact the Office of Federal Financial Management (OFFM), Performance and Personnel Management (PPM):
Dan Kaneshiro, Daniel_S_Kaneshiro@omb.eop.gov
Mark Bussow, Mark_Bussow@omb.eop.gov