
Using Risk Management Frameworks

Date post: 05-Apr-2018
Upload: jaycreate


  • 7/31/2019 Using Risk Management Frameworks

    1/51

    Lawrence Lake

    Managing Director

    Protiviti Inc.

    Using Risk Management Frameworks

    2/51

    What are Risk Management Frameworks

    and Why have them?

    What is a Risk Control Matrix, COSO,

    COBIT, Risk Universe, Key Controls,

    Critical Controls?

    Using them in SOA, ERA or Revenue Cycle

    3/51

    Business risks are greater today than ever

    Globalization means increased exposure to international events

    Need for efficiencies, innovation and differentiation to compete

    We now know the unthinkable can happen

    Financial reporting is now a risk area

    Application is uneven at companies applying EWRM

    We live in unpredictable times

    4/51

    Why is business risk a priority?

    Points of view from a recent survey:

    Many executives see an array of ever-increasing business risks

    Business risk management practices require improvement

    Substantial revisions in business risk management have either been made or will be made

    Senior executives want more confidence that all potentially significant risks are identified and managed

    Source: FEI survey

    5/51

    Gartner reveals top five business issues

    The Gartner Group, based upon interviews and surveys:

    Cost constraints

    Security of data and privacy

    Stakeholder returns

    Managing business risk

    Innovation

    6/51

    Key indicators of need

    Management wants increased confidence that all potentially significant risks are identified and managed

    Key decisions are made without a systematic evaluation of risk and reward trade-offs

    Risk management isn't integrated with strategic and business planning

    Risks are not systematically identified, sourced, measured and managed

    Units of the organization are managing similar risks differently

    Inability to measure performance on a risk-adjusted basis

    Capital investment process requires improvement

    Increasing demands for more information relating to risks and internal controls from the board and investors

    7/51

    A common framework will accelerate progress

    We need a common language

    We need criteria against which to benchmark

    Now we can communicate more effectively

    Familiarity of concepts is useful

    Application guidance is a critical piece

    Issuance of framework is only the beginning

    8/51

    Traditional Risk Universe Framework

    9/51

    Risk Control Matrix

    Columns: Regulation | Regulatory guidance | Risk Category | Control Description | Program Type | Owner | Control Ranking | Test Plan | Tested (Y/N)

    Regulatory Control Example - Written Policies and Procedures (OIG)

    Row 1
      Regulation: OIG - Implementing Written Policies and Procedures
      Regulatory guidance: Develop and distribute written standards of conduct, as well as written policies, procedures, and protocols that verbalize the company's commitment to compliance. (section C)
      Risk Category: General
      Control Description: Vendor commitment to compliance is documented in written code of conduct document.
      Program Type: Vendor
      Owner: (blank in the extracted slide)
      Control Ranking: Primary
      Test Plan: Obtain copy of vendor compliance documentation (e.g., code of conduct)
      Tested (Y/N): (blank in the extracted slide)

    Row 2
      Regulation: as row 1
      Regulatory guidance: as row 1
      Risk Category: General
      Control Description: Vendor sign-off on program contract specifying intention to comply with TAP internal guidelines and code of conduct.
      Program Type: Pharmaceutical Manufacture
      Owner: (blank in the extracted slide)
      Control Ranking: Secondary
      Test Plan: Review contract with vendor to ensure contract exists specifying requirements and vendor signature occurs
      Tested (Y/N): (blank in the extracted slide)

    10/51

    Control Levels

    Entity-level Controls

    Entity-level controls are those controls that management relies upon to establish the appropriate tone at the top relative to financial reporting.

    An entity-level assessment for each control entity should be conducted as early as possible in the evaluation process.

    Process-Level Controls

    Process-level controls are usually directly involved with initiating, recording, processing or reporting transactions.

    General IT and Application Controls

    General IT controls typically impact a number of individual applications and data in the technology environment.

    Application controls relate primarily to the controls programmed within an application that can be relied upon to mitigate business process-level risks.

    11/51

    Control Levels: Examples of Entity-Level Controls

    COSO Component / Attributes:

    Risk Assessment: Entity-wide objectives; Activity-level objectives; Risk identification; Managing change

    Control Environment: Integrity and ethical values; Commitment to competence; Board of Directors or Audit Committee; Management's philosophy and operating style; Organizational structure; Assignment of authority and responsibility; Human resource policies and procedures

    Information and Communication: External and internal information is identified, captured, processed and reported; Effective communication down, across and up the organization

    Control Activities: Policies, procedures, and actions to address risks to achievement of stated objectives

    Monitoring: Ongoing monitoring; Separate evaluations; Reporting deficiencies

    Application: Address attributes for each COSO component. For each attribute, evaluate appropriate points of focus, as illustrated below for ONE attribute, Human Resource Policies and Procedures.

    Points of Focus:

    Is there a process for defining the level of competence needed for specific jobs, including the requisite knowledge and skills?

    Are there human resource policies and processes for acquiring, recognizing, rewarding, and developing personnel in key positions?

    Is the background of prospective employees checked and references obtained?

    Are performance expectations clearly defined and reinforced with appropriate performance measures?

    Are employee retention, promotion and performance evaluation processes effective?

    Is the established code of conduct reinforced and disciplinary action taken when warranted?

    Are everyone's control-related responsibilities clearly articulated and carried out?

    Source: Section 404 FAQs, Question 40.

    12/51

    Control Types

    Manual vs. System-based controls

    Manual controls predominantly depend upon the manual execution by one or more individuals.

    Automated controls predominantly rely upon programmed applications or IT systems to execute a step or perhaps prevent a transaction from occurring without manual decision or interaction.

    There are also system-dependent manual controls, e.g., controls that are manual (comparing one thing to another) but where what is being compared is system-generated and not independently corroborated; the manual control is therefore dependent on the reliability of system processing.

    Preventive vs. Detective controls

    Preventive controls, either people-based or systems-based, are designed to prevent errors or omissions from occurring and are generally positioned at the source of the risk within a business process.

    Detective controls are processes, either people-based or systems-based, that are designed to detect and correct an error (or fraud) or an omission in a timely manner, prior to completion of a stated objective (e.g., beginning the next transaction processing cycle, closing the books, preparing final financial reports, etc.).

    13/51

    Control Reliability

    As transaction volumes increase and calculations become more complex, systems-based controls are often more reliable than people-based controls because they are less prone to mistakes than human beings, if designed, operated, maintained and secured effectively.

    A shift toward an anticipatory, proactive approach to controlling risk requires greater use of preventive controls than the reactive find-and-fix approach embodied in a detective control.

    Effectively designed controls that prevent risk at the source free up people resources to focus on the critical tasks of the business.

    Control reliability, from more to less reliable/desirable:

    Systems-Based, Preventive Control (MORE RELIABLE/DESIRABLE)

    Systems-Based, Detective Control

    People-Based, Preventive Control

    People-Based, Detective Control (LESS RELIABLE/DESIRABLE)

    NOTE: The above framework is intended to apply to process-level controls. It does not always apply at the entity level, e.g., the internal audit function.

    14/51

    What is a Critical Control?

    Definitions:

    KEY CONTROL: An activity or task performed by management or other personnel designed to provide reasonable assurance regarding the achievement of certain objectives as well as mitigating the risk of an unanticipated outcome. Significant reliance is placed upon this control's effective design and operation.

    Upon failure of the key control, the risk of occurrence of an undesired activity would not be mitigated regardless of other controls identified. In other words, reasonable assurance of achieving the process objectives could not be obtained.

    CRITICAL CONTROL: The FIRST subset of key controls; these controls have a pervasive impact on financial reporting (segregation of duties, system and data access, change controls, physical safeguards, authorizations, input controls, reconciliations, review process, etc.) and have the most direct impact on achieving financial statement assertions. Upon failure of a critical control, the risk of occurrence of an undesired activity would not be mitigated regardless of other controls identified within ANY process. Failure of critical controls would affect the ability of management to achieve not only process objectives, but also the company's financial statement objectives.

    15/51

    Control Types

    Primary vs. secondary controls

    Primary controls are controls that are especially critical to the mitigation of risk and the ultimate achievement of one or more financial reporting assertions for each significant account balance, class of transactions and disclosure; these are the controls that managers and process owners primarily rely on.

    Secondary controls are important to the mitigation of risk and the ultimate achievement of one or more financial reporting assertions, but are not considered critical by management and process owners; while these controls are significant, there are compensating controls that also assist in achieving the assertions.

    Controls over routine processes vs. controls over non-routine processes

    Controls over routine processes are the manual and automated controls over transactions.

    Controls over non-routine processes are the manual and automated controls over estimates and period-end adjustments; these controls often address the greatest risks in the financial reporting process and are most susceptible to management override.

    16/51

    Control Levels: Examples of Common Process-Level Control Activities

    Pervasive Process-Level Controls*

    Establish and communicate objectives

    Authorize and approve

    Establish boundaries and limits

    Assign key tasks to quality people

    Establish accountability for results

    Measure performance

    Facilitate continuous learning

    Segregate incompatible duties

    Restrict process, system and data access

    Create physical safeguards

    Implement process/systems change controls

    Maintain redundant/backup capabilities

    Specific Process-Level Controls**

    Obtain prescribed approvals

    Establish transaction/document control

    Establish processing/transmission control totals

    Establish/verify sequencing

    Validate against predefined parameters

    Test samples/assess process performance

    Recalculate computations

    Perform reconciliations

    Match and compare

    Independently analyze results for reasonableness

    Independently verify existence

    Verify occurrence with counterparties

    Report and resolve exceptions

    Evaluate reserve requirements

    *Controls affecting multiple processes, including entity-level and general IT controls

    **Controls specific to a process, including programmed application controls
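    The deck names these activities but never shows what a programmed ("systems-based") version of them looks like, so the following is an added example, written for this page and not taken from the Protiviti deck. It models a payment-posting step in Python: the preventive activities above (segregate incompatible duties, establish boundaries and limits, validate against predefined parameters) are applied to each transaction at the source and a failing transaction never reaches the ledger, while the detective activities (establish processing/transmission control totals, establish/verify sequencing, perform reconciliations, report and resolve exceptions) run over the batch after the fact and can only report what has already gone wrong. That is the preventive-versus-detective distinction and the reliability ordering from the earlier Control Types and Control Reliability slides, shown in code. The roles, approval limits, approved-vendor list, transactions and the simulated transmission fault are all constructed for the example.

    ```python
    """Programmed process-level controls over a constructed batch of payment
    transactions (added example; not from the Protiviti deck). Roles, limits,
    vendors and transactions below are all assumed for illustration."""
    from collections import Counter
    from dataclasses import dataclass


    @dataclass(frozen=True)
    class Txn:
        seq: int          # transaction sequence number, contiguous within a batch
        vendor: str
        amount: float
        prepared_by: str  # user who keyed the transaction
        approved_by: str  # user who approved it


    @dataclass(frozen=True)
    class ControlTotals:
        """Record count and hash total sent by the originating system."""
        count: int
        amount: float


    # Assumed predefined parameters the preventive controls validate against.
    ROLES = {"alice": "clerk", "bob": "manager", "carol": "manager"}
    APPROVAL_LIMIT = {"clerk": 5_000.0, "manager": 50_000.0}   # boundaries and limits
    APPROVED_VENDORS = {"ACME Supply", "Globex"}


    def preventive_checks(t):
        """Systems-based preventive control: return the reasons a transaction
        must be rejected at the source; an empty list means it may post."""
        reasons = []
        if t.amount <= 0:
            reasons.append("non-positive amount")
        if t.vendor not in APPROVED_VENDORS:
            reasons.append("vendor not on approved list")
        if t.prepared_by == t.approved_by:
            reasons.append("segregation of duties: preparer cannot approve own transaction")
        role = ROLES.get(t.approved_by)
        if role is None:
            reasons.append("approver has no authorization role")
        elif t.amount > APPROVAL_LIMIT[role]:
            reasons.append("amount exceeds %s approval limit of %.2f" % (role, APPROVAL_LIMIT[role]))
        return reasons


    def post_batch(txns):
        """Apply the preventive checks to each transaction; nothing that fails
        reaches the ledger. Returns (posted, {seq: reasons}) for the exception report."""
        posted, rejected = [], {}
        for t in txns:
            reasons = preventive_checks(t)
            if reasons:
                rejected[t.seq] = reasons
            else:
                posted.append(t)
        return posted, rejected


    def detective_checks(received, expected):
        """Systems-based detective controls run over a received batch: record
        count and hash total against the sender's control totals, sequence
        verification, and duplicate detection. Returns exception findings."""
        findings = []
        if len(received) != expected.count:
            findings.append("record count %d != control count %d" % (len(received), expected.count))
        total = round(sum(t.amount for t in received), 2)
        if total != round(expected.amount, 2):
            findings.append("hash total %.2f != control total %.2f" % (total, expected.amount))
        seen = Counter(t.seq for t in received)
        for seq, n in sorted(seen.items()):
            if n > 1:
                findings.append("sequence %d received %d times" % (seq, n))
        missing = sorted(set(range(1, expected.count + 1)) - set(seen))
        if missing:
            findings.append("sequence gap: missing %s" % missing)
        return findings


    # Constructed batch as issued by the source system.
    SOURCE_BATCH = [
        Txn(1, "ACME Supply", 1200.0, "alice", "bob"),
        Txn(2, "Globex", 60000.0, "alice", "bob"),       # over the manager limit
        Txn(3, "ACME Supply", 800.0, "alice", "alice"),  # preparer approved own entry
        Txn(4, "Initech", 300.0, "alice", "carol"),      # unapproved vendor
        Txn(5, "Globex", 4500.0, "bob", "carol"),
        Txn(6, "ACME Supply", 20000.0, "carol", "bob"),
    ]
    SOURCE_TOTALS = ControlTotals(count=6, amount=86800.0)

    # Constructed transmission fault: txn 6 was lost and txn 5 delivered twice,
    # so the record count still matches but the hash total and sequencing do not.
    RECEIVED_BATCH = SOURCE_BATCH[:5] + [SOURCE_BATCH[4]]


    if __name__ == "__main__":
        posted, rejected = post_batch(SOURCE_BATCH)
        print("posted:", [t.seq for t in posted])
        for seq, reasons in rejected.items():
            print("rejected %d: %s" % (seq, "; ".join(reasons)))
        for f in detective_checks(RECEIVED_BATCH, SOURCE_TOTALS):
            print("exception:", f)
    ```

    Two things worth noticing. The preventive checks reject transactions 2, 3 and 4 before they post, so no downstream reconciliation has to catch them; the detective checks catch the lost and duplicated records only because the sender supplied an independent record count and hash total. If those control totals were themselves generated by the system under test, the reconciliation would be the system-dependent control the Control Types slide warns about, and a count-only comparison (which passes here because one record was lost and another duplicated) shows why a hash total and sequence verification are needed alongside it.
    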

    17/51

    What is the COSO ERM Framework?

    18/51

    SOA and the COSO Framework

    Complying with SOA Section 404 in the Context of the COSO Framework

    The COSO Framework is recommended by the SEC as an accepted internal control framework to guide corporate compliance with SOA Section 404. COSO requires an entity-level (or "tone at the top") internal control focus and an activity- or process-level focus (the right side of the cube), with the three objectives of effectiveness and efficiency of operations (including safeguarding of assets), reliability of financial reporting, and compliance with applicable laws and regulations (across the top of the cube).

    Our approach captures the five components of internal control: the control environment, risk assessment, control activities, information/communication, and monitoring.

    19/51

    The COSO ERM Framework

    Began over four years ago

    COSO concluded a broadly recognized common structure for ERM is needed

    Framework developed through input from many sources, including members of the five COSO organizations

    Originally authored by PwC

    COSO-appointed advisory council provided input and guidance to the process

    20/51

    The COSO ERM Framework

    Was initiated in May 2001, before the events leading to the Sarbanes-Oxley Act of 2002

    Speaks to many of the issues currently facing organizations:

    How does an organization determine the appropriate level of risk for the value it seeks to create for stakeholders?

    How does an organization communicate its risk policy to stakeholders?

    Final Version released September 2004

    21/51

    The COSO ERM Framework

    Details essential components and concepts of enterprise risk management for all organizations, regardless of size

    Identifies the interrelationships between enterprise risk management and internal control

    Is intended to be a comprehensive and holistic approach

    Is intended for application across many sectors and organizations

    22/51

    ERM provides a pathway for supporting ongoing compliance AND moving beyond compliance

    An enterprise-wide risk assessment process feeds newly emerging risks into the disclosure process on a more timely basis

    ERM builds upon the disclosure infrastructure to broaden the focus on transparency beyond financial reporting

    ERM instills the discipline needed to continuously improve risk management capabilities

    The COSO ERM Framework:

    Provides a much needed common language

    Illustrates how ERM is built around the Internal Control - Integrated Framework

    23/51

    The COSO Framework provides an understanding of the components of ERM

    Enterprise Risk Management:

    Is a process

    Is effected by people

    Is applied in strategy setting

    Is applied across the enterprise

    Is designed to identify potential events

    Manages risks within risk appetite

    Provides reasonable assurance

    Supports achievement of objectives

    [Figure: the COSO ERM cube. Components (front face): Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring. Objective categories (top face): Strategic, Operations, Reporting, Compliance. Organizational levels (side face): Entity-level, Division, Business Unit, Subsidiary.]

    Source: COSO proposed ERM Framework

    24/51

    The COSO ERM Framework: Internal Environment

    [Figure: ERM cube with the Internal Environment component highlighted]

    Risk management philosophy

    Risk culture

    Board of directors

    Integrity and ethical values

    Commitment to competence

    Management's philosophy and operating style

    Risk appetite

    Organizational structure

    Assignment of authority and responsibility

    Human resources policies and practices

    Key points:

    Reinforces control environment

    Adds key risk elements

    Source: COSO proposed ERM Framework

    25/51

    The COSO ERM Framework: Objective Setting

    [Figure: ERM cube with the Objective Setting component highlighted]

    Strategic objectives

    Related objectives

    Selected objectives

    Risk appetite

    Risk tolerance

    Key points:

    Integration with strategic management

    Integration with business planning (operations)

    Integration with performance measurement

    Integration with compliance function

    Source: COSO proposed ERM Framework

    26/51

    The COSO ERM Framework: Event Identification

    [Figure: ERM cube with the Event Identification component highlighted]

    Events

    Factors influencing strategy and objectives

    Methodologies and techniques

    Event interdependencies

    Event categories

    Risks and opportunities

    Key points:

    Focus on objectives

    Need a common language

    Group into families

    Understanding interdependencies is the foundation for model building

    Source: COSO proposed ERM Framework

    27/51

    The COSO ERM Framework: Risk Assessment

    [Figure: ERM cube with the Risk Assessment component highlighted]

    Inherent and residual risk

    Likelihood and impact

    Methodologies and techniques

    Correlation

    Key points:

    Focus on events

    Need a common process

    Correlations enable more effective measurement

    Source: COSO proposed ERM Framework

    28/51

    Prioritize Risks

    29/51

    The COSO ERM Framework: Risk Response

    [Figure: ERM cube with the Risk Response component highlighted]

    Identify risk response

    Evaluate possible risk responses

    Select responses

    Portfolio view

    Key points:

    Several responses available

    Choices are strategic and tactical

    This makes risk management real to operators

    Source: COSO proposed ERM Framework

    30/51

    The COSO ERM Framework: Control Activities

    [Figure: ERM cube with the Control Activities component highlighted]

    Integration with risk response

    Types of control activities

    General controls

    Application controls

    Entity specific

    Key points:

    Integral to risk response

    Similar to integrated framework

    Emphasize preventive and systems-based controls

    Source: COSO proposed ERM Framework

    31/51

    The COSO ERM Framework: Information & Communication

    [Figure: ERM cube with the Information & Communication component highlighted]

    Information

    Strategic and integrated systems

    Communication

    Key points:

    Similar to integrated framework but expanded focus

    Source: COSO proposed ERM Framework

    32/51

    The COSO ERM Framework: Monitoring

    [Figure: ERM cube with the Monitoring component highlighted]

    Separate evaluations

    Ongoing evaluations

    Key points:

    Similar to integrated framework but expanded focus

    Source: COSO proposed ERM Framework

    33/51

    The COSO ERM Framework: What's the message?

    There are a multitude of possible elements that make up an ERM solution; the COSO framework lists many of these elements

    Companies have different objectives, strategies, structure, culture, risk appetite and financial wherewithal -- no two ERM solutions are alike

    The specific policies, processes, skill sets, reports, methodologies and systems comprising the elements defining the solution for one company may differ from another company

    Companies looking for off-the-shelf ERM solutions are setting themselves up for disappointment in terms of what they find or the results they get

    34/51

    Recognize that ERM is a journey, not a destination, and requires a change process

    [Figure: questions arranged around an "Achievable Goal"]

    Why do we need to begin our journey?

    Where are we now?

    What are the expected outcomes?

    How will we know we are successful?

    What elements need to be put in place?

    How do we get there?

    What are the obstacles along the way?

    35/51

    Risk management focus, scope and emphasis are often limited

    CURRENT STATE CAPABILITIES ---> FUTURE STATE VISION

    Risk Management
      Focus: Financial and hazard risks and internal controls
      Objective: Preserve enterprise value
      Scope: Treasury, insurance and operations involved
      Emphasis: Financial and operations
      Application: Selected risk areas, units and processes

    Business Risk Management
      Focus: Business risk and internal controls
      Objective: Preserve enterprise value
      Scope: Business managers accountable (risk-by-risk)
      Emphasis: Management
      Application: Selected risk areas, units and processes

    Enterprise Risk Management
      Focus: Business risk and internal controls
      Objective: Create and preserve enterprise value
      Scope: Strategy, people, process, technology and knowledge aligned to manage risk on an enterprise-wide basis
      Emphasis: Strategy
      Application: Enterprise-wide

    36/51

    Know Your End Game: The journey can start with SOA

    [Figure: value contributed and sustainability of the control structure plotted against time, rising through four stages. Recoverable labels follow.]

    Stages, from required to voluntary:

    Section 404 Compliance (INDUSTRY -- All)

    Section 404 and 302 Integration / Other Compliance (INDUSTRY -- Health care, FSI)

    Operational Effectiveness and Efficiency (INDUSTRY -- All)

    Enterprise Risk Management (INDUSTRY -- All)

    DRIVERS listed on the slide: Comply with SOA; Comply with SOA; Comply with other regulations; Reinforce process owner accountability; Identify areas to address; Improve quality; Reduce costs; Compress time; Improve governance; Improve risk evaluation; Improve strategy setting; Achieve business objectives

    Other labels on the slide: Required; Voluntary; Self-Assessment; Comply with 302 and 404; Improve Quality, Cost and Time; Implement Ongoing Compliance Structure; Protect and Enhance Enterprise Value

    37/51

    COBIT's Control Framework

    Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives

    Promotes process focus and process ownership

    Divides IT into 34 processes belonging to four domains and provides a high-level control objective for each

    Looks at fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT

    Is supported by a set of over 300 detailed control objectives

    Four domains: Planning; Acquiring & Implementing; Delivery & Support; Monitoring

    Seven information criteria: Effectiveness; Efficiency; Availability; Integrity; Confidentiality; Reliability; Compliance

    38/51

    The CobiT Framework's Principles

    [Figure: triangle linking Business Requirements, IT Processes and IT Resources]

    39/51

    The CobiT Frameworks Principles

    40/51

    COBIT Cube

    [Figure: the COBIT cube. One face is the Information Criteria; one is IT Processes, at the levels of Domains, Processes and Activities; the third is IT Resources: People, Application Systems, Data, Technology, Facilities.]

    41/51

    Sarbanes-Oxley, COSO and CobiT

    [Figure: the COSO components (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring) mapped against the COBIT objectives (Plan and Organize; Acquire and Implement; Deliver and Support; Monitor and Evaluate), with Sarbanes-Oxley Sections 302 and 404 overlaid.]

    IT controls should consider the overall governance framework to support the quality and integrity of information.

    Competency in all five layers of COSO's framework is necessary to achieve an integrated control program.

    Controls in IT are relevant to both the financial reporting and the disclosure requirements of Sarbanes-Oxley.

    42/51

    Implementing an ERM Framework: What Do We Need?

    43/51

    Following is an illustrative approach for facilitating a change process

    The objective is to craft a future goal state for risk management within the organization and sustain the journey toward realizing that goal

    Define and implement the ERM solution:

    Define Project Scope

    Create ERM Vision

    Build ERM Business Case

    Manage ERM Journey

    Continuously Improve ERM Capabilities

    44/51

    Define Project Scope

    Articulate the problem to be solved (the business motivation)

    Define project sponsor

    Organize working committee of senior executives

    Articulate current state

    Inventory existing risk management initiatives

    Define project scope

    45/51

    Create ERM Vision

    Define risk management vision, goals and objectives

    Define future goal state

    Understand the journey elements needed to make the future state happen:

    Foundation elements

    Process elements

    Enhancement elements

    46/51

    Identify the relevant journey elements

    Categories of ERM Journey Elements

    [Figure: staircase of INCREASING RISK MANAGEMENT CAPABILITIES rising toward the EWRM Value Proposition]

    FOUNDATION ELEMENTS: Adopt common language; Establish oversight and governance

    PROCESS ELEMENTS: Assess risk and develop strategies; Design/implement capabilities; Continuously improve

    ENHANCEMENT ELEMENTS: Quantify multiple risks enterprise-wide; Improve enterprise performance; Establish sustainable competitive advantage

    A journey element consists of the processes, people, reports, methodologies, technology, or a combination thereof, integrated within the ERM solution to achieve the expected outcomes specified in the business case

    47/51

    Examples of foundation elements

    Adopt common language

    Does the company have: A common language for risks and risk management?

    Possible journey elements: Risk model; Risk management glossary; Process classification scheme; Other relevant frameworks

    Possible expected outcomes: Improved dialogue about risk and its sources, drivers or root causes; More organized process for sharing of information; Increased chances of identifying all key risks; Enable people from multiple disciplines to focus on issues faster

    Establish oversight and governance

    Does the company have: Overall, an effective oversight structure and governance?

    Possible journey elements: Overall risk management policy; Top-down communications of risk management direction; Organizational oversight structure, with Board oversight; Risk management oversight committee(s) and management accountability; Designated senior executive responsible for risk management (i.e., a CRO); Integrated risk management and governance processes; Business risk management staff function

    Possible expected outcomes: Achieve clarity as to risk management role, purpose and accountabilities; Get things done quicker by executives empowered to act

    48/51

    The company's selected journey elements build COSO ERM components

    [Figure: matrix of the eight journey elements (FOUNDATION: Adopt common language; Establish oversight and governance. PROCESS: Assess risk and develop strategies; Design/implement capabilities; Continuously improve. ENHANCEMENT: Quantify multiple risks enterprise-wide; Improve enterprise performance; Establish sustainable competitive advantage) against the eight COSO ERM components (Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring). The X marks showing which element builds which component are not recoverable from the extracted text.]

    49/51

    Build ERM business case

    Articulate the ERM vision, including the desired journey elements and expected outcomes

    Describe the overall effort

    Analyze the related costs and benefits and provide the economic justification for going forward

    Provide a context for monitoring progress over time

    50/51

    Manage ERM journey

    Organize the ERM journey to understand and respond to sponsor expectations, address change issues, manage journey risks/constraints and communicate relevant messages often

    Develop journey management plan, laying out the appropriate sequence of elements

    Monitor journey performance

    Assess journey impact

    Manage discrete projects to deliver the journey elements according to the selected priority and appropriate sequence

    51/51

    Continuously improve ERM capabilities

    Continuously improve capabilities to move the company up the capability maturity curve

