Crawford PowerPoint

Enterprise Risk Management
The Integration of Governance, Risk Management, Compliance and Culture to facilitate the achievement of goals and objectives.

Presented By
David B. Crawford, CIA, CCSA
Justina Crawford, MA, BME
JDEnterprises
[email protected]
ERM is Management 101
[Diagram: the management cycle Plan, Organize, Direct, Control, overlaid with the ERM components Goals & Objectives, Risk Assessment, Control Activities, Communication & Information, and Monitoring]
Why Implement ERM?
- Quick response to new State Government requirements
- US Sentencing Guidelines for Organizations (Compliance)
- Sarbanes-Oxley Act of 2002 (Financial Reporting)
- Transparency and Accountability (Operations and Strategic)
Benefits of ERM
- Align organization priorities from top to bottom for managing risks
- Quickly identify emerging risks and problem areas before they escalate and cause serious harm or produce negative surprises
- Respond to expectations of regulators, stakeholders, and others
- Make risk and controls understandable
- Focus efforts on important issues and concerns
ERM will CHANGE your Organizational Culture
- Ownership of risk and controls
- Questioning before acting
- Two-way communication
- Bad as well as good news
- Rapid response to changes
- Rapid response to failures in risk management
Primary ERM Process Activities
- Know the boundaries and obstacles that will have a critical effect on the achievement of objectives
- Optimize the set of strategies to minimize the effect of boundary violations and obstacle occurrences
- Perform on-going assessments of the design and application of mitigation strategies
Assurance Continuum ERM Model
- Standard risk assessment methodology
- Common risk language
- Standard tools and techniques
- Standard outputs
Risk Self Assessment Techniques
- Facilitated Workshop
  - Management Directed
  - External Facilitator Directed
- Interviews
- Questionnaires
Common Risk Language Examples
- Goals and objectives
- Business risk
- Impact
- Probability/likelihood
- Process
- Mitigation strategy
- Level 1 Controls
- Level 2 Controls
- Level 3 Controls
- Level 4 Controls
- Control footprint
- Risk footprint
- Monitoring plan
- Assurance Continuum
- On-going assurance
- Periodic assurance
- Certification
- Self-assessment workshop
Standard Tools and Techniques
- Texas Instruments' Brainstorming
- Excel Workbook
- The Levels of Control in COSO

Standard Outputs (powered by Visual Basic Macros)
- Risk Footprint
- Control Footprint
- Monitoring Footprint
Know the Boundaries and Obstacles (Risk Assessment)
- Know the desired objectives
- Inventory activities performed to achieve objectives
- Inventory risks (boundary and obstacle) associated with each activity
- Value each risk as to impact on achievement of objectives and probability of occurrence without mitigation strategies
- Produce a risk footprint
Risk Footprint
Grid of activities (rows, numbered # in the first column, with the parenthesized cross-reference numbers carried on the original slide) against risks (columns 1-9). Each cell carries a two-letter rating, Impact then Probability, each H, M or L (see Risk Ranking Characteristics).

#3 Administration (13, 15, 18, 23): Bad PR HH; Fraud HH; Staff turnover HH; Inadequate communications HM; Lawsuit, class action; Failure to comply with rules, regs, etc. MM; Contractor goes bankrupt HL; Inability to recruit qualified staff; Lack of performance by contractor MM; Operation budget shortages MM
#2 Facility (5, 6, 7, 12, 19, 20, 21, 22): Inadequate system HM; Inadequate space HM; Unhealthy environment HM; Equipment failure MM; Poor lighting ML; Unsafe building ML; Lack of sufficient storage LM; Unsafe furniture LM
#1 Security & Safety (2, 3, 4, 8, 11, 14, 16, 17): Lack of ER training HM; Lack of trained security HM; Failure to comply with regs., laws HL; Fire & acts of nature HL; Power failure ML; Riot HL; Physical attack MM; Vandalism MM; Death ML
#4 Maintenance (1, 7, 9, 10): Insecure facility HM; Unlicensed facility HM; Deferred maintenance MH; Equipment breakdown MM; Inadequate staff MM; Theft MM; Unsanitary or unhealthy environment MM; Injury or death ML; Lawsuit, individual LM

Two cell texts are truncated in the extracted slide ("Lack of ... plan or ..." and "Failure to ...") and the ratings for "Lawsuit, class action" and "Inability to recruit qualified staff" could not be tied to their cells.
Optimize the Portfolio of Mitigation Strategies (Control Optimization)
- Inventory mitigation strategies used to manage each activity row on the risk footprint
- Assign appropriate Level of Control to each mitigation strategy
- Assign inventoried strategies to identified risks
- Identify under-controlled and over-controlled risks
- Identify excess or unproductive mitigation strategies
- Optimize the mitigation strategy portfolio
Assurance Continuum
Levels of Control in COSO

On-going Assurance (Management Control Processes):
- Level 1 Controls (Execution): during execution of the event or transaction
- Level 2 Controls (Supervisory): immediately after execution of the event or transaction
- Level 3 Controls (Oversight): soon after execution of the event or transaction

Periodic Assurance (Governance Control Processes):
- Level 4 Controls (Internal Audit): pre-operations design review of on-going assurance controls, and post-operations audit of the execution of on-going assurance

Collaborative Assurance (Governance and Management Control Processes) spans the whole continuum.
Control Footprint
Activity: Maintenance (1, 7, 9, 10)
Risks across the top: Insecure facility; Unlicensed facility; Deferred maintenance; Equipment breakdown; Inadequate staff; Theft; Unsanitary or unhealthy environment; Injury or death; Lawsuit, individual
Mitigation strategies down the side, each with its Level of Control and Evidence of Control:
- Level 1: Checklist of tasks
- Level 2: Visual inspection by Supervisor
- Level 3: Spot check of equipment by Mgr. (evidence: list of equip. checked; memo to file; sign log on equip.)
- Level 1: Training of employees (evidence: training roster, certificates, curriculum)
- Level 2: Comparison of training log to list of employees (evidence: report of exceptions signed & dated)
- Level 3: Exception report to Mgr. about emps not attended (evidence: manager initials & dates with comments of actions taken)
- Level 1: Security check on staff ins & outs
- Level 3: Mgr. walkthrough
- Level 1: Preventive maintenance schedule (evidence: preventive maintenance schedule)
- Level 2: Supervisor reviews completed maintenance (evidence: Supr. signs & dates report with notes)
An X in the grid marks each risk a strategy mitigates; the individual X marks did not survive extraction.
Perform On-going Assessments
- Determine the mitigation strategies that provide the most assurance that critical risks are being managed
- Develop a monitoring plan for assessment of the proper application of planned mitigation strategies
- Perform continuous monitoring using the plan to ensure acceptable performance and desired results
Monitoring Footprint
Activity: Maintenance (1, 7, 9, 10)
The same grid as the Control Footprint (risks across the top; mitigation strategies with their Level of Control and Evidence of Control down the side, with X marks for the risks each strategy mitigates), with three monitoring columns added for each strategy: Date, Reviewer, Status.
Strategies and levels:
- Level 1: Checklist of tasks; Level 2: Visual inspection by Supervisor; Level 3: Spot check of equipment by Mgr. (evidence: list of equip. checked; memo to file; sign log on equip.)
- Level 1: Training of employees (evidence: training roster, certificates, curriculum); Level 2: Comparison of training log to list of employees (evidence: report of exceptions signed & dated); Level 3: Exception report to Mgr. about emps not attended (evidence: manager initials & dates with comments of actions taken)
- Level 1: Security check on staff ins & outs; Level 3: Mgr. walkthrough
- Level 1: Preventive maintenance schedule (evidence: preventive maintenance schedule); Level 2: Supervisor reviews completed maintenance (evidence: Supr. signs & dates report with notes)
The individual X marks and the Date/Reviewer/Status entries did not survive extraction.
Resources
- Effective Compliance Systems: A Practical Guide for Educational Institutions [Crawford, et al.]
- www.theiia.org
- www.COSO.org
- www.csa-pdk.com
- Email: [email protected]
Risk Ranking Characteristics
Impact: effect on achievement of goals & objectives
- [H] High: "showstopper"
- [M] Medium: inefficient and extra work
- [L] Low: no effect
Probability: likelihood of the risk happening
- [H] High: will happen frequently
- [M] Medium: will happen infrequently
- [L] Low: will seldom happen
How to Value Impact
- Develop a list of consequences to the organization if a risk were to become a reality (every organization has a finite number of potential consequences)
- Value the effect on the organization for each consequence (high, medium, or low)
- The Impact value of an identified risk is the value of its highest potential consequence
Example: Impact Valuation
Activity: Own an Automobile

Consequences, with value to owner:
- Loss of asset: Medium
- Death/Major Injury: High
- Minor Injury: Low
- Criminal penalty: High

Risks, with associated consequence and resulting impact value:
- Fender Bender: Minor Injury (L)
- DWI: Criminal penalty or Death/Major Injury (D/I) (H)
- No PM: Loss of asset (M)
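The impact rule above (a risk's Impact is the value of its highest potential consequence), the Impact/Probability cell codes of the Risk Footprint, and the under-controlled / over-controlled and unproductive-strategy checks from the Control Optimization step can all be carried out mechanically once the consequence catalogue is written down. The following Python is an added example, not code from the presentation or from JDEnterprises' Excel workbook. It uses the "Own an Automobile" consequence values from the slide; the probability ratings, the control assignments, the strategy inventory and the thresholds inside `control_status` are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# H/M/L ordering shared by the Impact and Probability ratings.
RANK = {"L": 0, "M": 1, "H": 2}

# Consequence catalogue: the finite list of things that can happen to the
# organization, each valued once. Values are those of the slide's
# "Own an Automobile" example; an organization adds its own entries here.
CONSEQUENCES = {
    "Loss of asset": "M",
    "Death/Major Injury": "H",
    "Minor Injury": "L",
    "Criminal penalty": "H",
}


@dataclass
class Risk:
    name: str
    consequences: list          # keys of CONSEQUENCES this risk can cause
    probability: str            # "H", "M" or "L", rated without mitigation
    controls: list = field(default_factory=list)  # (strategy name, COSO level)


def impact(risk, catalogue=CONSEQUENCES):
    """Impact = value of the risk's highest-valued potential consequence."""
    unknown = [c for c in risk.consequences if c not in catalogue]
    if unknown:
        raise KeyError(f"consequence not in catalogue: {unknown}")
    return max((catalogue[c] for c in risk.consequences), key=RANK.__getitem__)


def cell(risk):
    """Footprint cell code: Impact letter followed by Probability letter."""
    if risk.probability not in RANK:
        raise ValueError(f"bad probability rating: {risk.probability!r}")
    return impact(risk) + risk.probability


def risk_footprint(activities):
    """{activity: [Risk, ...]} -> {activity: {risk name: 'HL', ...}}."""
    return {act: {r.name: cell(r) for r in risks} for act, risks in activities.items()}


def control_status(risk):
    """Assumed classification rule (not from the presentation): an H- or
    M-impact risk with no Level 1 or Level 2 control is under-controlled; an
    L-impact risk carrying three or more strategies is over-controlled."""
    levels = {lvl for _, lvl in risk.controls}
    imp = impact(risk)
    if imp in ("H", "M") and not levels & {1, 2}:
        return "under-controlled"
    if imp == "L" and len(risk.controls) >= 3:
        return "over-controlled"
    return "ok"


def unproductive_strategies(inventory, activities):
    """Inventoried strategies that no risk on the footprint is assigned."""
    used = {s for risks in activities.values() for r in risks for s, _ in r.controls}
    return sorted(set(inventory) - used)


# Constructed sample: the automobile activity from the slide. The probability
# ratings and the control assignments are assumptions added for this example.
AUTOMOBILE = {
    "Own an Automobile": [
        Risk("Fender Bender", ["Minor Injury"], "M",
             controls=[("Defensive driving course", 1), ("Dash camera", 2),
                       ("Insurance review", 3)]),
        Risk("DWI", ["Criminal penalty", "Death/Major Injury"], "L"),
        Risk("No PM", ["Loss of asset"], "M",
             controls=[("Preventive maintenance schedule", 1),
                       ("Owner reviews service log", 2)]),
    ]
}
INVENTORY = ["Defensive driving course", "Dash camera", "Insurance review",
             "Preventive maintenance schedule", "Owner reviews service log",
             "Monthly tire pressure check"]


if __name__ == "__main__":
    for act, cells in risk_footprint(AUTOMOBILE).items():
        print(act)
        for name, code in cells.items():
            print(f"  {code}  {name}")
    for r in AUTOMOBILE["Own an Automobile"]:
        print(f"{r.name}: {control_status(r)}")
    print("unproductive strategies:", unproductive_strategies(INVENTORY, AUTOMOBILE))
```

Run stand-alone, the sample reproduces the slide's valuations (Fender Bender L, DWI H, No PM M), flags DWI as under-controlled because nothing at Level 1 or 2 is assigned to it, flags Fender Bender as over-controlled under the assumed threshold, and lists the tire pressure check as an inventoried strategy that mitigates no risk on the footprint.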