Lawrence Lake - PowerPoint PPT Presentation

1
Using Risk Management Frameworks
  • Lawrence Lake
  • Managing Director
  • Protiviti Inc.

2
  • What are Risk Management Frameworks and Why have
    them?
  • What is a Risk Control Matrix, COSO, COBIT, Risk
    Universe, Key Controls, Critical Controls?
  • Using them in SOA, ERA or Revenue Cycle

3
Business risks are greater today than ever
  • Globalization means increased exposure to
    international events
  • Need for efficiencies, innovation and
    differentiation to compete
  • We now know the unthinkable can happen
  • Financial reporting is now a risk area
  • Application is uneven at companies applying EWRM

We live in unpredictable times
4
Why is business risk a priority?
  • Points of view from a recent survey
  • Many executives see an array of ever-increasing
    business risks
  • Business risk management practices require
    improvement
  • Substantial revisions in business risk management
    have either been made or will be made
  • Senior executives want more confidence that all
    potentially significant risks are identified and
    managed

Source: FEI survey
5
Gartner reveals top five business issues
  • Cost constraints
  • Security of data and privacy
  • Stakeholder returns
  • Managing business risk
  • Innovation

Source: The Gartner Group, based upon interviews
and surveys
6
Key indicators of need
  • Management wants increased confidence that all
    potentially significant risks are identified and
    managed
  • Key decisions are made without a systematic
    evaluation of risk and reward trade-offs
  • Risk management isn't integrated with strategic
    and business planning
  • Risks are not systematically identified, sourced,
    measured and managed
  • Units of the organization are managing similar
    risks differently
  • Inability to measure performance on a
    risk-adjusted basis
  • Capital investment process requires improvement
  • Increasing demands for more information relating
    to risks and internal controls from the board and
    investors

7
A common framework will accelerate progress
  • We need a common language
  • We need criteria against which to benchmark
  • Now we can communicate more effectively
  • Familiarity of concepts is useful
  • Application guidance is a critical piece
  • Issuance of framework is only the beginning

8
Traditional Risk Universe Framework
9
Risk Control Matrix
10
Control Levels
  • Entity-level Controls
  • Entity-level controls are those controls that
    management relies upon to establish the
    appropriate tone at the top relative to
    financial reporting. An entity-level assessment
    for each control entity should be conducted as
    early as possible in the evaluation process
  • Process-Level Controls
  • Process level controls are usually directly
    involved with initiating, recording, processing
    or reporting transactions
  • General IT and Application Controls
  • General IT controls typically impact a number of
    individual applications and data in the
    technology environment
  • Application controls relate primarily to the
    controls programmed within an application that
    can be relied upon to mitigate business
    process-level risks

11
Control Levels: Examples of Entity-Level Controls
COSO Components: Risk Assessment, Control
Environment, Information and Communication,
Control Activities, Monitoring
Application: Address attributes for each COSO
component. For each attribute, evaluate
appropriate points of focus, as illustrated below
for ONE attribute, Human Resource Policies and
Procedures
  • Attributes
  • Entity-wide objectives
  • Activity-level objectives
  • Risk Identification
  • Managing Change
  • Integrity and ethical values
  • Commitment to competence
  • Board of Directors or Audit Committee
  • Management's philosophy and operating style
  • Organizational structure
  • Assignment of authority and responsibility
  • Human resource policies and procedures
  • External and internal information is identified,
    captured, processed and reported
  • Effective communication down, across, up the
    organization
  • Policies, procedures, and actions to address
    risks to achievement of stated objectives
  • Points of Focus
  • Is there a process for defining the level of
    competence needed for specific jobs, including
    the requisite knowledge and skills?
  • Are there human resource policies and processes
    for acquiring, recognizing, rewarding, and
    developing personnel in key positions?
  • Is the background of prospective employees
    checked and references obtained?
  • Are performance expectations clearly defined and
    reinforced with appropriate performance measures?
  • Are employee retention, promotion and performance
    evaluation processes effective?
  • Is the established code of conduct reinforced and
    disciplinary action taken when warranted?
  • Are everyone's control-related responsibilities
    clearly articulated and carried out?

Source: Section 404 FAQs, Question 40.
12
Control Types
  • Manual vs. System-based controls
  • Manual controls predominantly depend upon the
    manual execution by one or more individuals
  • Automated controls predominantly rely upon
    programmed applications or IT systems to execute
    a step or perhaps prevent a transaction from
    occurring without manual decision or interaction
  • There are also system-dependent manual controls,
    e.g., controls that are manual (comparing one
    thing to another) but where what is being
    compared is system-generated and not independently
    corroborated; therefore, the manual control is
    dependent on the reliability of system processing
  • Preventive vs. Detective controls
  • Preventive controls, either people-based or
    systems-based, are designed to prevent errors or
    omissions from occurring and are generally
    positioned at the source of the risk within a
    business process
  • Detective controls are processes, either
    people-based or systems-based, that are designed
    to detect and correct an error (or fraud) or an
    omission within a timely manner prior to
    completion of a stated objective (e.g., begin the
    next transaction processing cycle, close the
    books, prepare final financial reports, etc.)

13
Control Reliability
  • As transaction volumes increase and with
    increasingly complex calculations, systems-based
    controls are often more reliable than
    people-based controls because they are less prone
    to mistakes than human beings, if designed,
    operated, maintained and secured effectively
  • A shift toward an anticipatory, proactive
    approach to controlling risk requires greater use
    of preventive controls than the reactive "find
    and fix" approach embodied in a detective control
  • Effectively designed controls that prevent risk
    at the source free up people resources to focus
    on the critical tasks of the business

Ranking from MORE RELIABLE/DESIRABLE to LESS
RELIABLE/DESIRABLE:
  • Systems-Based, Preventive Control
  • Systems-Based, Detective Control
  • People-Based, Preventive Control
  • People-Based, Detective Control
NOTE: The above framework is intended to apply to
process-level controls. It does not always apply
at the entity-level, e.g., the internal audit
function.
14
What is a Critical Control?
  • Definitions
  • KEY CONTROL: An activity or task performed by
    management or other personnel designed to provide
    reasonable assurance regarding the achievement of
    certain objectives as well as mitigating the risk
    of an unanticipated outcome. Significant
    reliance is placed upon this control's effective
    design and operation. Upon failure of the key
    control, the risk of occurrence of an undesired
    activity would not be mitigated regardless of
    other controls identified. In other words,
    reasonable assurance of achieving the process
    objectives could not be obtained.
  • CRITICAL CONTROL: The FIRST subset of key
    controls; these controls have a pervasive impact
    on financial reporting (segregation of duties,
    system and data access, change controls, physical
    safeguards, authorizations, input controls,
    reconciliations, review process, etc.) and have
    the most direct impact on achieving financial
    statement assertions. Upon failure of a critical
    control, the risk of occurrence of an undesired
    activity would not be mitigated regardless of
    other controls identified within ANY process.
    Failure of critical controls would affect the
    ability of management to achieve not only process
    objectives, but also the company's financial
    statement objectives.

15
Control Types
  • Primary vs. secondary controls
  • Primary controls are controls that are especially
    critical to the mitigation of risk and the
    ultimate achievement of one or more financial
    reporting assertions for each significant account
    balance, class of transactions and disclosure;
    these are the controls that managers and process
    owners primarily rely on
  • Secondary controls are important to the
    mitigation of risk and the ultimate achievement
    of one or more financial reporting assertions,
    but are not considered critical by management
    and process owners; while these controls are
    significant, there are compensating controls that
    also assist in achieving the assertions
  • Controls over routine processes vs. controls over
    non-routine processes
  • Controls over routine processes are the manual
    and automated controls over transactions
  • Controls over non-routine processes are the
    manual and automated controls over estimates and
    period-end adjustments; these controls often
    address the greatest risks in the financial
    reporting process and are most susceptible to
    management override

16
Control Levels: Examples of Common Process-Level
Control Activities
Pervasive Process-Level Controls (controls
affecting multiple processes, including
entity-level and general IT controls)
  • Establish and communicate objectives
  • Authorize and approve
  • Establish boundaries and limits
  • Assign key tasks to quality people
  • Establish accountability for results
  • Measure performance
  • Facilitate continuous learning
  • Segregate incompatible duties
  • Restrict process system and data access
  • Create physical safeguards
  • Implement process/systems change controls
  • Maintain redundant/backup capabilities

Specific Process-Level Controls (controls specific
to a process, including programmed application
controls)
  • Obtain prescribed approvals
  • Establish transaction/document control
  • Establish processing/transmission control totals
  • Establish/verify sequencing
  • Validate against predefined parameters
  • Test samples/assess process performance
  • Recalculate computations
  • Perform reconciliations
  • Match and compare
  • Independently analyze results for reasonableness
  • Independently verify existence
  • Verify occurrence with counterparties
  • Report and resolve exceptions
  • Evaluate reserve requirements

17
  • What is the COSO ERM Framework?

18
SOA and the COSO Framework
Complying with SOA Section 404 in the Context of
the COSO Framework
The COSO Framework is recommended by the SEC as an
accepted internal control framework to guide
corporate compliance with SOA 404. COSO requires
an entity-level (or "tone at the top") internal
control focus and an activity- or process-level
focus (the right side of the cube), with the three
objectives of effectiveness and efficiency of
operations (including safeguarding of assets),
reliability of financial reporting, and compliance
with applicable laws and regulations (across the
top of the cube). Our approach captures the five
components of internal control: the control
environment, risk assessment, control activities,
information/communication, and monitoring.
19
The COSO ERM Framework
  • Began over four years ago
  • COSO concluded a broadly recognized common
    structure for ERM is needed
  • Framework developed through input from many
    sources, including members of the five COSO
    organizations
  • Originally Authored by PwC
  • COSO-appointed advisory council provided input
    and guidance to the process

20
The COSO ERM Framework
  • Was initiated in May 2001 before the events
    leading to The Sarbanes-Oxley Act of 2002
  • Speaks to many of the issues currently facing
    organizations
  • How does an organization determine the
    appropriate level of risk for the value it seeks
    to create for stakeholders?
  • How does an organization communicate its risk
    policy to stakeholders?
  • Final Version released September 2004

21
The COSO ERM Framework
  • Details essential components and concepts of
    enterprise risk management for all organizations,
    regardless of size
  • Identifies the interrelationships between
    enterprise risk management and internal control
  • Is intended to be a comprehensive and holistic
    approach
  • Is intended for application across many sectors
    and organizations

22
ERM provides a pathway for supporting ongoing
compliance AND moving beyond compliance
  • An enterprise-wide risk assessment process feeds
    new risks into the disclosure process in a more
    timely way as they emerge
  • ERM builds upon the disclosure infrastructure to
    broaden the focus on transparency beyond
    financial reporting
  • ERM instills the discipline needed to
    continuously improve risk management capabilities
  • The COSO ERM Framework
  • Provides a much needed common language
  • Illustrates how ERM is built around the Internal
    Control Integrated Framework

23
The COSO Framework provides an understanding of
the components of ERM
  • Enterprise Risk Management
  • Is a process
  • Is effected by people
  • Is applied in strategy setting
  • Is applied across the enterprise
  • Is designed to identify potential events
  • Manages risks with risk appetite
  • Provides reasonable assurance
  • Supports achievement of objectives

Source: COSO proposed ERM Framework
24
The COSO ERM Framework: Internal Environment
  • Risk management philosophy
  • Risk culture
  • Board of directors
  • Integrity and ethical values
  • Commitment to competence
  • Management's philosophy and operating style
  • Risk appetite
  • Organizational structure
  • Assignment of authority and responsibility
  • Human resources policies and practices
  • Key points
  • Reinforces control environment
  • Adds key risk elements

Source: COSO proposed ERM Framework
25
The COSO ERM Framework: Objective Setting
  • Strategic objectives
  • Related objectives
  • Selected objectives
  • Risk appetite
  • Risk tolerance
  • Key points
  • Integration with strategic management
  • Integration with business planning (operations)
  • Integration with performance measurement
  • Integration with compliance function

Source: COSO proposed ERM Framework
26
The COSO ERM Framework: Event Identification
  • Events
  • Factors influencing strategy and objectives
  • Methodologies and techniques
  • Event interdependencies
  • Event categories
  • Risks and opportunities
  • Key points
  • Focus on objectives
  • Need a common language
  • Group into families
  • Understanding interdependencies is foundation for
    model building

Source: COSO proposed ERM Framework
27
The COSO ERM Framework: Risk Assessment
  • Inherent and residual risk
  • Likelihood and impact
  • Methodologies and techniques
  • Correlation
  • Key points
  • Focus on events
  • Need a common process
  • Correlations enable more effective measurement

Source: COSO proposed ERM Framework
28
Prioritize Risks
29
The COSO ERM Framework: Risk Response
  • Identify risk response
  • Evaluate possible risk responses
  • Select responses
  • Portfolio view
  • Key points
  • Several responses available
  • Choices are strategic and tactical
  • This makes risk management real to operators

Source: COSO proposed ERM Framework
30
The COSO ERM Framework: Control Activities
  • Integration with risk response
  • Types of control activities
  • General controls
  • Application controls
  • Entity specific
  • Key points
  • Integral to risk response
  • Similar to integrated framework
  • Emphasize preventive and systems-based controls

Source: COSO proposed ERM Framework
31
The COSO ERM Framework: Information and
Communication
  • Information
  • Strategic and integrated systems
  • Communication
  • Key points
  • Similar to integrated framework but expanded focus

Source: COSO proposed ERM Framework
32
The COSO ERM Framework: Monitoring
  • Separate evaluations
  • Ongoing evaluations
  • Key points
  • Similar to integrated framework but expanded focus

Source: COSO proposed ERM Framework
33
The COSO ERM Framework: What's the message?
  • There are a multitude of possible elements that
    make up an ERM solution; the COSO framework
    lists many of these elements
  • Companies have different objectives, strategies,
    structure, culture, risk appetite and financial
    wherewithal -- no two ERM solutions are alike
  • The specific policies, processes, skillsets,
    reports, methodologies and systems comprising the
    elements defining the solution for one company
    may differ from another company
  • Companies looking for off-the-shelf ERM solutions
    are setting themselves up for disappointment in
    terms of what they find or the results they get

34
Recognize that ERM is a journey, not a destination,
and requires a change process
Questions on the journey diagram (axis: INCREASING
RISK MANAGEMENT CAPABILITIES; labels: Drivers,
Achievable Goal, Constraints):
  • Why do we need to begin our journey?
  • Where are we now?
  • What are the expected outcomes?
  • How do we get there?
  • What elements need to be put in place?
  • What are the obstacles along the way?
  • How will we know we are successful?
35
Risk management focus, scope and emphasis are
often limited
Three levels of risk management, from most limited
to enterprise-wide, as the slide's three table
columns:
  • Financial and hazard risks and internal
    controls; preserve enterprise value; treasury,
    insurance and operations involved; financial and
    operations; selected risk areas, units and
    processes
  • Business risk and internal controls; preserve
    enterprise value; business managers accountable
    (risk-by-risk); management; selected risk areas,
    units and processes
  • Business risk and internal controls; create and
    preserve enterprise value; strategy, people,
    process, technology and knowledge aligned to
    manage risk on an enterprise-wide basis;
    strategy; enterprise-wide
36
Know Your End Game
The Journey can start with SOA
DRIVERS: Protect and Enhance Enterprise Value
Enterprise Risk Management
  • Improve governance
  • Improve risk evaluation
  • Improve strategy setting
  • Achieve business objectives

INDUSTRY -- All
Operational Effectiveness and Efficiency
  • Improve quality
  • Reduce costs
  • Compress time

Value Contributed
Improve Quality, Cost and Time
INDUSTRY -- All
Other Compliance
  • Comply with other regulations

INDUSTRY -- Health care, FSI
Section 404 and 302 Integration
  • Comply with SOA

Sustainability of the Control Structure
Self-Assessment
  • Reinforce process owner accountability
  • Identify areas to address

INDUSTRY -- All
Comply with 302 and 404
Section 404 Compliance
  • Comply with SOA

(Chart axes: Voluntary / Required versus Time)
37
COBIT's Control Framework
  • Starts from the premise that IT needs to deliver
    the information that the enterprise needs to
    achieve its objectives.
  • Promotes process focus and process ownership
  • Divides IT into 34 processes belonging to four
    domains and provides a high level control
    objective for each
  • Looks at fiduciary, quality and security needs of
    enterprises, providing seven information criteria
    that can be used to generically define what the
    business requires from IT
  • Is supported by a set of over 300 detailed
    control objectives
  • The four domains
  • Planning
  • Acquiring & Implementing
  • Delivery & Support
  • Monitoring
  • The seven information criteria
  • Effectiveness
  • Efficiency
  • Availability
  • Integrity
  • Confidentiality
  • Reliability
  • Compliance

38
The CobiT Framework's Principles
Business Requirements
IT Processes
IT Resources
39
The CobiT Framework's Principles
40
COBIT Cube
Information Criteria: Fiduciary, Security, Quality
Domains, Processes, Activities (IT Processes)
IT Resources: Data, Application Systems,
Technology, Facilities, People
41
Sarbanes-Oxley, COSO and CobiT
42
  • Implementing an ERM Framework: What Do We Need?

43
Define and implement the ERM solution
  • Following is an illustrative approach for
    facilitating a change process
  • The objective is to craft a future goal state for
    risk management within the organization and
    sustain the journey toward realizing that goal

Define Project Scope
Create ERM Vision
Build ERM Business Case
Manage ERM Journey
Continuously Improve ERM Capabilities
44
Define project scope
  • Articulate the problem to be solved (the
    business motivation)
  • Define project sponsor
  • Organize working committee of senior executives
  • Articulate current state
  • Inventory existing risk management initiatives

45
Create ERM vision
  • Define risk management vision, goals and
    objectives
  • Define future goal state
  • Understand the journey elements needed to make
    the future state happen
  • Foundation elements
  • Process elements
  • Enhancement elements

46
Identify the relevant journey elements
EWRM Value Proposition (diagram axis: INCREASING
RISK MANAGEMENT CAPABILITIES)
Categories of ERM Journey Elements: FOUNDATION
ELEMENTS, PROCESS ELEMENTS, ENHANCEMENT ELEMENTS
Journey elements shown on the diagram:
  • Adopt common language
  • Establish oversight and governance
  • Assess risk and develop strategies
  • Design/implement capabilities
  • Quantify multiple risks enterprise-wide
  • Improve enterprise performance
  • Establish sustainable competitive advantage
  • Continuously improve
A journey element consists of the processes,
people, reports, methodologies, technology, or a
combination thereof, integrated within the ERM
solution to achieve the expected outcomes
specified in the business case
47
Examples of foundation elements
Establish oversight and governance; Adopt common
language
Does the company have:
  • A common language for risks and risk management?
  • Overall an effective oversight structure and
    governance?

Possible journey elements
  • Risk model
  • Risk management glossary
  • Process classification scheme
  • Other relevant frameworks
  • Improved dialogue about risk and its sources,
    drivers or root causes
  • More organized process for sharing of information
  • Overall risk management policy
  • Top-down communications of risk management
    direction
  • Organizational oversight structure, with Board
    oversight
  • Risk management oversight committee(s) and
    management accountability
  • Designated senior executive responsible for risk
    management (i.e., a CRO)
  • Integrated risk management and governance
    processes
  • Business risk management staff function

Possible expected outcomes
  • Increase chances of identifying all key risks
  • Enable people from multiple disciplines to focus
    on issues faster
  • Achieve clarity as to risk management role,
    purpose and accountabilities
  • Get things done quicker by executives empowered
    to act

48
The company's selected journey elements build
COSO ERM components
Categories of ERM Journey Elements: FOUNDATION,
PROCESS, ENHANCEMENT
Matrix columns (journey elements): Establish
sustainable competitive advantage; Improve
enterprise performance; Quantify multiple risks
enterprise-wide; Design/implement capabilities;
Establish oversight and governance; Assess risk
and develop strategies; Adopt common language;
Continuously improve
Matrix rows (COSO ERM components), with the number
of journey elements marked X for each on the
slide: Internal Environment (8), Objective Setting
(6), Event Identification (7), Risk Assessment
(5), Risk Response (7), Control Activities (6),
Information and Communication (8), Monitoring (6).
Which columns carry each X is not recoverable from
the extracted slide.
49
Build ERM business case
  • Articulate the ERM vision, including the desired
    journey elements and expected outcomes
  • Describe the overall effort
  • Analyze the related costs and benefits and
    provide the economic justification for going
    forward
  • Provide a context for monitoring progress over
    time

50
Manage ERM journey
  • Organize the ERM journey to understand and
    respond to sponsor expectations, address change
    issues, manage journey risks/constraints and
    communicate relevant messages often
  • Develop journey management plan, laying out the
    appropriate sequence of elements
  • Monitor journey performance
  • Assess journey impact
  • Manage discrete projects to deliver the journey
    elements according to the selected priority and
    appropriate sequence

51
Continuously improve ERM capabilities
  • Continuously improve capabilities to move the
    company up the capability maturity curve