COSO Enterprise Risk Management . . . An Integrated Framework - PowerPoint PPT Presentation

Slides: 45
Provided by: And106

Transcript and Presenter's Notes

1
COSO Enterprise Risk Management . . . An
Integrated Framework
2
Today's Agenda
  • COSO ERM Framework Project Overview
  • Key Concepts
  • Key Components
  • Relationship with Internal Control
  • Example of Implementation of ERM Framework

3
Enterprise Risk Management
  • Patricia Cochran, CFO
  • VSP
  • patrco_at_vsp.com

4
Project Background
  • COSO
  • Concluded that there was a need for a recognized
    framework despite an abundance of literature on
    the subject.
  • Believes there is consensus that all
    organizations can benefit from improved risk
    identification and risk analysis procedures.
  • Recognizes that many organizations are engaged
    in some aspects of enterprise risk management.

5
Project Overview
  • Enterprise Risk Management Framework consists of
    two documents

6
Tools And Guidance
  • Executive Summary - Free Download - COSO
  • Framework and Application Guidance - AICPA
  • Webcast on the Framework - AICPA
  • Audit Committee Tool - AICPA (ACEC Site)
  • AICPA Journal of Accountancy Article (Summer
    2005)
  • Small Business Guidance (forthcoming)

7
Enterprise Risk Management Defined
  • Enterprise risk management is a process
  • Effected by an entity's board of directors,
    management and other personnel,
  • Applied in a strategic setting and across the
    enterprise,
  • Designed to identify potential events that may
    affect the entity, and
  • Manage risk to be within its risk appetite
  • To provide reasonable assurance regarding the
    achievement of entity objectives.

8
ERM Key Concepts
  • Risk Philosophy
  • Risk Appetite
  • Portfolio View of Risk

9
The Enterprise Risk Management Framework
  • The Enterprise Risk Management framework has
    eight interrelated components
  • Entity objectives can be viewed in the context of
    four categories
  • Strategic
  • Operations
  • Reporting
  • Compliance
  • ERM considers activities at all levels of the
    organization

10
Relationship With Internal Control
  • The ERM Framework is not intended to, and does
    not replace the IC-IF document.

11
COSO ERM vs. COSO I/C
  • ERM extends into strategic domain
  • Reporting category encompasses more than
    Financial Reporting
  • Risk assessment - three separate ERM components

12
ERM and Internal Control
  • Effective internal control is necessary for
    effective enterprise risk management.

You can have effective internal control without
effective enterprise risk management; you cannot
have effective enterprise risk management without
effective internal control.

13
VSP Overview
  • Nation's largest provider of eyecare benefits
  • Founded in 1955
  • About 44 million members (1 in 8 Americans)
  • 1,900 employees
  • Seventh year in a row - #7 on 2006 list

14
VSP Overview
  • 2005 Revenue $2.2 billion
  • 23,000 clients
  • Cover 184 of the Fortune 500 companies
  • Cover 39 of the Fortune 100 Best Places to Work
    companies

15
ERM Components
  • Internal Environment
  • Objective Setting
  • Event Identification
  • Risk Assessment
  • Risk Response
  • Control Activities
  • Information and Communication
  • Monitoring

16
Internal Environment Component
  • Establishes a philosophy regarding risk
    management. It recognizes that unexpected as
    well as expected events may occur.
  • Risk appetite is set by management and approved
    by the board.
  • Considers all other aspects of the organization's
    actions including allocation of authority, ethics
    and values, and human resources.

17
Elements of VSP's Risk Management Process
  • Internal Environment
  • One Clear Vision ethical values policy and code
    of conduct with annual recommitment
  • Senior vice president serving as ethics and
    compliance officer
  • Open door policy

18
Elements of VSP's Risk Management Process
  • Internal Environment
  • Human resource practices pertaining to
    orientation of new employees, counseling,
    promoting, compensating and taking remedial
    action
  • Hiring practices to ensure competence of staff,
    including background checks, drug testing and
    credit checks
  • Ongoing training programs (Top 100 Training
    Company)

19
Objective Setting Component
  • ERM is applied in objective setting when
    management considers risk strategy in the
    setting of objectives.
  • Objectives are set with regard to the risk
    appetite.
  • Tolerances are established for related objectives.

20
Elements of VSP's Risk Management Process
  • Objective Setting
  • Annual goals provided by the Board of Directors
    to the CEO
  • Strategic plan with high-level goals aligned with
    the company's mission and vision
  • Communication of company objectives to personnel
    at all levels, ensuring requisite understanding
    within each employee's sphere of influence (Meeting
    in a Box)

21
Elements of VSP's Risk Management Process
  • Objective Setting
  • Annual operating plans and budgets by division
  • Key job accountability requirements for each
    employee, with regular performance evaluations
  • Best practices and industry benchmarks (ABM)

22
Event Identification Component
  • Identify those incidents, occurring internally or
    externally, that could affect strategy and
    achievement of objectives.
  • Addresses how internal and external factors
    combine and interact to influence the entity's
    risk profile.
  • Distinguish risk and opportunity.

23
Elements of VSP's Risk Management Process
  • Event Identification
  • Monitor payments in default in accounts
    receivable monthly
  • Identification and reporting of security and
    safety incidents to executive team
  • Mitigate potential for natural disasters through
    insurance coverage (high flood risk in
    Sacramento)
  • Monitor systems access and potential computer
    viruses

24
Elements of VSP's Risk Management Process
  • Event Identification
  • Current status of evolving electronic commerce
    and impact on the business
  • Market intelligence activities and reporting
  • Evaluation of competitor actions
  • Determination of changing market demographics
  • Evaluation of political threats or opportunities,
    such as national health insurance

25
Risk Assessment Component
  • Allows an entity to understand the extent to
    which potential events might impact objectives.
  • Assesses risks from two perspectives: likelihood
    and impact.
  • The unit of measure used to assess risks should
    be the same as, or congruent with, the measure
    used for related objectives.
  • Employs a combination of both qualitative and
    quantitative risk assessment methodologies.
  • Time horizons are related to objective time
    horizons.
  • Assesses risk on both an inherent and residual
    basis.

26
Elements of VSP's Risk Management Process
  • Risk Assessment
  • Strategic planning review of strengths,
    weaknesses, opportunities and threats (SWOT)
  • Benchmarking against competitors and like
    industries and reporting to Board of Directors
  • Periodic reviews of business continuity plans,
    with regular testing at offsite vendor location

27
Risk Response Component
  • Identifies and evaluates possible responses to
    risk.
  • Evaluates options in relation to the entity's risk
    appetite, cost vs. benefit of potential risk
    responses, and the degree to which a response will
    reduce impact and/or likelihood.
  • Assessment of and response to risks are integral
    components of ERM; which specific response is
    selected is not.
  • Selects and executes its response based on
    evaluation of the portfolio of risks and
    responses.

28
Elements of VSP's Risk Management Process
  • Risk Response
  • Remote location data processing center
  • Redundant call center services between Sacramento
    and Columbus
  • Redundant telephone, IVR and eClaim equipment in
    Sacramento and Columbus
  • Supervision with review and approval over key
    information processing procedures

29
Elements of VSP's Risk Management Process
  • Risk Response
  • Weekly executive meetings to share information
    and to determine appropriate responses to
    situations that involve risk
  • Budget Oversight Committee review and approval of
    company budgets and major capital expenditures,
    as well as mid-year revisions
  • Insurance coverage for errors and omissions,
    directors and officers, general liability,
    fiduciary and fidelity bonds

30
Control Activities Component
  • Control activities are the policies and
    procedures that help ensure that the risk
    responses, as well as other entity directives,
    are carried out.
  • Occur throughout the organization, at all levels
    and in all functions.
  • Includes application controls and general
    information technology controls.

31
Elements of VSP's Risk Management Process
  • Control Activities
  • Formal job descriptions with proper segregation
    of duties
  • Regular meetings of multi-divisional Internal
    Control Forum
  • Regular review of activity based management
    reports
  • Control procedures for recording journal entries
    or other post closing adjustments in general
    ledger

32
Elements of VSP's Risk Management Process
  • Control Activities
  • Use of bank lock boxes to collect client premiums
  • Cash controls, including positive pay, over check
    disbursements
  • Established signature authority levels for
    approval of expenditures and routine verification

33
Elements of VSP's Risk Management Process
  • Control Activities
  • Controls over applications of information
    technology systems, such as control totals, edit
    checks, and authorization security
  • Steering committee oversight over major
    information technology projects
  • Standard controls over software acquisition,
    development and maintenance

34
Elements of VSP's Risk Management Process
  • Control Activities
  • Physical safeguards over frame and lens
    inventories and periodic physical inventory
    counts attended by Finance staff
  • External security service for physical facilities
  • Regular reporting of performance indicators

35
Information and Communication Component
  • Information is needed at all levels of an entity
    in identifying, assessing, and responding to
    risk.
  • Management identifies, captures and communicates
    pertinent information in a form and timeframe
    that enables people to carry out their
    responsibilities.
  • Communication occurs in a broader sense, flowing
    down, across and up the organization.

36
Elements of VSP's Risk Management Process
  • Information and Communication
  • Quarterly ABM benchmark reporting for all
    administrative and ophthalmic materials
    activities
  • Monthly financial statement reporting and
    analysis within five working days
  • Monthly reporting of budget versus actual results
    to each supervisor
  • Detailed expenditure reporting to the manager of
    each cost center

37
Elements of VSP's Risk Management Process
  • Information and Communication
  • Quarterly meetings of senior management and Board
    leadership to review progress of plans
  • Semi-annual all-employee meetings with CEO
  • Strategic planning intranet with current
    competitor information

38
Monitoring Component
  • Monitors the ongoing effectiveness of the other
    enterprise risk management components through
  • Ongoing monitoring activities
  • Separate evaluations
  • A combination of the two

39
Elements of VSP's Risk Management Process
  • Monitoring
  • Special investigative fraud auditing unit of
    certified fraud examiners
  • Internal auditing of claims to verify processing
    accuracy and timeliness
  • Audits by Insurance Departments with regulatory
    oversight responsibility
  • Independent audit by CPA firm

40
Elements of VSP's Risk Management Process
  • Monitoring
  • Corroboration of billing data by clients,
    ensuring accuracy of revenue reporting
  • Regular reconciliation of operating reports, bank
    accounts and subsidiary systems to general ledger
    account balances
  • Review and grade setting by insurance rating
    agency (AM Best)

41
Elements of VSP's Risk Management Process
  • Monitoring
  • Employee focus group meetings each quarter with
    CEO and VP of Human Resources
  • External hotline phone for reporting illegal or
    improper acts anonymously (whistleblower
    protection)
  • Routine surveying of the satisfaction levels of
    clients, patients, doctors and employees (bonus
    program)

42
Roles and Responsibilities
  • Distinct roles and responsibilities are necessary
    to ensure effective enterprise risk management
  • Management
  • The Board of Directors
  • Risk officers
  • Internal auditors

43
Key Concepts In The Enterprise Risk Management
Framework
  • Events and risks
  • Applying risk management in strategy setting
  • Risk appetite and risk tolerance
  • Portfolio view

44
  • Summary Questions