What are Risk Management Frameworks and Why have them? What is a Risk Control Matrix, COSO, COBIT, Risk Universe, Key Controls, Critical Controls?
Using them in SOA, ERA or Revenue Cycle
- Globalization means increased exposure to international events
- Need for efficiencies, innovation and differentiation to compete
- We now know the unthinkable can happen
- Financial reporting is now a risk area
- Application is uneven at companies applying EWRM (enterprise-wide risk management)
- We live in unpredictable times
2003 Protiviti Inc.
Points of view from a recent survey:
- Many executives see an array of ever-increasing business risks
- Business risk management practices require improvement
- Substantial revisions in business risk management have either been made or will be made
- Senior executives want more confidence that all potentially significant risks are identified and managed

Concerns cited:
- Cost constraints
- Security of data and privacy
- Stakeholder returns
- Managing business risk
- Innovation
- Increasing demands for more information relating to risks and internal controls from the board and investors
Regulatory Control Example: Written Policies and Procedures (OIG)

Matrix columns: Regulation | Risk Category | Regulatory guidance | Control Description | Program Type | Owner | Control Ranking | Primary Tested (Y/N) | Test Plan

Regulation: OIG
Risk Category: Implementing Written Policies and Procedures
Regulatory guidance: Develop and distribute written standards of conduct, as well as written policies, procedures, and protocols that verbalize the company's commitment to compliance. (section C)
Control Description: Vendor commitment to general compliance is documented in a written code of conduct. Vendor signs off on a program contract specifying its intention to comply with TAP internal guidelines and the code of conduct.
Program Type: General
Owner: Vendor
Test Plan: Obtain a copy of the vendor compliance documentation (e.g., code of conduct). Review the contract with the vendor to ensure a contract exists specifying the requirements and that the vendor signature is present.
Control Levels
Entity-level Controls: those controls that management relies upon to establish the appropriate tone at the top relative to financial reporting. An entity-level assessment for each control entity should be conducted as early as possible in the evaluation process.
Process-level Controls: usually directly involved with initiating, recording, processing or reporting transactions.
General IT and Application Controls: general IT controls typically impact a number of individual applications and data in the technology environment. Application controls relate primarily to the controls programmed within an application that can be relied upon to mitigate business process-level risks.
Application: address the attributes for each COSO component. For each attribute, evaluate the appropriate points of focus, as illustrated below for ONE attribute, Human Resource Policies and Procedures.

Points of Focus:
- Is there a process for defining the level of competence needed for specific jobs, including the requisite knowledge and skills?
- Are there human resource policies and processes for acquiring, recognizing, rewarding, and developing personnel in key positions?
- Is the background of prospective employees checked and references obtained?
- Are performance expectations clearly defined and reinforced with appropriate performance measures?
- Are employee retention, promotion and performance evaluation processes effective?

COSO components and their attributes:
- Control Environment: integrity and ethical values; commitment to competence; board of directors or audit committee; management's philosophy and operating style; organizational structure; assignment of authority and responsibility; human resource policies and procedures
- Control Activities: policies, procedures, and actions to address risks to achievement of stated objectives
- Information and Communication: external and internal information is identified, captured, processed and reported; effective communication down, across and up the organization
- Monitoring: ongoing monitoring; separate evaluations; reporting deficiencies

Further points of focus:
- Is the established code of conduct reinforced and disciplinary action taken when warranted?
- Are everyone's control-related responsibilities clearly articulated and carried out?
Control Types
There are also system-dependent manual controls, e.g., controls that are manual (comparing one thing to another) but where what is being compared is system-generated and not independently corroborated; the manual control is therefore dependent on the reliability of system processing.
Control Reliability
As transaction volumes increase and calculations become more complex, systems-based controls are often more reliable than people-based controls because they are less prone to mistakes than human beings, provided they are designed, operated, maintained and secured effectively. A shift toward an anticipatory, proactive approach to controlling risk requires greater use of preventive controls than the reactive find-and-fix approach embodied in a detective control.
Effectively designed controls that prevent risk at the source free up people to focus on the critical tasks of the business.
Control Types
Primary vs. secondary controls
- Primary controls are especially critical to the mitigation of risk and the ultimate achievement of one or more financial reporting assertions for each significant account balance, class of transactions and disclosure; these are the controls that managers and process owners primarily rely on.
- Secondary controls are important to the mitigation of risk and the achievement of one or more financial reporting assertions, but are not considered critical by management and process owners; while these controls are significant, there are compensating controls that also assist in achieving the assertions.
COSO ERM Framework background:
- Began over four years ago
- COSO concluded that a broadly recognized common structure for ERM is needed
- Framework developed through input from many sources, including members of the five COSO organizations
- Originally authored by PwC
- A COSO-appointed advisory council provided input and guidance to the process
- Was initiated in May 2001, before the events leading to the Sarbanes-Oxley Act of 2002
- Speaks to many of the issues currently facing organizations:
  - How does an organization determine the appropriate level of risk for the value it seeks to create for stakeholders?
  - How does an organization communicate its risk policy to stakeholders?
- Final version released September 2004
- Details essential components and concepts of enterprise risk management for all organizations, regardless of size
- Identifies the interrelationships between enterprise risk management and internal control
ERM provides a pathway for supporting ongoing compliance AND moving beyond compliance
- An enterprise-wide risk assessment process infuses the disclosure process with new risks in a more timely way as they emerge
- ERM builds upon the disclosure infrastructure to broaden the focus on transparency beyond financial reporting
- ERM instills the discipline needed to continuously improve risk management capabilities

The COSO ERM Framework:
- Provides a much needed common language
- Illustrates how ERM is built around the Internal Control Integrated Framework
Enterprise risk management:
- Is effected by people
- Is applied in strategy setting
- Is applied across the enterprise
- Is designed to identify potential events
- Manages risks within risk appetite
- Provides reasonable assurance
- Supports achievement of objectives

[Figure: the COSO ERM cube. Rows are the eight components (Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring); the depth axis is the organizational level (Entity-level, Division, Business Unit, Subsidiary); the top face carries the objective categories (Strategic, Operations, Reporting, Compliance).]
Internal Environment
- Risk management philosophy
- Risk culture
- Board of directors
- Integrity and ethical values
- Commitment to competence
- Management's philosophy and operating style
- Risk appetite
- Organizational structure
- Assignment of authority and responsibility
- Human resources policies and practices

Key points: reinforces the control environment; adds key risk elements (risk management philosophy, risk culture, risk appetite).
Objective Setting
- Strategic objectives
- Related objectives
- Selected objectives
- Risk appetite
- Risk tolerance

Key points:
- Integration with strategic management
- Integration with business planning (operations)
- Integration with performance measurement
- Integration with the compliance function
Event Identification
- Events
- Factors influencing strategy and objectives
- Methodologies and techniques
- Event interdependencies
- Event categories
- Risks and opportunities

Key points:
- Focus on objectives
- Need a common language
- Group events into families
- Understanding interdependencies is the foundation for model building
Risk Assessment
- Inherent and residual risk
- Likelihood and impact
- Methodologies and techniques
- Correlation

Key points:
- Focus on events
- Need a common process
Prioritize Risks
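As an added example (not part of the original deck, and not a COSO, OIG or Protiviti artefact), the Python below models a small risk control matrix in the shape of the OIG example earlier on the page: each control records its nature (preventive/detective), mode (automated/manual), ranking (primary/secondary), owner and test plan, and each risk derives an inherent score from likelihood and impact and a residual score from the controls that actually tested effective. It then prioritizes the register and flags designs that rely only on secondary, detective or manual controls, tying together the Risk Assessment, Control Types and Primary vs. secondary controls passages. The 5x5 scales, the reliability weights, and the sample risks and controls are constructed assumptions.

```python
"""Toy risk control matrix (RCM) with inherent and residual scoring.
Constructed illustration: scales, reliability weights and sample risks
are assumptions, not COSO, OIG or Protiviti figures."""
from dataclasses import dataclass, field
from typing import List

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed fraction of risk one effective control removes. The ordering encodes
# the deck's point: automated preventive controls beat manual detective ones.
RELIABILITY = {
    ("preventive", "automated"): 0.9,
    ("preventive", "manual"): 0.7,
    ("detective", "automated"): 0.6,
    ("detective", "manual"): 0.4,
}


@dataclass
class Control:
    control_id: str
    description: str
    nature: str        # "preventive" or "detective"
    mode: str          # "automated" or "manual"
    ranking: str       # "primary" or "secondary"
    owner: str
    test_plan: str
    tested_effective: bool = True  # result of executing test_plan

    def reliability(self) -> float:
        # A control that failed its test plan contributes nothing.
        return RELIABILITY[(self.nature, self.mode)] if self.tested_effective else 0.0


@dataclass
class Risk:
    risk_id: str
    description: str
    assertion: str     # assertion or regulatory requirement addressed
    likelihood: str
    impact: str
    controls: List[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def remaining_fraction(self) -> float:
        # Controls are layered: each removes its share of whatever risk is left.
        remaining = 1.0
        for c in self.controls:
            remaining *= 1.0 - c.reliability()
        return remaining

    def residual_score(self) -> float:
        return round(self.inherent_score() * self.remaining_fraction(), 2)

    def findings(self) -> List[str]:
        # Design weaknesses a reviewer flags regardless of the numeric score.
        out = []
        if not any(c.ranking == "primary" and c.tested_effective for c in self.controls):
            out.append("no effective primary control")
        if not any(c.nature == "preventive" for c in self.controls):
            out.append("detective controls only")
        if not any(c.mode == "automated" for c in self.controls):
            out.append("manual controls only")
        return out


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Highest residual score first; ties broken by inherent score."""
    return sorted(risks, key=lambda r: (r.residual_score(), r.inherent_score()), reverse=True)


def build_sample_rcm() -> List[Risk]:
    """Constructed register: one OIG compliance risk and two revenue-cycle risks."""
    return [
        Risk("RC-01", "Vendor has no documented commitment to compliance",
             "OIG: written policies and procedures", "possible", "major", [
                 Control("C-01", "Vendor signs program contract committing to code of conduct",
                         "preventive", "manual", "primary", "Vendor",
                         "Obtain vendor code of conduct; review contract for signature")]),
        Risk("RC-02", "Unapproved price overrides on sales orders",
             "Revenue: accuracy", "likely", "major", [
                 Control("C-02", "Order system rejects overrides lacking manager approval",
                         "preventive", "automated", "primary", "Sales operations",
                         "Attempt an unapproved override in a test account"),
                 Control("C-03", "Monthly review of the price override report",
                         "detective", "manual", "secondary", "Controller",
                         "Inspect signed reviews for a sample of months")]),
        Risk("RC-03", "Manual journal entries posted without independent review",
             "Revenue: occurrence", "possible", "severe", [
                 Control("C-04", "Quarterly scan of manual entries over threshold",
                         "detective", "manual", "secondary", "Accounting",
                         "Reperform the scan for one quarter")]),
    ]


if __name__ == "__main__":
    for r in prioritize(build_sample_rcm()):
        print(r.risk_id, r.inherent_score(), r.residual_score(), r.findings())
```

Running the module prints the register in priority order. A control that fails its test plan drops to zero reliability, which both raises the residual score and triggers a finding, so a failed primary control stays visible even when a secondary control remains in place.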
Risk Response
- Identify risk responses
- Evaluate possible risk responses
- Select responses
- Portfolio view

Key points:
- Several responses are available
- Choices are strategic and tactical
- This makes risk management real to operators
Control Activities
- Integration with risk response
- Types of control activities
- General controls
- Application controls
- Entity-specific controls

Key points:
- Integral to risk response
- Similar to the Integrated Framework
- Emphasize preventive and systems-based controls
Information & Communication

Key points: similar to the Integrated Framework but with an expanded focus.
Monitoring

Key points: similar to the Integrated Framework but with an expanded focus.
There are a multitude of possible elements that make up an ERM solution; the COSO framework lists many of these elements.
Companies have different objectives, strategies, structure, culture, risk appetite and financial wherewithal; no two ERM solutions are alike.
The specific policies, processes, skill sets, reports, methodologies and systems comprising the elements of the solution for one company may differ from those of another company. Companies looking for off-the-shelf ERM solutions are setting themselves up for disappointment in terms of what they find or the results they get.
Recognize that ERM is a journey, not a destination, and requires a change process.
How will we know we are successful?

Know Your End Game: the journey can start with SOA. Drivers range from required (compliance) to voluntary (value contributed), each with an achievable goal and an emphasis.

Driver: Comply with SOA (required)
- Achievable goal: Implement Ongoing Compliance Structure
- Emphasis: reinforce process owner accountability; identify areas to address; comply with SOA

Driver: Other compliance (required; industry-specific, e.g., health care, FSI)
- Achievable goal: Improve Quality, Cost and Time
- Emphasis: improve quality; reduce costs; compress time; comply with other regulations

Driver: Value contributed (voluntary)
- Achievable goal: Protect and Enhance Enterprise Value
- Emphasis: improve governance; improve risk evaluation; improve strategy setting; achieve business objectives
deliver the information that the enterprise needs to achieve its objectives.
- Promotes process focus and process ownership
- Divides IT into 34 processes belonging to four domains and provides a high-level control objective for each
- Looks at the fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT
- Is supported by a set of over 300 detailed control objectives
[Figure: COBIT framework overview. Business Requirements drive IT Processes, which are carried out with IT Resources; the domains shown include Planning and Acquiring & Implementing.]
COBIT Cube
- Information Criteria
- IT Processes: Domains, Processes, Activities
- IT Resources: People, Application Systems, Technology, Facilities, Data
COBIT Objectives mapped to COSO components under Section 404

COBIT domains: Plan and Organize; Acquire and Implement; Deliver and Support; Monitor and Evaluate
COSO components: Control Environment; Risk Assessment; Control Activities; Monitoring

Controls in IT are relevant to both the financial reporting and the disclosure requirements of Sarbanes-Oxley.
Competency in all five layers of COSO's framework is necessary to achieve an integrated control program.
Following is an illustrative approach for facilitating a change process. The objective is to craft a future goal state for risk management within the organization and sustain the journey toward realizing that goal:
1. Define Project Scope
2. Create ERM Vision
3. Build ERM Business Case
4. Manage ERM Journey
5. Continuously Improve ERM Capabilities
Define Project Scope:
- Articulate the problem to be solved (the business motivation)
- Define the project sponsor
- Organize a working committee of senior executives
Create ERM Vision:
- Define the risk management vision, goals and objectives
- Define the future goal state
- Understand the journey elements needed to make the future state happen: foundation elements, process elements, enhancement elements
Journey elements:
- Foundation elements
- Process elements: design/implement capabilities; continuously improve
- Enhancement elements: quantify multiple risks enterprise-wide; improve enterprise performance; establish sustainable competitive advantage

A journey element consists of the processes, people, reports, methodologies, technology, or a combination thereof, integrated within the ERM solution to achieve the expected outcomes specified in the business case.
Benefits:
- Increase chances of identifying all key risks
- Enable people from multiple disciplines to focus on issues faster

[Figure: matrix of journey elements against ERM components. Columns: process elements (design/implement capabilities; continuously improve) and enhancement elements (quantify multiple risks enterprise-wide; improve enterprise performance; establish sustainable competitive advantage). Rows: Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring.]
Build ERM Business Case:
- Articulate the ERM vision, including the desired journey elements and expected outcomes
- Describe the overall effort
- Analyze the related costs and benefits and provide the economic justification for going forward
- Provide a context for monitoring progress over time
Manage ERM Journey: organize the ERM journey to understand and respond to sponsor expectations, address change issues, manage journey risks/constraints and communicate relevant messages often.
- Develop a journey management plan, laying out the appropriate sequence of elements
- Monitor journey performance
- Assess journey impact
- Manage discrete projects to deliver the journey elements according to the selected priority and appropriate sequence
Continuously improve capabilities to move the company up the capability maturity curve