
Using Risk Management Frameworks

Lawrence Lake, Managing Director, Protiviti Inc.

What are Risk Management Frameworks and Why have them? What is a Risk Control Matrix, COSO, COBIT, Risk Universe, Key Controls, Critical Controls?
Using them in SOA, ERA or Revenue Cycle

2003 Protiviti Inc.

Business risks are greater today than ever

Globalization means increased exposure to international events
Need for efficiencies, innovation and differentiation to compete
We now know the unthinkable can happen
Financial reporting is now a risk area
Application is uneven at companies applying EWRM
We live in unpredictable times

Why is business risk a priority?

Points of view from a recent survey:
Many executives see an array of ever-increasing business risks
Business risk management practices require improvement
Substantial revisions in business risk management have either been made or will be made
Senior executives want more confidence that all potentially significant risks are identified and managed


Source: FEI survey

Gartner reveals top five business issues

Cost constraints
Security of data and privacy
Stakeholder returns
Managing business risk
Innovation


The Gartner Group, based upon interviews and surveys

Key indicators of need


Management wants increased confidence that all potentially significant risks are identified and managed
Key decisions are made without a systematic evaluation of risk and reward trade-offs
Risk management isn't integrated with strategic and business planning
Risks are not systematically identified, sourced, measured and managed
Units of the organization are managing similar risks differently
Inability to measure performance on a risk-adjusted basis
Capital investment process requires improvement

Increasing demands for more information relating to risks and internal controls from the board and investors

A common framework will accelerate progress

We need a common language
We need criteria against which to benchmark

Now we can communicate more effectively


Familiarity of concepts is useful
Application guidance is a critical piece
Issuance of framework is only the beginning


Traditional Risk Universe Framework


Risk Control Matrix


Columns: Regulation | Risk Category | Regulatory guidance | Control Description | Program Type | Owner | Control Ranking | Tested (Y/N) | Test Plan

Regulatory Control Example - Written Policies and Procedures (OIG)
Regulation: OIG
Risk Category: Implementing Written Policies and Procedures
Regulatory guidance: Develop and distribute written standards of conduct, as well as written policies, procedures, and protocols that verbalize the company's commitment to compliance. (section C)
Control Description: Vendor commitment to compliance is documented in written code of conduct document. Vendor sign off on program contract specifying intention to comply with TAP internal guidelines and code of conduct.
Program Type: General; Pharmaceutical Manufacture
Owner: Vendor
Control Ranking: Primary; Secondary
Tested (Y/N):
Test Plan: Obtain copy of vendor compliance documentation (e.g., code of conduct); Review contract with vendor to ensure contract exists specifying requirements and vendor signature occurs


Control Levels

Entity-level Controls
Entity-level controls are those controls that management relies upon to establish the appropriate tone at the top relative to financial reporting. An entity-level assessment for each control entity should be conducted as early as possible in the evaluation process.

Process-Level Controls
Process-level controls are usually directly involved with initiating, recording, processing or reporting transactions.

General IT and Application Controls
General IT controls typically impact a number of individual applications and data in the technology environment. Application controls relate primarily to the controls programmed within an application that can be relied upon to mitigate business process-level risks.


Control Levels Examples of Entity-Level Controls


COSO Component / Attributes

Control Environment: Integrity and ethical values; Commitment to competence; Board of Directors or Audit Committee; Management's philosophy and operating style; Organizational structure; Assignment of authority and responsibility; Human resource policies and procedures

Risk Assessment: Entity-wide objectives; Activity-level objectives; Risk identification; Managing change

Control Activities: Policies, procedures, and actions to address risks to achievement of stated objectives

Information and Communication: External and internal information is identified, captured, processed and reported; Effective communication down, across, up the organization

Monitoring: Ongoing monitoring; Separate evaluations; Reporting deficiencies

Application: Address attributes for each COSO component -- for each attribute, evaluate appropriate points of focus, as illustrated below for ONE attribute, Human Resource Policies and Procedures.

Points of Focus:
Is there a process for defining the level of competence needed for specific jobs, including the requisite knowledge and skills?
Are there human resource policies and processes for acquiring, recognizing, rewarding, and developing personnel in key positions?
Is the background of prospective employees checked and references obtained?
Are performance expectations clearly defined and reinforced with appropriate performance measures?
Are employee retention, promotion and performance evaluation processes effective?
Is the established code of conduct reinforced and disciplinary action taken when warranted?
Are everyone's control-related responsibilities clearly articulated and carried out?

Source: Section 404 FAQs, Question 40.

Control Types

Manual vs. System-based controls


Manual controls predominantly depend upon the manual execution by one or more individuals.
Automated controls predominantly rely upon programmed applications or IT systems to execute a step or perhaps prevent a transaction from occurring without manual decision or interaction.

There are also system-dependent manual controls, e.g., controls that are manual (comparing one thing to another) but where what is being compared is system-generated and not independently corroborated; the manual control is therefore dependent on the reliability of system processing.

Preventive vs. Detective controls

Preventive controls, either people-based or systems-based, are designed to prevent errors or omissions from occurring and are generally positioned at the source of the risk within a business process.
Detective controls are processes, either people-based or systems-based, that are designed to detect and correct an error (or fraud) or an omission in a timely manner prior to completion of a stated objective (e.g., beginning the next transaction processing cycle, closing the books, preparing final financial reports, etc.).


Control Reliability

As transaction volumes increase and calculations become more complex, systems-based controls are often more reliable than people-based controls because they are less prone to mistakes than human beings, if designed, operated, maintained and secured effectively.
A shift toward an anticipatory, proactive approach to controlling risk requires greater use of preventive controls than the reactive find-and-fix approach embodied in a detective control.

Control types ranked from MORE RELIABLE/DESIRABLE to LESS RELIABLE/DESIRABLE:
Systems-Based, Preventive Control
Systems-Based, Detective Control
People-Based, Preventive Control
People-Based, Detective Control

NOTE: The above framework is intended to apply to process-level controls. It does not always apply at the entity-level, e.g., the internal audit function.

Effectively designed controls that prevent risk at the source free up people resources to focus on the critical tasks of the business

What is a Critical Control?


Definitions:
KEY CONTROL: An activity or task performed by management or other personnel designed to provide reasonable assurance regarding the achievement of certain objectives as well as mitigating the risk of an unanticipated outcome. Significant reliance is placed upon this control's effective design and operation. Upon failure of the key control, the risk of occurrence of an undesired activity would not be mitigated regardless of other controls identified. In other words, reasonable assurance of achieving the process objectives could not be obtained.

CRITICAL CONTROL: The FIRST subset of key controls; these controls have a pervasive impact on financial reporting (segregation of duties, system and data access, change controls, physical safeguards, authorizations, input controls, reconciliations, review process, etc.) and have the most direct impact on achieving financial statement assertions. Upon failure of a critical control, the risk of occurrence of an undesired activity would not be mitigated regardless of other controls identified within ANY process. Failure of critical controls would affect the ability of management to achieve not only process objectives, but also the company's financial statement objectives.

Control Types
Primary vs. secondary controls
Primary controls are controls that are especially critical to the mitigation of risk and the ultimate achievement of one or more financial reporting assertions for each significant account balance, class of transactions and disclosure; these are the controls that managers and process owners primarily rely on.
Secondary controls are important to the mitigation of risk and the ultimate achievement of one or more financial reporting assertions, but are not considered critical by management and process owners; while these controls are significant, there are compensating controls that also assist in achieving the assertions.

Controls over routine processes vs. controls over non-routine processes


Controls over routine processes are the manual and automated controls over transactions.
Controls over non-routine processes are the manual and automated controls over estimates and period-end adjustments; these controls often address the greatest risks in the financial reporting process and are most susceptible to management override.


Control Levels Examples of Common Process-Level Control Activities


Pervasive Process-Level Controls*
Establish and communicate objectives
Authorize and approve
Establish boundaries and limits
Assign key tasks to quality people
Establish accountability for results
Measure performance
Facilitate continuous learning
Segregate incompatible duties
Restrict process system and data access
Create physical safeguards
Implement process/systems change controls
Maintain redundant/backup capabilities

Specific Process-Level Controls**
Obtain prescribed approvals
Establish transaction/document control
Establish processing/transmission control totals
Establish/verify sequencing
Validate against predefined parameters
Test samples/assess process performance
Recalculate computations
Perform reconciliations
Match and compare
Independently analyze results for reasonableness
Independently verify existence
Verify occurrence with counterparties
Report and resolve exceptions
Evaluate reserve requirements

* Controls affecting multiple processes, including entity-level and general IT controls
** Controls specific to a process, including programmed application controls

What is the COSO ERM Framework?


SOA and the COSO Framework


Complying with SOA Section 404 in the Context of the COSO Framework
The COSO Framework is recommended by the SEC as an accepted internal control framework to guide corporate compliance with SOA 404. COSO requires an entity-level (or tone at the top) internal control focus and an activity or process level focus (the right side of the cube), with the three objectives of effectiveness and efficiency of operations (including safeguarding of assets), reliability of financial reporting, and compliance with applicable laws and regulations (across the top of the cube). Our approach captures the five components of internal control: the control environment, risk assessment, control activities, information/communication, and monitoring.


The COSO ERM Framework

Began over four years ago
COSO concluded a broadly recognized common structure for ERM is needed
Framework developed through input from many sources, including members of the five COSO organizations
Originally authored by PwC
COSO-appointed advisory council provided input and guidance to the process


The COSO ERM Framework

Was initiated in May 2001, before the events leading to The Sarbanes-Oxley Act of 2002
Speaks to many of the issues currently facing organizations:
How does an organization determine the appropriate level of risk for the value it seeks to create for stakeholders?
How does an organization communicate its risk policy to stakeholders?
Final version released September 2004


The COSO ERM Framework

Details essential components and concepts of enterprise risk management for all organizations, regardless of size
Identifies the interrelationships between enterprise risk management and internal control
Is intended to be a comprehensive and holistic approach
Is intended for application across many sectors and organizations


ERM provides a pathway for supporting ongoing compliance AND moving beyond compliance
An enterprise-wide risk assessment process infuses the disclosure process with new risks in a more timely way as they emerge
ERM builds upon the disclosure infrastructure to broaden the focus on transparency beyond financial reporting
ERM instills the discipline needed to continuously improve risk management capabilities
The COSO ERM Framework:
Provides a much needed common language
Illustrates how ERM is built around the Internal Control Integrated Framework


The COSO Framework provides an understanding of the components of ERM

Enterprise Risk Management:
Is a process
Is effected by people
Is applied in strategy setting
Is applied across the enterprise
Is designed to identify potential events
Manages risks with risk appetite
Provides reasonable assurance
Supports achievement of objectives

[Figure: COSO ERM cube. Objective categories across the top: Strategic, Operations, Reporting, Compliance. Components down the face: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring. Organizational levels on the side: Entity-Level, Division, Business Unit, Subsidiary.]


Source: COSO proposed ERM Framework


The COSO ERM Framework Internal Environment


Risk management philosophy
Risk culture
Board of directors
Integrity and ethical values
Commitment to competence
Management's philosophy and operating style
Risk appetite
Organizational structure
Assignment of authority and responsibility
Human resources policies and practices

Key points:
Reinforces control environment
Adds key risk elements


Source: COSO proposed ERM Framework


The COSO ERM Framework Objective Setting


Strategic objectives
Related objectives
Selected objectives
Risk appetite
Risk tolerance

Key points:
Integration with strategic management
Integration with business planning (operations)
Integration with performance measurement
Integration with compliance function


Source: COSO proposed ERM Framework


The COSO ERM Framework Event Identification


Events
Factors influencing strategy and objectives
Methodologies and techniques
Event interdependencies
Event categories
Risks and opportunities

Key points:
Focus on objectives
Need a common language
Group into families
Understanding interdependencies is foundation for model building


Source: COSO proposed ERM Framework


The COSO ERM Framework Risk Assessment


Inherent and residual risk
Likelihood and impact
Methodologies and techniques
Correlation

Key points:
Focus on events
Need a common process
Correlations enable more effective measurement


Source: COSO proposed ERM Framework


Prioritize Risks


The COSO ERM Framework Risk Response


Identify risk response
Evaluate possible risk responses
Select responses
Portfolio view

Key points:
Several responses available
Choices are strategic and tactical
This makes risk management real to operators


Source: COSO proposed ERM Framework


The COSO ERM Framework Control Activities


Integration with risk response
Types of control activities
General controls
Application controls
Entity specific

Key points:
Integral to risk response
Similar to integrated framework
Emphasize preventive and systems-based controls


Source: COSO proposed ERM Framework


The COSO ERM Framework Information & Communication


Information
Strategic and integrated systems
Communication

Key points:
Similar to integrated framework but expanded focus


Source: COSO proposed ERM Framework


The COSO ERM Framework Monitoring


Separate evaluations
Ongoing evaluations

Key points:
Similar to integrated framework but expanded focus


Source: COSO proposed ERM Framework


The COSO ERM Framework: What's the message?

There are a multitude of possible elements that make up an ERM solution; the COSO framework lists many of these elements

Companies have different objectives, strategies, structure, culture, risk appetite and financial wherewithal -- no two ERM solutions are alike
The specific policies, processes, skillsets, reports, methodologies and systems comprising the elements defining the solution for one company may differ from another company
Companies looking for off-the-shelf ERM solutions are setting themselves up for disappointment in terms of what they find or the results they get


Recognize that ERM is a journey not a destination and requires a change process
Achievable Goal
Why do we need to begin our journey?
Where are we now?
How do we get there?
What elements need to be put in place?
What are the obstacles along the way?
What are the expected outcomes?
How will we know we are successful?

Risk management focus, scope and emphasis are often limited


Risk Management
Focus: Financial and hazard risks and internal controls
Objective: Preserve enterprise value
Scope: Treasury, insurance and operations involved
Emphasis: Financial and operations
Application: Selected risk areas, units and processes

Business Risk Management
Focus: Business risk and internal controls
Objective: Preserve enterprise value
Scope: Business managers accountable (risk-by-risk)
Emphasis: Management
Application: Selected risk areas, units and processes

Enterprise Risk Management
Focus: Business risk and internal controls
Objective: Create and preserve enterprise value
Scope: Strategy, people, process, technology and knowledge aligned to manage risk on an enterprise-wide basis
Emphasis: Strategy
Application: Enterprise-wide

CURRENT STATE CAPABILITIES (Risk Management, Business Risk Management) to FUTURE STATE VISION (Enterprise Risk Management)

Know Your End Game: The Journey can start with SOA

[Figure: staircase of DRIVERS, with Value Contributed on the vertical axis and Sustainability of the Control Structure / Time on the horizontal axis, running from Required (Section 404 Compliance) to Voluntary (Enterprise Risk Management). Labels along the climb: Implement Ongoing Compliance Structure; Improve Quality, Cost and Time; Protect and Enhance Enterprise Value.]

Steps, from the starting point upward:
Section 404 Compliance (Required) -- Comply with SOA; Comply with 302 and 404
Section 404 and 302 Integration / Self-Assessment (Industry: All) -- Reinforce process owner accountability; Identify areas to address; Comply with SOA
Other Compliance (Industry: Health care, FSI) -- Comply with other regulations
Operational Effectiveness and Efficiency (Industry: All) -- Improve quality; Reduce costs; Compress time
Enterprise Risk Management (Industry: All, Voluntary) -- Improve governance; Improve risk evaluation; Improve strategy setting; Achieve business objectives

COBIT's Control Framework


Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives
Promotes process focus and process ownership
Divides IT into 34 processes belonging to four domains and provides a high level control objective for each
Looks at fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT
Is supported by a set of over 300 detailed control objectives

Four domains: Planning; Acquiring & Implementing; Delivery & Support; Monitoring
Seven information criteria: Effectiveness; Efficiency; Availability; Integrity; Confidentiality; Reliability; Compliance

The CobiT Framework's Principles

Business Requirements

IT Processes

IT Resources


The CobiT Framework's Principles


COBIT Cube
Information Criteria
IT Processes: Domains, Processes, Activities
IT Resources: People, Application Systems, Technology, Facilities, Data


Sarbanes-Oxley, COSO and CobiT


IT controls should consider the overall governance framework to support the quality and integrity of information.

[Figure: COSO Components (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring) mapped against COBIT Objectives (Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate), with Section 404 and Section 302 as the Sarbanes-Oxley requirements the mapping supports.]

Controls in IT are relevant to both financial reporting and disclosure requirements of Sarbanes-Oxley.

Competency in all five layers of COSO's framework is necessary to achieve an integrated control program.

Implementing an ERM Framework What We Need?


Define and implement the ERM solution

Following is an illustrative approach for facilitating a change process. The objective is to craft a future goal state for risk management within the organization and sustain the journey toward realizing that goal.

Define Project Scope
Create ERM Vision
Build ERM Business Case
Manage ERM Journey
Continuously Improve ERM Capabilities


Define project scope

Define Project Scope

Articulate the problem to be solved (the business motivation)
Define project sponsor
Organize working committee of senior executives
Articulate current state
Inventory existing risk management initiatives


Create ERM vision

Create ERM Vision

Define risk management vision, goals and objectives
Define future goal state
Understand the journey elements needed to make the future state happen:
Foundation elements
Process elements
Enhancement elements


Identify the relevant journey elements

[Figure: EWRM Value Proposition, with INCREASING RISK MANAGEMENT CAPABILITIES from left to right.]

Categories of ERM Journey Elements
FOUNDATION ELEMENTS
Adopt common language
Establish oversight and governance
Assess risk and develop strategies

PROCESS ELEMENTS
Design/implement capabilities
Continuously improve

ENHANCEMENT ELEMENTS
Quantify multiple risks enterprise-wide
Improve enterprise performance
Establish sustainable competitive advantage

A journey element consists of the processes, people, reports, methodologies, technology, or a combination thereof, integrated within the ERM solution to achieve the expected outcomes specified in the business case

Examples of foundation elements


Adopt common language
Does the company have a common language for risks and risk management?
Possible journey elements: Risk model; Risk management glossary; Process classification scheme; Other relevant frameworks
Possible expected outcomes: Improved dialogue about risk and its sources, drivers or root causes; More organized process for sharing of information

Establish oversight and governance
Does the company have an effective oversight structure and governance overall?
Possible journey elements: Overall risk management policy; Top-down communications of risk management direction; Organizational oversight structure, with Board oversight; Risk management oversight committee(s) and management accountability; Designated senior executive responsible for risk management (i.e., a CRO); Integrated risk management and governance processes; Business risk management staff function
Possible expected outcomes: Achieve clarity as to risk management role, purpose and accountabilities; Get things done quicker by executives empowered to act

Possible expected outcomes (continued): Increase chances of identifying all key risks; Enable people from multiple disciplines to focus on issues faster

The companys selected journey elements build COSO ERM components


[Matrix: rows are the COSO ERM components (Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring); columns are the journey elements by category. An X marks where a journey element builds that component; the individual cell marks are not recoverable.]

Categories of ERM Journey Elements
FOUNDATION: Adopt common language; Establish oversight and governance; Assess risk and develop strategies
PROCESS: Design/implement capabilities; Continuously improve
ENHANCEMENT: Quantify multiple risks enterprise-wide; Improve enterprise performance; Establish sustainable competitive advantage

Build ERM business case

Build ERM Business Case

Articulate the ERM vision, including the desired journey elements and expected outcomes
Describe the overall effort
Analyze the related costs and benefits and provide the economic justification for going forward
Provide a context for monitoring progress over time


Manage ERM journey

Manage ERM Journey

Organize the ERM journey to understand and respond to sponsor expectations, address change issues, manage journey risks/constraints and communicate relevant messages often
Develop journey management plan, laying out the appropriate sequence of elements
Monitor journey performance
Assess journey impact
Manage discrete projects to deliver the journey elements according to the selected priority and appropriate sequence

Continuously improve ERM capabilities

Continuously Improve ERM Capabilities

Continuously improve capabilities to move the company up the capability maturity curve

