© 2016 CHAN Healthcare
Enterprise Risk Management – An Auditor’s Perspective
Central Iowa IIA Chapter Meeting – October 11, 2016
Survey
What is your current involvement with Enterprise Risk Management (ERM) in
your organization?
a) Highly involved
b) Involved to a limited degree
c) Not involved at all
What is Enterprise Risk Management?
“A structured, consistent and continuous process across the whole organization
for identifying, assessing, deciding on responses to and reporting on
opportunities and threats that affect the achievement of its objectives”*
In other words – Risk management without silos
*From “IIA Position Paper: The Role of Internal Auditing in Enterprise-Wide Risk Management” issued in January 2009
Advantages To Internal Audit Involvement
Gain insight into the organization’s strategy
Understand what Executive Management is most worried about
Establish ourselves as risk experts in the organization
Show that we can be part of the solution, not just identifying problems
Gain a “seat at the table”
Core Internal Audit Roles In Regard To ERM
Giving assurance on the risk management processes
Evaluating risk management processes
Giving assurance that risks are correctly evaluated
Evaluating the reporting of key risks
Reviewing the management of key risks
*From “IIA Position Paper: The Role of Internal Auditing in Enterprise-Wide Risk Management” issued in January 2009
Legitimate Internal Audit Roles With Safeguards
Maintaining and developing the ERM framework
Championing establishment of ERM
Developing ERM strategy for Board approval
Facilitating identification and evaluation of risks
Coaching Management in responding to risk
Coordinating ERM activities
Consolidated reporting on risks
*From “IIA Position Paper: The Role of Internal Auditing in Enterprise-Wide Risk Management” issued in January 2009
Roles Internal Audit Should Not Undertake
Setting the risk appetite
Imposing risk management processes
Management assurance on risks
Taking decisions on risk responses
Implementing risk responses on Management’s behalf
Accountability for risk management
*From “IIA Position Paper: The Role of Internal Auditing in Enterprise-Wide Risk Management” issued in January 2009
2016 State of Risk Oversight: An Overview of Enterprise Risk Management Practices – Enterprise Risk Management Initiative, North Carolina State University
57% of executives believe that the volume and complexity of risks have
changed “extensively” or “mostly” in the last five years; only 25% believe their
organization has a “complete formal enterprise risk management process in
place”
25% describe their organization’s level of risk management maturity as
“Mature” or “Robust”
50% reported no formal process to update their understanding of risks
70% reported that their organizations do not provide any guidelines or scales
for Management to assess risk probabilities or impacts
56% said that their organization’s risk management process is “not at all” or
“minimally” viewed as a proprietary strategic tool that provides unique
competitive advantage
Key Elements to an ERM Program
Board Ownership
Management Buy-In
Common Risk Framework and Language (e.g., COSO)
Methodology for measuring and quantifying risk
COSO ERM Framework
A “Portfolio” View of Risk
Measuring and Quantifying Risk
Magnitude (a.k.a. Impact, Criticality) – scale from Insignificant to Catastrophic
Likelihood (a.k.a. Probability) – scale from Highly Unlikely to Highly Probable
Velocity (a.k.a. Speed) – scale from Low to High
Addressing Black Swans
3 principal characteristics:
Unpredictable
Carry a massive impact
After the fact, we concoct an explanation that makes it appear less random, and more
predictable, than it was
Why incorporate into risk management?
Pace of change continues to accelerate
Uncertainty is the new normal
Could be blind spots in organizational planning
Help determine risk appetite
© 2016 CHAN Healthcare 14 14
Risk Response Options
Avoid
Exit a product line
Sell a division
Prohibit an activity
Reduce
Implement or enhance controls
Share
Insurance
Hedging
Outsourcing
Indemnification
Accept
*From the COSO ERM Framework
Example ERM Program
Getting Started
Enterprise Risk Management Charter
Board ownership of enterprise risks
Responsibilities for identifying, assessing and reporting on risks
Risk definitions and terminology
Measurement/ranking methodology
Reporting frequency and standards
Information sharing standards
Gaining Buy-In
Board approval of ERM charter
ERM Steering Committee of VPs/Senior VPs
Risk Council of Department Directors
Steering Committee and Risk Council contained broad membership, including
Strategy, Retail, Marketing, Supply Chain, Legal, Product Development,
Finance, IT and Business Continuity
Risk Capture
ERM process integrated with annual audit planning and annual strategic
planning
Survey sent to all Directors and above throughout the organization:
Asked to respond with at least one risk in each category: Strategic, Operations,
Reporting, Compliance
Asked to rank each risk from 1-5 on both Magnitude and Likelihood
In-person brainstorming conducted at staff meetings of Senior VPs and above
Risk Prioritization
Based on initial Magnitude/Likelihood rankings, Risk Council was asked to:
Agree on the top 5-7 enterprise risks
Determine the 3-5 black swans which were of the most concern
Identify other risks for inclusion on the “watch list” (i.e., risks where there was some
disagreement as to the Magnitude/Likelihood scoring, or where the volatility was so
great that the scoring could reasonably change in the near future)
Risk Council results were taken to ERM Steering Committee for validation
Upon Steering Committee validation, results reported to CEO and Board
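The Risk Capture and Risk Prioritization steps above describe a survey in which Directors score each risk from 1-5 on Magnitude and Likelihood, after which the Risk Council agrees on the top 5-7 risks and a watch list of risks whose scoring was contested or volatile. The following is an added example, not code from the deck or from CHAN Healthcare, that shows how those survey responses can be aggregated mechanically before the Council meets. The risk names, respondent names and scores are constructed sample data; the composite score (mean Magnitude times mean Likelihood), the use of standard deviation as a "disagreement" measure, and the high-magnitude/low-likelihood filter offered as a first cut at black-swan candidates are assumptions made for the example, not part of the deck's methodology.

```python
from collections import defaultdict
from statistics import mean, pstdev

# The four risk categories named in the deck's survey.
CATEGORIES = ("Strategic", "Operations", "Reporting", "Compliance")

# Constructed sample survey responses (hypothetical respondents and risks,
# not data from the deck): (respondent, category, risk, magnitude 1-5, likelihood 1-5)
SURVEY = [
    ("dir_finance", "Strategic",  "Payer contract loss",  5, 3),
    ("dir_it",      "Strategic",  "Payer contract loss",  4, 3),
    ("dir_ops",     "Strategic",  "Payer contract loss",  5, 4),
    ("dir_it",      "Operations", "EHR outage",           5, 2),
    ("dir_ops",     "Operations", "EHR outage",           4, 2),
    ("dir_finance", "Operations", "EHR outage",           3, 2),
    ("dir_it",      "Compliance", "PHI breach",           5, 3),
    ("dir_legal",   "Compliance", "PHI breach",           5, 4),
    ("dir_ops",     "Compliance", "PHI breach",           4, 4),
    ("dir_finance", "Reporting",  "Revenue misstatement", 3, 2),
    ("dir_legal",   "Reporting",  "Revenue misstatement", 2, 1),
    ("dir_ops",     "Reporting",  "Revenue misstatement", 4, 2),
    ("dir_it",      "Operations", "Ransomware",           5, 1),
    ("dir_ops",     "Operations", "Ransomware",           4, 5),
    ("dir_finance", "Operations", "Ransomware",           3, 2),
]


def missing_categories(responses, categories=CATEGORIES):
    """Return {respondent: [categories they gave no risk for]} so the survey
    owner can chase respondents who did not cover every category."""
    seen = defaultdict(set)
    for who, cat, *_ in responses:
        seen[who].add(cat)
    return {who: sorted(set(categories) - cats)
            for who, cats in seen.items() if set(categories) - cats}


def aggregate(responses):
    """Group responses by risk and compute mean Magnitude, mean Likelihood,
    a composite score (assumption: mean Magnitude * mean Likelihood) and a
    disagreement measure (assumption: the larger population std. dev. of the
    two scales). Rows are returned sorted by score, highest first."""
    scores = defaultdict(lambda: {"mag": [], "lik": []})
    category = {}
    for _, cat, risk, mag, lik in responses:
        if not (1 <= mag <= 5 and 1 <= lik <= 5):
            raise ValueError(f"score out of 1-5 range for {risk!r}")
        scores[risk]["mag"].append(mag)
        scores[risk]["lik"].append(lik)
        category[risk] = cat
    rows = []
    for risk, s in scores.items():
        m, l = mean(s["mag"]), mean(s["lik"])
        rows.append({
            "risk": risk,
            "category": category[risk],
            "magnitude": round(m, 2),
            "likelihood": round(l, 2),
            "score": round(m * l, 2),
            "disagreement": round(max(pstdev(s["mag"]), pstdev(s["lik"])), 2),
            "responses": len(s["mag"]),
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def prioritize(rows, top_n=5, disagreement_threshold=1.0):
    """Split aggregated rows into the top-N candidates for the enterprise risk
    list and a watch list of lower-ranked risks whose scoring was contested."""
    top = rows[:top_n]
    watch = [r for r in rows[top_n:] if r["disagreement"] >= disagreement_threshold]
    return top, watch


def black_swan_candidates(rows, min_magnitude=4.0, max_likelihood=2.0):
    """Heuristic first cut (assumption, not the deck's definition): risks rated
    high-magnitude but low-likelihood deserve a look as black-swan candidates."""
    return [r for r in rows
            if r["magnitude"] >= min_magnitude and r["likelihood"] <= max_likelihood]


if __name__ == "__main__":
    rows = aggregate(SURVEY)
    # The deck's Council picked 5-7; the sample only has five risks, so use 2 here.
    top, watch = prioritize(rows, top_n=2)
    print("Respondents missing a category:", missing_categories(SURVEY))
    print("Top risks:", [(r["risk"], r["score"]) for r in top])
    print("Watch list:", [(r["risk"], r["disagreement"]) for r in watch])
    print("Black swan candidates:", [r["risk"] for r in black_swan_candidates(rows)])
```

With the constructed data, "Ransomware" lands on the watch list because one Director rated its Likelihood 1 and another rated it 5: exactly the kind of scoring disagreement the deck says the Council should examine rather than average away.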
Risk Reporting
For the top enterprise risks:
Identify an owner at the executive level (VP or above)
Conduct an analysis of opportunities and threats related to the risk
Owner works with other members of Management to develop mitigating actions
Performance indicators are agreed to that will measure the effectiveness of the
mitigating actions
For the top black swans:
Gain a detailed understanding of the risk, including controls/metrics currently in place,
and prepare a summary document for Executive Management and the Board
Executive Management and Board identify any additional actions that need to be taken
Risk Monitoring
Quarterly Risk Council and ERM Steering Committee meetings to update risk
rankings as necessary
Quarterly reporting to Board, including the status of mitigating actions and a
quarter-over-quarter comparison of performance indicators
Practical Tips To Consider
Practical Tips For Those With Limited ERM Involvement
Assess the feasibility of tying annual audit planning with the ERM process
Compare audit plan against the top risks identified through ERM
Report on ERM risks through existing audits with an “Other Observations” or
“Recommendations” section
Consider a business continuity audit
Ask to sit in on ERM committee meetings
Practical Tips For Those With No ERM Involvement
Start small
Consider an audit of the company’s overall risk management framework
Incorporate corporate strategy discussions into annual audit planning
Build a knowledge base by asking enterprise risk questions on existing audits
Incorporate enterprise/strategic risk discussions into Audit Committee
presentations
Common ERM Roadblocks
A Culture That Frowns Upon Sharing Bad News
Obtain executive buy-in to champion the initiative
“We Don’t Have Time For This”
Start simple and build credibility over time
Duplication of Existing Efforts
Incorporate the results of existing risk frameworks (e.g., business continuity,
environmental health and safety, IT security) into ERM discussions
Inconsistent Understanding of Risk
Use the charter to establish a common risk language; continuously repeat and educate
Questions?
For more information, contact:
Ryan Willhite
Direct 515.643.7318
Mobile 913.221.2366
In accordance with applicable professional standards, some firm services may not be available to attest clients.
This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organization from
qualified advisers in your jurisdiction.
© 2016 Crowe Horwath LLP, an independent member of Crowe Horwath International crowehorwath.com/disclosure