corporate finance and internal audit
TRANSCRIPT
-
8/11/2019 Corporate Finance and Internal Audit
A Practical Approach to Risk Management
Financial Management Institute, Toronto Chapter
February 17 2010
Corinne Berinstein, BPT, MBA, MHSC, CA, CFI
Health Audit Services Team
Ontario Internal Audit Division
-
Contact Info:
Corinne Berinstein, BPT, MBA, MHSC, CA, CFI, Certificate in Risk Management (Canadian Health Care Association)
Senior Audit Manager
Health Audit Services Team
Ontario Internal Audit Division
Province of Ontario
Office: 416-327-7798
eMail: [email protected]
-
Basic Concepts
-
Outline
Objectives of today's session
Basic principles, concepts, definitions
A simple framework
Stocking your toolkit: education, job aids, templates
What are you going to do back in the office?
Q&As
A case: Let's practice!
-
Objectives
Give you a practical approach, framework and tools so
you can start implementing ERM when you get back to
the office.
Share some lessons learned. Share some tips and tricks.
Practice concepts and tools with a case study so that you
practice
-
Why do we need Risk Management?
"The only alternative to risk management is crisis management --- and crisis management is much more expensive, time consuming and embarrassing."
JAMES LAM, Enterprise Risk Management, Wiley Finance 2003
"Without good risk management practices, government cannot manage its resources effectively. Risk management means more than preparing for the worst; it also means taking advantage of opportunities to improve services or lower costs."
Sheila Fraser, Auditor General of Canada
-
Why bother with RM?
Increase risk awareness: What could affect the achievement of objectives? What could change? What could go wrong? What could go right?
Increase understanding of risk: sensitivities. What makes my risks increase/decrease/disappear?
Promote a healthy risk culture: It's safe to talk about risk. Open and transparent.
Develop a common and consistent approach to risk across the organization. Not intuition-based.
-
Why bother with RM?
Allows intelligent informed risk-taking.
Focuses efforts: helps prioritize. Top 10 list. Or top 3. Or
Is proactive, not reactive. Prepare for risks before they happen. Identify risks and develop appropriate risk mitigating strategies.
Improve outcomes: achievement of objectives (corporate, clinical, etc.)
Really comes down to simple good management
Enables accountability, transparency and responsibility
And may even mean survival
-
Threats and opportunities
Threat: a risk that may HINDER the achievement of objectives
Opportunities: a risk that may HELP in the achievement of objectives
Interest rates
Foreign exchange rates
Supply of service/product/resources
Demand/uptake for service/product/resources
The economy
The weather
The stock market
-
Interactive Session #1: 10 minutes
Introduce yourselves to others at your table
Pick 1 risk: discuss it as both a threat and an opportunity
Report to the large group. Pick a spokesperson.
-
Definition of ERM
"...a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
Source: COSO Enterprise Risk Management - Integrated Framework. 2004.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO)
-
Enterprise vs Integrated Risk Management
Similarities:
  Formal process
  Consistent and systematic
  Includes projects, programs, operations
  Is embedded in key processes such as strategic planning, budgeting, project planning, evaluation, etc.
  Must be driven and supported by Leadership
  Adds value to decision-making
Differences:
Enterprise-wide:
  Is organizational-centric
  Success is defined as implementation over the entire organization
Integrated:
  Take a systems-focus
  May actually create risks for individual organizations
-
Risk Management Basics
Risk (uncertainty) may affect the achievement of objectives.
Effective mitigation strategies/controls can reduce negative risks or increase opportunities.
Residual risk is the level of risk after evaluating the effectiveness of controls.
Acceptance and action should be based on residual risk levels.
[Diagram label: INHERENT]
-
A Simple Framework
Step 1: Establish Objectives
Step 2: Identify Risks & Controls
Step 3: Assess Risks & Controls
Step 4: Evaluate & Take Action
Step 5: Monitor & Report
Communicate, learn, improve
-
Risk Management is critical to ALL levels of decisions
Decisions can be categorized into three types. The amount of risk (uncertainty) varies with the type of decisions. Most decisions are concerned with implementation.
[Figure: decision levels plotted against UNCERTAINTY]
Strategic: Strategic Decisions
Programme: Decisions transferring strategy into action
Project & Operational: Decisions required for implementation
The HM Treasury's The Orange Book
-
The relationship between IRM & MOHLTC's Complex Risk Environment
[Figure: three nested environments: External Risk Environment, MOHLTC Extended Enterprise, MOHLTC Risk Environment]
Labels in the figure: Laws & regulations; Capacity; The Economy; Corporate Governance Requirements; Stakeholder expectations; Political Outcomes; Public Perception; Other Ministries; Partner-Organizations; LHINs; Financial; Organizational; Governance; Human Resources; Information; Information Technology; Legal/Compliance; Operational; Strategic/Policy; Transfer Payment; Accountability & Governance
IRM cycle at the centre: Establish, Identify, Assess, Evaluate, Monitor, with Communication & Learning
-
Categorizing Risk: Comprehensive
1. Political or Reputational Risk
2. Financial Risk
3. Service Delivery or Operational Risk
4. People / HR Risk
5. Information/Knowledge Risk
6. Strategic / Policy Risk
7. Stakeholder Satisfaction / Public Perception Risk
8. Legal / Compliance Risk
9. Technology Risk
10. Governance / Organizational Risk
11. Privacy Risk
12. Security Risk
13. Equity Risk
14. Patient Safety (NEW)
-
Risk Prioritization: likelihood and impact
Likelihood of a risk event occurring
  Very High: Is almost certain to occur
  High: Is likely to occur
  Medium: Is as likely as not to occur
  Low: May occur occasionally
  Very Low: Unlikely to occur
Risk Impact: Level of damage that can occur when a risk event occurs
  Very High: Threatens the success of the project
  High: Substantial impact on time, cost or quality
  Medium: Notable impact on time, cost or quality
  Low: Minor impact on time, cost or quality
  Very Low: Negligible impact
-
Third dimension for rating risks - proximity
Immediate: now
Less than 6 months
Between 6-12 months
Between 12-24 months
Between 24-36 months
More than 36 months
-
Risk rating
Combining impact and likelihood
RISK PRIORITIZATION MATRIX
[Figure: matrix with IMPACT and LIKELIHOOD axes, each rated 1 to 5; RISK = I x L]
-
Risk reporting and communications
Risk Level: Action and Level of Involvement Required
Critical Risk: Inform Chief Executive Officer and Board of Directors. Immediate action required.
High Risk: Inform Chief Executive Officer. Strategy Team involvement/attention is essential to manage risks; provide report to Board as appropriate.
Moderate Risk: Management mitigation and ongoing monitoring required. Inform relevant Strategy Team members.
Low Risk: Accept, but monitor risks. Manage by routine procedures within the program and site.
-
Key Risk Indicators (KRIs) are linked to strategy, performance and risk
[Figure labels: Strategy & objectives; Performance; Risk; Cause; Consequence; KRI]
KRIs need to be linked to strategy, objectives and target performance levels, with a good understanding of the drivers to risk.
-
EXAMPLES OF KRIs
Human resource
  Average time to fill vacant positions
  Staff absenteeism/sickness rates
  Percentage of staff appraisals below satisfactory
  Age demographics of key managers
Information Technology
  Systems usage versus capacity
  Number of system upgrades/version releases
  Number of help desk calls
Finance
  Daily P&L adjustments (#, amt)
  Reporting deadlines missed (#)
  Incomplete P&L sign-offs (#, aged)
Legal/compliance
  Outstanding litigation cases (#, amt)
  Compliance investigations (#)
  Customer complaints (#)
Audit
  Outstanding high risk issues (#, aged)
  Audit findings (#, severity)
  Revised management action target dates (#)
Risk management
  Management overrides
  Limit breaches (#, amt)
-
Measure and report RM implementation progress
Excellent
  Advanced capabilities to identify, measure, manage all risk exposures within tolerances
  Advanced implementation, development and execution of ERM parameters
  Consistently optimizes risk adjusted returns throughout the organization
Strong
  Clear vision of risk tolerance and overall risk profile
  Risk control exceeds adequate for most major risks
  Has robust processes to identify and prepare for emerging risks
  Incorporates risk management and decision making to optimize risk adjusted returns
Adequate
  Has fully functioning control systems in place for all of their major risks
  May lack a robust process for identifying and preparing for emerging risks
  Performing good classical silo based risk management
  Not fully developed process to optimize risk adjusted returns
Weak
  Incomplete control process for one or more major risks
  Inconsistent or limited capabilities to identify, measure or manage major risk exposures
Source: Standard & Poor's
-
Progress to Date: ERM Report Card
Quality of Care and Patient Safety
Corporate Governance
Operation & Business Support
Reputation and Public Image
Human Resources and Staff Relations
Financial Resources
Information Systems and Technology
Physical Assets
Legal and Regulatory
Environmental Health and Safety
Policies
Standards
-
The Approach
Incorporates risk information into the strategic direction-setting, making decisions that consider established risk tolerance levels.
Takes a systems approach to managing risk at the strategic, operational and project levels which is continuous, proactive and systematic.
Fosters a working culture that values learning, innovation, responsible risk-taking and continuous improvement.
-
Your toolkit: education, job aids, templates
We wanted to add value not work. We developed forms and templates.
So we developed and delivered educational sessions usually attended by all team members. Included risk 101 and then time for the team members to discuss how to apply concepts to their work.
We assisted teams in actual risk assessments. Sometimes we used voting software.
We trained the trainer.
-
A Process for Embedding IRM
Columns: HAST Sessions; Components; Participant Outcomes

HAST Session: Risk 101 Presentation
Components (Introduction: Integrated Risk Management):
  Introduction to basic risk concepts and terminologies
  Introduction to the MOHLTC's Integrated Risk Framework
  Status of IRM in MOHLTC
  (Most effective when followed-up with facilitated risk assessment workshop or application to actual project)
Participant Outcomes:
  Understanding of risk management process
  Understanding of how risk management is relevant to their day-to-day work
  Knowledge of IRM in MOHLTC

HAST Session: Management IRM Planning Meeting
Components (Planning):
  Discuss best way to implement IRM in area
  Proposed IRM implementation plan presented for area
  Clarify roles & responsibilities for risk management
Participant Outcomes:
  Commitment to IRM implementation in area or stream of work
  Risk management roles and responsibilities clearly defined
  Review of IRM roll-out; timelines, deliverables, related forums
  Commitment to continuous risk communication & learning

HAST Session: Risk Assessment Workshop
Components (Facilitated Training: Identification of risks & mitigation strategies):
  Identification of objectives
  Brainstorming and identification of risks to meeting objectives (for project, branch, initiative, etc.)
  Identification of source, mitigation strategies, ownership and residual risk for each risk category
Participant Outcomes:
  Hands-on experience allowing assimilation of consistent risk management techniques
  Hands-on practice of IRM process, enabling application of risk management principles and tools to work
  Greater understanding of work and inter-dependencies

HAST Session: Risk Prioritization & Voting Workshop
Components (Facilitated Training: Assessment of mitigation strategies & prioritization):
  Review of risks, mitigation strategies and ownership
  Anonymous voting on the impact and probability of each risk
  Prioritization of risks on heat map
  Discussion of mitigation strategies for high priority risks
Participant Outcomes:
  Review of risks, mitigation strategies, ownership, residual risk to their work in a seamless manner
  Unbiased risk prioritization and identification of high risks
  Enables application of complete risk management process to every day work

HAST Session: Risk follow-up Session
Components (Monitoring & Review):
  Review of risks six months after initial assessment
  Review mitigation strategies and residual risks
Participant Outcomes:
  Review of risks and status
  Continuous improvement

[Figure, repeated beside the sessions: IRM cycle of Establish, Identify, Assess, Evaluate, Monitor, with Communication & Learning]
-
IRM RISKS AND CONTROLS
The following table describes the risks and mitigating controls and related information. As controls are implemented or changed, their status will be updated.
Risk Rating: Impact = significant, moderate or minor (S, M, m) and Likelihood = high, medium or low (H, M, or L)
Columns: ID Number; Responsible Org & Name (Implement/Operate); Risk; Control; Risk Rating (Impact); Risk Rating (Likelihood); Date Required; Status

Category: Financial
None in this category

Category: Equity
None in this category

Category: Service Delivery or Operational

ID Number: 064
Responsible Org & Name: Person A
Risk: 055 Insufficient knowledge transfer; 102 Conflicting management instructions
Control: Update impacted policies and procedures for integration into knowledge support tools. Harmonizing policies and procedures (e.g., access procedures: X has one and Y has one; there needs to be one process/policy/procedure).
Risk Rating (Impact): M
Risk Rating (Likelihood): M
Date Required: 31-Mar-09
Status: Refer to Privacy Action Plan Work on Ongoing Operations Commitments Report

ID Number: 065
Responsible Org & Name: Person B
Risk: 056 Lack of communication (Serious service delivery issues); 352 Different business and IT processes (incident management)
Control: (a) IT incident and Triage (harmonization between IT and Business). (b) X and Y need to develop an incident management process/service to deal with issues that arise during service delivery. Roles and responsibilities need to be defined in both organizations: from a stewardship perspective on the ministry side, and from a service delivery/reporting perspective on the agency side. The process/service ensures that incident/issues are communicated as per agreement requirements; well tracked and reported.
Risk Rating (Impact): M
Risk Rating (Likelihood): M
Date Required: 31-Mar-09
Status: (a, b) Refer to ongoing Operations IRM document
-
The Cyclist and the Risk Manager
-
Interactive Session #2: 15 minutes
Identify risks that the cyclist faces in cycling to work.
Report back.
-
Risk Factors: the cyclist
-
Risk Factors: the driver
-
Risks
Threats:
Death
Head Injury
Injury
Reputation
Financial
Damage to the bike
Sunburn/frost bite
Opportunities:
Exercise
Sunlight
Reputation
Financial
Role model
Environment
-
Mitigation Strategies for threats
Death, head injury, other injury: helmet, bright clothes, lights, bell, CANbike course, obeying traffic laws, positive attitude, anger management course
Reputation: great outfit, change of wrinkle-free clothes, shower, time management
Financial: high quality locks, beater, stopping at stop signs
Damage to the bike: regular maintenance, avoiding pot holes
Sunburn/frost bite: sunscreen, mittens, hats, token/change
Dehydration: filled water bottle
-
Keep it simple
-
Back at the office
Why is the organization interested in RM? What are they hoping will be achieved with its implementation?
Who is doing what? Roles & responsibilities must be clearly defined. Make sure Leadership supports RM and uses RM results to make decisions. Everyone is a risk manager. Make sure that all risks have owners and the responsibilities for mitigation are assigned.
How will it be implemented? What is your framework? What is the common language? How will risks be measured and reported?
Where will you start? Choices could be where you can most easily succeed or where it is needed the most or where interest is high.
When will it be implemented? It is a journey not a destination; 3-5 years for complete roll-out; how often will risks be assessed; when will mitigation plans be implemented and monitored; when will risks be reported.
-
Ask questions and develop your approach
Do we understand our major risks? Do we know what is causing our risks to increase, decrease or stay the same?
Have we assessed the likelihood and impact of our risks?
Have we identified the sources and causes of our risks?
How well are we managing our risks?
Are we trying to prevent the downside risks from happening? Or are we trying to simply recover from them?
Who is accountable for these risks?
How do we talk about risk? Do we have a common language across branches, across divisions, across the ministry, across the OPS, across the health care system?
Are we taking too much risk? Or not enough risk?
Are the right people taking the right risks at the right time?
What's our culture? Are we risk averse or are we risk-takers? Or are we somewhere in between?
-
TAKE SMALL BITES. IRM IMPLEMENTATION
-
Questions?
-
The case - You are responsible for Risk Management for:
Case 1: The Pan Am Games 2015
Case 2: The provincial response to the next Pandemic
Case 3: The extension of Hwy 404
Case 4: The rescue efforts in Haiti
Case 5: Human Resources in the Ontario Public Services
Case 6: A big teaching hospital in Toronto
-
The case
Consider the 13 categories of risk
Identify top 5 threats (downside) and top 5 opportunities (upside)
Propose mitigation strategies
Discuss how the following risk factors would affect your assessment:
  Economy
  Demographics
  Weather
  Technology
  Timing of events such as an election
  Others
-
Questions?