10/28/2021
© 2017 Clark Nuber all materials included Seek permission for republishing
Risk Management and Preparing your Organization for the Future
October 28, 2021
Pete Miller, CPA, CFE
Shareholder
[email protected] 425‐709‐6696
© 2020 Clark Nuber all materials included Seek permission for republishing
Pete Miller profile
• Northwest native
• Graduate of Western Washington University
• Joined Clark Nuber right out of school
• Current practice focus:
  • Shareholder in audit practice
  • Leader in forensic accounting/fraud investigation practice
  • Leader in IT security/privacy practice
  • Leader in Quality of Earnings practice
Table of Contents
• Grounding in risks
• Risk assessments
• Backdrop of COVID as a case study
• Discussion of current and future risks
Grounding in Risks
Risk:
“A situation or event involving exposure to either a gain or to danger, harm or loss.”
Organizational Risk:
“Events that can have a negative impact on your organization or on you as a board member”
Types of Risks
• Risk Management covers ALL types of risks:
  • Strategic
  • Financial
  • Operational
  • Technological
  • Compliance
  • Reputational
• Both risk of doing something damaging, or not doing something beneficial
COSO Framework
Risk Assessment
• Precondition to controls is identifying the risks
• Risks evolve over time
• Process for risk management
  • Likelihood of occurrence
  • Impacts to the organization
Control Environment
• “Tone at the top”
• Core to sound integrity and ethical values of the organization
• Foundation for all other components of internal control (the “umbrella”)
Control Activities
• Response to identified risks
• Occurs throughout the organization
• Two key aspects:
  • Policy of what should be done
  • Procedures to accomplish this policy
• Types of controls:
  • Preventive v. detective
  • Manual v. automated
  • IT general and application
Information and Communication
• Key elements of information systems
  • Identify
  • Capture
  • Process
  • Distribute
Monitoring
• Monitoring of controls
• Ongoing
  • Focus on deviations from norm
  • Leads to investigations or system changes
• Separate evaluations
  • Objective look at controls is needed
  • Internal audit can play a vital role
Risk Assessments
Risk Tolerance
• Some of us are risk averse and some are risk tolerant
• We cannot eliminate all risk, or we would never achieve anything
• Rather than avoid all risks, we should be trying to minimize the negative impact of the risks we take
• Not all risks are predictable. Some are unpredictable (e.g., a storm)
Risk and Reward
Elements of a good risk assessment
• The right sponsor/facilitator
• Independence and objectivity
• Good working knowledge of the business
• People from all levels
• Engendered trust
• Ability to think the unthinkable
• Consider high-risk issues, regardless of dollar value
• Plan to keep it alive and relevant
Elements of a good risk assessment (continued)
Package it right:
• Use the language of the business
• One size does not fit all
• Keep it simple
Assemble the right team:
• Diverse knowledge
• Skills (communication)
• Perspective
• Skeptical people
How to gather information:
• One-on-one interviews
• Focus groups
• Surveys
• Anonymous feedback
Obtain the sponsor’s agreement up front:
• Scope of what will be done
• Methods to use
• Participants
• Content of questioning
• Report format/distribution
Elements of a good risk assessment (continued)
Identify potential inherent risks:
• Incentives, pressures, opportunities
• Management’s ability to override controls
• Regulatory and legal risk
• Reputation
• Risk to IT
Build a heat map:
• Assess the likelihood of occurrence of identified risks
• Assess the significance of identified risks
• Identify and consider mitigation factors
• Establish an acceptable level of risk tolerance
• Calculate potential loss and rank each
Risk Assessment Matrix/Heat Map
Risk Response
Avoidance
• Dispose of program
• Decide not to engage in new program/initiative
Share the Risk
• Buy insurance
• Joint venture
• Hedge risk
Reduction of Risk
• Diversify/rebalance
• Limits of involvement
Acceptance
• Self insure
• Accept risk that meets organization’s risk tolerance