risk assessment workshop
TRANSCRIPT
![Page 1: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/1.jpg)
1
![Page 2: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/2.jpg)
Objective
2
To: • Identify your chief goals and objectives • Identify risks • Prioritize the risks to achieving objectives • Determine which controls/processes to review
In order to:
Develop an effective Internal Control Plan by application of the Enterprise Risk Management (ERM) process
![Page 3: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/3.jpg)
Agenda
What is (Enterprise Risk Management) ERM? The ERM Framework Objective Setting Navigating Risk Identifying Controls to Mitigate Risk Information & Communication Monitoring The Internal Control Plan Summary 3
![Page 4: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/4.jpg)
ERM
What is ERM? Enterprise Risk Management (ERM) coordinates controls to mitigate risks that could keep you from achieving your objectives.
4
![Page 5: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/5.jpg)
THE ERM FRAMEWORK
5
![Page 6: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/6.jpg)
We recommend the COSO* Integrated ERM Framework.
COSO’s Enterprise Risk Management (ERM) is a model structured to integrate risk management throughout an organization.
This ERM structure can help you align your mission and organizational roles within your department’s Internal Control Plan.
Employment of the ERM process, improves your ability to meet objectives by strategically addressing opportunities and vulnerabilities.
The ERM Framework
6 *Committee of Sponsoring Organizations (COSO)
![Page 7: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/7.jpg)
COSO’s ERM Integrated Framework
7
C.) Risk Management / Internal Controls
B.)
Organizational Roles
A.)
Mission Goals Objectives
Three levels:
![Page 8: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/8.jpg)
The ERM Framework Achievement of Goals/Objectives
• Strategy High-level goals, aligned with and supporting its mission
• Operations Effective and efficient use of its resources
• Reporting Reliability of reporting
• Compliance Conformity with applicable laws and regulations 8
Goals
![Page 9: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/9.jpg)
The ERM Framework
ERM coordinates organizational activity at all levels: • Department • Division • Bureau • Team
9
![Page 10: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/10.jpg)
The ERM Framework
Risks are considered through eight interrelated components of the framework.
10
![Page 11: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/11.jpg)
INTERNAL ENVIRONMENT
11
![Page 12: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/12.jpg)
The ERM Framework Internal Environment
Management Responsibilities: • Communicates the mission and goals • Conveys the importance of integrity, competence and internal controls • Provides structure • Train workforce Tone at the Top • Employees witness what their bosses are doing • Zero tolerance for unlawful, unethical,
or questionable behavior • Reward employees for integrating
personal and organizational loyalty Document It
(Policies and Procedures, Memos) Communicate It (Meetings, Trainings) Demonstrate It (Lead by Example) 12
![Page 13: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/13.jpg)
What’s your Mission?
13 • Tells the fundamental purpose of an organization • Specific to the principal reason an organization exists • Creates value
![Page 14: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/14.jpg)
Where do you see yourselves, as part of the mission?
14
![Page 15: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/15.jpg)
OBJECTIVE SETTING
15
![Page 16: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/16.jpg)
The ERM Framework Objective Setting • Objectives must exist before
management can identify potential events affecting their achievement.
• Have a process in place to set
objectives that support the entity’s mission and are consistent with its risk appetite.
16
![Page 17: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/17.jpg)
Objectives are based on goals
Goals are high level Objectives are :
pecific easurable
ttainable esults focused imely
17
![Page 18: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/18.jpg)
Prioritizing what you do
Finance and Administration determines and prioritizes goals for its business processes: What are the goals? What are the steps to achieve them? Which are most important?
18
![Page 19: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/19.jpg)
ACTIVITY
19
![Page 20: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/20.jpg)
Handout • Mission Statement: • My Business Area: • What I do: • Goal:
• Objectives (step toward the goal) • Objectives (step toward the goal) • Objectives (step toward the goal)
20
![Page 21: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/21.jpg)
21
![Page 22: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/22.jpg)
Risk Never Sleeps
22
• Risk is a fact of life; life constantly changes and is uncertain
• All management is essentially risk management
• Many risk management activities are well defined and accountability has been assigned
• Risks that have not been defined/assigned, may “slip between the cracks” and/or be managed inconsistently due to individual perceptions of the significance of the risk.
![Page 23: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/23.jpg)
Back to the Framework
23
Risk Management / Internal Controls
![Page 24: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/24.jpg)
RISK IDENTIFICATION
24
![Page 25: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/25.jpg)
The ERM Framework Event Identification • Internal and external events that impact achievement of
objectives must be identified, distinguishing between risks and opportunities.
• New opportunities are channeled back to management’s strategy or objective-setting processes
25
![Page 26: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/26.jpg)
Red Flags • Two Parts: • Risk Identification – Identify Risk • Identify the Red Flags • Red flags are indicators are activities that may indicate trouble
in any process. • These are best described as clues or hints that something
outside the norm is occurring or has occurred and that a closer look at an area or activity is required
• They are trigger points that something needs to be done
26
![Page 27: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/27.jpg)
Types of Risk
Internal Hazards
27
Natural Hazards
Cyber Threats
Fraud
![Page 28: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/28.jpg)
Harmon Tower, Las Vegas 28
![Page 29: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/29.jpg)
RISK ASSESSMENT
29
![Page 30: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/30.jpg)
The ERM Framework Risk Assessment • Risks are analyzed, considering likelihood/frequency and
impact as a basis for determining how they should be managed.
• Risks are assessed on an inherent and a residual basis.
30
![Page 31: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/31.jpg)
Risk Assessment: Likelihood/Frequency
Likelihood Comment
Probable The event is expected to occur in most circumstances.
Possible The event is more than remote but less than probable.
Remote The event may occur only in exceptional circumstances.
Can it happen? How often?
![Page 32: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/32.jpg)
32
Risk Assessment: Significance of Impact Significance Comment
Major Very significant impact that jeopardizes the ability to achieve objective.
Moderate Management gets involved with issue and focuses on completing it within a timely manner.
Low May not require attention of management. Process changes likely not required in response to risk occurrence.
![Page 33: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/33.jpg)
Risk Rating Interpretation
33
![Page 34: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/34.jpg)
34
GOAL: ________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________
HEAT MAP 1 2 3 4 5
5 5 10 15 20 25
4 4 8 12 16 20
3 3 6 9 12 15 To treat a risk, you can: • Avoid • Accept and Monitor • Reduce the Likelihood/Impact • Transfer the risk
Treatment must reflect the: • Risk appetite of your group • Amount of control you have • Values of the group, and • Be measurable, and time-limited
2 2 4 6 8 10
1 1 2 3 4 5
Risks: LIKELI- HOOD IMPACT YOUR
SCORE
GROUP SCORE (AVE)
COLOR
Risk 1
Risk 2
Risk 3
Risk 4
Risk 5
![Page 35: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/35.jpg)
RISK RESPONSE
35
![Page 36: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/36.jpg)
The ERM Framework Risk Response
36
Management decides per risk: Four responses avoid the risk
accept the risk
share the risk
reduce the risk
![Page 37: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/37.jpg)
CONTROL ACTIVITIES
37
![Page 38: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/38.jpg)
The ERM Framework Control Activities
Control activities help assure that risk responses are effectively carried out. These can be federal/state laws or your own policies and procedures. A. Preventive controls
Segregation of duties B. Detective controls
Exception reports, reconciliation
38
![Page 39: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/39.jpg)
Premise: Fires are unavoidable and unpredictable
but can be extinguished.
• Install fire extinguishers • Install alarms • Inspect them regularly • Add more as required • Report and remedy deficiencies
39
Control based approach
![Page 40: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/40.jpg)
40
Root Cause approach
Premise: Fires are predictable and avoidable. Fires are caused when combustible material is exposed to a source of ignition… • Track all instances of fires and analyze root cause • Eliminate sources of ignition • Eliminate combustible material • Ongoing risk assessments to identify and eliminate the root cause
![Page 41: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/41.jpg)
Control Activity Examples Risk Activity
Late payments Let system schedule the payment date
Use correct date stamp
Discounts missed Check Comptroller reports
Not built to spec
Vetting of vendors Project management Site inspections
![Page 42: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/42.jpg)
42 42
![Page 43: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/43.jpg)
43
How Controls Mitigate Risks
Controls do not make risks disappear • Too many, or ineffective controls, are evidence of poor
risk management • Control management – sometimes less is more
![Page 44: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/44.jpg)
44
When Do Controls Change?
• Changes in federal/state laws and regulations
• Existing procedures prove ineffective • Changes due to organizational
structure • Changes in agency priorities
![Page 45: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/45.jpg)
GROUP ACTIVITY
45
![Page 46: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/46.jpg)
Activity: Risk Modeling
Select a goal, then: Determine measurable objectives (What are the steps to get there?) Identify risk (What can prevent success?) Assess risk (How bad is it?) Control risk (What can be done about it & who is responsible?)
46
![Page 47: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/47.jpg)
Goal:
Objective:
Risk Red Flag Control
![Page 48: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/48.jpg)
Control Self-Assessments
National Association of State Comptrollers (NASC) Multi-State Consortium on Internal Control •Accounting System Section •Budgets and Planning Section •Buy American Act Section •Capital Assets Control Section •Cash Section •Control Environment Section •Davis-Bacon Act Section •Information Systems and Technology Section •Payables Section •Personnel and Payroll Section •Receivables Section •Risk Assessment Section
48
![Page 49: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/49.jpg)
INFORMATION & COMMUNICATION
49
![Page 50: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/50.jpg)
The ERM Framework Information & Communication • Relevant information is identified, captured, and
communicated in a form and timeframe that enable people to carry out their responsibilities.
• Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
50
![Page 51: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/51.jpg)
MONITORING
51
"Even a correct decision is wrong when it was taken too late." Lee Iacocca, Chrysler
![Page 52: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/52.jpg)
The ERM Framework Monitoring • The entirety of enterprise risk management is monitored and
modifications made as necessary. • Monitoring is accomplished through ongoing management
activities, separate evaluations, or both.
52
![Page 53: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/53.jpg)
53
![Page 54: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/54.jpg)
Monitoring • Schedule monitoring on a
regular basis.
• Test controls at least annually to determine whether they continue to be adequate and are still functioning as intended.
• Use program monitors, auditors and reviewers as a resource in monitoring controls.
54
![Page 55: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/55.jpg)
NEXT STEPS
55
![Page 56: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/56.jpg)
THE INTERNAL CONTROL PLAN
56
![Page 57: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/57.jpg)
• It’s the law • Great tool for new employees and auditors • Tells your unique story • Puts focus on the “Right Stuff” (day-to-day) • Promotes effectiveness and efficiency
All in Order To: Accomplish Your Goals and Objectives
Why Have an Internal Control Plan?
57
![Page 58: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/58.jpg)
Internal Control Plan
58
An effective Internal Control Plan is a high level, department-wide summarization of risks and controls for all of its business processes. It is supported by lower level detail, communicated throughout the department, and continuously monitored and updated. Each department’s internal control plan will be unique; however, it should be based on the same framework – the organization’s mission statement, goals and objectives, and components of internal control recommended by COSO.
![Page 59: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/59.jpg)
Internal Control Plan
It is not uncommon for the detailed policies and procedures to be modified due to changes in personnel, audit or quality assurance recommendations, etc.
An organization is a living entity which changes over time. As a result, the organization’s mission, goals and objectives must be regularly evaluated and periodically revised. Thus, internal control is an ongoing process known as the Internal Control Cycle. 59
![Page 60: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/60.jpg)
Why add Anti-Fraud plans to your Internal Controls?
According to the Association of Certified Fraud Examiners, (ACFE),in their 2010 Report to the Nations demonstrated that organizations that invested in Anti-Fraud Action plans halved their average median losses. Effective Anti-Fraud Action Plans included: • Hotlines • Employee Support Programs • Enforceable Codes of Conduct • Adherence to proper "Tone at the Top" • Fraud Training • Formal Segregation of Duties • Job Rotation
60
![Page 61: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/61.jpg)
What’s Not in the Plan … but?
• Detailed daily activities
• Every objective and risk event
• Detailed Risk Assessment – refer to
• Strategic Plan – refer to
• Policies and Procedures – refer to
• Disaster Recovery Plan – refer to
61
![Page 62: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/62.jpg)
SUMMARY
62
Where are we headed?
![Page 63: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/63.jpg)
Summary
• Evaluate mission and goals/objectives • Include all programs/activities
• Risk • ID events that threaten success • Assess • Respond
• ID controls to mitigate risk • Implement activities to support controls
Always Segregate Duties
63
![Page 64: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/64.jpg)
Put another way:
What are you trying to accomplish?
What could prevent you from doing that?
What policies & procedures could you put in place to decrease this risk?
Who else needs this information?
How can you tell if these policies are working? 64
![Page 65: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/65.jpg)
Next Steps – the Nitty Gritty • Establish and continuously update your internal controls
• Follow 0guidelines • Identify risks and how you mitigate them
• 5 elements must be addressed • Control environment – “tone at the top” • Risk assessment • Control activities • Information and communication • Monitoring
![Page 66: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/66.jpg)
Next Steps – the Nitty Gritty • A point person or group needs to be named to manage the
internal controls and be responsible for it • Update policies and procedures • Monitor changes in grant regulations • Communicate to program personnel • Follow up on all deficiencies
![Page 67: Risk Assessment Workshop](https://reader030.vdocument.in/reader030/viewer/2022012804/61bd25c461276e740b0fd866/html5/thumbnails/67.jpg)
Risk Never Sleeps Contact us @:
67