So You Have Your Baseline Risk Assessment For ERM, What Next?
San Antonio IIA – I Heart Audit Conference, February 2018

Speaker Profiles

Jody Allred, CPA, CITP, CISA, CGMA | Partner, Risk Advisory Services
16 years of experience in public accounting, a deep background in both financial statement audit and advisory services, and a passion for client service.

Dan Graves, CPA | Partner, Risk Advisory Services
12 years of public accounting experience, with a practice emphasis in risk assessment, internal audit, and business process improvement.

Today’s Agenda

► ERM Basics
  » What is ERM?
  » Risk assessment process
► What’s Next?
  » Creating a structure for continuous monitoring
  » Creating a risk register to manage risk
  » Internal Audit’s role
► Example of Effective Risk Management Structure
► Continuous Improvement and Implementation
  » ERM isn’t overnight
  » Implement in stages

ERM BASICS
Risk Definitions and Assessment Methods

Defining Risk Management

How Do COSO & ISO Define Risk Management?

COSO-ERM Framework: Enterprise Risk Management is a structured and coordinated entity-wide governance approach to identify, quantify, respond to, and monitor the consequences of potential events. Implemented by management, ERM is evaluated by the internal auditors for effectiveness and efficiency.

ISO 31000: The Risk Management Process is a systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring and reviewing risk.

Defining Enterprise Risk Management

ERM Seeks to Identify:

• The “Why” (root cause risk): Establishment of an ERM risk universe through which all organizational root cause risks are identified at their source
  • Allows users to develop the arsenal of actions to establish a plan to address a risk at its source and eliminates the fallacy that you can manage the consequence
• The “What” (risk identification description): Linking all risks to their root cause
• The “Where we need to be” (risk tolerance): Identifying the degree of future residual risk that is acceptable for every root cause risk, at all management levels

Defining Enterprise Risk Management

ERM Seeks to Identify, continued:

• The “Who” (risk owner and mitigation action owner): Attaching ownership to the correct root cause risks at every level of the organization
  • Ensures organizational structure is focused on exactly what employees can and should own, so there is no conflict between accountability and ability
• The “So What” (inherent risk – likelihood and impact)
• The “What are we going to do about it” (mitigation action plans)
• The “Who and by When” (mitigation due date): Mitigation action ownership and timeline
• The “Where are we” (current residual risk): Likelihood after mitigation actions

Enterprise Risk Management

ERM Approach

Risk Identification
• Identification of relevant risk factors

Risk Assessment
• Entity level risk assessment
• Process level risk assessment

Risk Response and Mitigation
• Development and confirmation of control activities
• Control rationalization and process documentation
• Embedding risk and control consciousness throughout the organization
• Internal audit over high risk operational, financial, and regulatory activities

Monitoring
• Periodic re-evaluation of risk factors and risk assessment
• Risk and control registers
• Continuous monitoring of critical risks and controls

The ERM approach begins with risk identification and assessment, then incorporates risk mitigation and monitoring activities.

Entity-Level Risk Assessment

| Risk Category | Average |
| --- | --- |
| General Risks | |
| Political and Social Risk | 2 |
| Regulatory Risk | 2 |
| Industry Risk | 2 |
| Economic Risk | 3 |
| Environmental Risk | 1 |
| Creditor/Investor Risk | 2 |
| Competition Risk | 3 |
| Management Risk | 2 |
| Planning and Budgeting Risk | 1 |
| Customer Risk | 3 |
| Supply Risk | 2 |
| Employee Risk | 2 |
| Operation Risks | |
| General | 2 |
| Product Line | 3 |
| Production Process | 2 |
| Facilities and Equipment | 2 |
| Investment | 1 |
| Cash Management | 1 |
| Receivables | 1 |
| Commitments and Contingencies | 1 |
| Financial Reporting | 1 |
| Information Processing | 2 |
| Internal Control | 1 |
| Defalcation Risk: Misappropriation of Assets | 2 |
| Fraudulent Financial Reporting Risk | |
| Management Characteristics | 1 |
| Operating Characteristics and Financial Stability | 1 |
| Industry-Specific Risks: Manufacturing Industry | 1 |
| Industry-Specific Risks: Distribution Industry | 2 |
| Industry-Specific Risks: Inventories | 2 |
| Industry-Specific Risks: Facilities and Equipment | 2 |

Process-Level Risk Assessment

WHAT’S NEXT
Creating a Structure for Continuous Monitoring

ERM as an Ongoing Process

► ERM is a continuous process that should be updated as changes in the operating environment occur:
  » Economic events continually impact financial, liquidity, and competition risk
  » Strategic risk should be re-evaluated for:
    » Launching new product or service offerings
    » Expanding into new markets
  » Risks and responses must be kept up-to-date to reflect the latest regulatory changes
► ERM should be independently owned in the organization to ensure:
  » Risks are embedded in the strategy-setting and decision-making processes of the organization
  » Monitoring activities are being performed and follow-up actions occur to ensure risks are properly identified and mitigated on an ongoing basis

Mapping Critical Enterprise-wide Risks

Identify the strategic objectives and major initiatives of the organization.
• Determine critical success factors for each objective
• Understand which KPIs managers are monitoring to meet business results and strategic objectives
• Perform root cause analysis to identify risk influencers (KRIs) that affect KPIs

Key Risk Indicators

KPIs
• Many organizations currently monitor key performance indicators (KPIs) in order to stay up-to-date on potential events
• According to COSO, KPIs may not provide enough advance notice. Often, KPIs alert management to risk events that have already impacted the organization

KRIs
• Key Risk Indicators (KRIs): Metrics developed by management to identify potential future shifts in risk conditions
• Using KRIs allows for more timely, strategic, and proactive development of risk mitigation strategies

Anatomy and Lifecycle of a Risk Event

ERM seeks to identify and address risks early in this lifecycle, instead of reacting to risk events after they have impacted the company.

Stage 1 - Root Cause Event Signal
• Factors/signals are present that create a high risk environment.
• Can be identified through monitoring of Key Risk Indicators (discussed in Monitoring section).

Stage 2 - High Risk Environment
• A high risk environment has resulted from the signals identified in Stage 1. High potential for root cause event.

Stage 3 - Root Cause Event
• An event occurs that creates potential for significant risks to be realized.

Stage 4 - Risk Realization and Consequence
• A significant risk event occurs, impacting the company.
• A snowball effect can occur, causing risks to multiply at this stage:
  • Reputation risk
  • Fraud risk

Stage 5 - Management / Mitigation
• Management evaluates outcome and establishes mitigation strategy to avoid future risk.

Anatomy and Lifecycle of a Risk Event

If the risk had been identified at the root cause signal stage through monitoring of Key Risk Indicators, the cause event may never have occurred, and the risk may never have been realized.

Stage 1 - Root Cause Event Signal
• Tire pressure is low

Stage 2 - High Risk Environment
• Flat tire

Stage 3 - Root Cause Event
• Car accident

Stage 4 - Risk Realization and Consequence
• Increased insurance cost
• Relegated to high risk pool
• Inability to negotiate terms

Stage 5 - Management / Mitigation
• Switch insurance providers
• Wait for accident to clear from record
• Take defensive driving
• Check tire pressure regularly

Example: KRI

• A company derives most of its earnings from manufacturing outdoor recreational products for younger adults.
• The company reviewed the recent census data and identified a steady rise in the average age of the nation’s adult population as a sign that its market for those products is shrinking.
• The aging population is considered an external, demographic risk event.
• Although the company may not feel the full impact of the risk for several years, the likelihood seems inevitable.
• The company cannot accept this risk; therefore, it begins to invest in research & development for new products that would appeal to older individuals.
• In response, the internal audit function would consider auditing research and development based on the significance of the risk factor and the impact on the company’s objectives.

Develop Risk Responses

When developing risk responses, Management:
• Considers alternative responses
  • Reduce: Implement mitigating controls
  • Accept: Take no positive action to mitigate the risk
  • Avoid: Stop engaging in any activity that creates the risk
  • Share: Share the risk with a third party; e.g., insurance policies
• Evaluates costs/benefits of available risk responses
• Analyzes whether risk responses appropriately reduce risk to a tolerable level
• Selects the most appropriate risk response based on risk appetite, risk tolerance, and evaluation of portfolio risk

Example Risk Register: KRIs and Risk Response Plan

Columns: Process | Process Risk Rating | Strategic Objectives | Risk Rating (EL): Likelihood, Impact, Velocity, Persistence, Overall | Direct Linked Risk Events | Risk Indicators | Monitoring Activities | Process Owner | Time Period (Now, Mid-Term, Long-Term) | Process Evaluation Experience | Expected Residual Risk (Risk Management Committee Rated) | Confirmed Residual Risk

Process (Process Risk Rating):
• Investor Relations (Low)
• Transportation Contract Initiation (High)

Strategic Objectives (both processes): Financial Stability, Price Efficiency, Low Cost Operations

Direct Linked Risk Events (rating):
• Commodity Price Volatility (High)
• Liquidity Management (Moderate-High)
• Financial Reporting (Moderate-High)
• Capital Market Health (Moderate-High)
• Public Perception of the Industry (Low)
• Public Perception of the Company (Low)
• Asset Concentration (High)
• Reliance on Midstream / Downstream Entities (Moderate-High)

Risk Indicators:
• Lack analyst coverage.
• Poor analyst or rating agency results.
• Stock price movement following press release.
• Transportation costs per unit increase.
• Increasing firm transport commitment with no corresponding increase in production for geographical area.

Monitoring Activities:
• C-Suite heavily involved in investor communications and press releases.
• Market reactions closely monitored.
• Contract review by multiple groups: operations, legal, marketing.
• Transportation cost metrics monitored.

Process Owner: VP Investor Relations; VP, Business Development

Time Period: Now; Now

Process Evaluation Experience: Internal Audit 2017, limited findings; Internal Audit 2016, limited findings

Risk Rating (EL) cells (Likelihood, Impact, Velocity, Persistence, Overall): Low, Low, High, Moderate, Low; Moderate, Moderate

Expected and Confirmed Residual Risk cells (positions not recoverable from the slide): Low-Moderate, Moderate, Low-Moderate, Low, Low-Moderate

Risk Management’s Role

• Establish and operate the enterprise risk management framework on behalf of the board.
• Incorporate the Internal Audit function and their monitoring activities into the risk management effort.
• Include Internal Audit’s input on the effectiveness of internal controls to evaluate residual risk.

Internal Audit’s Role

• Create tools and techniques used by internal audit to analyze risks and controls available to the RM function.
• Share knowledge, expertise, and methods for analyzing risks and controls with the RM function.
• Act as the central point for coordinating, monitoring and reporting on the effectiveness of internal controls.
• IA should participate in identifying and evaluating risk but not own the risk management responsibility.
• Support managers as they work to identify the best way to mitigate a risk.
• Provide consultation services that help management develop the controls to mitigate risk.

Internal Audit’s Role

Internal Audit’s core role with regard to ERM is to provide objective assurance to the board on the effectiveness of risk management.

Source: IIA Position Paper: The Role of Internal Auditing in Enterprise-wide Risk Management.

Benefits of an ERM-based Focus

• ERM approach ensures that critical risks and processes are linked to strategic objectives to ensure coverage of the “right risks”.
• Creates an awareness of risk across the entity that enhances collaboration between departments and cooperation with internal audit.
• Assists in engagement scoping to ensure that audit procedures are focused on key risks and strategic initiatives.
• Enhances the perception of the internal audit function as a trusted advisor that adds value to the organization.

ERM-based Audit Plan

Prioritize audit activities to ensure that strategically impactful risks and activities are reviewed.

80%
• Prioritize resources on the most significant risks in the Entity-wide and Process-level Risk Assessments
• Focus on Risk Response Plan activities will cover some compliance objectives

20%
• Compliance Obligations (FERPA, Uniform Guidance, PCI, HIPAA, etc.)
• New areas or changes that are outside of the Enterprise Risk Assessment

ERM-based Audit Plan

| Process | Key Risk Areas | Risk Rating | Summary Procedures |
| --- | --- | --- | --- |
| Planned Risk Based Internal Audits (80%) | | | |
| Advertising/Marketing | Reputation, Economic, Financial Stability | High | Internal Audit will include an evaluation of risks and internal controls in place related to the Organization's Advertising activities. Activities to be evaluated will include Market Analysis, Campaign Development, Quality Control Review, Publication Release, and Distribution. |
| Information Security | Information Technology, Business Environment | High | Internal Audit will include an evaluation of risks and internal controls in place related to the Organization's Information Security practices. Activities to be evaluated will include Internal and External Security, Logical Access, Physical Access, and Compliance with security and privacy requirements. |
| Disaster Recovery / Business Continuity Planning | Regulatory, Reputation, Operational | Moderate | Internal Audit will include an evaluation of the disaster recovery plan and procedures to restore Organizational data and operations in the event a disaster event occurs. Activities to be evaluated will include Disaster Identification, Scenario Planning, Resumption Planning and Periodic Testing. |
| Planned Internal Audit Follow-up | | | |
| Purchasing | Financial Stability, Economic, Operational | Moderate | Internal Audit will perform follow-up procedures on prior Internal Audit findings to ensure corrective action has been taken. |
| Human Resources | Human Capital, Demographic, Political | High | Internal Audit will perform follow-up procedures on prior Internal Audit findings to ensure corrective action has been taken. |
| Construction Management | Economic, Reputation, Regulatory | High | Internal Audit will perform follow-up procedures on prior Internal Audit findings to ensure corrective action has been taken. |
| Planned Compliance Internal Audits (20%) | | | |
| Data Privacy | Regulatory, Information Technology, Business Environment | Moderate | Internal Audit will include an evaluation of the Organization's controls in place related to customer data privacy and compliance with privacy regulations. Activities to be evaluated will include Data Collection, Data Entry, Data Storage (digital and manual), Data Security, and Data Transmission. |
| PCI Readiness | Regulatory, Information Technology, Reputation | Moderate | Internal Audit will include an evaluation of the Organization's controls and processes in place related to compliance with PCI DSS standards. Activities to be evaluated will include Data Storage and Retention, Network Security, Vulnerability Management, Policies and Procedures, and Network Scanning. |

Example Risk Register: Internal Audit Results (the same register as on the previous slide)

Internal Audit Coordination

Risk Management (assists in coordinating)
• Forward looking insight to inform the internal audit plan
• Proactively managing risk profiles
• Barometer for Management’s response to audit findings
• Assists with buy-in among departments for audit plan

Audit Committee (receives, approves, directs)
• Receives and approves the recommended audit plan and audit reports
• Directs Internal Audit when necessary to conduct audits or investigations

Internal Audit (plans, executes, reports)
• Conducts risk assessment and develops proposed IA plan
• Plans and executes internal audits from approved plan
• Coordinates execution of IA plan with Management
• Reports to Audit Committee

Risk Committee Activities – “Watch List”

| # | Issue | Description | Division Impacted (North, South, Corp) | Timeframe (Now, Med-Term, Long-Term) | Impact (Low, Med, High) | Updates | Impact (Low, Med, High) |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | Ability to contract quality work crews | Increased activity in the area by other operators has limited the availability of quality equipment and crews. | North, South | Now | Low | Reduced operational need for vertical crews reduced risk and led to removal of item | Low |
| 2 | Ability to contract quality equipment | Increased activity in the area by other operators has limited the availability of quality equipment and crews. | North, South | Now | Low | | Low |
| 3 | Competition for employees with industry experience | With prices stabilizing, competition is beginning to increase activity and recruit Company personnel. (2017 uptick in attrition driven in part by PE-backed start-ups; trend being monitored) | Corp | Now | Med | | Med |
| 4 | Competition for non-industry-specific employees | Low unemployment nationwide is creating demand for most employee skillsets in sectors outside industry. | All | Now | Med | | Med |
| 5 | Rising service costs | Service companies beginning to push back on low prices, with some price increases noted in 2018. (Pressure seems to be abating) | All | Now | Med | | Med |
| 6 | Political Environment | Federal, state, and local political actions or inactions that hamper Range's ability to operate in a timely and cost-effective manner. Beginning to see increased dialog in South. | All | Now | Med | | Med |
| 7 | Post production costs | Regulatory uncertainty on allowed post-production costs allocable to owners and increasing frequency of owner litigation and threatened litigation. | North | Now | Med | Legislative risk considered somewhat reduced. | High |
| 8 | Permits for critical business partners | All new transport lines on which company has committed capacity are now in service or in service dates with greater confidence. | North | Now | Med | | High |
| 9 | Permits for Company | Permits required for critical activities were received after lengthy process/delay. Approval timing is unpredictable. (Plan to remediate working, with 2018 permits largely in hand) | North | Now | Low | | Low |
| 10 | Safety Performance and Compliance | Continued focus on full implementation and improvement to the safety management system and safety training (policies, programs and practices). This includes heightened safety communication and focus in locations with reduced activity levels and/or organizational uncertainty. | All | Now | Med | Revised wording from Safety based on progress and status | Med |

ERM IMPLEMENTATION
Components of a Successful ERM Program

The Capability Maturity Model

Management needs to make the following decisions regarding ERM:
• Where are we, and where do we want to be?
• At what rate do we want to improve?
• Upon which risks do we focus our efforts for improvement?
• What resources are we willing to commit to risk management to ensure continuous attainment of objectives?

The Capability Maturity Model

Initial
• Ad hoc
• Undocumented
• Risk Management is not a defined process.
• Culture does not promote risk awareness or facilitate risk identification across the entity.

Repeatable
• Repeatable and sometimes consistent
• Limited process discipline
• Individual departments may do their own risk assessments
• May be some consistency in processes
• Little buy-in from top management, and the process is not implemented across the entity.

Defined
• Standard processes in place and documented
• Consistent
• Individual departments have mature, documented, consistent risk assessment processes, but there is little visibility of the results of these assessments at the Senior Management or Board level.
• Risk assessments are performed, but in silos, thus there is not a true "portfolio view" of risk.

Managed
• Management controls the “As-Is” process
• Can adapt process to projects
• Management has begun inventorying risk assessments and developing an entity-wide risk universe.
• Risk management is no longer siloed within the organization.
• Limited monitoring and reporting functions exist to provide proactive identification of KPIs and KRIs.

Optimizing
• Continual process improvement
• Management regularly revisits maturity goals and benchmarks progress against goals.
• KRIs and KPIs are consistently measured to gain a proactive view of risks facing the company.

A Phased Approach to ERM Implementation

What We’ve Found

It is a journey – not a destination.
Take time to embed ERM into the organization’s decision-making in order to reap the rewards.

Communicate and collaborate.
Ensure communication and collaboration across business units, senior management and the board.

Independence is key.
To effectively manage and monitor risk, ERM needs to be independent of other operational functions and needs to have the authority to foster change.

Do the upfront work.
Organizations that spend time upfront to identify, understand, manage, and navigate risk benefit from insights into risk influences that are strategic to the organization’s success.

Key Takeaways

► Key Components of a Successful ERM
  » Monitor KPIs and KRIs proactively
  » Establish goals for process maturity
  » Monitor results of ERM activities
    » Two effective tools for monitoring are surveys and the internal audit function
  » Implement effective reporting mechanisms
  » Communicate results of performance
  » ERM is an ongoing process. It’s a journey – not a destination

QUESTIONS & ANSWERS

Jody Allred, CPA, CITP, CISA, CGMA | Partner, Advisory Services
817.882.7750 | [email protected]

Daniel Graves, CPA | Senior Manager, Advisory Services
512.609.1913 | [email protected]