So You Have Your Baseline Risk Assessment For ERM, What Next? San Antonio IIA – I Heart Audit Conference February 2018


Page 1: So You Have Your Baseline Risk Assessment For ERM, What … 2... · Dan Graves, CPA Partner, Risk Advisory Services 12 years of public accounting experience, with a practice emphasis

So You Have Your Baseline Risk Assessment For ERM, What Next?

San Antonio IIA – I Heart Audit Conference, February 2018

Page 2

Speaker Profiles

Jody Allred, CPA, CITP, CISA, CGMA – Partner, Risk Advisory Services

Dan Graves, CPA – Partner, Risk Advisory Services
12 years of public accounting experience, with a practice emphasis in risk assessment, internal audit, and business process improvement

16 years of experience in public accounting, a deep background in both financial statement audit and advisory services, and a passion for client service.

Page 3

Today’s Agenda

► ERM Basics
  » What is ERM?
  » Risk assessment process

► What’s Next?
  » Creating a structure for continuous monitoring
  » Creating a risk register to manage risk
  » Internal Audit’s role

► Example of Effective Risk Management Structure

► Continuous Improvement and Implementation
  » ERM isn’t overnight
  » Implement in stages

Page 4

ERM BASICS

Risk Definitions and Assessment Methods

Page 5

Defining Risk Management

How Do COSO & ISO Define Risk Management?

COSO-ERM Framework: Enterprise Risk Management is a structured and coordinated entity-wide governance approach to identify, quantify, respond to, and monitor the consequences of potential events. Implemented by management, ERM is evaluated by the internal auditors for effectiveness and efficiency.

ISO 31000: The Risk Management Process is a systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring and reviewing risk.

Page 6

Defining Enterprise Risk Management

ERM Seeks to Identify:

• The “Why” (root cause risk): Establishment of an ERM risk universe through which all organizational root cause risks are identified at their source
  • Allows users to develop the arsenal of actions to establish a plan to address a risk at its source and eliminates the fallacy that you can manage the consequence

• The “What” (risk identification description): Linking all risks to their root cause

• The “Where we need to be” (risk tolerance): Identifying the degree of future residual risk that is acceptable for every root cause risk, at all management levels

Page 7

Defining Enterprise Risk Management

ERM Seeks to Identify, continued:

• The “Who” (risk owner and mitigation action owner): Attaching ownership to the correct root cause risks at every level of the organization
  • Ensures organizational structure is focused on exactly what employees can and should own, so there is no conflict between accountability and ability

• The “So What” (inherent risk – likelihood and impact)

• The “What are we going to do about it” (mitigation action plans)

• The “Who and by When” (mitigation due date): Mitigation action ownership and timeline

• The “Where are we” (current residual risk): Likelihood after mitigation actions

Page 8

Enterprise Risk Management

Page 9

ERM Approach

Risk Identification
• Identification of relevant risk factors

Risk Assessment
• Entity level risk assessment
• Process level risk assessment

Risk Response and Mitigation
• Development and confirmation of control activities
• Control rationalization and process documentation
• Embedding risk and control consciousness throughout the organization
• Internal audit over high risk operational, financial, and regulatory activities

Monitoring
• Periodic re-evaluation of risk factors and risk assessment
• Risk and control registers
• Continuous monitoring of critical risks and controls

The ERM approach begins with risk identification and assessment, then incorporates risk mitigation and monitoring activities.

Page 10

Entity-Level Risk Assessment

RISK CATEGORY                                        AVERAGE

GENERAL RISKS
  Political and Social Risk                          2
  Regulatory Risk                                    2
  Industry Risk                                      2
  Economic Risk                                      3
  Environmental Risk                                 1
  Creditor/Investor Risk                             2
  Competition Risk                                   3
  Management Risk                                    2
  Planning and Budgeting Risk                        1
  Customer Risk                                      3
  Supply Risk                                        2
  Employee Risk                                      2

OPERATION RISKS
  General                                            2
  Product Line                                       3
  Production Process                                 2
  Facilities and Equipment                           2
  Investment                                         1
  Cash Management                                    1
  Receivables                                        1
  Commitments and Contingencies                      1
  Financial Reporting                                1
  Information Processing                             2
  Internal Control                                   1

DEFALCATION RISK
  Misappropriation of Assets                         2

FRAUDULENT FINANCIAL REPORTING RISK
  Management Characteristics                         1
  Operating Characteristics and Financial Stability  1

INDUSTRY-SPECIFIC RISKS
  Manufacturing Industry                             1
  Distribution Industry                              2
  Inventories                                        2
  Facilities and Equipment                           2

Page 11

Process-Level Risk Assessment

Page 12

Process-Level Risk Assessment

Page 13

WHAT’S NEXT

Creating a Structure for Continuous Monitoring

Page 14

ERM as an Ongoing Process

► ERM is a continuous process that should be updated as changes in the operating environment occur:
  » Economic events continually impact financial, liquidity, competition risk
  » Strategic risk should be re-evaluated for:
    » Launching new product or service offerings
    » Expanding into new markets
  » Risks and responses must be kept up-to-date to reflect latest regulatory changes

► ERM should be independently owned in the organization to ensure:
  » Risks are embedded in the strategy-setting and decision-making processes of the organization
  » Monitoring activities are being performed and follow-up actions occur to ensure risks are properly identified and mitigated on an ongoing basis

Page 15

Mapping Critical Enterprise-wide Risks

Identify the strategic objectives and major initiatives of the organization.

• Determine critical success factors for each objective

• Understand which KPIs managers are monitoring to meet business results and strategic objectives

• Perform root cause analysis to identify risk influencers (KRIs) that affect KPIs

Page 16

Key Risk Indicators

KPIs
• Many organizations currently monitor key performance indicators (KPIs) in order to stay up-to-date on potential events
• According to COSO, KPIs may not provide enough advance notice. Often, KPIs alert management to risk events that have already impacted the organization

KRIs
• Key Risk Indicators (KRIs): Metrics developed by management to identify potential future shifts in risk conditions
• Using KRIs allows for more timely, strategic, and proactive development of risk mitigation strategies

Page 17

Anatomy and Lifecycle of a Risk Event

ERM seeks to identify and address risks in the early stages below … instead of reacting to risk events after they have impacted the company.

Stage 1 - Root Cause Event Signal
• Factors/signals are present that create a high risk environment.
• Can be identified through monitoring of Key Risk Indicators (discussed in Monitoring section).

Stage 2 - High Risk Environment
• A high risk environment has resulted from the signals identified in Stage 1. High potential for root cause event.

Stage 3 - Root Cause Event
• An event occurs that creates potential for significant risks to be realized.

Stage 4 - Risk Realization and Consequence
• A significant risk event occurs, impacting the company.
• A snowball effect can occur, causing risks to multiply at this stage:
  • Reputation risk
  • Fraud risk

Stage 5 - Management / Mitigation
• Management evaluates outcome and establishes mitigation strategy to avoid future risk.

Page 18

Anatomy and Lifecycle of a Risk Event

If the risk had been identified at the signal stage through monitoring of Key Risk Indicators … the cause event may never have occurred … and the risk may never have been realized.

Stage 1 - Root Cause Event Signal
• Tire pressure is low

Stage 2 - High Risk Environment
• Flat tire

Stage 3 - Root Cause Event
• Car Accident

Stage 4 - Risk Realization and Consequence
• Increased insurance cost
• Relegated to high risk pool
• Inability to negotiate terms

Stage 5 - Management / Mitigation
• Switch insurance providers
• Wait for accident to clear from record
• Take defensive driving
• Check tire pressure regularly

Page 19

Example: KRI

• A company derives most of its earnings from manufacturing outdoor recreational products for younger adults.

• The company reviewed the recent census data and identified a steady rise in the average age of the nation’s adult population as a sign that its market for those products is shrinking.

• The aging population is considered an external, demographic risk event.

Page 20

Example: KRI

• Although the company may not feel the full impact of the risk for several years, the likelihood seems inevitable.

• The company cannot accept this risk; therefore, it begins to invest in research & development for new products that would appeal to older individuals.

• In response, the internal audit function would consider auditing research and development based on the significance of the risk factor and the impact on the company’s objectives.

Page 21

Develop Risk Responses

When developing risk responses, Management:

• Considers alternative responses
  • Reduce: Implement mitigating controls
  • Accept: Take no positive action to mitigate the risk
  • Avoid: Stop engaging in any activity that creates the risk
  • Share: Share the risk with a third party; e.g., insurance policies
• Evaluates costs/benefits of available risk responses
• Analyzes whether risk responses appropriately reduce risk to tolerable level
• Selects most appropriate risk response based on risk appetite, risk tolerance, and evaluation of portfolio risk

Page 22

Example Risk Register – KRIs

Register columns: Process | Process Owner | Strategic Objectives | Direct Linked Risk Events | Risk Rating (EL): Likelihood, Impact, Velocity, Persistence, Overall | Process Risk Rating | Risk Indicators | Monitoring Activities | Time Period (Now, Mid-Term, Long-Term) | Process Evaluation Experience | Expected Residual Risk (Risk Management Committee Rated) | Confirmed Residual Risk | Risk Response Plan

Direct linked risk events and their entity-level ratings:
• Commodity Price Volatility – High
• Liquidity Management – Moderate-High
• Financial Reporting – Moderate-High
• Capital Market Health – Moderate-High
• Public Perception of the Industry – Low
• Public Perception of the Company – Low
• Asset Concentration – High
• Reliance on Midstream / Downstream Entities – Moderate-High

Process: Investor Relations
• Process Owner: VP Investor Relations
• Process Risk Rating: Low
• Risk Indicators: Lack analyst coverage. Poor analyst or rating agency results. Stock price movement following press release.
• Monitoring Activities: C-Suite heavily involved in investor communications and press releases. Market reactions closely monitored.
• Time Period: Now

Process: Transportation Contract Initiation
• Process Owner: VP, Business Development
• Process Risk Rating: High
• Risk Indicators: Transportation costs per unit increase. Increasing firm transport commitment with no corresponding increase in production for geographical area.
• Monitoring Activities: Contract review by multiple groups, operations, legal, marketing. Transportation cost metrics monitored.
• Time Period: Now

Strategic objectives listed for these processes: Financial Stability, Price Efficiency, Low Cost Operations.

Process evaluation experience: Internal Audit 2017, limited findings; Internal Audit 2016, limited findings.

Remaining rating values in the register, in extraction order: Low, Low, High, Moderate, Low, Moderate, Moderate, Low-Moderate, Moderate, Low-Moderate, Low.

Page 23

Risk Management’s Role

Establish and operate the enterprise risk management framework on behalf of the board.

Incorporate the Internal Audit function and their monitoring activities into the risk management effort.

Include Internal Audit’s input of the effectiveness of internal controls to evaluate residual risk.

Page 24

Internal Audit’s Role

• Create tools and techniques used by internal audit to analyze risks and controls available to the RM function.
• Share knowledge, expertise, and methods for analyzing risks and controls with the RM function.
• Act as the central point for coordinating, monitoring and reporting on effectiveness of internal controls.
• IA should participate in identifying and evaluating risk but not own the risk management responsibility.
• Support managers as they work to identify the best way to mitigate a risk.
• Provide consultation services that help management develop the controls to mitigate risk.

Page 25

Internal Audit’s Role

Internal Audit’s core role with regard to ERM is to provide objective assurance to the board on the effectiveness of risk management.

Source: IIA Position Paper: The Role of Internal Auditing in Enterprise-wide Risk Management.

Page 26

Benefits of an ERM-based Focus

• ERM approach ensures that critical risks and processes are linked to strategic objectives to ensure coverage of the “right risks”.

• Creates an awareness of risk across the entity that enhances collaboration between departments and cooperation with internal audit.

• Assists in engagement scoping to ensure that audit procedures are focused on key risks and strategic initiatives.

• Enhances the perception of the internal audit function as a trusted advisor that adds value to the organization.

Page 27

ERM-based Audit Plan

Prioritize audit activities to ensure that strategically impactful risks and activities are reviewed.

80%
• Prioritize resources on most significant risks in the Entity-wide and Process-level Risk Assessments
• Focus on Risk Response Plan activities will cover some compliance objectives

20%
• Compliance Obligations (FERPA, Uniform Guidance, PCI, HIPAA, etc.)
• New areas or changes that are outside of the Enterprise Risk Assessment

Page 28

ERM-based Audit Plan

Columns: Process | Key Risk Areas | Risk Rating | Summary Procedures

Planned Risk Based Internal Audits

Advertising/Marketing | Reputation; Economic; Financial Stability | High
  Internal Audit will include an evaluation of risks and internal controls in place related to the Organization's Advertising activities. Activities to be evaluated will include Market Analysis, Campaign Development, Quality Control Review, Publication Release, and Distribution.

Information Security | Information Technology; Business Environment | High
  Internal Audit will include an evaluation of risks and internal controls in place related to the Organization's Information Security practices. Activities to be evaluated will include Internal and External Security, Logical Access, Physical Access, and Compliance with security and privacy requirements.

Disaster Recovery / Business Continuity Planning | Regulatory; Reputation; Operational | Moderate
  Internal Audit will include an evaluation of the disaster recovery plan and procedures to restore Organizational data and operations in the event a disaster event occurs. Activities to be evaluated will include Disaster Identification, Scenario Planning, Resumption Planning and Periodic Testing.

Planned Internal Audit Follow-up

Purchasing | Financial Stability; Economic; Operational | Moderate
  Internal Audit will perform follow-up procedures on prior Internal Audit findings to ensure corrective action has been taken.

Human Resources | Human Capital; Demographic; Political | High
  Internal Audit will perform follow-up procedures on prior Internal Audit findings to ensure corrective action has been taken.

Construction Management | Economic; Reputation; Regulatory | High
  Internal Audit will perform follow-up procedures on prior Internal Audit findings to ensure corrective action has been taken.

Planned Compliance Internal Audits

Data Privacy | Regulatory; Information Technology; Business Environment | Moderate
  Internal Audit will include an evaluation of the Organization's controls in place related to customer data privacy and compliance with privacy regulations. Activities to be evaluated will include Data Collection, Data Entry, Data Storage (digital and manual), Data Security, and Data Transmission.

PCI Readiness | Regulatory; Information Technology; Reputation | Moderate
  Internal Audit will include an evaluation of the Organization's controls and processes in place related to compliance with PCI DSS standards. Activities to be evaluated will include Data Storage and Retention, Network Security, Vulnerability Management, Policies and Procedures, and Network Scanning.

Allocation: 80% / 20%

Page 29

Example Risk Register – Internal Audit Results

(Same register as shown on Page 22.)

Page 30

Internal Audit Coordination

Risk Management (Assists in Coordinating)
• Forward looking insight to inform the internal audit plan
• Proactively managing risk profiles
• Barometer for Management’s response to audit findings
• Assists with buy-in among departments for audit plan

Audit Committee (Receives, Approves, Directs)
• Receives and approves the recommended audit plan and audit reports
• Directs Internal Audit when necessary to conduct audits or investigations

Internal Audit (Plans, Executes, Reports)
• Conducts risk assessment and develops proposed IA plan
• Plans and executes internal audits from approved plan
• Coordinates execution of IA plan with Management
• Reports to Audit Committee

Page 31

Risk Committee Activities – “Watch List”

Columns: # | Issue | Description | Division Impacted (North, South, Corp) | Timeframe (Now, Med-Term, Long-Term) | Impact (Low, Med, High) | Updates | Impact (Low, Med, High)

1. Ability to contract quality work crews
   Description: Increased activity in the area by other operators has limited the availability of quality equipment and crews.
   Division: North, South | Timeframe: Now | Impact: Low | Updates: Reduced operational need for vertical crews reduced risk and led to removal of item | Impact: Low

2. Ability to contract quality equipment
   Description: Increased activity in the area by other operators has limited the availability of quality equipment and crews.
   Division: North, South | Timeframe: Now | Impact: Low | Updates: (none) | Impact: Low

3. Competition for employees with industry experience
   Description: With prices stabilizing, competition is beginning to increase activity and recruit Company personnel. (2017 uptick in attrition driven in part by PE-backed start-ups; trend being monitored)
   Division: Corp | Timeframe: Now | Impact: Med | Updates: (none) | Impact: Med

4. Competition for non-industry-specific employees
   Description: Low unemployment nationwide is creating demand for most employee skillsets in sectors outside industry.
   Division: All | Timeframe: Now | Impact: Med | Updates: (none) | Impact: Med

5. Rising service costs
   Description: Service companies beginning to push back on low prices, with some price increases noted in 2018. (Pressure seems to be abating)
   Division: All | Timeframe: Now | Impact: Med | Updates: (none) | Impact: Med

6. Political Environment
   Description: Federal, state, and local political actions or inactions that hamper Range's ability to operate in a timely and cost-effective manner. Beginning to see increased dialog in South.
   Division: All | Timeframe: Now | Impact: Med | Updates: (none) | Impact: Med

7. Post production costs
   Description: Regulatory uncertainty on allowed post-production costs allocable to owners and increasing frequency of owner litigation and threatened litigation.
   Division: North | Timeframe: Now | Impact: Med | Updates: Legislative risk considered somewhat reduced. | Impact: High

8. Permits for critical business partners
   Description: All new transport lines on which company has committed capacity are now in service or in service dates with greater confidence.
   Division: North | Timeframe: Now | Impact: Med | Updates: (none) | Impact: High

9. Permits for Company
   Description: Permits required for critical activities were received after lengthy process/delay. Approval timing is unpredictable. (Plan to remediate working, with 2018 permits largely in hand)
   Division: North | Timeframe: Now | Impact: Low | Updates: (none) | Impact: Low

10. Safety Performance and Compliance
   Description: Continued focus on full implementation and improvement to the safety management system and safety training (policies, programs and practices). This includes heightened safety communication and focus in locations with reduced activity levels and/or organizational uncertainty.
   Division: All | Timeframe: Now | Impact: Med | Updates: Revised wording from Safety based on progress and status | Impact: Med

Page 32

ERM IMPLEMENTATION

Components of a Successful ERM Program

Page 33

The Capability Maturity Model

Management needs to make the following decisions regarding ERM:

• Where are we, and where do we want to be?
• At what rate do we want to improve?
• Upon which risks do we focus our efforts for improvement?
• What resources are we willing to commit to risk management to ensure continuous attainment of objectives?

Page 34

The Capability Maturity Model

Initial
• Ad hoc
• Undocumented
• Risk Management is not a defined process.
• Culture does not promote risk awareness or facilitate risk identification across the entity.

Repeatable
• Repeatable and sometimes consistent
• Limited process discipline
• Individual departments may do own risk assessments
• May be some consistency in processes
• Little buy-in from top management and the process is not implemented across the entity.

Defined
• Standard processes in place and documented
• Consistent
• Individual departments have mature, documented, consistent risk assessment processes, but there is little visibility of the results of these assessments at the Senior Management or Board Level.
• Risk assessments are performed, but in silos, thus there is not a true "portfolio view" of risk.

Managed
• Management controls the “As-Is” process
• Can adapt process to projects
• Management has begun inventorying risk assessments and developing an entity-wide risk universe.
• Risk management is no longer siloed within the organization.
• Limited monitoring and reporting functions exist to provide proactive identification of KPIs, KRIs.

Optimizing
• Continual process improvement
• Management regularly revisits maturity goals and benchmarks progress against goals.
• KRIs, KPIs are consistently measured to gain a proactive view of risks facing the company.

Page 35

A Phased Approach to ERM Implementation

What We’ve Found

It’s a journey – not a destination.
Take time to embed ERM into the organization’s decision-making in order to reap the rewards.

Communicate and collaborate.
Ensure communication and collaboration across business units, senior management and the board.

Independence is key.
To effectively manage and monitor risk, ERM needs to be independent of other operational functions and needs to have authority to foster change.

Do the upfront work.
Organizations that spend time upfront to identify, understand, manage, and navigate risk benefit from insights into risk influences that are strategic to the organization’s success.

Page 36

Key Takeaways

► Key Components of a Successful ERM
  » Monitor KPIs and KRIs proactively
  » Establish goals for process maturity
  » Monitor results of ERM activities
    » Two effective tools for monitoring are surveys and the internal audit function
  » Implement effective reporting mechanisms
  » Communicate results of performance
  » ERM is an ongoing process. It’s a journey – not a destination

Page 37

QUESTIONS & ANSWERS

Jody Allred, CPA, CITP, CISA, CGMA | Partner, Advisory Services
817.882.7750 | [email protected]

Daniel Graves, CPA | Senior Manager, Advisory Services
512.609.1913 | [email protected]