Risk Management And Internal Control Guidelines Tennessee Department of Finance and Administration Tennessee Comptroller of the Treasury August 2007
INTRODUCTION MANAGEMENT’S GUIDE TO RISK MANAGEMENT AND INTERNAL CONTROL
INTRODUCTION (CONT’D) • Enterprise Risk Management • Changing Political And Regulatory Environment • Sarbanes-Oxley Act • General Accounting Office • AICPA Auditing Standards
INTRODUCTION (CONT’D) • Internal Control and Governance Problems • Results of Texas State Comptroller’s ERM Implementation • Texas State Auditor Considers Increased Accountability a Priority
INTRODUCTION (CONT’D) • Committee Of Sponsoring Organizations Of The Treadway Commission • Second report Enterprise Risk Management—Integrated Framework • First report Internal Control—Integrated Framework
INTRODUCTION (CONT’D) • Guidance--Education and Tools • Agency Heads Responsibility
Overview • Relationship of COSO I and II • COSO Cube (three-dimensional matrix) • Objectives • Components • Entity Unit • Effectiveness • Roles and responsibilities
Relationship of COSO I to COSO II • Internal Control—Integrated Framework (COSO I) • Still important for entities looking at internal control by itself • Enterprise Risk Management—Integrated Framework (COSO II) • Broader than internal control • Expands and elaborates on internal control • Focuses more fully on risk • Introduces the concepts of risk appetite, risk tolerance, and portfolio view
COSO Cube • Direct relationship between objectives and enterprise risk components • Focus on the entirety of an entity’s ERM, or by objectives categories, component, entity unit, or any subset thereof
Objectives Categories • Strategic • Effectiveness and efficiency of operations • Integrity and reliability of reporting • Compliance with applicable laws, regulations, contracts, and grant agreements • Stewardship of assets
Components • Internal environment • Objective setting • Event identification • Risk assessment • Risk response • Control activities • Information and communication • Monitoring
Effectiveness • Are the 8 components present and functioning effectively? • The components are the criteria for effective ERM • Present and functioning properly = no significant deficiencies or material weaknesses • Testing the operating effectiveness of controls is different from obtaining evidence that they were implemented • How controls were applied during the period • Consistency with which controls were applied • By whom and by what means they were applied
Roles and Responsibilities • Audit committee, board of directors, or other oversight body • Commissioner/director/department head • Senior management • Internal audit • Other entity personnel
SECTION I INTERNAL ENVIRONMENT What is it? • Risk Management Philosophy • Set of shared beliefs and attitudes • Reflects the entity’s values, influencing its culture and operating style • Affects how risks are identified, kinds of risks accepted, and how they are managed
Internal Environment (cont’d) • Risk Appetite • Amount of risk that management is willing to accept • Influences the entity’s culture and operating style • Oversight by Audit Committee • Oversight by another group • May significantly influence elements of the Internal Environment
Internal Environment (cont’d) • Integrity and Ethical Values • Management’s values • Code of conduct • Commitment to Competence • Knowledge and skills of staff • How well tasks need to be accomplished
Internal Environment (cont’d) • Organizational Structure • Framework to plan, execute, control, and monitor activities • Assignment of Authority and Responsibility • Extent of authority and responsibility • Human Resource Standards • Staff development, training, and evaluation
Objective Setting • EVERY AGENCY FACES A VARIETY OF RISKS FROM EXTERNAL AND INTERNAL SOURCES, AND A PRECONDITION TO EFFECTIVE EVENT IDENTIFICATION, RISK ASSESSMENT, AND RISK RESPONSE IS ESTABLISHMENT OF OBJECTIVES
Objective Setting • OBJECTIVES MUST EXIST BEFORE MANAGEMENT CAN IDENTIFY POTENTIAL EVENTS AFFECTING THEIR ACHIEVEMENT • ENTERPRISE RISK MANAGEMENT (ERM) ENSURES THAT MANAGEMENT HAS IN PLACE A PROCESS TO SET OBJECTIVES AND THAT THE CHOSEN OBJECTIVES SUPPORT AND ALIGN WITH THE AGENCY’S MISSION AND ARE CONSISTENT WITH ITS RISK APPETITE
Objective Setting • WHILE AN AGENCY’S MISSION AND STRATEGIC OBJECTIVES ARE GENERALLY STABLE, ITS STRATEGY AND MANY RELATED OBJECTIVES ARE MORE DYNAMIC AND ADJUSTED FOR CHANGING INTERNAL AND EXTERNAL CONDITIONS • AS CONDITIONS CHANGE, STRATEGY AND RELATED OBJECTIVES ARE REALIGNED WITH STRATEGIC OBJECTIVES
Objective Setting • IN CONSIDERING WAYS TO ACHIEVE ITS STRATEGIC OBJECTIVES, MANAGEMENT IDENTIFIES RISKS ASSOCIATED WITH A RANGE OF STRATEGY CHOICES AND CONSIDERS THEIR IMPLICATIONS • VARIOUS EVENT IDENTIFICATION AND RISK ASSESSMENT TECHNIQUES ARE USED IN THE STRATEGY-SETTING PROCESS
Objective Setting • BY FOCUSING FIRST ON STRATEGIC OBJECTIVES AND STRATEGY, AN AGENCY IS IN A POSITION TO DEVELOP RELATED OBJECTIVES • AGENCY WIDE OBJECTIVES ARE THEN LINKED TO AND INTEGRATED WITH MORE SPECIFIC OBJECTIVES THAT CASCADE THROUGH THE ORGANIZATION TO SUB-OBJECTIVES ESTABLISHED FOR VARIOUS ACTIVITIES
Objective Setting • OBJECTIVES NEED TO BE READILY UNDERSTOOD AND MEASURABLE • ERM REQUIRES THAT PERSONNEL AT ALL LEVELS HAVE AN UNDERSTANDING OF THE AGENCY’S OBJECTIVES AS THEY RELATE TO THAT INDIVIDUAL’S SPHERE OF INFLUENCE • ALL EMPLOYEES MUST HAVE A MUTUAL UNDERSTANDING OF WHAT IS TO BE ACCOMPLISHED AND A MEANS OF MEASURING WHAT IS BEING ACCOMPLISHED
Objective Setting • THREE BROAD CATEGORIES OF OBJECTIVES • OPERATIONS • REPORTING • COMPLIANCE
SMART OBJECTIVES • Specific: use specific terms rather than vague, abstract ones • Measurable: include some method for objectively measuring their achievement • Achievable: challenging but realistic • Relevant: follow the business strategy of the organization • Timely: specify a time period
Objective Setting • EFFECTIVE ERM PROVIDES REASONABLE ASSURANCE THAT AN AGENCY’S REPORTING AND COMPLIANCE OBJECTIVES ARE BEING ACHIEVED • BECAUSE, HOWEVER, ACHIEVEMENT OF OPERATIONS OBJECTIVES IS NOT SOLELY WITHIN AN AGENCY’S CONTROL (i.e. IT IS SUBJECT TO EXTERNAL EVENTS), ERM PROVIDES REASONABLE ASSURANCE THAT MANAGEMENT IS MADE AWARE, ON A TIMELY BASIS, OF THE EXTENT TO WHICH THE AGENCY IS MOVING TOWARD THE ACHIEVEMENT OF THESE OBJECTIVES
Objective Setting • STRATEGIES OF THE BUSINESS • KEY BUSINESS OBJECTIVES • RELATED OBJECTIVES THAT CASCADE DOWN THE ORGANIZATION FROM KEY BUSINESS OBJECTIVES • ASSIGNMENT OF RESPONSIBILITIES TO ORGANIZATIONAL ELEMENTS AND LEADERS (LINKAGE)
Objective Setting • EFFECTIVE ERM DOES NOT DICTATE WHICH OBJECTIVES MANAGEMENT SHOULD CHOOSE, BUT THAT MANAGEMENT HAS A PROCESS THAT ALIGNS STRATEGIC OBJECTIVES WITH AN AGENCY’S MISSION AND ENSURES THAT THE ENTITY’S CHOSEN STRATEGIC AND RELATED OBJECTIVES ARE CONSISTENT WITH THE AGENCY’S RISK APPETITE
Objective Setting – Risk appetite • RISK APPETITE IS A GUIDEPOST IN STRATEGY SETTING • THERE IS A RELATIONSHIP BETWEEN AN AGENCY’S RISK APPETITE AND ITS STRATEGY • DIFFERENT STRATEGIES CAN BE USED TO ACHIEVE DESIRED RETURN, EACH HAVING DIFFERENT RISK
Objective Setting – Risk appetite • RISK APPETITE IS THE AMOUNT OF RISK, ON A BROAD LEVEL, AN AGENCY IS WILLING TO ACCEPT IN PURSUIT OF ITS MISSION, VISION, BUSINESS OBJECTIVES AND VALUE GOALS • DIRECTLY RELATED TO AN AGENCY’S CULTURE, CAPABILITY, RISK CAPACITY AND STRATEGY • SHOULD CONSIDER RISK APPETITE BOTH QUALITATIVELY AND QUANTITATIVELY - IT IS MANY TIMES EXPRESSED IN ACCEPTABLE/UNACCEPTABLE OUTCOMES OR LEVEL OF RISK
Objective Setting – Risk appetite • SOME POSSIBLE QUESTIONS • WHAT RISKS WILL THE AGENCY NOT ACCEPT? (For example, environmental or quality compromises) • ARE THERE SPECIFIC RISKS THAT THE AGENCY IS NOT PREPARED TO ACCEPT? (For example, risks that could result in non-compliance with federal regulations) • IS THE AGENCY PREPARED TO ENTER INTO PROGRAMS WITH LOWER LIKELIHOOD OF SUCCESS BUT LARGER POTENTIAL RETURNS?
Objective Setting – Risk appetite • USE OF A LIKELIHOOD-IMPACT ASSESSMENT (MATRIX) IS A GOOD TOOL IN DOCUMENTING RISK APPETITE • FOR EACH RISK FREQUENCY OF OCCURRENCE (PROBABILITY) AND WORST OUTCOME (IMPACT) ARE ASSESSED AND CAPTURED IN A MATRIX • THE MATRIX IS THEN COMPARED WITH A CHARTED RISK APPETITE MAP THAT OUTLINES THE MAXIMUM ADVERSE RISK AN AGENCY IS WILLING TO ACCEPT
Impact vs. Probability (figure: likelihood-impact matrix; vertical axis IMPACT from Low to High, horizontal axis PROBABILITY from Low to High; the high-impact, high-probability region is labeled “Exceeds Risk Appetite” and the remainder “Within Risk Appetite”)
Objective Setting – Risk tolerance • RISK TOLERANCE, THE ACCEPTABLE LEVEL OF VARIATION AROUND OBJECTIVES, MUST BE ALIGNED WITH RISK APPETITE • REQUIRES THE ARTICULATION OF ACCEPTABLE VARIABILITY FROM THE SPECIFIED RISK APPETITE FOR ALL POSSIBLE OUTCOMES • OPERATIONALIZES THE RISK APPETITE • GENERALLY EXPRESSED IN TERMS OF RISK MEASURES OR OUTCOMES
Objective Setting – Risk tolerance • SHOULD BE SET SUCH THAT THE AGGREGATION OF RISK TOLERANCES ENSURES THE ORGANIZATION OPERATES WITHIN THE RISK APPETITE
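The likelihood-impact matrix, the charted appetite map it is compared against, and the aggregation of unit-level risk tolerances described above, as an added Python example that is not part of the original guidelines. The five-point scales, the appetite boundary, the zero-appetite category, the unit budgets and the sample risk register are all constructed assumptions for illustration, not figures from the Tennessee document.

```python
"""Likelihood-impact matrix checked against a charted risk appetite map,
plus a portfolio check that unit-level risk tolerances stay within appetite.

Everything below is a constructed example: scales, boundary, budgets and the
risk register are hypothetical, not the guidelines' own figures.
"""
from dataclasses import dataclass

# Hypothetical five-point ordinal scales (1 = lowest, 5 = highest).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Hypothetical risk appetite map: for each impact level, the highest likelihood
# level the agency is willing to accept. Severe impacts are tolerated only when
# rare; negligible impacts are tolerated even when almost certain.
APPETITE_MAX_LIKELIHOOD = {5: 1, 4: 2, 3: 3, 2: 4, 1: 5}

# Risks the agency is not prepared to accept at any rating above "rare",
# regardless of impact (the "what risks will the agency not accept?" question).
ZERO_APPETITE_CATEGORIES = {"compliance"}

# Hypothetical risk tolerance budgets: each unit may carry residual risk whose
# scores sum to at most its budget, and the unit budgets together must not
# exceed the agency-wide appetite budget.
AGENCY_RISK_BUDGET = 40
UNIT_TOLERANCE = {"benefits": 20, "it": 18}


@dataclass(frozen=True)
class Risk:
    name: str
    unit: str        # organizational unit that owns the affected objective
    category: str    # operations / reporting / compliance
    likelihood: str  # key of LIKELIHOOD
    impact: str      # key of IMPACT


def score(risk: Risk) -> int:
    """Matrix cell as a single number: likelihood x impact, range 1..25."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def exceeds_appetite(risk: Risk) -> bool:
    """True when the risk plots above the charted appetite boundary."""
    if risk.category in ZERO_APPETITE_CATEGORIES:
        max_likelihood = LIKELIHOOD["rare"]
    else:
        max_likelihood = APPETITE_MAX_LIKELIHOOD[IMPACT[risk.impact]]
    return LIKELIHOOD[risk.likelihood] > max_likelihood


def risks_requiring_response(register: list) -> list:
    """Names of risks that exceed appetite and therefore need a risk response."""
    return [r.name for r in register if exceeds_appetite(r)]


def tolerances_within_appetite(unit_tolerance=UNIT_TOLERANCE, budget=AGENCY_RISK_BUDGET) -> bool:
    """Aggregation check: do the unit tolerances, taken together, fit the appetite?"""
    return sum(unit_tolerance.values()) <= budget


def unit_residual_totals(register: list) -> dict:
    """Portfolio view: total residual score carried by each unit."""
    totals: dict = {}
    for r in register:
        totals[r.unit] = totals.get(r.unit, 0) + score(r)
    return totals


def units_over_tolerance(register: list, unit_tolerance=UNIT_TOLERANCE) -> list:
    """Units whose residual total exceeds their tolerance budget (sorted by name)."""
    return sorted(u for u, t in unit_residual_totals(register).items() if t > unit_tolerance.get(u, 0))


# Constructed sample risk register, drawn from the kinds of government risks
# the guidelines list (contractor failure, fraud, compliance, technology).
REGISTER = [
    Risk("Benefit payments delayed by contractor outage", "benefits", "operations", "possible", "major"),
    Risk("Misappropriation of funds through fraud", "benefits", "operations", "unlikely", "severe"),
    Risk("Quarterly federal report filed late", "benefits", "compliance", "unlikely", "moderate"),
    Risk("Legacy system no longer supported", "it", "operations", "likely", "minor"),
    Risk("Performance metrics not measured", "it", "reporting", "possible", "moderate"),
]

if __name__ == "__main__":
    for r in REGISTER:
        flag = "EXCEEDS appetite" if exceeds_appetite(r) else "within appetite"
        print(f"{score(r):>2}  {flag:<16} {r.unit:<9} {r.name}")
    print("unit tolerances within appetite:", tolerances_within_appetite())
    print("unit residual totals:", unit_residual_totals(REGISTER))
    print("units over tolerance:", units_over_tolerance(REGISTER))
```

Two things the matrix alone does not show: the compliance risk is flagged even though its cell (unlikely, moderate) sits inside the general appetite boundary, because the category carries zero appetite; and the "benefits" unit is over its tolerance budget in aggregate even though each of its risks is individually rated, which is the portfolio check the final bullet above asks for.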
EVENT IDENTIFICATION • INTERNAL AND EXTERNAL EVENTS AFFECTING ACHIEVEMENT OF AN AGENCY’S OBJECTIVES MUST BE IDENTIFIED, DISTINGUISHING BETWEEN RISKS AND OPPORTUNITIES • MANAGEMENT IDENTIFIES POTENTIAL EVENTS THAT, IF THEY OCCUR, WILL AFFECT THE AGENCY, AND IN WHAT MANNER
Event identification • EVENTS WITH A POSITIVE IMPACT REPRESENT OPPORTUNITIES THAT SHOULD BE CHANNELED BACK INTO MANAGEMENT’S STRATEGY OR OBJECTIVE-SETTING PROCESSES • EVENTS WITH A NEGATIVE IMPACT REPRESENT RISKS, WHICH REQUIRE MANAGEMENT’S ASSESSMENT AND RESPONSE
Event identification • AN EVENT IS AN INCIDENT OR OCCURRENCE ARISING FROM INTERNAL OR EXTERNAL SOURCES THAT AFFECTS IMPLEMENTATION OF STRATEGY OR ACHIEVEMENT OF OBJECTIVES • A NUMBER OF EXTERNAL AND INTERNAL FACTORS DRIVE EVENTS
Event identification • CONTRIBUTING EXTERNAL FACTORS: ECONOMIC, NATURAL ENVIRONMENT, POLITICAL, SOCIAL • CONTRIBUTING INTERNAL FACTORS: INFRASTRUCTURE, PERSONNEL, PROCESS, TECHNOLOGY
SOME TYPICAL GOVERNMENT RISKS • Economic changes, such as lower economic growth, reduce tax revenue and the opportunity to provide a wider range of services, or limit the availability or quality of existing services • Failure to innovate, leading to sub-standard services • Loss or misappropriation of funds through fraud or impropriety • Environmental damage caused by failure of regulations or the government inspection regime • Inconsistent policy objectives resulting in unwanted outcomes • Achieving service delivery: failure to measure performance adequately; project delays, cost overruns and inadequate quality standards; failure to monitor implementation; inadequate service plans to maintain continuity of service delivery; inadequate skills or resources to deliver services as required; failure of contractors, partners or other government agencies to provide services as required; failure to properly evaluate pilot projects before a new service is introduced, which may result in problems when the service becomes fully operational • Technical risk: failure to keep pace with technical developments, or investment in inappropriate or mismatched technology
Event identification • AN AGENCY’S EVENT IDENTIFICATION METHODOLOGY MAY COMPRISE A COMBINATION OF TECHNIQUES, TOGETHER WITH SUPPORTING TOOLS • TECHNIQUES VARY WIDELY IN LEVEL OF SOPHISTICATION
EXAMPLES OF TECHNIQUES FOR IDENTIFYING EVENTS: • EVENT INVENTORIES (LISTING COMMON POTENTIAL EVENTS) • INTERNAL ANALYSIS (COMPLETED AS PART OF A ROUTINE PLANNING CYCLE PROCESS, TYPICALLY THROUGH STAFF MEETINGS) • ESCALATION OR THRESHOLD TRIGGERS (COMPARE CURRENT TRANSACTIONS OR EVENTS WITH PREDEFINED CRITERIA) • FACILITATED WORKSHOPS AND INTERVIEWS (DRAW ON ACCUMULATED KNOWLEDGE AND EXPERIENCE OF MANAGEMENT, STAFF AND STAKEHOLDERS THROUGH STRUCTURED DISCUSSIONS)
Event identification • POTENTIAL EVENTS ARE ALSO IDENTIFIED ON AN ONGOING BASIS IN CONNECTION WITH ROUTINE BUSINESS ACTIVITIES, SUCH AS • INDUSTRY/TECHNICAL CONFERENCES • PEER WEBSITES • BENCHMARKING REPORTS • TRADE & PROFESSIONAL JOURNALS • MEDIA REPORTS • MONTHLY MANAGEMENT REPORTS
Event identification • ANOTHER USEFUL TOOL IS TO INTRODUCE AN INTERMEDIATE STEP - IDENTIFYING WHAT YOU DEPEND UPON TO ACHIEVE YOUR OBJECTIVES • THIS IS SOMETIMES MUCH EASIER THAN TRYING TO THINK ABOUT ALL THE EVENTS THAT COULD PREVENT SUCCESS
Event identification • EVENTS DO NOT OCCUR IN ISOLATION – ONE EVENT CAN TRIGGER ANOTHER AND EVENTS CAN OCCUR CONCURRENTLY • MANAGEMENT SHOULD UNDERSTAND HOW EVENTS RELATE TO ONE ANOTHER
Event identification • IT MAY BE USEFUL TO GROUP EVENTS INTO CATEGORIES (i.e. GROUPS OF SIMILAR POTENTIAL EVENTS) • SIMILAR EVENTS SHOULD BE COMBINED TO DEVELOP AN INITIAL RISK UNIVERSE AND DETERMINE HOW TO TRACK AND UPDATE THE LISTING OF POTENTIAL EVENTS AND RISKS