1 laccd risk assessment presented by arnold jenner blanshard, cpa/mba director, internal audit...

11

LACCD RISK LACCD RISK ASSESSMENTASSESSMENT

Presented byPresented by

Arnold Jenner Blanshard, CPA/MBAArnold Jenner Blanshard, CPA/MBA

Director, Internal Audit Director, Internal Audit DepartmentDepartment

22

AGENDAAGENDA 1.1. WelcomeWelcome

2.2. Risk ManagementRisk Management AA. . Risk Terminology Risk Terminology B.B. Risk Risk Management PurposeManagement Purpose

3.3. Risk Frame Work Risk Frame Work A.A. Risk Risk Category Definitions Category Definitions B.B. Risk Risk Framework Framework C.C. Risk Risk Assessment ToolAssessment Tool

33

AGENDAAGENDA Cont. 1 Cont. 14.4. Risk Identification ProcessRisk Identification Process

AA. Identifying and Assessing Risk. Identifying and Assessing Risk B. B. Identifying and AssessingIdentifying and Assessing ControlsControls

5.5. EXAMPLES EXAMPLES

6.6. QuestionsQuestions

44

Course ObjectiveCourse ObjectiveThis course will prepare you This course will prepare you toto

• identify and assess Risk in identify and assess Risk in your auditees environment your auditees environment

• Evaluate controls that are Evaluate controls that are currently in place (if any)currently in place (if any)

• Recommend strong controls to Recommend strong controls to mitigate risks identified.mitigate risks identified.

55

Course objectives Cont.Course objectives Cont.

By the end of this course, you will be By the end of this course, you will be able to:able to:

• Describe the purpose of risk Describe the purpose of risk management.management.

• Explain the five risk categoriesExplain the five risk categories• Describe the risk identification Describe the risk identification

processprocess• Identify and assess risks and controls Identify and assess risks and controls

in your auditee's department.in your auditee's department.• Make Recommendation that would set Make Recommendation that would set

strong controls to mitigates risks strong controls to mitigates risks identified.identified.

66

Risk Management is Risk Management is Everyone’s responsibility:Everyone’s responsibility:BOD

Exec Mgmt

Tone at the top

Directors & Senior ManagersMiddle Manager

Employees

First Line of Defense from undue Risk

Board Committees, Executive, Internal Audit, LegalCompliance, Security,

Provide ongoing support and independent Review of Risk Management practices.

77

WHAT IS INTERNAL WHAT IS INTERNAL CONTROL ?CONTROL ?

In basic term, In basic term, internal control are internal control are the daily operating the daily operating guidelines used by guidelines used by

a company. a company.

88

WHAT IS INTERNAL CONTROL ? WHAT IS INTERNAL CONTROL ? Cont 1Cont 1

These controls are These controls are processes, effected processes, effected by people at every by people at every level (I. E.) board of level (I. E.) board of

directors, directors, management, and management, and other personnel, other personnel,

99

WHAT IS INTERNAL CONTROL ? WHAT IS INTERNAL CONTROL ? Cont. 2Cont. 2

designed to provide designed to provide reasonable assurance reasonable assurance

regarding the regarding the achievement of achievement of objectives in the objectives in the

following categories:following categories:

1010

WHAT IS INTERNAL CONTROL ? WHAT IS INTERNAL CONTROL ? Cont 3Cont 3

(1)Operations run (1)Operations run Effectively and Effectively and

efficiently to achieve efficiently to achieve performance target and performance target and

increase competitive increase competitive advantageadvantage

1111

WHAT IS INTERNAL CONTROL? WHAT IS INTERNAL CONTROL? Cont 4Cont 4

(2) Financial reporting (2) Financial reporting is accurate and timely is accurate and timely

with sufficient with sufficient information to information to

support decisionsupport decision

1212

WHAT IS INTERNAL CONTROL? WHAT IS INTERNAL CONTROL? Cont 5Cont 5

(3) Policies and (3) Policies and procedures comply procedures comply with all applicable with all applicable

laws and laws and regulations.regulations.

1313

WHAT IS INTERNAL AUDITING ?WHAT IS INTERNAL AUDITING ?

Internal auditing is an Internal auditing is an independent, objective independent, objective

assurance and assurance and consulting activity consulting activity

designed to add value designed to add value and improve an and improve an organization's organization's operations. operations.

1414

WHAT IS INTERNAL AUDITING ? CONTWHAT IS INTERNAL AUDITING ? CONT

It helps an organization It helps an organization accomplish its objectives accomplish its objectives by bringing a systematic, by bringing a systematic, disciplined approach to disciplined approach to evaluate, monitor and evaluate, monitor and improve the effectiveness improve the effectiveness of risk management, of risk management, control, and governance control, and governance processes. processes.

1515

WHAT IS THE FUNCTION OF THE WHAT IS THE FUNCTION OF THE INTERNAL AUDITOR ?INTERNAL AUDITOR ?

TheThe Internal auditor’s work Internal auditor’s work encompasses the examination encompasses the examination and evaluation of the adequacy and evaluation of the adequacy and effectiveness of the and effectiveness of the organization's system of internal organization's system of internal control and the quality of the control and the quality of the organization's performance.organization's performance.

1616

WHO DOES THE INTERNAL AUDIT WHO DOES THE INTERNAL AUDIT DEPARTMENT REPORT TO ?DEPARTMENT REPORT TO ?

internal audit internal audit DEPARTMENT DEPARTMENT

Reports DIRECTLY Reports DIRECTLY TO cfo/treasurer TO cfo/treasurer

WITH DOTTED LINE WITH DOTTED LINE TO THE BUDGET & TO THE BUDGET & finance committeefinance committee

1717

WHO IS THE AUDIT COMMITTEE ?WHO IS THE AUDIT COMMITTEE ?

THE AUDIT COMMITTEE IS MADE OF THE AUDIT COMMITTEE IS MADE OF MEMBERS OF THE BOARD OF MEMBERS OF THE BOARD OF trustees. THE COMMITTEE IS trustees. THE COMMITTEE IS RESPONSIBLE FOR MONITORING RESPONSIBLE FOR MONITORING MANAGEMENT AND STAFF; MANAGEMENT AND STAFF; COMPLIANCE WITH the BOARD OF COMPLIANCE WITH the BOARD OF Directors POLICIES AND APPLICABLE Directors POLICIES AND APPLICABLE LAWS AND Regulations. THIS IS LAWS AND Regulations. THIS IS Ascertained THROUGH THE Ascertained THROUGH THE FUNCTIONS OF THE INTERNAL FUNCTIONS OF THE INTERNAL AUDIT DEPARTMENTAUDIT DEPARTMENT..

1818

Risk TerminologyRisk Terminology

RISKRISK:: the chance of the chance of something adverse and something adverse and unexpected happening that unexpected happening that will affect corporate will affect corporate business (policies & business (policies & procedures) objective procedures) objective and /or financial and /or financial performance.performance.

1919

Risk TerminologyRisk Terminology Examples OF RISKExamples OF RISK::1.1. CAR: Low Oil, No water, won't start, CAR: Low Oil, No water, won't start,

and Flat tireand Flat tire2.2. Shopping: Not finding what you want: Shopping: Not finding what you want:

Spending a lot of money for something Spending a lot of money for something that’s not worth that amountthat’s not worth that amount

3.3. Relationship; you or your partner Relationship; you or your partner would cheat, someone will take your would cheat, someone will take your partner away from youpartner away from you

4.4. Work; the risk that I will not meet that Work; the risk that I will not meet that deadline: the risk that I Could be late deadline: the risk that I Could be late for work.for work.

2020

Risk Terminology cont.Risk Terminology cont.

ControlControl: the ACTION PLAN : the ACTION PLAN (TASKS OR PROCESSES) (TASKS OR PROCESSES) FORMULATED AND FORMULATED AND IMPLEMENTED TO REDUCE IMPLEMENTED TO REDUCE THE PROBABILITY OF THE PROBABILITY OF CRITICAL RISKS OCURRING CRITICAL RISKS OCURRING AND POTENTIAL DAMAGE AND POTENTIAL DAMAGE TO THE BUSINESS.TO THE BUSINESS.

2121


Examples of ControlExamples of Control: : 1.1. Car: check oil & water weekly; Car: check oil & water weekly;

regular service check up, regular service check up, monthly SERVICE check up of monthly SERVICE check up of tire.tire.

2.2. Using the internet to locate Using the internet to locate items you want to buy; shop items you want to buy; shop more than three stores before more than three stores before making a purchasemaking a purchase

2222


Examples of ControlExamples of Control: : 3.3. Set rules that will diminish any Set rules that will diminish any

remote idea of cheating; remote idea of cheating; evaluate the type of person evaluate the type of person before becoming partners.before becoming partners.

4.4. Set your deadline a week Set your deadline a week ahead of the actual deadline; ahead of the actual deadline; give yourself 15 minutes give yourself 15 minutes earlier as your start timeearlier as your start time

2323

Risk PROCESSRisk PROCESS

IDENTIFY ASSESS

CONTROL/MONITOR

RISKMANAGEMENT

2424

FIVE Risk Categories:FIVE Risk Categories:

CREDIT Operational

Strategic

ReputationI

Market

2525

Risk Categories: Credit Risk Categories: Credit Cont.1Cont.1

Credit Risk includesCredit Risk includes::

1.1. Default ( or failure to perform) Default ( or failure to perform) by an economic or legal entity by an economic or legal entity with which the company does with which the company does business.business.

2.2. Loss or opportunity cost as a Loss or opportunity cost as a result of the failure of a result of the failure of a counterparty or customer to counterparty or customer to honor its obligations in a timely honor its obligations in a timely mannermanner..

2626

Risk Categories: Risk Categories: OperationalOperational..

OperationalOperational: : Arises from the Arises from the potential that THE COMPANY Haspotential that THE COMPANY Has

• inadequate information systems, inadequate information systems,

• operational problems,operational problems,

• breaches in internal controls,breaches in internal controls,

• fraud fraud

• An Unforeseen catastrophe could An Unforeseen catastrophe could result in unexpected financial lossresult in unexpected financial loss

2727

Risk Categories: Operational Risk Categories: Operational contcont.1.1

..

Sub-Category Description

HUMAN RESOURCEMANAGEMENT RISK

The risk that the company is unable to attract, retain and properly train qualified individual to carry out its strategic plan.

Vendor Management Risk

The risk that vendors do not provide the service for which they are being paid and hence jeopardize our client relationship for lack of service

Custody of Asset Risk

The risk that assets which LACCD holds ( or holds at depositories) for the company, in collateral or for its customers, are not properly safeguarded.

2828

Risk Categories: Operational Risk Categories: Operational cont. 2cont. 2

..


Accounting and Financial Public Disclosure Risk

The risk that accounting and/or financial information is inaccurate, untimely or unsupported by records, exposing the company to potential undisclosed position or losses.

Technology RiskThe risk that automated systems do not adequately support the operational and business needs of LACCD (DISTRICTWIDE)

Physical Security, Natural Hazard and environmental risk

The risk that insurance converges are inadequate to mitigate potential losses in the operational and business activities of LACCD (DISTRICTWIDE). This risk includes the possibility that unseen catastrophes (controllable or uncontrollable) will result in unexpected losses to the Company.

2929

Risk Categories: Operational Risk Categories: Operational Cont.3Cont.3

..


Fraud and Embezzlement Risk (Internal and External)

The risk that monies and other Instruments /information of value are taken by theft.

Political /government Affairs Risk

The risk that changes in legislation or the political environment may disrupt or otherwise negatively affect normal business operation.

Modeling Risk

The risk that financial models ( such as end user Excel spreadsheets) designed and used by employees are not accurate as to spreadsheet analytics, mathematics and assumptions. These inaccuracies yield faulty results and hence critical strategic decision are made based upon these flawed conclusion.

3030


..


Loss Payment Loss Payment Exposure/ClaimsExposure/Claims

Current and prospective risk Current and prospective risk to earning and/or capital to earning and/or capital

claims are improperly claims are improperly adjudicated;adjudicated;

claim and Incurred But not claim and Incurred But not Reported (IBNR) reserves are Reported (IBNR) reserves are not adequate; not adequate;

reinsurance is not availablereinsurance is not available

3131


..


Compliance/Compliance/

regulatory/regulatory/

legal Risklegal Risk

The risk that arises from violation or non-The risk that arises from violation or non-conformance withconformance with

laws, rules, and regulations,laws, rules, and regulations, prescribed practices prescribed practices ethical standardsethical standards the company’s policies may be the company’s policies may be

ambiguous.ambiguous.

3232


..


Compliance/Compliance/

regulatory/regulatory/

legal Risklegal Risk

Resulting:Resulting: unenforceable contracts,unenforceable contracts, lawsuitslawsuits adverse judgments can disrupt adverse judgments can disrupt

Operation or otherwise negatively Operation or otherwise negatively affect operations. affect operations.

exposes the foundation to fines, civil exposes the foundation to fines, civil monetary, penalties, payment of monetary, penalties, payment of damage, voiding of contracts, ectdamage, voiding of contracts, ect

3333

Risk Categories: Cont.Risk Categories: Cont.

MARKET:MARKET: THE RISK THAT ADVERSE THE RISK THAT ADVERSE

MOVEMENTS IN MARKET MOVEMENTS IN MARKET RATES OR PRICES, SUCH AS RATES OR PRICES, SUCH AS INTEREST RATE AND INTEREST RATE AND COMPETITORS PRICE COULD COMPETITORS PRICE COULD NEGATIVELY AFFECT THE NEGATIVELY AFFECT THE MARKET VALUE OF LACCD MARKET VALUE OF LACCD (DISTRICTWIDE) (ASSETS (DISTRICTWIDE) (ASSETS AND/OR LIABILITIES). AND/OR LIABILITIES).

3434

Risk Categories: Market Risk Categories: Market Cont.1Cont.1

..


Interest Rate RiskMargin and other profitability exposure

due to interest rate fluctuations.

Price riskThe Company's price sensitivity to market

and competitive factors

3535


..


Liquidity Risk

FUNDING LIQUIDITY:Risk that the Company is unable

to meet contractual obligations as they become due because of an inability to liquidate assets

Market liquidity risk:obtain adequate funding

without incurring unacceptable losses.

3636


..


Liquidity Risk

Loss of liquidity can be due:(A)funding sources and

costs,(B) diversity of those

sources , and cash flow.

3737


REPUTATION:REPUTATION:IS the potential that negative publicity or public opinion regarding an institution’s business practices whether true or not, will trigger a decline in the customer base, costly litigation or revenue reductions.

3838


REPUTATION:REPUTATION:The risk that poorly designed The risk that poorly designed business strategy and /or business strategy and /or inadequate controls inadequate controls surrounding credit, operational surrounding credit, operational and market risks will result in and market risks will result in significantly undermining the significantly undermining the Company’s reputation.Company’s reputation.

3939

Risk Categories: Risk Categories: Reputation.Reputation.cont.1cont.1

Reputation Risk cover such Reputation Risk cover such stakeholders as:stakeholders as:

Members AND POTENTIAL Members AND POTENTIAL MEMBERSMEMBERS

Regulatory community (Federal and Regulatory community (Federal and state agencies)state agencies)

VendorsVendors ProvidersProviders Other entitiesOther entities

4040

Risk Categories.Risk Categories.

CREDITIs the exposure to actual loss oropportunity losses due to aborrower's or counterparty'sfailure to perform on itsobligations in accordance withagreed terms

OperationalArises from the potential thatinadequate information system,operational problems, breaches ininternal control, fraud or anunforeseen catastrophe could resultinunexpected financial loss and /orregulatory noncompliance to thecompany

Strategicis the current or prospectiverisk to earnings and capital

arising from adversebusiness decisions ,

improper implementation ofdecisions or lack of

responsiveness to changesin the business

environment

ReputationIs the potential that negative publicity orpublic opinion regarding an institution'sbusiness practices, whether true or not ,will trigger a decline in the customerbase, costly litigation or revenuereductions.

MarketIs the risk that adverse movementsin market from competitors couldnegatively affect the market value ofUHP Healthcare assets and/orliabilities.

4141

RISK FRAMEWORKRISK FRAMEWORKEXTERNAL INFLUENCES

MEMBERS MEDIA

REGULATORS COMPETITION

MARK ETS ECONOMIC ENVIRONMENT

STRATEGIC RISK

REPUTATION RISK

CREDITRISK

OPERATION

RISK

MARKETRISK

4242

EXAMPLE RISK ASSESSMENT TOOLEXAMPLE RISK ASSESSMENT TOOL..

↓RISK CONSEQUENCES

HighAVOID

Considerable

AcceptMitigate

AcceptTransfer

Moderate

Marginal

LowAccept NoMitigationRequired

Risk Probability →Improbable Doubtful Moderate Possible Probable

4343

IDENTIFYING AND ASSESING RISKSIDENTIFYING AND ASSESING RISKS

Use your Policies and Procedures to Use your Policies and Procedures to identify each process and then identify identify each process and then identify the risk associated with that process.the risk associated with that process.

Use the sample questions Use the sample questions sample Risk Question.xlsand risk and risk category definitions to help you category definitions to help you brainstorm all risks in your department brainstorm all risks in your department processes, activities and products.processes, activities and products.

4444

IDENTIFYING AND ASSESING CONTROLIDENTIFYING AND ASSESING CONTROL

Identify all controls for each risk you identify Identify all controls for each risk you identify in your business processes, activities and in your business processes, activities and products. products.

Use the tip for evaluating control to assess Use the tip for evaluating control to assess the quality of total control currently in the quality of total control currently in place. place. Tips For Evaluating control summaries.doc

Determine Who is responsible for each Determine Who is responsible for each control ( management- level position)control ( management- level position)

4545

EXAMPLESEXAMPLESsample Risk .xls

4646

QUESTIONS ?QUESTIONS ?

1 laccd risk assessment presented by arnold jenner blanshard, cpa/mba director, internal audit...

Documents

risk categories

risk framework

risk terminology

risk management purpose

purpose of risk management

internal control

risk assessment tool

risk identification