LACCD RISK ASSESSMENT
Presented by
Arnold Jenner Blanshard, CPA/MBA
Director, Internal Audit Department

AGENDA
1. Welcome
2. Risk Management
   A. Risk Terminology
   B. Risk Management Purpose
3. Risk Framework
   A. Risk Category Definitions
   B. Risk Framework
   C. Risk Assessment Tool
4. Risk Identification Process
   A. Identifying and Assessing Risk
   B. Identifying and Assessing Controls
5. Examples
6. Questions

Course Objective
This course will prepare you to:
• Identify and assess risk in your auditee's environment
• Evaluate controls that are currently in place (if any)
• Recommend strong controls to mitigate risks identified.

Course Objectives Cont.
By the end of this course, you will be able to:
• Describe the purpose of risk management.
• Explain the five risk categories
• Describe the risk identification process
• Identify and assess risks and controls in your auditee's department.
• Make recommendations that would set strong controls to mitigate risks identified.

Risk Management is Everyone's Responsibility:
BOD
Exec Mgmt
Tone at the top
Directors & Senior Managers
Middle Manager
Employees
First Line of Defense from undue Risk
Board Committees, Executive, Internal Audit, Legal, Compliance, Security
Provide ongoing support and independent review of risk management practices.

WHAT IS INTERNAL CONTROL?
In basic terms, internal controls are the daily operating guidelines used by a company.
These controls are processes, effected by people at every level (i.e., board of directors, management, and other personnel), designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
(1) Operations run effectively and efficiently to achieve performance targets and increase competitive advantage
(2) Financial reporting is accurate and timely, with sufficient information to support decisions
(3) Policies and procedures comply with all applicable laws and regulations.

WHAT IS INTERNAL AUDITING?
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.
It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate, monitor and improve the effectiveness of risk management, control, and governance processes.

WHAT IS THE FUNCTION OF THE INTERNAL AUDITOR?
The internal auditor's work encompasses the examination and evaluation of the adequacy and effectiveness of the organization's system of internal control and the quality of the organization's performance.

WHO DOES THE INTERNAL AUDIT DEPARTMENT REPORT TO?
The Internal Audit Department reports directly to the CFO/Treasurer, with a dotted line to the Budget & Finance Committee.

WHO IS THE AUDIT COMMITTEE?
The Audit Committee is made of members of the Board of Trustees. The committee is responsible for monitoring management and staff compliance with the Board of Directors' policies and applicable laws and regulations. This is ascertained through the functions of the Internal Audit Department.

Risk Terminology
Risk: the chance of something adverse and unexpected happening that will affect corporate business (policies & procedures) objectives and/or financial performance.

Examples of risk:
1. Car: low oil, no water, won't start, and flat tire
2. Shopping: not finding what you want; spending a lot of money for something that's not worth that amount
3. Relationship: you or your partner would cheat; someone will take your partner away from you
4. Work: the risk that I will not meet that deadline; the risk that I could be late for work.

Risk Terminology cont.
Control: the action plan (tasks or processes) formulated and implemented to reduce the probability of critical risks occurring and potential damage to the business.

Examples of control:
1. Car: check oil & water weekly; regular service check-up; monthly service check-up of tires.
2. Using the internet to locate items you want to buy; shop more than three stores before making a purchase
3. Set rules that will diminish any remote idea of cheating; evaluate the type of person before becoming partners.
4. Set your deadline a week ahead of the actual deadline; give yourself 15 minutes earlier as your start time

Risk Process
[Diagram: Risk Management, with the steps Identify, Assess, Control/Monitor]

Five Risk Categories:
• Credit
• Operational
• Strategic
• Reputation
• Market

Risk Categories: Credit Cont.1
Credit risk includes:
1. Default (or failure to perform) by an economic or legal entity with which the company does business.
2. Loss or opportunity cost as a result of the failure of a counterparty or customer to honor its obligations in a timely manner.

Risk Categories: Operational
Operational: Arises from the potential that the company has
• inadequate information systems,
• operational problems,
• breaches in internal controls,
• fraud
• An unforeseen catastrophe could result in unexpected financial loss

Risk Categories: Operational cont.1

Sub-Category: Human Resource Management Risk
Description: The risk that the company is unable to attract, retain and properly train qualified individuals to carry out its strategic plan.

Sub-Category: Vendor Management Risk
Description: The risk that vendors do not provide the service for which they are being paid and hence jeopardize our client relationship for lack of service.

Sub-Category: Custody of Asset Risk
Description: The risk that assets which LACCD holds (or holds at depositories) for the company, in collateral or for its customers, are not properly safeguarded.

Risk Categories: Operational cont.2

Sub-Category: Accounting and Financial Public Disclosure Risk
Description: The risk that accounting and/or financial information is inaccurate, untimely or unsupported by records, exposing the company to potential undisclosed positions or losses.

Sub-Category: Technology Risk
Description: The risk that automated systems do not adequately support the operational and business needs of LACCD (districtwide).

Sub-Category: Physical Security, Natural Hazard and Environmental Risk
Description: The risk that insurance coverages are inadequate to mitigate potential losses in the operational and business activities of LACCD (districtwide). This risk includes the possibility that unseen catastrophes (controllable or uncontrollable) will result in unexpected losses to the company.

Risk Categories: Operational Cont.3

Sub-Category: Fraud and Embezzlement Risk (Internal and External)
Description: The risk that monies and other instruments/information of value are taken by theft.

Sub-Category: Political/Government Affairs Risk
Description: The risk that changes in legislation or the political environment may disrupt or otherwise negatively affect normal business operation.

Sub-Category: Modeling Risk
Description: The risk that financial models (such as end-user Excel spreadsheets) designed and used by employees are not accurate as to spreadsheet analytics, mathematics and assumptions. These inaccuracies yield faulty results and hence critical strategic decisions are made based upon these flawed conclusions.

Risk Categories: Operational Cont.4

Sub-Category: Loss Payment Exposure/Claims
Description: Current and prospective risk to earnings and/or capital:
• claims are improperly adjudicated;
• claim and Incurred But Not Reported (IBNR) reserves are not adequate;
• reinsurance is not available

Risk Categories: Operational Cont.5

Sub-Category: Compliance/Regulatory/Legal Risk
Description: The risk that arises from violation or non-conformance with
• laws, rules, and regulations,
• prescribed practices
• ethical standards
• the company's policies may be ambiguous.

Risk Categories: Operational Cont.6

Sub-Category: Compliance/Regulatory/Legal Risk
Description: Resulting:
• unenforceable contracts,
• lawsuits
• adverse judgments can disrupt operation or otherwise negatively affect operations.
• exposes the foundation to fines, civil monetary penalties, payment of damages, voiding of contracts, etc.

Risk Categories: Cont.
Market: The risk that adverse movements in market rates or prices, such as interest rate and competitors' price, could negatively affect the market value of LACCD (districtwide) (assets and/or liabilities).

Risk Categories: Market Cont.1

Sub-Category: Interest Rate Risk
Description: Margin and other profitability exposure due to interest rate fluctuations.

Sub-Category: Price Risk
Description: The company's price sensitivity to market and competitive factors.

Risk Categories: Market Cont.2

Sub-Category: Liquidity Risk
Description:
Funding liquidity: Risk that the company is unable to meet contractual obligations as they become due because of an inability to liquidate assets
Market liquidity risk: obtain adequate funding without incurring unacceptable losses.

Risk Categories: Market Cont.3

Sub-Category: Liquidity Risk
Description: Loss of liquidity can be due: (A) funding sources and costs, (B) diversity of those sources, and cash flow.

Risk Categories: Cont.
Reputation: Is the potential that negative publicity or public opinion regarding an institution's business practices, whether true or not, will trigger a decline in the customer base, costly litigation or revenue reductions.

Risk Categories: Cont.
Reputation: The risk that poorly designed business strategy and/or inadequate controls surrounding credit, operational and market risks will result in significantly undermining the company's reputation.

Risk Categories: Reputation cont.1
Reputation risk covers such stakeholders as:
• Members and potential members
• Regulatory community (Federal and state agencies)
• Vendors
• Providers
• Other entities

Risk Categories.

Credit: Is the exposure to actual loss or opportunity losses due to a borrower's or counterparty's failure to perform on its obligations in accordance with agreed terms.

Operational: Arises from the potential that inadequate information system, operational problems, breaches in internal control, fraud or an unforeseen catastrophe could result in unexpected financial loss and/or regulatory noncompliance to the company.

Strategic: Is the current or prospective risk to earnings and capital arising from adverse business decisions, improper implementation of decisions or lack of responsiveness to changes in the business environment.

Reputation: Is the potential that negative publicity or public opinion regarding an institution's business practices, whether true or not, will trigger a decline in the customer base, costly litigation or revenue reductions.

Market: Is the risk that adverse movements in market from competitors could negatively affect the market value of UHP Healthcare assets and/or liabilities.

RISK FRAMEWORK
[Diagram]
External influences: Members, Media, Regulators, Competition, Markets, Economic Environment
Risk categories shown: Strategic Risk, Reputation Risk, Credit Risk, Operation Risk, Market Risk

EXAMPLE RISK ASSESSMENT TOOL
[Matrix]
Vertical axis, Risk Consequences: High, Considerable, Moderate, Marginal, Low
Horizontal axis, Risk Probability: Improbable, Doubtful, Moderate, Possible, Probable
Responses shown in the matrix: Avoid; Accept/Mitigate; Accept/Transfer; Accept (No Mitigation Required)

IDENTIFYING AND ASSESSING RISKS
• Use your Policies and Procedures to identify each process and then identify the risk associated with that process.
• Use the sample questions (sample Risk Question.xls) and risk category definitions to help you brainstorm all risks in your department processes, activities and products.

IDENTIFYING AND ASSESSING CONTROL
• Identify all controls for each risk you identify in your business processes, activities and products.
• Use the tips for evaluating control to assess the quality of total control currently in place. (Tips For Evaluating control summaries.doc)
• Determine who is responsible for each control (management-level position)

EXAMPLES
sample Risk .xls

QUESTIONS?