TRANSCRIPT
Strategic Value of Enterprise Risk Management
JOHN E. HOMAN
2015–2016 AGA National President
East Tennessee Chapter
Knoxville, TN
November 9, 2015
Key Issues in Government Accountability
NEED TO ADDRESS RISK AT ALL LEVELS OF GOVERNMENT

RISK IS PERVASIVE AT ALL LEVELS OF GOVERNMENT AND IS AT ITS HIGHEST LEVEL SINCE THE GREAT DEPRESSION
• Severely reduced populations
• Failing physical infrastructure
• Budget shortfalls
• Approaching “silver tsunami”
• Increased demand for new skillsets (e.g. analytics, cyber)
FEDERAL LEVEL: Risk Experience of the Past Several Years
• The economic downturn, slow recovery, political gridlock, and federal fiscal sustainability issues have created the highest risk environment since the Great Depression
• The failure of Congress to approve a budget led to a temporary government shutdown in 2013 and to fixed, across-the-board spending cuts
• Multiple debt limit crises, in which Congress has only agreed to meet the full fiscal obligations of the nation at the very last minute
• The 2008 mortgage crisis, which led to the institution of the Troubled Asset Relief Program (TARP), requiring more than $460 billion of capital infusions, guarantees, and loans to stabilize the financial system
STATE AND LOCAL LEVEL: Risk Experience of the Past Several Years and Impact of Risk at the Federal Level on the States
• Bankruptcies have occurred in Detroit, MI and in San Bernardino and Stockton, CA
• Pension crisis in Illinois
• Intergovernmental financial risk: some states now rely on the federal government for over one third of their revenue
• In 2011, California, Louisiana, New York and Virginia each received over 30% of their revenue from federal cash flows, based on each state's SEFA (Schedule of Expenditures of Federal Awards)

[Chart: % Direct Federal Dollars Flowing to Selected States, Stated as % of Total State Revenues; bars for California, Louisiana, New York and Virginia in 2009, 2010 and 2011]
ERM AS A POSSIBLE SOLUTION
ENTERPRISE RISK MANAGEMENT
• Framework for modeling and addressing risk
• Structured approach to identifying, measuring, and assessing risks and developing effective policy responses

FORMAL DEFINITION
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines ERM as a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and to manage risk to be within its risk appetite, so as to provide reasonable assurance that the organization will achieve its objectives.
ERM AS A POSSIBLE SOLUTION
A WELL IMPLEMENTED ERM MODEL CAN ADDRESS RISK AND OVERCOME THE CHALLENGES
A notional government model may have five stages:
ONE: Establishing the risk types
TWO: Defining the likelihood and impact of the risks
THREE: Defining the level of risk intensity
FOUR: Developing a visual summary of the results
FIVE: Synthesizing the information for decision-making
Profile of Northeast County: A Sample Entity to which we can apply the Five Stage Model

Department or Office          Budget ($M)  Full-Time   Federal Grant  Federal      State        Public Policy
                                           Employees   Programs       Grants ($M)  Grants ($M)  Issues
Correction                          24.0        211
County Executive                     2.2         17
Education                          209.0      1,000           5            40.0         40.0
Emergency Management                 0.5          3           1             0.1
Environmental Protection            38.8         51           3             4.0
Finance                             19.8         42                                              (1)
Fire Services                       65.8        442           1             1.2
Health & Human Service              91.2        467           9            39.0         25.0
Housing                             14.9         27
Human Resources                     62.1         27
Police                              83.7        555
Libraries                           12.8         79
Technology Service                  10.8         55
Transportation                      64.2        447           3            20.0         10.0    (2)
Total ($ in millions)              700.0      3,423          22           104.3         75.0
Capital Improvement Program        300.0   (shown separately, not included in the total)

(1) Public pressure to have pension plans divest from companies invested in distilling, tobacco, sugar-based foods, the defense industry and those producing products abroad
(2) Public pressure to provide capital improvements to county facilities going beyond the scope of the Americans with Disabilities Act
ERM MECHANICS
WHAT NEEDS TO BE DONE TO ASSESS THE RISKS: ESTABLISH THE RISK TYPES FOR LIKELIHOOD

Taxation and Revenue Risk
Assessed on the basis of the level of expenditure at risk compared to the overall budget of this “notional” Northeast County.

Inter-governmental Risk
Assessed by the degree to which the department is dependent on federal funding, as measured by the latest SEFA, and on state funding, as measured by state grant receipts.

Public Policy Risk
Assessed by the degree to which political pressure at the governance level could alter existing plans at the department level.

Strategic Risk
Assessed as the inability to meet business objectives and strategies due to improper or unfocused strategic planning.

Financial Operations Risk
Assessed by determining the quality of accounting and budget information.

Information Technology Risk
Assessed by determining whether the technology Northeast uses effectively supports its operations and whether its systems are open to compromise or unauthorized access.

Legal & Regulatory Risk
Assessed by determining whether Northeast complies with all major county, state or federal laws.

Integrity/Fraud Risk
Assessed by reviewing the actual instances of waste, fraud and abuse documented in the past several years and by assessing vulnerabilities in operations, such as exposure to cash collection or inadequate segregation of duties.

Customer Service/Delivery Risk
Assessed by how well Northeast delivers its services. Considers the risk that a department may fail to respond to customers in a timely and effective fashion.

Environment, Health & Safety Risk
Assessed by looking for conditions or vulnerabilities that can have an adverse effect on the environment or that threaten the health and safety of the local community.

Human Resource Risk
Assessed by determining whether the Northeast workforce has the proper skill sets, resources and training to complete its missions and whether its level of benefits is sufficiently competitive to attract a strong workforce.

Information & Communication Risk
Assessed by determining whether there is consistent, accurate and timely communication to internal and external Northeast constituencies.

Overall Likelihood Risk
A blend of the 12 factors, weighted and tempered by judgment.
ERM MECHANICS
WHAT NEEDS TO BE DONE TO ASSESS THE RISKS: ESTABLISH THE RISK TYPES FOR IMPACT

Reputation or Public Perception Impact
Assessed by determining the risk that the state or locality suffers a diminution in reputation or public perception from a risk occurring.

Business Operations Impact
Assessed by looking for impacts that lead to County operations not functioning effectively or efficiently, or not meeting internal or external goals. This could include failures arising from changes in the volume or complexity of transactions or activities.

Financial Impact
Assessed by significant financial implications for the department or the County, such as misstated financial statements, failure to meet financial obligations, failure to comply with bond covenants, or failure to meet future funding requirements for benefits.

Overall Impact Risk
A blend of the three factors, weighted and tempered by judgment.
ERM MECHANICS
WHAT NEEDS TO BE DONE TO ASSESS THE RISKS: DEFINE THE LIKELIHOOD AND IMPACT OF RISK AND THE LEVEL OF INTENSITY

LIKELIHOOD
VERY HIGH: Immediate and high degree of vulnerability. If not controlled, could have a serious, long-term or detrimental effect.
HIGH: Less immediate and somewhat lower degree of vulnerability. If not controlled, could have a significant, long-term or detrimental effect.
MODERATE: Risk is present and should be addressed and controlled, but the probability is not as severe as defined above. If not controlled, could have some impact.
LOW: The threat of a serious event is possible. The area should be managed, but the level of risk response is limited.
VERY LOW: The threat of a serious event is either non-existent or remote. The area should be managed, but the level of risk response is limited.

IMPACT
VERY HIGH: Financial ramifications would be severe and/or operations would suffer long-standing consequences.
HIGH: The financial ramifications would be significant.
MODERATE: Consequences would be negative and must be managed, but would not have a substantial effect.
LOW: Small impact financially or operationally.
VERY LOW: Little to no impact financially or operationally.
SAMPLE ERM RESULTS
DEVELOPING THE VISUAL SUMMARY AND APPLYING THE RESULTS

SAMPLE RESULTS FOR “NORTHEAST COUNTY” (selected departments)
VH = very high, H = high, M = moderate, L = low, VL = very low

    Assessed Risk Areas                   Finance   Health & Human Service   Libraries   Transportation
LIKELIHOOD
 1  Taxation & Revenue Risk                 VH               H                  M              H
 2  Inter Governmental Risk                 VH               VH                 VL             VH
 3  Public Policy Risk                      VH               VH                 VL             VH
 4  Strategic Risk                          M                H                  L              H
 5  Financial Operations Risk               H                VH                 VL             H
 6  Information Technology Risk             H                VH                 VL             H
 7  Legal & Regulatory Risk                 M                VH                 VL             H
 8  Integrity/Fraud Risk                    M                H                  VL             VH
 9  Customer Service/Delivery Risk          M                H                  L              VH
10  Environment, Health & Safety Risk       L                M                  L              H
11  Personnel/HR Risk                       M                H                  L              M
12  Information & Communication Risk        M                M                  L              M
13  Overall Likelihood                      VH               VH                 L              VH
IMPACT
14  Reputation Impact                       M                VH                 L              H
15  Business Operations Impact              H                VH                 L              M
16  Financial Impact                        VH               VH                 VL             H
17  Overall Impact                          VH               VH                 VL             H
OVERALL
    Overall Rating                          VH               VH                 L              VH
SAMPLE ERM RESULTS
SYNTHESIZING FOR DECISION MAKING

HOW THESE RESULTS MAY BE USED
• Apply them to audits, budgets and strategic plans
• Develop a multi-year audit plan: it would emphasize Health & Human Service, Finance and Transportation and de-emphasize Libraries
• Validate operating budgets
• Apply to the strategic planning process: this makes consequences and trade-offs across departments transparent with regard to risk
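The five stages above are a procedure, and the part practitioners most often get wrong is the step the deck calls "weighted and tempered by judgment": the override is applied, but nothing records what the model said before judgment changed it. The following Python is an added example (not code from the deck, AGA or the presenter) that runs the deck's own sample ratings for the four selected departments through stages two to five. The deck does not state its weights or its combination rule, so these are assumptions: equal factor weights, nearest-level rounding, and a likelihood × impact product banded into the five levels (1 VL, 2 to 4 L, 5 to 9 M, 10 to 15 H, 16 to 25 VH). The `assess`, `blend`, `overall_rating`, `audit_priority` and `heatmap` names, the `overrides` parameter and the override rationale text are all constructed for this example. With equal weights the deck's twelve Finance likelihood ratings average to H rather than the VH the deck reports; that gap is exactly what judgment fills, and the example forces every such override to carry a rationale and keeps the computed value next to the final one.

```python
"""Qualitative risk scoring on the Northeast County model's five-level scale.

Added example, not from the deck. Assumptions (the deck does not specify them):
equal factor weights, nearest-level rounding of the blended score, and a
likelihood x impact product banded into the five levels. The ratings in SAMPLE
are the deck's sample results for the four selected departments.
"""
from __future__ import annotations

import math
from dataclasses import dataclass

LEVELS = ("VL", "L", "M", "H", "VH")                  # ordinal scale
SCORE = {lvl: i + 1 for i, lvl in enumerate(LEVELS)}  # VL=1 ... VH=5

# Rows 1-12 (likelihood) and 14-16 (impact) of the deck's sample results table.
SAMPLE: dict[str, tuple[list[str], list[str]]] = {
    "Finance": (["VH", "VH", "VH", "M", "H", "H", "M", "M", "M", "L", "M", "M"], ["M", "H", "VH"]),
    "Health & Human Service": (["H", "VH", "VH", "H", "VH", "VH", "VH", "H", "H", "M", "H", "M"], ["VH", "VH", "VH"]),
    "Libraries": (["M", "VL", "VL", "L", "VL", "VL", "VL", "VL", "L", "L", "L", "L"], ["L", "L", "VL"]),
    "Transportation": (["H", "VH", "VH", "H", "H", "H", "H", "VH", "VH", "H", "M", "M"], ["H", "M", "H"]),
}


def to_level(score: float) -> str:
    """Map a 1..5 score to the nearest level; halves round up (assumed rule)."""
    idx = min(max(math.floor(score + 0.5), 1), len(LEVELS))
    return LEVELS[idx - 1]


def blend(ratings: list[str], weights: list[float] | None = None) -> str:
    """Stage 2: weighted mean of ordinal ratings, rounded to a level (assumed blend rule)."""
    weights = weights if weights is not None else [1.0] * len(ratings)
    if len(weights) != len(ratings) or sum(weights) <= 0:
        raise ValueError("need one positive weight per rating")
    total = sum(SCORE[r] * w for r, w in zip(ratings, weights))
    return to_level(total / sum(weights))


def overall_rating(likelihood: str, impact: str) -> str:
    """Stage 3: likelihood x impact product, banded (assumed): 1 VL, 2-4 L, 5-9 M, 10-15 H, 16-25 VH."""
    product = SCORE[likelihood] * SCORE[impact]
    for ceiling, level in ((1, "VL"), (4, "L"), (9, "M"), (15, "H")):
        if product <= ceiling:
            return level
    return "VH"


@dataclass(frozen=True)
class Assessment:
    department: str
    likelihood: str
    impact: str
    overall: str
    notes: tuple[str, ...]  # every judgment override, with its rationale


def assess(department: str, likelihood_ratings: list[str], impact_ratings: list[str],
           overrides: dict[str, tuple[str, str]] | None = None) -> Assessment:
    """Blend the factors, then apply any "tempered by judgment" overrides.

    An override is {"likelihood" | "impact": (level, rationale)}. It must carry a
    non-empty rationale, and the computed value is kept in the notes so a reviewer
    can see both what the model said and what judgment changed.
    """
    computed = {"likelihood": blend(likelihood_ratings), "impact": blend(impact_ratings)}
    final = dict(computed)
    notes: list[str] = []
    for dim, (level, rationale) in (overrides or {}).items():
        if dim not in final or level not in SCORE:
            raise ValueError(f"bad override {dim}={level}")
        if not rationale.strip():
            raise ValueError(f"override of {dim} for {department} needs a rationale")
        notes.append(f"{dim}: computed {computed[dim]}, set to {level} ({rationale})")
        final[dim] = level
    return Assessment(department, final["likelihood"], final["impact"],
                      overall_rating(final["likelihood"], final["impact"]), tuple(notes))


def audit_priority(assessments: list[Assessment]) -> list[str]:
    """Stage 5: order departments for a multi-year audit plan, highest risk first."""
    ranked = sorted(assessments, reverse=True,
                    key=lambda a: (SCORE[a.overall], SCORE[a.likelihood], SCORE[a.impact]))
    return [a.department for a in ranked]


def heatmap(assessments: list[Assessment]) -> str:
    """Stage 4: the visual summary as a text grid."""
    width = max(len(a.department) for a in assessments)
    rows = [f"{'Department':<{width}}  Likelihood  Impact  Overall"]
    for a in assessments:
        rows.append(f"{a.department:<{width}}  {a.likelihood:<10}  {a.impact:<6}  {a.overall}")
    return "\n".join(rows)


if __name__ == "__main__":
    results = []
    for dept, (lik, imp) in SAMPLE.items():
        overrides = {}
        if dept == "Finance":
            # Equal weights blend Finance's twelve ratings to H; the deck rates it VH.
            # The rationale text is illustrative, constructed for this example.
            overrides = {"likelihood": ("VH", "three revenue-side factors rated VH; pension divestment pressure")}
        results.append(assess(dept, lik, imp, overrides))
    print(heatmap(results))
    print("Audit emphasis, in order:", ", ".join(audit_priority(results)))
    for a in results:
        for note in a.notes:
            print(f"  {a.department} override -> {note}")
```

Run as a script it prints the text heatmap, the audit ordering (Finance, Health & Human Service and Transportation ahead of Libraries, as on the slide) and the recorded Finance override. Swapping in non-equal weights, or a different banding in `overall_rating`, changes only those two functions; the override record is what makes the "tempered by judgment" step auditable rather than invisible.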
ERM MODEL CONCLUSIONS
• ERM is an excellent tool for addressing risk
• Applicable to both the federal and state/local sectors
• ERM has been reviewed at the federal level in two meetings of the President’s Management Council
• New revisions of OMB Circulars such as A-123 explicitly incorporate ERM into the internal control process. OMB is trying to have a full ERM plan in place by FY 2016
• Key issue: who should own the process at federal agencies, a separate risk officer, or someone in an existing position?
• AGA is encouraging its use and expansion and is assisting the Office of Management and Budget in implementing it throughout the Federal Government
AGA’S ERM INITIATIVE: WHAT WE ARE DOING TO PROMOTE ERM IN THE FEDERAL GOVERNMENT
The AGA National Executive Committee has established a working group to assist OMB in implementing ERM throughout the Federal Government. The mission and core members of the ERM Working Group are as follows:

Mission: To bring about strategic change in Federal, State, and local governments in the area of Enterprise Risk Management (ERM) through the leveraging and coordination of AGA’s thought leadership and its Agency, Industry, and Academic relationships to meet OMB’s goals for the adoption of ERM.

Core Members:
• Sheila Conley, Deputy CFO, Department of Health and Human Services
• Doug Glenn, Deputy CFO, Department of the Interior
• Dan Kaneshiro, Policy Analyst, Office of Management and Budget
• Christine Jones, Associate Deputy Assistant Secretary for Finance, Department of Health and Human Services
• Tim Soltis, Deputy CFO, Department of Education
• Teresa Taber, Deputy Director, Office of Financial Management, Department of the Interior
• Dr. Doug Webster, Director, Government to Government Risk Management, US Agency for International Development
• Mike Wetklow, Branch Chief, Office of Management and Budget (Chair)
AGA’S ERM INITIATIVE: THE WORK PRODUCTS
The Working Group is developing an AGA-sponsored ERM Webinar Series to provide training and implementation guidance. Timing: 2015–2016 and ongoing.

Webinar Number One (by March 2016), sample learning objectives: What is Enterprise Risk Management? What is a CRO, and what are the roles and responsibilities of the CFO and other CXOs (i.e., good governance)? What is the nexus between Federal and State governments in implementing ERM? What does success look like? What are the best practices? How do I get started? How do I build ERM into existing processes rather than add it on?

Webinar Number Two (by March 2016), sample learning objectives: Overview of ERM standards. Comparisons between COSO and ISO (ISO 31000). The link between ERM and internal control standards. Applied case studies: improper payments and the DATA Act.

Webinar Number Three (by June 2016), sample learning objectives: What are the tools and templates of ERM? Do I have to do it all at once, and what does a sample maturity model look like? What are the differences between the COSO and ISO standards?

Webinar Number Four (by June 2016), sample learning objectives: What role does the Inspector General play in ERM? What are the road rules for management engagement of Inspectors General in ERM?

AGA PDT 2016 (July 2016): session based on the webinars.

An AGA-sponsored research survey of the current state of Enterprise Risk Management in government, similar to AGA CPAG Report No. 26, “The Maturity of GRC in the Public Sector: Where are we today and where are we going?” Timing: June 2016.
• Table of contents based on portions of the webinar project above
• Develop survey and interview instruments based on prior CPAG Report No. 26 and the AICPA/NC State annual Report on the Current State of Enterprise Risk Oversight
• Conduct survey and interviews

The Group will also facilitate faculty networking opportunities between the AGA and other associations and business lines:
• Identify whether efforts by other professional associations (e.g., the Association for Federal Enterprise Risk Management, the Partnership for Public Service, the National Association of State Auditors, Comptrollers and Treasurers, the International Federation of Accountants and others) and/or government bodies (e.g., OMB, CFOC, CIOC, CAOC, PIC, CHCO, CIGIE) are underway in the area of enterprise risk management, and determine whether partnerships with those organizations are prudent.
• Brief management councils on A-123 and future A-11 efforts.
• Create an electronic portal for AGA members to connect with one another and to share best practices.
• Publicize academic research in the area of ERM to the members of the AGA.
ERM: KEY CHALLENGES IN APPLYING IT IN A GOVERNMENT SETTING (GENERAL ISSUES)
Liquidity Pressures: Since governments have the power to tax and, in the case of the Federal Government, to borrow from the capital markets, they have not traditionally faced the short-term liquidity pressures of the private sector. But today the federal government faces liquidity pressures as it struggles to meet the rising costs of Medicare, Medicaid, Social Security, pensions, and services for a growing population.
Laws and Regulations: Another major challenge is the vast array of laws and policy regulations imposed on federal agencies and on governments in general. From the financial reporting regulations and internal controls required by the Office of Management and Budget to complex appropriations laws, federal government administrators face a constant uphill battle. States and localities likewise carry the risk of federal and state regulations.
Cultural: There needs to be a strong culture surrounding ERM in which everyone, not just financial staff, looks for and recognizes risk, and in which everyone is encouraged to identify problems and raise questions.
Key issue: Who should own the process, a separate risk officer, or someone in an existing position?
ERM: FINAL THOUGHTS
“Risk comes from not knowing what you're doing.” ― Warren Buffett

With a well designed and properly implemented ERM program, our governments will know what they are doing and where the external and internal threats to carrying out their mission lie.

By embracing risk we enhance the mission of our governments.

“The desire for safety stands against every great and noble enterprise.” ― Tacitus