IIA Chicago Chapter 53rd Annual Seminar, April 15, 2013, Donald E. Stephens Convention Center
@IIAChicago
#IIACHI
DeVry Approach to ERM
Elizabeth Truelove McDermott, CPA, Vice President, Audit, Ethics & Compliance Services
April 15, 2013 IIA Chicago Chapter 53rd Annual Seminar 2
DeVry’s ERM Approach
DeVry’s ERM Program Ownership – Roles & Responsibilities

Internal Audit – “Provides Independent Assurance”
• Monitor, advise, coordinate and facilitate ERM process
• Objective review of risk management process
• Independent assurance to management and Board on assertions of risk exposure

ERM Champions – “Supports ERM Steering Committee, Management, and the Board”
• ERM program management
• Governance, policy, and appetite implementation and coordination
• Risk assessment methods
• Measurement, aggregation, reporting rules and tools
• Monitor risk exposure status and report to Board

Business Areas – “Manage Risks”
• Risk identification
• Risk self-assessments
• Strategy and actions to address risk within policy
• Ensure compliance with ERM policies and procedures
• Provide assertions on risk exposure

Board of Directors & CEO
• The Board of Directors has ultimate accountability for all risk but can delegate responsibility to senior management

ERM Steering Committee – “ERM Oversight”
• Clearinghouse for risks, policy, appetite setting, and governance
DeVry - Strategic Plan Key Risk Indicators
Inputs to DeVry’s Audit Plan
Lessons Learned
• Buy-in from the CEO & executive team is imperative to the program’s success
• Engage management; broad constituency
• Integration of risk discussions and ERM monitoring into everyday business is essential – not a documentation exercise
• Keep the business focused on what has meaning for them; make sure they’re not duplicating efforts
• Build common language and common metrics
• Integrate risk management with strategic planning
• Clear communication and identification of management’s and the board’s responsibilities is key
SIRVA Risk Management Approach
David Doney, CIA, CPA, Vice President - Internal Audit, SIRVA, Inc.
Risk Management
(Diagram: risk categories and the assessment activity within each)
• Strategic & Operational – Strategic risk assessment; SOC 2&3 operational audits
• Legal & Regulatory – L&R risk assessment
• Financial Reporting – External audit / SOX program
IA focus: Strengthening practices within categories
Legal & Regulatory Approach
• Identify laws/regulations and related risks
• Prioritize risks for additional review
• Identify controls and remediate compliance gaps
• IA facilitating meetings with SIRVA Legal Department and other contacts
• Information captured in standard template
• CFO, Legal, and other business leaders determine prioritization within silos
• General Counsel completed initial prioritization across silos

Timeline (chart of phases across Jan–Dec 2013; phase bars not recoverable from the slide):
• Law and Risk Inventory
• Risk Prioritization
• Control Identification (Key Areas)
• Gap Identification
• Remediation Planning
• Remediation (2013 - 2014)
Operational: IT / SOC 2&3
• AICPA Principles: 4 (ITGC & Privacy)
• AICPA Criteria: 190
• SIRVA Controls: 128
• Tests: 20 assigned to IA
Strategic Risk
• CEO & Board review strategic planning materials from each business in detail
• Variation across businesses in how this information was presented to board
• IA proposed strategic risk template in 2012; will re-visit in 2013
• Concept was to take strategic plans & budgets and standardize risk elements

Strategic risk template (columns: # | Strategic Goal or Objective (Top 3-5) | Supporting Metric(s) | Risk # | Risk | Rank | Owner | Response)
1 | Example: Increase number of shipments from X to Y | Shipment count via alternate channels | R1.1 | Risk is capacity constraints that limit volume growth during busy season | H | Name | Initiative 1
1 | (same goal) | Committed fleet count | R1.2 | Risk is loss of key agents. | M | Name | Initiative 2
2 | Example: Improve margin per shipment (from X/shipment to Y in Channel A and Y/shipment to Z in Channel B.) | % Agents adopting new system | R2.1 | Risk is system enhancements are not implemented on schedule. | M | Name | Initiative 3
2 | (same goal) | Margin per shipment | R2.2 | Risk is we do not build an optimal pricing engine and price escalation methodology. | H | Name | Initiative 4
3 | Example: Implement productivity initiatives to reduce SG&A from X% to Y% of revenue. | SG&A costs per headcount | R3.1 | Risk is system rollouts are not implemented on schedule | H | Name | Initiative 5
3 | (same goal) | Costs per bill; % shipments with >1 bill | R3.2 | Risk is we are unable to identify and reduce billing re-work. | M | Name | Initiative 6
4 | Example: Maintain safety scores exceeding industry standard. | FMCSA safety measures | R4.1 | Risk is that Agents are not effectively monitored for safety compliance | H | Name | Initiative 7
IA Role in Risk Mgmt
• IA in project manager / facilitator role
  – L&R risk assessment
  – Financial control / SOX update
  – SOC 2/3 efforts
  – Annual audit planning meetings
• IA maintains templates or database of risk and control information
• IA assisted with L&R risk template design and edit of input
• IIA Standards: IA should evaluate RM practices
  – Consider helping build processes initially within silos
Lessons Learned
• No ERM? Pick a silo and make its risk assessment better
• Board support needed; one board member’s questions resulted in L&R risk assessment
• Management appreciates IA:
  – Taking on project management role
  – Maintaining database of risk and control information
  – Edit and review of risk and control information
  – Feedback on risk prioritization
• Keep subject experts focused on surfacing risks and controls; IA can handle the project administration
• Easily customized database technology very helpful
• Develop next steps / plans for improving risk assessment in each silo
Risk Mgmt – Next Steps
• Strategic / Ops – Revisit template concept after April refresh of strategic plan
• Financial Reporting – Expand control information with exception tolerance and follow-up details
• Legal / Regulatory – Complete initial risk inventory and prioritization; execute projects in key areas (e.g., FCPA, Mortgage)
• IT – Continue annual reporting of key risks to audit committee; continue executing SOC 2/3 assessment; complete template for other areas
• Management Risk Committee with Enterprise Scope – Establish formal management risk committee for all areas of risk; select top issues in each category for Board discussion
United Airlines Approach to ERM
Steve Goepfert, CIA, CPA, CRMA, Vice President - Internal Audit, United Airlines

United Airlines ERM Executive Committee
• Executive Vice President and Chief Financial Officer (chair)
• Vice Chairman & Chief Revenue Officer
• Executive Vice President HR & Labor Relations
• Executive Vice President & General Counsel Secretary
• Executive Vice President Communication & Government Affairs
• Executive Vice President & Chief Operating Officer
• Senior Vice President & Chief Information Officer
• Senior Vice President Finance & Treasurer
• Senior Vice President Strategy & Business Development
• Sr. Vice President Marketing & Loyalty
• Vice President Internal Audit
• Managing Director Retirement Investments
• Senior Project Manager Enterprise Risk P&I
Risk Categories and Risk Owners
(Diagram: risks colour-coded by category; the category of each risk is not recoverable from the slide.)
Categories: External - Financial; External – Economic or Physical; Governmental; Operational and/or Commercial

Risk – Owner
• IT Systems – SVP & CIO
• Compliance Requirements – EVP & General Counsel Secretary
• Economic Events – Vice Chairman & Chief Revenue Officer
• Safety/Health Pandemic – EVP & COO
• Jet Fuel – SVP Finance & Treasurer
• Capital Markets – SVP Finance & Treasurer
• Regulatory Changes – EVP Communication & Government Affairs
• Change Management – SVP Strategy & Business Development
• Vendor Issues – SVP Finance & Treasury
• Security – EVP & COO
• Labor Issues – EVP HR & Labor Relations

Risk velocity is a key dimension to consider along with impact and likelihood of occurrence
Key Risks
(Slide: ranked risk list with a score and a velocity rating, H = high / L = low, per risk. The slide’s mapping of scores to risk names is not recoverable.)
Scores and velocity ratings in slide order: 15 H, 14 H, 14 H, 12 H, 12 L, 12 L, 11 L, 11 L, 11 L, 10 H, 10 H, 10 H, 10 H, 10 H, 9 H, 9 H, 9 H, 9 L, 7 H, 7 L, 6 H, 6 H, 6 H, 6 L, 6 L, 3 L, 2 L

Risks named on the slide:
• Jet Fuel Price Increase
• Significant Recession
• Unavailability of Mission Critical IT Systems
• Data Privacy: Non-Compliance with Regulatory Requirements
• Major Aircraft Accident/Incident (Hull Loss)
• Labor Strike (or Threat) Disrupts or Grounds Airline
• External/Natural Event (e.g. Health Pandemic, Natural Disasters)
• European Union Emissions Trading Scheme (EU ETS) Regulation
• Catastrophic Sabotage (Terrorism Event)
• Political Instability (Geopolitical)
ERM for CAEs
John Covell, FCA, CIA, CRMA, Managing Director, Templer Charters Consulting
Role of Internal Audit in ERM
ISO 31000 ERM Model
COSO ERM Model
Lessons Learned from ERM Implementations
• Engage Senior Management and Board of Directors
• Start by focusing on strategy and related strategic risks
• Keep it simple / build on existing risk activities
• Look at emerging risks
• What risks could bring the business down?
• ERM is a journey, not a destination
More Complex ERM Issues
• Black Swans
• Risk appetite and tolerance
• Complex risk taking (e.g., JP Morgan synthetic derivatives)
• Risk measurement and metrics
• Reporting to Senior Management and the Board
• Board risk oversight
ERM Resources
• COSO ERM Guidance
• ISO 31000 Guidance
• COSO ERM White Papers
  – Getting Started
  – Role of the Board
  – Risk Appetite
  – Risk Indicators
• 2012 IIA book on ERM by Paul Sobel & Kurt Reding