IIA Chicago Chapter 53rd Annual Seminar, April 15, 2013, Donald E. Stephens Convention Center (@IIAChicago #IIACHI)
DeVry Approach to ERM: Elizabeth Truelove McDermott, CPA, Vice President, Audit, Ethics & Compliance Services


Page 1: Title

IIA Chicago Chapter 53rd Annual Seminar, April 15, 2013, Donald E. Stephens Convention Center
@IIAChicago #IIACHI

DeVry Approach to ERM
Elizabeth Truelove McDermott, CPA, Vice President, Audit, Ethics & Compliance Services

Page 2: DeVry's ERM Approach

Page 3: DeVry's ERM Program Ownership – Roles & Responsibilities

Internal Audit ("Provides Independent Assurance")
• Monitor, advise, coordinate and facilitate ERM process
• Objective review of risk management process
• Independent assurance to management and Board on assertions of risk exposure

ERM Champions ("Supports ERM Steering Committee, Management, and the Board")
• ERM program management
• Governance, policy, and appetite implementation and coordination
• Risk assessment methods
• Measurement, aggregation, reporting rules and tools
• Monitor risk exposure status and report to Board

Business Areas ("Manage Risks")
• Risk identification
• Risk self-assessments
• Strategy and actions to address risk within policy
• Ensure compliance with ERM policies and procedures
• Provide assertions on risk exposure

Board of Directors & CEO
• The Board of Directors has ultimate accountability for all risk but can delegate responsibility to senior management

ERM Steering Committee ("ERM Oversight")
• Clearinghouse for risks, policy, appetite setting, and governance

Page 4: DeVry - Strategic Plan Key Risk Indicators

Page 5: Inputs to DeVry's Audit Plan

Page 6: Lessons Learned

• Buy-in from CEO & executive team is imperative to the program's success
• Engage management; broad constituency
• Integration of risk discussions and ERM monitoring into everyday business is essential; it is not a documentation exercise
• Keep business focused on what has meaning for them; make sure they're not duplicating efforts
• Build common language and common metrics
• Integrate risk management with strategic planning
• Clear communication and identification of management's and the board's responsibilities is key

Page 7: Title

IIA Chicago Chapter 53rd Annual Seminar, April 15, 2013, Donald E. Stephens Convention Center
@IIAChicago #IIACHI

SIRVA Risk Management Approach
David Doney, CIA, CPA, Vice President - Internal Audit, SIRVA, Inc.

Page 8: Risk Management

Risk management categories at SIRVA and the activities within each (IA focus: strengthening practices within categories):

• Strategic & Operational: strategic risk assessment; SOC 2 & 3 operational audits
• Legal & Regulatory: L&R risk assessment
• Financial Reporting: external audit; SOX program

Page 9: Legal & Regulatory Approach

1. Identify laws/regulations and related risks
   • IA facilitating meetings with SIRVA Legal Department and other contacts
   • Information captured in standard template
2. Prioritize risks for additional review
   • CFO, Legal, and other business leaders determine prioritization within silos
   • General Counsel completed initial prioritization across silos
3. Identify controls and remediate compliance gaps

Phases (laid out on a Jan–Dec timeline on the original slide):
• Law and Risk Inventory
• Risk Prioritization
• Control Identification (Key Areas)
• Gap Identification
• Remediation Planning
• Remediation (2013 - 2014)

Page 10: Operational: IT / SOC 2&3

• AICPA Principles: 4 ITGC & Privacy
• AICPA Criteria: 190
• SIRVA Controls: 128
• Tests: 20 assigned to IA

Page 11: Strategic Risk

• CEO & Board review strategic planning materials from each business in detail
• Variation across businesses in how this information was presented to board
• IA proposed strategic risk template in 2012; will re-visit in 2013
• Concept was to take strategic plans & budgets and standardize risk elements

Strategic risk template (columns: #, Strategic Goal or Objective (Top 3-5), Supporting Metric(s), Risk #, Risk, Rank, Owner, Response):

1. Example: Increase number of shipments from X to Y
   Shipment count via alternate channels: R1.1 Risk is capacity constraints that limit volume growth during busy season. Rank H; Owner: Name; Response: Initiative 1
   Committed fleet count: R1.2 Risk is loss of key agents. Rank M; Owner: Name; Response: Initiative 2
2. Example: Improve margin per shipment (from X/shipment to Y in Channel A and Y/shipment to Z in Channel B.)
   % Agents adopting new system: R2.1 Risk is system enhancements are not implemented on schedule. Rank M; Owner: Name; Response: Initiative 3
   Margin per shipment: R2.2 Risk is we do not build an optimal pricing engine and price escalation methodology. Rank H; Owner: Name; Response: Initiative 4
3. Example: Implement productivity initiatives to reduce SG&A from X% to Y% of revenue.
   SG&A costs per headcount: R3.1 Risk is system rollouts are not implemented on schedule. Rank H; Owner: Name; Response: Initiative 5
   Costs per bill; % shipments with >1 bill: R3.2 Risk is we are unable to identify and reduce billing re-work. Rank M; Owner: Name; Response: Initiative 6
4. Example: Maintain safety scores exceeding industry standard.
   FMCSA safety measures: R4.1 Risk is that Agents are not effectively monitored for safety compliance. Rank H; Owner: Name; Response: Initiative 7

Page 12: IA Role in Risk Mgmt

• IA in project manager / facilitator role
  • L&R risk assessment
  • Financial control / SOX update
  • SOC 2/3 efforts
  • Annual audit planning meetings
• IA maintains templates or database of risk and control information
• IA assisted with L&R risk template design and edit of input
• IIA Standards: IA should evaluate RM practices
  • Consider helping build processes initially within silos

Page 13: Lessons Learned

• No ERM? Pick a silo and make its risk assessment better
• Board support needed; one board member's questions resulted in L&R risk assessment
• Management appreciates IA:
  • Taking on project management role
  • Maintaining database of risk and control information
  • Edit and review of risk and control information
  • Feedback on risk prioritization
• Keep subject experts focused on surfacing risks and controls; IA can handle the project administration
• Easily customized database technology very helpful
• Develop next steps / plans for improving risk assessment in each silo

Page 14: Risk Mgmt – Next Steps

• Strategic / Ops: Revisit template concept after April refresh of strategic plan
• Financial Reporting: Expand control information with exception tolerance and follow-up details
• Legal / Regulatory: Complete initial risk inventory and prioritization; execute projects in key areas (e.g., FCPA, Mortgage)
• IT: Continue annual reporting of key risks to audit committee; continue executing SOC 2/3 assessment; complete template for other areas
• Management Risk Committee with Enterprise Scope: Establish formal management risk committee for all areas of risk; select top issues in each category for Board discussion

Page 15: Title

IIA Chicago Chapter 53rd Annual Seminar, April 15, 2013, Donald E. Stephens Convention Center
@IIAChicago #IIACHI

United Airlines Approach to ERM
Steve Goepfert, CIA, CPA, CRMA, Vice President - Internal Audit, United Airlines

Page 16: ERM Executive Committee

• Executive Vice President and Chief Financial Officer (chair)
• Vice Chairman & Chief Revenue Officer
• Executive Vice President HR & Labor Relations
• Executive Vice President & General Counsel Secretary
• Executive Vice President Communication & Government Affairs
• Executive Vice President & Chief Operating Officer
• Senior Vice President & Chief Information Officer
• Senior Vice President Finance & Treasurer
• Senior Vice President Strategy & Business Development
• Senior Vice President Marketing & Loyalty
• Vice President Internal Audit
• Managing Director Retirement Investments
• Senior Project Manager Enterprise Risk P&I

Page 17: Risk Categories and Risk Owners

Risk categories:
• External - Financial
• External – Economic or Physical
• Governmental
• Operational and/or Commercial

Risks and their owners:
• IT Systems: SVP & CIO
• Compliance Requirements: EVP & General Counsel Secretary
• Economic Events: Vice Chairman & Chief Revenue Officer
• Safety/Health, Pandemic: EVP & COO
• Jet Fuel: SVP Finance & Treasurer
• Capital Markets: SVP Finance & Treasurer
• Regulatory Changes: EVP Communication & Government Affairs
• Change Management: SVP Strategy & Business Development
• Vendor Issues: SVP Finance & Treasury
• Security: EVP & COO
• Labor Issues: EVP HR & Labor Relations

Page 18: Risk Velocity

Risk velocity is a key dimension to consider along with impact and likelihood of occurrence.

Score and velocity (H = high, L = low) of each assessed risk, as charted on the original slide; the risk names are not in the transcript:

Score  Velocity
15     H
14     H
14     H
12     H
12     L
12     L
11     L
11     L
11     L
10     H
10     H
10     H
10     H
10     H
9      H
9      H
9      H
9      L
7      H
7      L
6      H
6      H
6      H
6      L
6      L
3      L
2      L

Page 19: Key Risks

• Jet Fuel Price Increase
• Significant Recession
• Unavailability of Mission Critical IT Systems
• Data Privacy: Non-Compliance with Regulatory Requirements
• Major Aircraft Accident/Incident (Hull Loss)
• Labor Strike (or Threat) Disrupts or Grounds Airline
• External/Natural Event (e.g. Health Pandemic, Natural Disasters)
• European Union Emissions Trading Scheme (EU ETS) Regulation
• Catastrophic Sabotage (Terrorism Event)
• Political Instability (Geopolitical)

Page 20: Title

IIA Chicago Chapter 53rd Annual Seminar, April 15, 2013, Donald E. Stephens Convention Center
@IIAChicago #IIACHI

ERM for CAEs
John Covell, FCA, CIA, CRMA, Managing Director, Templer Charters Consulting

Page 21: Role of Internal Audit in ERM

Page 22: ISO 31000 ERM Model

Page 23: COSO ERM Model

Page 24: Lessons Learned from ERM Implementations

• Engage Senior Management and Board of Directors
• Start by focusing on strategy and related strategic risks
• Keep it simple / build on existing risk activities
• Look at emerging risks
• What risks could bring the business down?
• ERM is a journey, not a destination

Page 25: More Complex ERM Issues

• Black Swans
• Risk appetite and tolerance
• Complex risk taking (e.g., JP Morgan synthetic derivatives)
• Risk measurement and metrics
• Reporting to Senior Management and the Board
• Board risk oversight

Page 26: ERM Resources

• COSO ERM Guidance
• ISO 31000 Guidance
• COSO ERM White Papers
  – Getting Started
  – Role of the Board
  – Risk Appetite
  – Risk Indicators
• 2012 IIA book on ERM by Paul Sobel & Kurt Reding

Page 27: What do you think?

Share your thoughts about this presentation on Twitter using the hashtag #IIACHI (@IIAChicago).
Visit our Social Media booth in the Exhibit Hall to join the conversation today!
Not on Twitter? Follow us on Twitter.