Posted By AFERM,
Sunday, November 6, 2016
Updated: Monday, November 25, 2024
I am drafting a risk assessment report and want to understand whether current risk reports should be excluded. Am I just identifying issues, or also giving credit for planned or in-process work?
AFERM EXPERTS SAY...
There is no standard form for developing a risk assessment report. While various sources indicate elements that may find a home in such a report, one might expect no standard exists because assessment reports can be written for different audiences with different information needs.
Understanding what might go into a risk assessment report should thus begin with an understanding of the needs of those for whom the report is intended. ISO 31000 defines risk assessment as the combination of risk identification, analysis, and evaluation, but does not include risk treatment. Are we looking only to report information on the assessment of risks (as suggested by the wording of your question), or are we also seeking to report on the implementation status of selected risk treatments, and the resulting risk after treatment? The more inclusive reporting of risk treatment status is required if the report is to be used by management to monitor risk treatment activities, and ensure that the targeted levels of risk resulting from risk treatments are actually achieved. If your report is to share newly identified risks, then there would be no need to include risks previously identified. However, if the intent is to communicate the organization’s ongoing level of risk and corresponding risk treatments, then understanding the full set of key risks is critical.
I would propose the following elements for any risk assessment report:
- Objective to be achieved (remember that risks by definition do not exist in isolation, but are linked to a specific objective).
- Name of risk
- Classification category of risk
- Risk appetite for the risk classification
- Likelihood/probability (of current risk)
- Consequence/impact (of current risk)
- Risk rating (prioritization based upon consideration of consequence and likelihood)
- Selected treatment (Accept, Avoid, Transfer/Share, or Mitigate/Reduce, and also Enhance if intentionally increasing risk to seek opportunities).
- Likelihood/probability (projected after completion of selected treatment)
- Consequence/impact (projected after completion of selected treatment)
- The basis for selected risk treatment (considerations of consistency with desired risk appetite, and cost-benefit analysis of various responses for treating any particular risk).
- Risk owner (the person responsible for determining the acceptability of the risk, selecting the appropriate risk treatment, and ensuring completion of the risk treatment).
If this report will also be used to monitor the actual implementation of the selected risk treatment, I would propose also including the following:
- Date risk treatment projected to be completed.
- Current status of treatment (or indication of completion)
Too often organizations consider risk in a very informal, ad hoc manner. Effective risk management requires meaningful reporting and monitoring. Formal risk reporting will be important to any organization seeking to truly manage risks in an effective manner. A full understanding of an organization’s risks will require inclusion of newly identified risks as well as ongoing risk treatment activities previously assessed.
Posted By AFERM,
Thursday, October 6, 2016
Updated: Monday, November 25, 2024
AFERM EXPERTS SAY...
Rationalizing and aligning the concepts and terminology of the internal control community with the risk management community is an ongoing challenge for many in the public sector and beyond. This is in part because these two communities come from a history relying on similar terms to mean different things.
Take for example the concepts of inherent risk and residual risk. The GAO Green Book—the “rulebook” for internal control in the US Federal government—defines inherent risk and residual risk as follows:
• Inherent risk is the risk to an entity in the absence of management’s response to the risk.
• Residual risk is the risk that remains after management’s response to inherent risk.
In the internal control community, these definitions are typically thought of as the risk prior to implementing internal control (inherent risk) and the risk after implementation of internal control (residual risk). However, from a risk management perspective, there are multiple problems with these definitions. First, what exactly is “the absence of management’s response to the risk”? Good process design should inherently consider what might not operate as planned in a process, and then design the process in a way that considers the possibility of not achieving the desired result.
For example, on a semi-automated factory assembly line, the assembly process considers how parts are to be moved along the line toward final assembly, how to reduce random variation in the process to gain stability over a quality output, when to have human intervention to minimize variation or to even temporarily stop the assembly process, etc. At what point are controls being “added”? Even more to the point, after the assembly process has been fully designed and implemented, how much of the designed-in process controls do you remove to be able to assess the inherent risk? In the assembly line example, internal controls are not added to a process that first has no controls, but are instead designed into the process from the very start. There is no meaningful basis to assess an inherent risk as might be practiced by auditors in looking at, for example, the risk of inaccurate financial reporting.
While this assembly process was chosen to highlight the problems in meaningfully defining inherent risk, that problem remains with any process, whether it be something as straightforward as the employee pay process, or something never attempted before, such as a NASA interplanetary mission.
What may be an even more important question from a risk management perspective is asking what the value is of such an exercise? From a risk management perspective, there are two points of risk measurement that are important. The first is our current level of risk given existing controls, and while operating within the current external and internal environment. The second is what is our targeted level of risk?
Our current level of risk should be compared to our risk appetite—that level of risk we are willing to accept in order to appropriately balance considerations of opportunities and threats. That comparison will tell us whether or not the risks we are in reality accepting are within that level we have agreed are appropriate to accept. Artificially removing from consideration existing internal controls to evaluate inherent risk is not a useful exercise in understanding our current level of risk with our current controls.
However, in addition to our current level of risk, another consideration is the level of risk we are targeting to be at in the future. We may seek to move from where we are today in order to reduce threats or go after greater opportunities. In either case, we need to understand current risks, targeted future levels of risks, and actions we plan to take to move from where we are today to where we wish to be in the future.
The new A-123 moves a step in the right direction by defining inherent risk as “…the exposure arising from a specific risk before any action has been taken to manage it beyond normal operations.” (emphasis added). This modification of the GAO definition would suggest that OMB requires agencies to understand their current risk (i.e., that which is reflected in “normal” operations), and then to address how that level of risk might be further acted upon by the agency to reach a new level of risk (i.e., future residual risk). This minor tweaking of the inherent risk definition by OMB may help facilitate the needed discussion between the internal control and risk management community to provide an effective and value-added risk assessment and monitoring process.
While these comments have focused on inherent risk and residual risk, they are but a reflection of a need for a broader discussion of concepts and terminology between practitioners of internal control and the broader risk management community. The two communities need to develop a common understanding of how the two concepts fit together in achieving organizational success.
Posted By AFERM,
Tuesday, September 20, 2016
Updated: Monday, November 25, 2024
Question asked by David Wooten
Additional Details
Some say that ERM will only occur at the Departmental level and above and that the bureaus (within Departments) will continue to only use the internal controls program. Are they correct?
AFERM EXPERTS SAY...
David, thank you for your question. In my view, ERM is intended to be forward thinking/scanning the horizon, while the existing internal controls only measure how well we are executing measurable components towards our strategic goals. ERM looks at what could keep us from accomplishing our goals, so it would seem that ERM would have to reach into the bureaus. I am not in the camp that views ERM as only a Departmental-level initiative.
Posted By AFERM,
Wednesday, September 7, 2016
Updated: Monday, November 25, 2024
Additional Details
(part 2 of 2) We are a bureau within a much larger agency. Some are calling for us to implement ERM, but there appears to be no meaningful action to do so at the higher agency level. How can we implement ERM without doing so at the agency level? Will doing so even be helpful?
AFERM EXPERTS SAY...
As I hopefully conveyed in my prior thoughts on the distinction between ERM and internal controls, it would be a serious mistake for any organization to presume their internal control program will suffice for addressing the risk to their organizational objectives. Hopefully that message will filter down throughout the Department, because all levels of the Department will need to be engaged if true ERM is to ultimately result.
Moving to ERM requires a change in organizational culture for most of the Federal government. It may be that bureaus may in some cases actually have leaders who more quickly understand and see the value of ERM. In those cases, we may see bureaus or other subordinate parts of larger organizations being the primary advocates for ERM. In DoD, for example, early explorers of ERM included DFAS (in 2007) and DLA (in 2009), well before DoD as a whole had expressed any interest in ERM. While these early initiatives eventually stalled due to changes in leadership, my expectation is that the new focus by OMB on risk management and ERM as reflected in A-123 and A-11 will encourage proactive leaders to initiate ERM programs regardless of their organizational level.
Posted By AFERM,
Thursday, September 1, 2016
Updated: Monday, November 25, 2024
Question asked by Web User
Additional Details
(part 1 of 2) We are a bureau within a much larger agency. Some are calling for us to implement ERM, but there appears to be no meaningful action to do so at the higher agency level. How can we implement ERM without doing so at the agency level? Will doing so even be helpful?
AFERM EXPERTS SAY...
One way of answering this question is to first ask: (1) what is the purpose of ERM? and (2) what is the key mechanism of ERM in accomplishing this goal? ERM seeks to develop an organization-wide, portfolio view of risk that allows balancing results, resources and risks in a manner that maximizes stakeholder value. The key mechanism is two-fold. In the words of John Fraser, former Chief Risk Officer of Canada’s Hydro One, ERM is about “conversation” and “prioritization”. By conversation, John is referring to an open conversation of risk across the organization. This in turn leads to meaningful prioritization of risk treatments at an enterprise level contributing to maximizing stakeholder value.
Implementing a formal ERM program may indeed have little value if those conversations and prioritizations are already occurring. This can easily be the case in small organizations that are already well interconnected and have not grown to the size and complexity where functional and programmatic silos have evolved as a result of organizational structures. A basketball team, as a very simple example, understands the risks to each of the other players at any point in the game and reacts to those risks in a manner designed to win the game. However, as any organization grows to require larger numbers of participants and more complex organizational structures to coordinate efforts, this group interaction in understanding risks begins to fall apart. Instead, many business decisions and associated risks are managed within organizational silos. Concrete efforts need to take place if this conversation and prioritization across the enterprise is to take place.
With the preceding as background, it is clear that where an organization sits in the overall organizational hierarchy is not the critical factor. The key considerations are: (1) will the organization considering implementing ERM potentially benefit from that implementation, and (2) does it have the capabilities to be successful in that implementation?
The answer to point one is “yes” if the organization is large enough and complex enough to benefit from a conscious and organized approach to identifying, sharing, and managing risk across the organization in an integrated fashion. For a group of a dozen individuals, this level of sharing and integration is likely already present. However, when organizations grow to hundreds and thousands of individuals, then the resulting organizational silos make the benefits of ERM almost inevitable. If so, then the second question must be answered: does the organization have the capabilities to implement ERM? Internal organizational capabilities can be developed, but the starting point is to know that the organization has sufficient autonomy within the larger organizational structure to pull together the necessary governance structures, make the necessary risk-informed resource allocations, and develop the necessary cultural changes. The leader of a bureau typically has the needed level of autonomy and resource allocation discretion. If those necessary prerequisites are present, then the implementation of ERM within the bureau is possible even when the higher level organization (agency or department) has not yet sought to implement ERM.
Posted By AFERM,
Wednesday, August 17, 2016
Updated: Monday, November 25, 2024
Question asked by Web User
Additional Details
(part 2 of 2) I have worked with A-123 and Internal Controls for years, but now I am hearing a lot about ERM. Isn’t this just a more mature way to implement internal controls? After all, the GAO Green Book states that internal control is a process “…that provides reasonable assurance that the objectives of an entity will be achieved.” Is this the same as saying risk is well managed?
AFERM EXPERTS SAY...
Previously, I shared thoughts on the relationship between internal control and risk management. These two terms are not synonyms, and understanding their relationship is important to achieving any organization’s full set of objectives. However, how does Enterprise Risk Management (ERM) factor into this discussion? Is ERM simply a new term for discussing risk management, or is there more to the story?
COSO released their first Internal Control—Integrated Framework in 1992, which was revised in 2013. In 2004, COSO released their Enterprise Risk Management—Integrated Framework, and a 2016 update was recently published. However, there has never been a “Risk Management Framework” by COSO. Does this imply that ERM is simply a new name for what was previously known as risk management? While this might be a fair question looking only at the title of their existing frameworks, a quick review of the COSO Enterprise Risk Management–Integrated Framework Executive Summary would show that there are aspects of ERM that go beyond traditional risk management.
Given an understanding that risk is the uncertainty of achieving an objective, risk management can be employed anytime we have established an objective. This might be completing a major project, or it might be as simple as getting to an appointment on time. The traditional approach to managing risk prior to ERM would be to look at each of the identified risks independently, and then seek to manage that risk without consideration of the other objectives and risks also being managed in the organization. In this traditional approach, the CIO manages information technology risks on his or her own, the CFO manages financial and reporting risks independent of others, program managers focus on their specific program risks, etc.
In contrast to this traditional approach to risk management, the current update to the COSO ERM Framework indicates that ERM seeks to:
• Establish risk governance and appropriate culture
• Align risk management with strategy and performance
• Develop a portfolio view of risk across the enterprise
• Flow risk information up, down and across the enterprise
This goal of fully integrating risk management across the enterprise in a manner that allows for the balancing of results sought, resources to be consumed, and risks to be accepted, directly contributes to the ultimate goal of generating maximum value for the organization’s key stakeholders. This is the goal of ERM, something that clearly cannot be accomplished when risks are managed only within functional, programmatic, or organizational silos.
One important aspect of ERM is that it “…facilitates effective response to the interrelated impacts, and integrated responses to multiple risks.” While giving a nod to integrated risks, the 2004 ERM COSO is relatively silent on this critical distinction between ERM and traditional risk management. However, the revised ERM framework clearly goes farther in recognizing this important aspect of ERM by establishing one of the 23 principles as “Develops Portfolio View”. An integrated, portfolio view of risk across an organization is unique to ERM, and is a key differentiator between ERM and traditional risk management. This concept underlies the definition of ERM offered by OMB A-11, when it defines ERM as “an effective agency-wide approach to addressing the full spectrum of the organization’s significant risks by understanding the combined impact of risks as an interrelated portfolio, rather than addressing risks only within silos”.
Posted By AFERM,
Wednesday, June 22, 2016
Updated: Monday, November 25, 2024
Question asked by Web User
Additional Details
(part 1 of 2) I have worked with A-123 and Internal Controls for years, but now I am hearing a lot about ERM. Isn’t this just a more mature way to implement internal controls? After all, the GAO Green Book states that internal control is a process “…that provides reasonable assurance that the objectives of an entity will be achieved.” Is this the same as saying risk is well managed?
AFERM EXPERTS SAY...
The distinction between internal control, risk management, and ERM is often a point of confusion. In translating a definition into a working concept, it is often important to understand the application of the concept, and what words in a definition might be lacking to further explain the concept. To start, the full GAO Green Book definition of internal control is:
“…a process effected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved. These objectives and related risks can be broadly classified into one or more of the following three categories:
• Operations – Effectiveness and efficiency of operations
• Reporting – Reliability of reporting for internal and external use
• Compliance – Compliance with applicable laws and regulations”
In each of these cases, processes and procedures can and should be set in place to achieve operational results, allow for appropriate reporting, and do so while ensuring compliance with applicable laws and regulations. Internal control is indeed important to developing reasonable assurance that the applicable processes will operate as designed and achieve the desired objectives.
However, what is unstated in the Green Book definition is that organizations can have objectives outside of these three categories. Any choice of a future action typically entails risk. Those choices extend far beyond the execution of currently implemented business processes, and include any decision for future action not dependent on an existing process.
Let us agree for purposes of this explanation that risk is the uncertainty of achieving objectives, and risk management is that set of activities used to assess and control risks to acceptable levels that contribute to maximizing stakeholder value. We manage risks in part by choosing to treat risks through one of the following options: acceptance, avoidance, transference, or mitigation. If our choice is to mitigate a risk, we are looking to take action through an internal control to reduce the likelihood that a risk transitions into an adverse event, to lessen the impact of that event, or both. This internal control can be placed on an existing process (if the process is in operation), or prospectively if the process is being designed or otherwise intended for future implementation. Internal controls are thus a means of lessening the risks to business processes.
Based on this description, internal control is clearly an important element of risk management. However, there are aspects of risk that are not addressed by internal control. Many risks occur outside the control of the organization (e.g., the likelihood that a federal agency will be allocated their requested budget by Congress). Other risks arise from plans that are made, well before processes are designed or put into place to deliver products or services in accordance with those plans (e.g., strategic planning options). Internal control cannot be applied to future trade-off considerations when there are no processes to control. While internal control may not be an option for managing some risks, that does not make the risk in those various trade-offs any less important.