
© 2016 CHAN Healthcare


Enterprise Risk Management – An Auditor’s Perspective

Central Iowa IIA Chapter Meeting – October 11, 2016


Survey

What is your current involvement with Enterprise Risk Management (ERM) in your organization?

a) Highly involved

b) Involved to a limited degree

c) Not involved at all


What is Enterprise Risk Management?

“A structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives”*

In other words – Risk management without silos

*From “IIA Position Paper: The Role of Internal Auditing in Enterprise-Wide Risk Management” issued in January 2009


Advantages To Internal Audit Involvement

Gain insight into the organization’s strategy

Understand what Executive Management is most worried about

Establish ourselves as risk experts in the organization

Show that we can be part of the solution, not just identifying problems

Gain a “seat at the table”


Core Internal Audit Roles In Regard To ERM

Giving assurance on the risk management processes

Evaluating risk management processes

Giving assurance that risks are correctly evaluated

Evaluating the reporting of key risks

Reviewing the management of key risks

*From “IIA Position Paper: The Role of Internal Auditing in Enterprise-Wide Risk Management” issued in January 2009


Legitimate Internal Audit Roles With Safeguards

Maintaining and developing the ERM framework

Championing establishment of ERM

Developing ERM strategy for Board approval

Facilitating identification and evaluation of risks

Coaching Management in responding to risk

Coordinating ERM activities

Consolidated reporting on risks

*From “IIA Position Paper: The Role of Internal Auditing in Enterprise-Wide Risk Management” issued in January 2009


Roles Internal Audit Should Not Undertake

Setting the risk appetite

Imposing risk management processes

Management assurance on risks

Taking decisions on risk responses

Implementing risk responses on Management’s behalf

Accountability for risk management

*From “IIA Position Paper: The Role of Internal Auditing in Enterprise-Wide Risk Management” issued in January 2009


2016 State of Risk Oversight: An Overview of Enterprise Risk Management Practices – Enterprise Risk Management Initiative, North Carolina State University

57% of executives believe that the volume and complexity of risks have changed “extensively” or “mostly” in the last five years; only 25% believe their organization has a “complete formal enterprise risk management process in place”

25% describe their organization’s level of risk management maturity as “Mature” or “Robust”

50% reported no formal process to update their understanding of risks

70% reported that their organizations do not provide any guidelines or scales for Management to assess risk probabilities or impacts

56% said that their organization’s risk management process is “not at all” or “minimally” viewed as a proprietary strategic tool that provides unique competitive advantage


Key Elements to an ERM Program

Board Ownership

Management Buy-In

Common Risk Framework and Language (e.g., COSO)

Methodology for measuring and quantifying risk


COSO ERM Framework

A “Portfolio” View of Risk


Measuring and Quantifying Risk

Magnitude (a.k.a. Impact, Criticality): scale from Insignificant to Catastrophic

Likelihood (a.k.a. Probability): scale from Highly Unlikely to Highly Probable

Velocity (a.k.a. Speed): scale from Low to High


Addressing Black Swans


Addressing Black Swans (cont.)

3 principal characteristics:
  Unpredictable
  Carry a massive impact
  After the fact, we concoct an explanation that makes it appear less random, and more predictable, than it was

Why incorporate into risk management?
  Pace of change continues to accelerate
  Uncertainty is the new normal
  Could be blind spots in organizational planning
  Help determine risk appetite


Risk Response Options

Avoid
  Exit a product line
  Sell a division
  Prohibit an activity

Reduce
  Implement or enhance controls

Share
  Insurance
  Hedging
  Outsourcing
  Indemnification

Accept

*From the COSO ERM Framework


Example ERM Program


Getting Started

Enterprise Risk Management Charter
  Board ownership of enterprise risks
  Responsibilities for identifying, assessing and reporting on risks
  Risk definitions and terminology
  Measurement/ranking methodology
  Reporting frequency and standards
  Information sharing standards


Gaining Buy-In

Board approval of ERM charter

ERM Steering Committee of VPs/Senior VPs

Risk Council of Department Directors

Steering Committee and Risk Council contained broad membership, including Strategy, Retail, Marketing, Supply Chain, Legal, Product Development, Finance, IT and Business Continuity


Risk Capture

ERM process integrated with annual audit planning and annual strategic planning

Survey sent to all Directors and above throughout the organization:
  Asked to respond with at least one risk in each category: Strategic, Operations, Reporting, Compliance
  Asked to rank each risk from 1-5 on both Magnitude and Likelihood

In-person brainstorming conducted at staff meetings of Senior VPs and above


Risk Prioritization

Based on initial Magnitude/Likelihood rankings, Risk Council was asked to:
  Agree on the top 5-7 enterprise risks
  Determine the 3-5 black swans which were of the most concern
  Identify other risks for inclusion on the “watch list” (i.e., risks where there was some disagreement as to the Magnitude/Likelihood scoring, or where the volatility was so great that the scoring could reasonably change in the near future)

Risk Council results were taken to ERM Steering Committee for validation

Upon Steering Committee validation, results reported to CEO and Board
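The Risk Capture survey and the Risk Prioritization step above, worked through as an added Python example that is not part of the presentation: it checks that every respondent supplied a risk in all four categories, scores each risk as mean Magnitude times mean Likelihood from the 1-5 rankings, ranks the top N, and puts lower-ranked risks with scoring disagreement on the watch list. The risk names, respondents, ratings and the disagreement threshold are constructed assumptions; the volatility criterion for the watch list is not modelled, since a survey alone does not capture it.

```python
"""Score a 1-5 Magnitude/Likelihood survey; rank risks; build a watch list (constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev

CATEGORIES = ("Strategic", "Operations", "Reporting", "Compliance")
# Constructed sample responses: (risk, category, respondent, magnitude, likelihood)
SURVEY = [
    ("Major data breach", "Operations", "dir_a", 5, 3),
    ("Major data breach", "Operations", "dir_b", 5, 4),
    ("Major data breach", "Operations", "dir_c", 4, 3),
    ("Reimbursement model change", "Strategic", "dir_a", 4, 4),
    ("Reimbursement model change", "Strategic", "dir_b", 3, 4),
    ("Clinical system outage", "Operations", "dir_a", 4, 3),
    ("Clinical system outage", "Operations", "dir_c", 4, 2),
    ("Key supplier failure", "Strategic", "dir_a", 4, 2),
    ("Key supplier failure", "Strategic", "dir_b", 2, 2),
    ("Key supplier failure", "Strategic", "dir_c", 5, 1),
    ("Financial restatement", "Reporting", "dir_a", 3, 1),
    ("Financial restatement", "Reporting", "dir_b", 3, 2),
    ("Licensing lapse", "Compliance", "dir_a", 2, 2),
    ("Licensing lapse", "Compliance", "dir_b", 2, 1),
]

def missing_categories(responses):
    """Respondents who did not supply at least one risk in every category."""
    seen = defaultdict(set)
    for _, category, who, _, _ in responses:
        seen[who].add(category)
    return {who: sorted(set(CATEGORIES) - cats)
            for who, cats in seen.items() if set(CATEGORIES) - cats}

def score_risks(responses, disagreement=1.0):
    """Per risk: mean Magnitude x mean Likelihood (1-25), plus a disagreement
    flag when the population std dev on either scale exceeds the threshold."""
    ratings = defaultdict(lambda: ([], []))
    for risk, _, _, mag, lik in responses:
        if not (1 <= mag <= 5 and 1 <= lik <= 5):
            raise ValueError(f"{risk}: rankings must be 1-5")
        ratings[risk][0].append(mag)
        ratings[risk][1].append(lik)
    return {risk: {"score": round(mean(m) * mean(l), 2),
                   "disagreement": max(pstdev(m), pstdev(l)) > disagreement}
            for risk, (m, l) in ratings.items()}

def prioritize(responses, top_n=3):
    """Top-N risks by score; lower-ranked risks whose scoring shows
    disagreement go on the watch list for the Risk Council to revisit."""
    ranked = sorted(score_risks(responses).items(), key=lambda kv: -kv[1]["score"])
    top = [risk for risk, _ in ranked[:top_n]]
    watch = [risk for risk, s in ranked[top_n:] if s["disagreement"]]
    return top, watch
```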


Risk Reporting

For the top enterprise risks:
  Identify an owner at the executive level (VP or above)
  Conduct an analysis of opportunities and threats related to the risk
  Owner works with other members of Management to develop mitigating actions
  Performance indicators are agreed to that will measure the effectiveness of the mitigating actions

For the top black swans:
  Gain a detailed understanding of the risk, including controls/metrics currently in place, and prepare a summary document for Executive Management and the Board
  Executive Management and Board identify any additional actions that need to be taken


Risk Monitoring

Quarterly Risk Council and ERM Steering Committee meetings to update risk rankings as necessary

Quarterly reporting to Board, including the status of mitigating actions and a quarter-over-quarter comparison of performance indicators


Practical Tips To Consider


Practical Tips For Those With Limited ERM Involvement

Assess the feasibility of tying annual audit planning with the ERM process

Compare audit plan against the top risks identified through ERM

Report on ERM risks through existing audits with an “Other Observations” or “Recommendations” section

Consider a business continuity audit

Ask to sit in on ERM committee meetings


Practical Tips For Those With No ERM Involvement

Start small

Consider an audit of the company’s overall risk management framework

Incorporate corporate strategy discussions into annual audit planning

Build a knowledge base by asking enterprise risk questions on existing audits

Incorporate enterprise/strategic risk discussions into Audit Committee presentations


Common ERM Roadblocks

A Culture That Frowns Upon Sharing Bad News
  Obtain executive buy-in to champion the initiative

“We Don’t Have Time For This”
  Start simple and build credibility over time

Duplication of Existing Efforts
  Incorporate the results of existing risk frameworks (e.g., business continuity, environmental health and safety, IT security) into ERM discussions

Inconsistent Understanding of Risk
  Use the charter to establish a common risk language; continuously repeat and educate


Questions?


For more information, contact:

Ryan Willhite

Direct 515.643.7318

Mobile 913.221.2366

[email protected]

In accordance with applicable professional standards, some firm services may not be available to attest clients.

This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction.

© 2016 Crowe Horwath LLP, an independent member of Crowe Horwath International crowehorwath.com/disclosure