UNIVERSITY OF PENNSYLVANIA

ASSESSING AND MITIGATING BUSINESS RISK USING AN INTEGRATED INTERNAL CONTROL FRAMEWORK
BUSINESS RISK - WHAT IS IT?
Threats to achieving the organization's business objectives
EXAMPLES OF BUSINESS RISK
• Having shortsighted goals
• Processes that are ineffective at achieving progressive goals
• Financial fraud
• Failure to comply with government regulations
• Tarnishing of reputation
WHY BE CONCERNED ABOUT RISK?
• Fierce competition
• Pressure for increased productivity, responsiveness and responsibility, while reducing costs
• Powerful new technologies
• Increased external scrutiny
• More decentralized accountability
BUSINESS RISK CAN BE CATEGORIZED
• Financial* - protecting monetary funds
• Strategic - goals of the organization
• Operational - processes that operationalize goals
• Compliance - laws and regulations
• Reputational - public image

* The type of business risk that most quickly comes to mind
CURRENT EXAMPLES OF FINANCIAL AND REPUTATIONAL DAMAGE
(Public demand for improved control)

Institution - Issue - Penalty or cost
University of Minnesota - Misuse of federal grants - $32 mil
New York University Medical Center - Inflated research grant costs - $15.5 mil
Duke University - Sexual harassment - $0.5 mil
University of Chicago - Research fraud and abuse - $650,000
Johns Hopkins, Harvard (2), Yale - Miscellaneous scientific misconduct
University of Michigan - Conflict of interest - $100,000 penalty and 1 year probation for the Chief Urologist
Duke University Medical Center - Human subject protections
University of Wisconsin-Madison - False statements - $10,000 fine / prison
Birmingham-Southern College - Gift/development impropriety
Columbia/HCA - Medicare billing - $745 mil
WHO NEEDS TO BE CONCERNED ABOUT RISK?
Everyone in the organization
– Agenda for Excellence: "Upgrade the University's Internal Controls and Compliance mechanisms"¹
Understand your role in identifying and mitigating risk

¹ Source: Agenda for Excellence, Strategic Goal 3, Subgoal 3(b), page S-6
WHAT CAN BE DONE ABOUT RISK?
• Eliminate
• Accept
• Transfer - insure, outsource
• Mitigate
HOW DO YOU MITIGATE RISK?
• Brainstorm ways to reduce or remove the risk
• Research best practices
• Select the best (cost-effective) alternative
WHERE IS RISK FOUND?
INTEGRATED INTERNAL CONTROL FRAMEWORK
Adapted from the Committee of Sponsoring Organizations of the Treadway Commission (COSO), http://www.coso.org/

• CONTROL ENVIRONMENT: tone at the top, infrastructure, compliance; culture: integrity and competence of people
• RISK ASSESSMENT: identify, prioritize, mitigate risks; ongoing; wide participation
• CONTROL ACTIVITIES: processes, procedures, safeguards, access security, authorization
• INFORMATION & COMMUNICATION: runs through all of the other components (shown along both sides of the framework diagram)
• MONITORING: throughout
CONTROL ENVIRONMENT: FOUNDATION OF ALL OTHER COMPONENTS
• Established by an institution's senior management group (President, Provost, EVP, CEO UPHS and Deans) - the "tone at the top"
• Based on the attitudes and practices of those in positions of authority
• Influences the "risk consciousness" of personnel
• An element in establishing the organization's culture
CONTROL ENVIRONMENT FACTORS
• Integrity and ethical values
• Competence
• Management's philosophy and operating style
• Responsibility, authority and accountability
• Human resource practices and policies
RISK ASSESSMENT: PROCESSES TO IDENTIFY AND ANALYZE BUSINESS RISK
• Managing in a changing environment requires constant assessment of risk
• No practical way exists to reduce risk to zero
• Management must decide how much risk is acceptable
• Methods of managing significant risks must be established
ONGOING RISK ASSESSMENT ACTIVITIES
• Identify external and internal risks to business objectives
• Anticipate worst-case scenarios
• Estimate the probability and impact of each risk
• Establish a proactive, cost-effective plan for managing risks
• Use this process periodically or ad hoc (restructuring, launching new programs)
CONTROL ACTIVITIES: SPECIFIC POLICIES AND PROCEDURES DESIGNED TO MITIGATE RISK
• Policies establish behavioral guidelines
• Processes and procedures establish how work is to be performed
• Risk control activities need to occur throughout the organization, at all levels and in all functions
TYPES OF CONTROL ACTIVITIES
• Review of reports of operational performance
• Information systems and data processing security
• Segregation of duties (custody, record-keeping, approval/review)
• Annual performance reviews
• Reconciliations
• Limits of authority and access (signatures, ID badges, user IDs, locks)
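As an added illustration of two of the control activities listed above, segregation of duties and limits of authority and access, here is a small policy checker written for this page; it is not code from the original slides or from COSO. The role names, the three duty categories, the dollar limits, the user names and the transactions are all assumed sample data. It flags any user whose accumulated roles combine custody, record-keeping or approval duties, and rejects a transaction that is self-approved, approved by someone holding no approval duty, or larger than the approver's signing limit.

```python
"""Segregation-of-duties (SoD) and authority-limit checker.

Added example for this page, not code from the original slides or from COSO.
Role names, duty categories, approval limits and all sample data below are
assumptions constructed for illustration.
"""

# Duties the slide says should be separated: custody, record-keeping and
# approval/review. One person holding two of them for the same process is
# a segregation-of-duties conflict.
ROLE_DUTIES = {
    "cashier": {"custody"},
    "ap_clerk": {"record_keeping"},
    "purchasing_manager": {"approval"},
    # Assumed role that combines two duties; the checker should flag it.
    "controller": {"record_keeping", "approval"},
    "auditor": set(),
}

# Assumed signing limits per role (a "limit of authority" control).
APPROVAL_LIMITS = {"purchasing_manager": 25_000, "controller": 100_000}

# Constructed sample data: user -> roles, and a few purchase transactions.
SAMPLE_USERS = {
    "alice": {"cashier"},
    "bob": {"ap_clerk"},
    "carol": {"purchasing_manager"},
    "dave": {"controller"},
    "erin": {"ap_clerk", "purchasing_manager"},  # accumulated a second role
}
SAMPLE_TRANSACTIONS = [
    {"id": "T1", "amount": 5_000, "entered_by": "bob", "approved_by": "carol"},
    {"id": "T2", "amount": 50_000, "entered_by": "bob", "approved_by": "carol"},
    {"id": "T3", "amount": 1_000, "entered_by": "erin", "approved_by": "erin"},
    {"id": "T4", "amount": 1_000, "entered_by": "bob", "approved_by": "alice"},
]


def duties_of(user, user_roles):
    """Union of the duties granted by every role the user holds."""
    held = set()
    for role in user_roles.get(user, ()):
        held |= ROLE_DUTIES.get(role, set())
    return held


def sod_violations(user_roles):
    """Return {user: sorted duties} for every user holding two or more duties."""
    violations = {}
    for user in user_roles:
        held = duties_of(user, user_roles)
        if len(held) > 1:
            violations[user] = sorted(held)
    return violations


def check_transaction(txn, user_roles):
    """Findings for one transaction; an empty list means the controls passed."""
    findings = []
    if txn["entered_by"] == txn["approved_by"]:
        findings.append("self-approval: preparer and approver are the same user")
    if "approval" not in duties_of(txn["approved_by"], user_roles):
        findings.append("approver holds no approval duty")
    # The approver's limit is the highest limit of any role they hold; a user
    # with no limited role gets a limit of 0 and therefore can approve nothing.
    approver_roles = user_roles.get(txn["approved_by"], ())
    limit = max((APPROVAL_LIMITS.get(r, 0) for r in approver_roles), default=0)
    if txn["amount"] > limit:
        findings.append(f"amount {txn['amount']} exceeds approver limit {limit}")
    return findings


def audit(user_roles, transactions):
    """Run both checks; returns the SoD report and per-transaction findings."""
    return {
        "sod": sod_violations(user_roles),
        "transactions": {t["id"]: check_transaction(t, user_roles) for t in transactions},
    }


if __name__ == "__main__":
    report = audit(SAMPLE_USERS, SAMPLE_TRANSACTIONS)
    for user, duties in report["sod"].items():
        print(f"SoD conflict: {user} holds {', '.join(duties)}")
    for txn_id, findings in report["transactions"].items():
        print(f"{txn_id}: {'OK' if not findings else '; '.join(findings)}")
```

In practice the role map comes from the identity system and the transactions from the finance application, and the SoD pass is run on a schedule rather than once: the "erin" case, a clerk who later picked up an approval role, is exactly the kind of drift that only periodic monitoring catches.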
INFORMATION AND COMMUNICATION
Information systems must provide data that is:
– Accurate, reliable and sufficiently detailed
– Timely, understandable and usable
Information must be provided to the right people in time to allow an appropriate response
Communication must flow:
– Up and down through the organization
– Across organizational boundaries
INFORMATION AND COMMUNICATION SYSTEMS
Information systems should:
– Allow systematic monitoring of strategic plans
– Provide operational, financial and compliance-related information
Communication systems should ensure that:
– Responsibilities are effectively communicated to all employees
– Channels exist for suspected improprieties to be reported without fear of retribution
– Employees' ideas and suggestions are solicited, acknowledged and considered
MONITORING
• Processes that assess the quality of the institution's performance over time - a feedback loop
• The control environment, risk assessment activities, control activities and information channels should themselves be monitored and periodically evaluated for effectiveness
• Provides early warning signs
ONGOING MONITORING ACTIVITIES
• Control environment (CE): culture study
• Risk assessment (RA): annual assessment of risks
• Control activities (CA): monitoring of performance indicators
• Information and communication (I&C): determining emerging information needs
• Objective external reviews
SUMMARY
• Business risk encompasses strategic, operational, financial, compliance and reputational risk
• Everyone is responsible for assessing and mitigating risk