11th Annual Public Private Partnership Conference

Risk Management and the Seven Deadly Sins

Developed for PPPC Workshop by Remonde Brangman, CPA
CBIZ MHM Mid-Atlantic Risk Advisory Practice Leader

August 25, 2011

Agenda
- Introduction to Risk Management
- Seven Deadly Sins
- A Practical Approach
- Q&A

Risk Management (RM)

Four Quadrants of Business Risk

Operational Risk
- Bid Process
- Communications
- Program Management
- Information Technology

Financial Risk
- Operating Reserves
- Accounting Process
- Market Risk
- Financial Reporting

Strategic Risk
- Donor/Beneficiary Changes
- Growth Strategy
- Public Relations [Form 990]
- Competition

Compliance Risk
- Federal Requirements
- Restricted Funding Requirements
- Oversight of Subrecipients
- Program Reporting

Risk Management speak

To the Technician:
A holistic risk management process.

To the Layman:
A way of managing my business.

RM: Both Negative & Positive Mindsets


Uncontrolled Risk Under Performance

VS.
Controlled Risk Maximum Performance

Industries that have adopted RM


Health Care

Energy Sector Financial Services

Transportation Education

65%
of Public Firms
Source: Excellence in Risk Management VI, Marsh | RIMS

RM Implementation Drivers

Public Companies Compliance Transparency

Not for Profit Organizations Competition

Technology

7 Deadly Sins

7 Deadly Sins
Vanity / Pride
Common Themes:
- I know my risks already
- I don't need Risk Management
- We have good people and pretty good controls
- We have done well without it

Potential Risks:
- Inadequate disaster planning
- No succession planning
- Lack of financial savvy
- Fraud risk

7 Deadly Sins
Greed
Common Themes:
- We will take all funding
- Our donors trust us with their Contributions
- To date, we have not had any major problems
- Our controls are good enough

Potential Risks:
- Funding risk
- Concentration risk
- Insufficient working capital
- Misallocation/misuse of restricted funds

7 Deadly Sins
Envy
Common Themes:
- Others seem to do well without risk management
- Taking on areas of risk beyond the organization's expertise
- In order to keep up we must focus on growth not on risk management

Potential Risks:
- Lack of business discipline
- Inadequate policies and Procedures
- Lack of attention to controls
- Failure to execute on new business

7 Deadly Sins
Anger
Common Themes:
- Low morale creates additional risk (potential fraud risk)
- We're just not appreciated for what we do and how well we do it
- Our organization pushes its staff hard. This is the only way to get the results we need.

Potential Risks:
- Fraud risk
- Breakdowns in controls
- Inadequate accountability

7 Deadly Sins
Lust
Common Themes:
- Significant short term growth without changing structure
- As more funding comes in, we will expand our capacity to accommodate this demand

Potential Risks:
- Lack of change management
- Inadequate focus on updating risks internal processes and controls
- Structure (people, processes and systems) has not kept pace with growth

7 Deadly Sins
Gluttony
Common Themes:
- Lack of contentment
- Rushing into the next big idea
- Taking on too many initiatives

Potential Risks:
- Lack of long term planning/stability
- Inadequate reserves for future deficits
- Taking unnecessary risks (e.g. investment exposures)

7 Deadly Sins
Sloth
Common Themes:
- I trust my people
- The "It won't happen to me" sentiment
- My processes/people work fine. I don't need to review them

Potential Risks:
- Lack of formalized structure for Governance, Risk and Compliance
- Lack of proper segregation

A Practical Approach
- Why Risk Management?
- Best Practices
- Risk Management Principles
- Risk Management Framework

Why Implement Risk Management?

- Increase the likelihood of achieving objectives
- Encourage proactive management
- Be aware of the need to identify and treat risk throughout the organization
- Improve the identification of opportunities and threats
- Comply with relevant legal and regulatory requirements and international norms

Why Implement Risk Management?

- Improve mandatory and voluntary reporting
- Improve governance
- Improve stakeholder confidence and trust
- Establish a reliable basis for decision making and planning
- Improve controls
- Effectively allocate and use resources for risk treatment

Why Implement Risk Management?

- Improve operational effectiveness and efficiency
- Enhance health and safety performance, as well as environmental protection
- Improve loss prevention and incident management
- Minimize losses
- Improve organizational learning
- Improve organizational resilience

RM Best Practice Approach


Principles, Framework, Process

- Keep it simple and practical; complexity is not an advantage
- Integrated approach that includes risk/opportunity management
- Incorporates most of the key elements of the COSO framework
- Requires strong and sustained management commitment

RM Principles
Risk Management must:
1. Create and protect value
2. Be an integral part of all organizational processes
3. Be part of decision making
4. Explicitly address uncertainty
5. Be systematic, structured and timely
6. Be based on the best available information
7. Be tailored to the organization
8. Take human and cultural factors into account
9. Be transparent and inclusive
10. Be dynamic, iterative and responsive to change
11. Facilitate the continual improvement of the organization

Risk Management Framework


Mandate and Commitment

Design of framework for managing risk
- Understanding the organization and context
- Establishing policy
- Accountability
- Integration into processes
- Resources
- Establishing internal and external communication and reporting mechanisms

Continual improvement

Implementing risk management
- Framework and process

Monitoring and review

Risk Management Process


Risk Factor Identification
- Identify all potential risk exposures

Risk Analysis
- Analyze presence of risk
- Assess the level of risk
- Quantify the results
- Report the findings
- Recommend action

Risk Monitoring
- Observe the completed implementation and report the results

Risk Control
- Implement a solution to reduce or transfer the risk

Risk Response
- Develop an action plan; determine what risks to control and assign responsible individuals

Risk Management Heat Map


Management addresses these key risks and opportunities in its plans and priorities
Note: Some adjustment to current priorities may be required

Developed by Jay Mattingly

[Figure: two heat maps, "Opportunities" and "Risks", each plotting Impact on Objectives against Likelihood, with individual opportunities (O) and risks (R) marked by number]

Risk Prioritization Map


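[Figure: risk prioritization map plotting Importance against Likelihood, each running from Low to High; zones labelled "Control Now" and "Control Soon", with a third zone label surviving only as "Control"]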

Framework Design: Clarifying Who Does What
(Sample Federal Organization)
(Based on the Institute of Internal Auditors Position Paper & revised by CSA)

CBIZ MHM 2011 Workshop Presenters


Remonde Brangman, CPA, the CBIZ MHM Mid-Atlantic Risk & Advisory practice leader, has 30 years' experience providing governance, risk and internal controls advisory.
As a Risk Advisory consultant, Mr. Brangman has extensive knowledge of best practices in Risk Management and Internal Control. Mr. Brangman is the firm's resident expert on the new International Risk Management Standard ISO 31000. He is also a seasoned Forensic Accountant with over 21 years of fraud investigation and forensic accounting experience. Mr. Brangman has been responsible for leading compliance reviews (including Sarbanes-Oxley, section 404) for several leading global businesses and has provided guidance to overseas governments and regulators in risk management. As a former leader in the E&Y Risk Advisory Practice, he was responsible for supporting and developing their D.C. operation with a focus on Government entities (e.g., Fannie Mae and Freddie Mac). Mr. Brangman is the incoming Vice President of the D.C. Chapter of the Institute of Internal Auditors where he has been a keynote speaker for Chief Audit Executive events.

J. Scott Denlinger, CPA, is the Director in charge of the CBIZ MHM Outsourced Services practice and has more than 20 years' experience in accounting, tax and auditing.
Mr. Denlinger designs and manages outsourced CFO and accounting engagements serving both for-profit and nonprofit organizations. He also performs CFO duties for several organizations, assisting in the preparation of internal financial statements and presentation to their Boards. With his extensive auditing experience, Mr. Denlinger is able to assist our outsourcing clients in preparing for their year-end audits. Combining his communication skills and ability to translate difficult accounting concepts into layman's terms, as well as his penchant for teaching, Mr. Denlinger is frequently asked to lead seminars and workshops by various organizations on a broad range of financial management and reporting topics. He is a member of the MACPA Government and Nonprofit Conference Committee and serves on the Board of Family and Children Services of Central Maryland.

CBIZ MHM, LLC Bethesda, MD (301) 951-3636 rbrangman@cbiz.com

CBIZ MHM, LLC Bethesda, MD (301) 951-3636 sdenlinger@cbiz.com
