Governance Models in the Public Sector

Risk Management

• What is Risk?
As defined in ISO 31000, risk is the effect of uncertainty on
objectives, whether positive or negative.

• What is Risk Management?
It is the identification, assessment, and prioritization of risks,
followed by the application of resources to minimize, monitor, and
control the probability of occurrence of any unfortunate events.

Fundamentals of Risk Management:

• The risk management process must be enterprise-wide, involving
people at all levels of the enterprise.

• Risk categories:
E.g. External, Internal, Technical & Unforeseeable

Categorized by cause:
E.g. Schedule, Cost, Quality, Scope, Resources, Customer
Satisfaction

• Effective risk management increases the probability of positive
risks and decreases the probability of threats.

Risk Management Phases:

1. Risk Identification
2. Quantitative or Qualitative Assessment of Risk
3. Risk Prioritization
4. Risk Monitoring

Risk Identification

• “Risk identification process requires a studied, deliberate
approach to looking at potential risks in each area of
operations and then identifying the more significant risk areas
that may impact each operation in a reasonable time period.”

• This risk identification process should occur at multiple levels in
an enterprise. A risk that impacts an individual business unit or
project may not have that great an impact on the entire
enterprise or beyond. The converse is also true.

Risk Identification - Brainstorming

• Rapid response group exercise

• Knowledgeable individuals from different backgrounds are
asked to focus on the same subject

• Risks affecting different areas are listed

• This list is reduced by voting conducted by a mediator

• The results must be shared with other groups who were unable
to participate in the process

Key Risk Assessment

• Probability & Uncertainty
 Important when a large set of risks is identified
 Ranges between 0.00 to 0.99
 Joint probability of two separate, independent events occurring is given by:
Pr(Event #1) * Pr(Event #2) = Pr(Both Events)

• Period of Analysis
When estimating occurrences and likelihoods, the ERM team
should take care to ensure that all estimates are made over the
same period of time (usually 1 year).

• Risk Interdependencies

• Risk Rankings

The Delphi Method

• Interactive forecasting method that relies upon experts

• Experts answer questionnaires in 2 or more rounds

• After every round, the facilitator provides an anonymous summary
of that round

• The experts are encouraged to revise their answers

• This helps the group converge on a correct answer

Monte Carlo Simulation

• Computerized mathematical technique which lets you see all
possible outcomes of your decision

• Assesses the impact of risk, thereby improving decision making under
uncertainty

• Primarily used when:
Input data has uncertainties that can be quantified
Output data needs to accurately represent input data
The calculated uncertainty needs to be accurate

• Used by NASA and in nuclear weapon design

Monte Carlo Simulation Process:
Probability Distribution (of the inputs) → Calculates Results

Decision Tree Analysis

• A graphical technique to look at multiple risk combinations to
come up with some estimates of the outcomes.

• Best used for probabilities covering a limited set of risks.

• It takes future events into consideration.

• Calculates EMV (Effective Monetary Value) across the combinations of branches.

EMV = Probability * Impact
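The three quantitative ideas on the preceding slides (joint probability of independent events, the Monte Carlo process of sampling input distributions to calculate results, and ranking risks by EMV = Probability * Impact) are easiest to see on a small risk register. The following is an added example written for this page, not code from the slides or from any of the organizations discussed; the risk names, probabilities and cost ranges in RISK_REGISTER are constructed, and the triangular (minimum, most likely, maximum) impact distribution is an assumption, chosen because it is the usual way to quantify an input uncertainty when only three point estimates exist.

```python
import random

# Constructed sample risk register (hypothetical values, not from the slides):
# (name, probability of occurring within the one-year analysis period,
#  (minimum, most likely, maximum) cost impact in USD).
RISK_REGISTER = [
    ("Vendor delivery slips", 0.30, (10_000, 25_000, 60_000)),
    ("Key staff turnover",    0.15, (20_000, 40_000, 90_000)),
    ("Scope creep",           0.50, (5_000, 18_000, 40_000)),
]


def joint_probability(p_event1, p_event2):
    """Pr(Both Events) = Pr(Event #1) * Pr(Event #2), valid for independent events."""
    return p_event1 * p_event2


def emv(probability, impact):
    """EMV = Probability * Impact, as stated on the slide."""
    return probability * impact


def rank_by_emv(register):
    """Risk prioritization: highest EMV first, using each risk's most-likely impact."""
    scored = [(name, emv(p, most_likely)) for name, p, (_, most_likely, _) in register]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def expected_total_loss(register):
    """Analytic expectation of the simulated total: the mean of a triangular
    distribution is (lo + mode + hi) / 3, weighted by the risk's probability.
    Note this differs from the point-estimate EMV because it uses the full spread."""
    return sum(p * (lo + ml + hi) / 3 for _, p, (lo, ml, hi) in register)


def simulate_total_loss(register, trials=20_000, seed=7):
    """Monte Carlo: each trial decides which risks occur (Bernoulli draw against
    the risk's probability) and samples each occurring risk's impact from its
    triangular distribution; the trial's total loss is the sum."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    totals = []
    for _ in range(trials):
        total = 0.0
        for _, p, (lo, ml, hi) in register:
            if rng.random() < p:
                total += rng.triangular(lo, hi, ml)  # signature: (low, high, mode)
        totals.append(total)
    return totals


def summarize(totals):
    """Summary statistics a risk report would carry: mean, median, 90th
    percentile and the probability that at least one risk materializes."""
    ordered = sorted(totals)
    n = len(ordered)

    def percentile(q):
        return ordered[min(n - 1, int(q * n))]

    return {
        "mean": sum(ordered) / n,
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "prob_any_loss": sum(1 for t in ordered if t > 0) / n,
    }


if __name__ == "__main__":
    for name, value in rank_by_emv(RISK_REGISTER):
        print(f"{name:<24} EMV = {value:>10,.0f}")
    print(f"expected total (analytic) = {expected_total_loss(RISK_REGISTER):,.0f}")
    for key, value in summarize(simulate_total_loss(RISK_REGISTER)).items():
        print(f"{key:<14} = {value:,.2f}")
```

Running the script shows why the slide distinguishes quantitative assessment from a single EMV figure: the point-estimate EMV total is 22,500, while the simulated mean is near 27,500 because the right-skewed impact ranges pull the average up, and the 90th percentile sits well above either, which is the number a budget reserve should be sized against. Keeping every estimate on the same one-year period of analysis, as the slides require, is what makes the per-risk probabilities combinable in one simulation.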
COSO ERM FRAMEWORK

• What is it?

• The ERM framework starts by defining enterprise risk
management as follows:
“Enterprise risk management is a process, effected by an
entity’s board of directors, management and other personnel,
applied in a strategy setting and across the enterprise, designed
to identify potential events that may affect the entity, and
manage risk to be within its risk appetite, to provide reasonable
assurance regarding the achievement of entity objectives.”

Key COSO ERM Points

• ERM is a process.

• ERM processes are implemented by people in the enterprise.

• ERM is applied by setting strategies across the overall
enterprise.

• Concepts of risk appetite must be considered.

• ERM provides only reasonable, not positive, assurance on
objective achievements.

COSO ERM Framework Model

• Four vertical columns that represent the strategic objectives of
enterprise risk.

• Multiple levels of the enterprise, from a ‘‘headquarters’’ entity
level to individual subsidiaries. Depending on the enterprise, there
can be many ‘‘slices’’ of the model here.

• Eight interrelated rows or risk components. These are derived
from the way management runs an enterprise and are integrated
with the management process.

Internal Environment

“The internal environment encompasses the tone of an organization, and
sets the basis for how risk is viewed and addressed by an entity’s people,
including risk management philosophy and risk appetite, integrity and
ethical values, and the environment in which they operate.”

• Consists of two major outputs that feed the other components:
• The enterprise’s risk management philosophy
• Its relative appetite for risk

COSO ERM Internal Foundation: Key Elements

• Risk Management Philosophy
• Risk Appetite
• Board of Directors’ Attitudes
• Integrity and Ethical Values
• Organizational Structure

Objective Setting

“Objectives must exist before management can identify potential
events affecting their achievement. Enterprise risk management
ensures that management has in place a process to set objectives
and that the chosen objectives support and align with the entity’s
mission and are consistent with its risk appetite.”

• It outlines some necessary preconditions that must be established
before management can establish an effective enterprise risk
management process.

• A mission statement is often a crucial element in the strategic
planning of a business enterprise.

Event Identification

“Internal and external events affecting achievement of an entity’s
objectives must be identified, distinguishing between risks and
opportunities. Opportunities are channeled back to management’s
strategy or objective-setting processes.”

Influencing factors:
• External Economic Events
• Natural Environmental Events
• Political Events
• Social Factors
• Internal Infrastructure Events

Risk Assessment

“Risks are analyzed, considering likelihood and impact, as a basis for
determining how they should be managed. Risks are assessed on an
inherent and a residual basis.”

• Risk Management Concepts
• Inherent Risk - potential for waste, loss, unauthorized use, or misappropriation
due to the nature of an activity itself
• Residual Risk - risk that remains after management responses to risk threats and
countermeasures have been applied

• Likelihood and impact are the two key components necessary for
performing risk assessments.

Risk Response

“Management selects risk responses – avoiding, accepting, reducing, or
sharing risk – developing a set of actions to align risks with the entity’s risk
tolerances and risk appetite.”

• How to handle risk responses?
• Avoidance
• Reduction
• Acceptance
• Sharing

• The process of developing risk responses requires a significant amount of
planning and strategic thinking in itself.

Control Activities

“Policies and procedures are established and implemented to help ensure
the risk responses are effectively carried out.”

• Internal control areas included in control activities:
• Separation of Duties
• Audit Trails
• Security and Integrity
• Documentation

• Management needs to think of risk categories in terms of major risk process
areas, such as revenue, purchasing, capital spending, information systems,
and others.

Information and Communication

“Relevant information is identified, captured, and
communicated in a form and timeframe that enable people to
carry out their responsibilities. Effective communication also
occurs in a broader sense, flowing down, across, and up the
entity.”

• COSO ERM also talks about communication beyond just IT
applications.

Monitoring

“The entirety of enterprise risk management is monitored and modifications
made as necessary. Monitoring is accomplished through ongoing
management activities, separate evaluations, or both.”

• The COSO ERM Application Framework document suggests this monitoring
could include the following types of activities:
• Implementation of a strong and ongoing management reporting mechanism
• Periodic reporting processes installed to specifically monitor key aspects of
established risk criteria
• Current and periodic status of risk-related findings
• Updated risk-related information from sources such as government-revised rules,
industry trends, and general economic news

U.S. Department of Homeland Security

• DHS was created following the 9/11 attacks, as announced by
former President George W. Bush
• Established November 25, 2002 by the Homeland Security Act
of 2002
• The Department states 5 core missions:
• Prevent terrorism and enhance security
• Secure and manage our borders
• Enforce and administer our immigration laws
• Safeguard and secure cyberspace
• Ensure resilience to disasters

U.S. Department of Homeland Security

• Today there are more than 200,000 employees within the DHS,
comprising 22 agencies
• These 22 agencies were selected to integrate into DHS:
• U.S. Customs Service
• Immigration & Naturalization Service
• The Federal Protective Service
• The Transportation Security Administration
• Federal Law Enforcement Training Center
• Animal & Plant Health Inspection Service
• Office for Domestic Preparedness
• Federal Emergency Management Agency
• U.S. Coast Guard
• U.S. Secret Service
• Strategic National Stockpile and the National Disaster Medical System
• Nuclear Incident Response Team
• Domestic Emergency Support Teams
• National Domestic Preparedness Office
• CBRN Countermeasures Programs
• Environmental Measurements Laboratory
• National BW Defense Analysis Center
• Plum Island Animal Disease Center
• Federal Computer Incident Response Center
• National Communications System
• National Infrastructure Protection Center
• Energy Security and Assurance Program

U.S. Department of Homeland Security

• On March 12, 2002, the Homeland Security Advisory System was
created as a result of a presidential directive to provide a
“comprehensive and effective means to disseminate information
regarding the risk of terrorist acts to Federal, State, and local
authorities and to the American people.”

U.S. Department of the Treasury

• Established by an Act of Congress in 1789
• Headed by the Secretary of the Treasury (cabinet member)
• Organized into two major components:
• Departmental Offices – responsible for formulation of policy and
management of the Department as a whole
• Operating Bureaus – carry out the specific operations assigned to the
Department
• In a 2003 reorganization following the 9/11 attacks, several
agencies were transferred out
• ATF fell into the newly created DHS

U.S. Department of the Treasury

• Basic functions:
• Managing Federal finances
• Collecting taxes and paying all bills of the U.S.
• Currency and coinage
• Managing government accounts and the public debt
• Supervising national banks
• Advising on domestic & international financial, economic, trade and tax policy
• Enforcing Federal finance and tax laws
• Investigating and prosecuting tax evaders, counterfeiters and forgers

U.S. Department of Health & Human Services

• Federal government department, headed by a U.S. Secretary (cabinet
level)
• Its goal is to protect the health of all Americans and provide
essential human services
• Services include:
• Public Health & Medical Services Support
• International Preparedness & Response
• Public Health Emergency Response

U.S. Department of Homeland Security

President Bush talking about the Department of Homeland Security:
https://www.youtube.com/watch?v=JDLvmMlqqQY

Key Functions:
• Intelligence Agency Communication
Coordination of the efforts of the major intelligence agencies of the USA
• Enhanced National Security
Focus on increased security and law enforcement personnel in targeted areas across the
country.
• Natural Disasters
1. Better coordination of emergency preparedness and post-emergency services
2. Infrastructure designed to protect against natural disasters and increased personnel to
aid people.

Concerns:
• Potential for abuse by federal officials.
• Perceived loss of individual freedoms and privacy
under the Homeland Security Act.
• The heavy financial burden the nation is required to
carry.

U.S. Department of the Treasury

• Troubled Asset Relief Program (TARP)

U.S. Department of Health & Human Services

• Mission
1. Help provide the building blocks that Americans need to live
healthy, successful lives.
2. Provide millions of children, families, and seniors with
access to high-quality health care.

• Affordable Care Act
1. Coverage
2. Costs
3. Care

THANK YOU!