Slides On ERM
A-123
Management’s Responsibility for Enterprise Risk
Management and Internal Control
CIGIE / GAO
Financial Statement Audit Conference
April 27, 2017
Opening Remarks
RISK
CXO/Operations Support
Current Risk Environment Facing Federal Government
• The Federal government is facing greater change than at any other point in time
• Current budget realities mean government agencies compete for limited
resources as never before
• Budgets will go to those who best show value
• There is greater scrutiny and expectations from internal and external
stakeholders for agencies to respond to risk faster and more effectively
• The continual focus of risk management on financial areas has limited the
broader considerations of risk within organizations
What will be next?
Enterprise Risk Management and Internal Control
• 3 Enterprise Components
• Communicate and Learn
• Extended Enterprise
• Risk Environment/Context
Background and Context
ERM and Internal Controls The Cube Version
[Figure: cube diagrams, "Components of Internal Control"]
Components shown: Control Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, Monitoring
Organizational levels shown: Entity-Level, Entity, Division, Operating Unit, Function, Business Unit, Subsidiary
Captions:
• The organization of internal controls as introduced in the 2014 Green Book
• The inclusion of a strategic process to risk management and internal control
• The introduction and refinement of ERM components to be integrated into existing internal control processes
What Is Required by A-123 to Implement ERM?
• Identification of Objectives
• Identification of Risk
• Inherent Risk Assessment
• Current Risk Response
• Residual Risk Assessment
• Proposed Risk Response
• Proposed Risk Response Category
Risk Profile: An Illustrative Example
Policy/Guidance
A-11
A-123
Green Book
Playbook RISK
Risk Response
Strategic Objective
Management Challenge
ERM Implementation Playbook
Playbook Purpose: To provide an ERM Framework and practical guidance to support
A-123 compliance and effective ERM implementation across agencies.
ERM Playbook Steering Committee
Set project policy and established the timeline for the project.
ERM Playbook Working Group
Implemented the project goals set by steering committee and keyed up decisions and recommendations for the Steering Committee.
AFERM: www.aferm.org
OMB Circular A-123 and Playbook
Outreach Efforts and Major Milestones
[Figure: timeline running from Apr 2016 to Oct 2017. Entries shown:]
• 7/15 - A-123 Public Release
• 7/29 - Release ERM Implementation Playbook 1.0
• Release Draft President's Management Agenda (Tentative)
• Release A-123 Appendix A
• 6/3/2017 - Initial Risk Profile (All agencies)
• 6/3 - Annual discussion of Key Risk Findings as part of A-11 Strategic Reviews (24 CFO Act Agencies)
• 9/15/2017 - Integration of ERM and Internal Control (2017 Assurance Statements)
• 3/2 - Executive Council
• 3/23 - BOAC
• 3/24 - PIC
• 4/21 - NOVAGA Spring Training Event
• 4/24 - Performance Leads
• 4/25 - AGA Forum
• 5/4 - AFERM Luncheon
• 5/5 - AGA Montgomery/PG County
• 5/9 - Joint Financial Management Improvement Program
• 5/10 - Partnership IG Round Table Discussion
• 5/23 - American Assoc. for Budget & Program Analysis
• 5/24 - CAOC
• 6/2 - ASMC
• 6/15 - COFAR/FACE
• 7/15 - OMB Blog Post
• 8/2 - IICW
• 8/8 - AICPA Eastern Conference
• 8/9 - WG of Federal Compliance Professionals
• 8/16 - CIGIE
• 8/23 - Potomac Forum
• 8/24 - AFERM Small Agencies COP
• 8/30 - Treasury
• 9/7 - AGA Hawaii Chapter
• 9/16 - ERM Town Hall
• 9/20-21 - AGA Internal Control Forum
• 10/3 - DOE
• 10/4 - HHS
• 10/5 - OPM
• 10/6 - NASA
• 10/12 - SSA
• 10/14 - ED
• 10/18 - PPS
• 10/19 - State
• 10/24 - GSA
• 10/27 - DHS
• 10/27 - NRC IC
• 11/7/8 - AFERM Summit
• 11/8 - NRC
• 12/8 - AGA Montgomery/PG County
• Jan - Financial Systems Summit
• 3/29 - Treas
• 4/3 - DOC
• 4/5 - NASA
• 4/6 - SBA
• April - DOD, HUD, SSA, NSF
• May - DOE, ED, EPA, VA, GSA, OPM, DOT, NRC, DOI, State, USAID, DOJ, DOL
[Figure: quadrant chart of agency maturity versus capabilities]
• Higher Capabilities: Agencies are at early stages of implementation, but have the capabilities necessary to mature
• More Mature, Higher Capabilities: Agencies are on track. Look for best practices.
• Less Mature, Fewer Capabilities: Agencies are at early stages of implementation and face significant hurdles in maturing
• More Mature, Fewer Capabilities: Agencies have some mature processes, but component capabilities hinder further progress
* Agencies in this quadrant exhibit higher levels of component autonomy (footnote marked on a "Fewer Capabilities" quadrant).
A New Set Of Parameters
Towards a More Resilient Government
ERM and the Role of the Auditor
[Figure: fan diagram of internal audit roles in ERM, grouped into three categories]
• Core internal audit roles in regard to ERM
• Legitimate internal audit roles with safeguards
• Roles internal audit should not undertake
Source: Based on IIA model for internal audit role with ERM
Core Internal Audit Roles in Regard to ERM
Roles Internal Audit Should Not Undertake
Source: Based on IIA model for internal audit role with ERM
Legitimate Internal Audit Roles With Safeguards
Developing Risk Management For Board Approval
Assisting and Improving ERM Development
Championing Establishment of ERM
• Promoting ERM as a good management tool.
Maintaining & Developing The ERM Framework
Why Do Cars Have Brakes?
• “Why does a car have brakes? A car has brakes so it can go fast. If
you got into a car and you knew there were no brakes, you’d
creep around very slowly. But if you have brakes you feel quite
comfortable going 65 miles an hour down the street. The same is
true of [risk] limits.”
Questions?
Please Contact