Maturing GRC @ CalPERS
Office of Enterprise Risk Management
2014 Annual PARMA Conference
Kathleen Webb, Chief of Risk & Compliance
Larry Jensen, Chief Risk Officer
Gary Bush, Chief Compliance Officer
February 11, 2014
Where we were

Challenges
- Common Language
- Redundant Systems and Processes
- Common Methodology
- Prioritization of Risk
- Poor Risk Visibility
- Roles and Responsibilities
- Accountability
- Transparency
- Enterprise-wide Reporting
- Prevention vs. Value

[Diagram: siloed divisions - OFAS, ISOF, ECOM, ITSB, SAS, INVO, FCSD, HRSD, GOVA, LEGO, OTHER]
Enterprise Risk Management is:
• A process across the enterprise
• Overseen by Board of Directors
• Applied in strategy setting
• Used to identify potential events
• The management of risks within risk appetites
• An assurance system

Risk Management is everyone’s responsibility!
Common ERM Misconceptions: ERM is Not
• A program
• A method to eliminate all risks
• A guarantee there will be no losses
• A collection of longstanding and disparate practices
• A rigid set of rules
• Limited to compliance and disclosure
• A replacement for internal controls
• Exactly the same from one organization to the next
• A passing fad
The Value of ERM
• Reduces silos of risk management activity by adopting common risk management language, processes and metrics
• Supports the successful achievement of strategic objectives and business goals
• Enhances the value driven by the three lines of defense, creating a more robust risk management program
• Fosters a risk-intelligent culture where risk awareness is embedded into daily operations across the organization at all levels
Delivering on the Value Proposition

How best does an organization effectively implement to ensure integration with other performance oversight functions, provide assurances and support achievement of strategic goals?

GRC: Governance, Risk & Compliance
The ERM-GRC Journey

The following milestones serve as the building blocks:
• 2009 - Approval of the Risk Management Initiative
• 2010 - Approval for Chief Risk Officer position
• 2010 - Establish the Office of Enterprise Risk Management (OERM)
• 2012 - Establish the Risk and Audit Committee
• 2012 - Adopt Strategic Goal - “Cultivate a high-performing, risk intelligent and innovative organization”
• 2012 - Introduce Governance, Risk & Compliance
• 2013 - Introduce Integrated Assurance Model
Business Drivers for GRC
• Improve governance, transparency, and accountability (reduce silos)
• Enhance risk intelligent decision-making for strategies, policies, processes and programs
• Connect performance management to risk management
• Align and embed risk management in key processes and functions
• Expanding responsibilities of oversight agencies coupled with increased regulations, fines and sanctions
• Ensure compliance with laws, rules, regulations and policy requirements
• Stakeholder scrutiny
• Adapt successfully to change
• Anticipate problems before they occur
GRC Defined

Governance is the culture, policies, processes, laws, and institutions that define the structure by which companies are directed and managed.

Risk is the effect of uncertainty on business objectives; risk management is the coordinated activities to direct and control an organization to realize opportunities while managing negative events.

Compliance is the act of adhering to, and demonstrating adherence to, external laws and regulations as well as corporate policies and procedures.
Current State of GRC Processes
[Figure] Source: Open Compliance & Ethics Group
GRC - Big Picture

OBJECTIVES: strategic, operational, customer, compliance and reporting objectives
BUSINESS MODEL: strategy, people, process, technology and infrastructure in place to drive toward objectives
OBSTACLES
MANDATED BOUNDARY: boundary established by external forces including laws, government regulation and other mandates.
VOLUNTARY BOUNDARY: boundary defined by management including public commitments, organizational values, contractual obligations, and other voluntary policies.
Source: Open Compliance & Ethics Group
GRC Functional Alignment

Governance, Risk and Compliance aligned with: Strategic Planning; Enterprise Governance; Resource Allocation; Asset/Liability Management; Policy Development; Program Development and Administration; Customer Service; Project Management
GRC in Planning Process

Embedding GRC in Planning Processes: Strategic Planning; Annual Planning; Resource Allocation; Workload Management; Performance Compensation; Board Action Items; Health Rate Negotiations; Issue Memos; Asset Allocation; Actuarial Assumptions
GRC - Desired State
[Figure] Source: Open Compliance & Ethics Group
Enterprise Risk Governance Structure

Board of Administration
Board committees: Finance & Administration Committee; Investment Committee; Pension & Health Benefits Committee; Performance, Compensation & Talent Management Committee; Board Governance Committee; Risk and Audit Committee
Executive Risk Management Committee (composed of Executive Staff)
Division Chief Council
Operational
Enterprise Risk Governance Structure
[Figure]
Three Lines of Defense

First line of defense: Business Owners/Branches (owns and manages risks)
• Manage risks/implement actions to manage and treat risk
• Comply with risk management process
• Implement risk management processes where applicable

Second line of defense: Executives/Risk Management (oversees risks and compliance)
• Establish policy and process for risk management
• Provide guidance and coordination across business units/branches
• Identify and initiate enterprise opportunities for change
• Liaison between third line of defense and first line of defense
• Oversight over certain risk areas (e.g., compliance with regulation)

Third line of defense: Internal Audit (independent assurance)
• Liaise with senior executives and RAC
• Report on risk assessment and governance
• Oversight of risk management content/processes
• Provide assurance that risk management processes are adequate and appropriate
Internal Audit, Compliance and ERM Roles
[Figure]
OERM Organization Structure

[Org chart] Positions: CFO, CRCO, CRO, CCO
Functions: Emergency Management; Risk Assessment; Information Security; Enterprise Policy; Ethics Oversight; Statutory / Regulatory Oversight; Program Compliance
Our Vision: Your success in managing risk is our mission. Establishing a risk intelligent culture is our business.
Our Mission: Collaborate with stakeholders to build a risk intelligent organization that promotes governance, performance and compliance.
Risk Management Framework

• Establish Goals and Context
• Identify Risks
• Analyze Risks
• Estimate Risk Level
• Evaluate the Risks
• Treat the Risks

Inherent Risk, effectiveness of response, Residual Risk
Ongoing throughout: Stakeholder Consultation / Communication; Monitor / Review
Risk Intelligent Enterprise Management Policy

Guiding risk-intelligent principles:

Value and risk governance
• Common definitions of “risk”
• Part of decision-making culture
• Common framework
• Key roles, responsibilities, and authority defined and delineated
• The Board has appropriate transparency and visibility

Risk infrastructure and management
• Executive management responsible for designing, implementing, and maintaining program
• A common risk management infrastructure

Risk Ownership
• Business units responsible for the risks they take
• All staff, managers, and the Board have an affirmative responsibility to exercise judgment regarding the awareness, identification, and management of risk
Risk Report Process Map

Risk Identification
[Risk taxonomy tree: risks 1-12 grouped into subcategories, subcategories grouped into categories]
Risk Taxonomy
· Comprehensive listing of risk events
· Risks may be identified at any level of the organization
· List is organized and sorted by program areas, control functions, and risk unit

Risk Analysis
[Illustrative tracking worksheet: each risk scored 1-5 for Impact, Velocity and Likelihood, with an Overall Rating]
Heat Maps / Tracking Worksheets
· Inherent risks are evaluated for impact, likelihood, and velocity
· Risks are given an overall score that accounts for mitigation strategies
· Risk evaluations are rolled up into ratings for subcategories

Risk Reporting
[Risk dashboard: four categories, each with four subcategories]
Risk Dashboard
· The dashboard provides an “at a glance” view of enterprise risk exposures
· Risk ratings are rolled up into stoplight and trend reports for each subcategory
· Major risk drivers for each subcategory will be displayed on the dashboard
· Risk trends over a given period of time are monitored

Risk Focus List (e.g., Risk 1, Risk 3, Risk 11)
· This is a list of the risks with the greatest potential impact to the organization.
· This list should be reflective of where management is spending time and resources.

Emerging Risks (e.g., Risk 1, Risk 6, Risk 7)
· This is a watch list of risks that are new, emerging, or expected to undergo significant developments
Business Continuity Management

• The purpose of Business Continuity Management is to define “Risks that may impact CalPERS ability to effectively plan for recovery and business continuity in the event of a disaster, hazard situation, or other business interruption.”
• The main objectives of business continuity management are to identify critical operations and risks, provide a plan to maintain or restore critical operations during a crisis, and create a plan to communicate with key people during the crisis.
Establish Risk Context
[Figure]
Identify Key Risks - Exercise

• Inability to restore critical systems within the recovery time objective, as defined in the Business Continuity Plan, following a major disaster, could result in significant fiscal and reputational risk
• Inability to deliver critical customer services to CalPERS members and stakeholders for a significant period while implementing business continuity plans
• Inability to perform financial operations including cash management and investment trades for a significant period while implementing business continuity plans
• Lack of or inadequately designed and integrated emergency response plans:
  - General Plan
  - Business continuity plan
  - Disaster recovery plan
  - Pandemic plan
  - Emergency operation activation plan
• Catastrophic event may impact the organization's ability to comply with laws, rules, and regulations until business operations are fully restored
Risk Analysis Criteria (Part I)

Impact
Score | Name | Financial | Legal/Compliance | Operational | Reputational | Strategic
0-2 | Insignificant | < $100,000 | No legal/compliance violations | No impact to service levels and business activities | No impact to CalPERS reputation | No impact to achievement of goals and objectives
2.1-4 | Minor | $100k-$1M | Minor legal/compliance violations | Minor impact to service levels and business activities | Limited criticism from a few media sources | Minor delays or modifications to goals and objectives
4.1-6 | Moderate | $1M-$100M | Moderate violations lead to increased scrutiny | Impacts service levels or creates moderate business disruptions | CalPERS is subject to criticism from several media sources | Delays or modifications to goals and objectives
6.1-8 | Major | $100M-$1B | Significant violations of law or loss of confidential data | Widespread disruption to service levels. Interruption of business functions. | Negative media reaches headlines of several publications | Significant delays or reductions in scope of goals and objectives
8.1-10 | Critical | > $1B | Violations result in widespread data loss, loss of tax qualified status, etc. | Cessation of business services for foreseeable future. Possible loss of life. | Irreparable damage to CalPERS reputation and credibility | Failure to meet CalPERS goals and objectives

Velocity
Score | Name | Speed
0-2 | Negligible | > 3 years
2.1-4 | Slow | 1-3 years
4.1-6 | Medium | 6-12 months
6.1-8 | Fast | 1-6 months
8.1-10 | Immediate | < 1 month
Considerations: early detection opportunities; reaction time available; current mitigation strategies; sudden or gradual impact; velocity may differ between risk categories.
Risk Analysis Criteria (Part II)

Likelihood
Score | Name | Probability
0-2 | Remote | 0-5%
2.1-4 | Unlikely | 6-20%
4.1-6 | Possible | 21-50%
6.1-8 | Likely | 51-80%
8.1-10 | Expected | 81-100%
Considerations: effectiveness of controls and mitigations in place; number of processes and systems involved; historical and industry peer experiences; skills and competencies managing the risk; political/regulatory environment; time horizon (3 years).

Trend
Name | Description
Up | The impact, likelihood, or velocity of the risk is predicted to increase over the next reporting period.
Steady | The impact, likelihood, or velocity of the risk is predicted to remain constant over the next reporting period.
Down | The impact, likelihood, or velocity of the risk is predicted to decrease over the next reporting period.
Risk Analysis Criteria (Part III)
[Figure]
Risk Analysis - Inherent Risks

Process steps shown: Identify Risks (Key Risk), Assess Risks (Inherent Risk)
Risk Category: Operational. Risk Domain: Business Continuity Management.

Risk ID | Risk | Risk Description | Impact | Likelihood | Inherent Risk Ranking
BC1 | Business Interruption | Inability to restore critical systems within the RTO, as defined in the Business Continuity Plan, following a major disaster, could result in significant fiscal and reputational risk. | 8.00 | 10.00 | 80.00
BC2 | Customer Services Interruption (pension, healthcare, other benefits) | Inability to deliver critical customer services to CalPERS members and stakeholders for a significant period while implementing business continuity plans | 9.00 | 9.00 | 81.00
BC3 | Financial Losses (cash management, investment trades) | Inability to perform financial operations including cash management and investment trades for a significant period while implementing business continuity plans | 8.00 | 10.00 | 80.00
BC4 | Casualties/Property Damage | Lack of or inadequately designed and integrated emergency response plans: General Plan; Business continuity plan; Disaster recovery plan; Pandemic plan; Emergency operation activation plan | 10.00 | 8.00 | 80.00
BC5 | Fines and penalties/Lawsuits | Catastrophic event may impact the organization's ability to comply with laws, rules, and regulations until business operations are fully restored. | 8.00 | 8.00 | 64.00
Risk Analysis - Risk Response

Process steps shown: Identify Risks (Key Risk), Assess Risks (Inherent Risk), Respond to Risks (Risk Response Option, Risk Response Strategies)
Risk Category: Operational. Risk Domain: Business Continuity Management.

Risk ID | Risk | Risk Description | Impact | Likelihood | Inherent Risk Ranking | Response Option (Accept / Reduce / Share (Transfer) / Avoid) | Risk Response Strategies
BC1 | Business Interruption | Inability to restore critical systems within the RTO, as defined in the Business Continuity Plan, following a major disaster, could result in significant fiscal and reputational risk. | 8.00 | 10.00 | 80.00 | x | Identify critical services to CalPERS members and stakeholders and develop emergency response communication plans. Continue to exercise and refine the Disaster Recovery planning and testing program.
BC2 | Customer Services Interruption (pension, healthcare, other benefits) | Inability to deliver critical customer services to CalPERS members and stakeholders for a significant period while implementing business continuity plans | 9.00 | 9.00 | 81.00 | x | Develop and maintain business continuity plans that identify critical functions and associated business resumption priorities.
BC3 | Financial Losses (cash management, investment trades) | Inability to perform financial operations including cash management and investment trades for a significant period while implementing business continuity plans | 8.00 | 10.00 | 80.00 | x | Develop and maintain business continuity plans that identify critical functions and associated business resumption priorities.
BC4 | Casualties/Property Damage | Lack of or inadequately designed and integrated emergency response plans: General Plan; Business continuity plan; Disaster recovery plan; Pandemic plan; Emergency operation activation plan | 10.00 | 8.00 | 80.00 | x | Develop and maintain emergency response and crisis communication plans; integrate business continuity and disaster recovery plans for holistic emergency management response
BC5 | Fines and penalties/Lawsuits | Catastrophic event may impact the organization's ability to comply with laws, rules, and regulations until business operations are fully restored. | 8.00 | 8.00 | 64.00 | x | Seek waiver for compliance with mission critical laws, rules, and regulations while resuming business operations.
Risk Analysis - Residual Risks

Process steps shown: Identify Risks (Key Risk), Assess Risks (Inherent Risk), Respond to Risks (Risk Response Option, Risk Response Strategies), Assess Risks (Residual Risk, Residual Risk Ranking)
Reporting periods: May-13, Oct-13, Trend
Risk Category: Operational. Risk Domain: Business Continuity Management.

Risk ID | Risk | Risk Description | Impact | Likelihood | Inherent Risk Ranking | Response Option (Accept / Reduce / Share (Transfer) / Avoid) | Risk Response Strategies | Residual Impact | Residual Likelihood | Residual Risk Ranking
BC1 | Business Interruption | Inability to restore critical systems within the RTO, as defined in the Business Continuity Plan, following a major disaster, could result in significant fiscal and reputational risk. | 8.00 | 10.00 | 80.00 | x | Identify critical services to CalPERS members and stakeholders and develop emergency response communication plans. Continue to exercise and refine the Disaster Recovery planning and testing program. | 6.60 | 6.60 | 43.56
BC2 | Customer Services Interruption (pension, healthcare, other benefits) | Inability to deliver critical customer services to CalPERS members and stakeholders for a significant period while implementing business continuity plans | 9.00 | 9.00 | 81.00 | x | Develop and maintain business continuity plans that identify critical functions and associated business resumption priorities. | 6.00 | 6.00 | 36.00
BC3 | Financial Losses (cash management, investment trades) | Inability to perform financial operations including cash management and investment trades for a significant period while implementing business continuity plans | 8.00 | 10.00 | 80.00 | x | Develop and maintain business continuity plans that identify critical functions and associated business resumption priorities. | 6.00 | 6.00 | 36.00
BC4 | Casualties/Property Damage | Lack of or inadequately designed and integrated emergency response plans: General Plan; Business continuity plan; Disaster recovery plan; Pandemic plan; Emergency operation activation plan | 10.00 | 8.00 | 80.00 | x | Develop and maintain emergency response and crisis communication plans; integrate business continuity and disaster recovery plans for holistic emergency management response | 8.00 | 7.00 | 56.00
BC5 | Fines and penalties/Lawsuits | Catastrophic event may impact the organization's ability to comply with laws, rules, and regulations until business operations are fully restored. | 8.00 | 8.00 | 64.00 | x | Seek waiver for compliance with mission critical laws, rules, and regulations while resuming business operations. | 7.00 | 7.00 | 49.00
Weighted Average (Residual Risk Ranking): 45.19
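The scoring in the three Risk Analysis tables (Impact and Likelihood on 0-10 scales, an Inherent Risk Ranking equal to Impact times Likelihood, and a lower Impact/Likelihood pair after the response giving the Residual Risk Ranking) is shown below as a runnable Python example. It is added here and is not CalPERS or OERM code. It encodes the rating bands from the Risk Analysis Criteria slides and the five Business Continuity Management risks with the scores printed in the tables. Three things are assumptions, not taken from the slides: the subcategory roll-up rule (highest residual ranking in the group), the unweighted mean (the slides do not state the weighting behind the 45.19 weighted average), and the half-point tolerance used to label a trend Up, Steady or Down.

```python
"""Risk-register scoring helper (constructed example, not CalPERS/OERM code)."""
from dataclasses import dataclass
from typing import Optional

# Score bands from the Risk Analysis Criteria tables as (upper bound, name).
# A score is rated at the first band whose upper bound it does not exceed,
# which also covers the small gaps between bands on the slides (e.g. 2.05).
IMPACT_BANDS = [(2, "Insignificant"), (4, "Minor"), (6, "Moderate"), (8, "Major"), (10, "Critical")]
LIKELIHOOD_BANDS = [(2, "Remote"), (4, "Unlikely"), (6, "Possible"), (8, "Likely"), (10, "Expected")]
VELOCITY_BANDS = [(2, "Negligible"), (4, "Slow"), (6, "Medium"), (8, "Fast"), (10, "Immediate")]

# Financial (USD) and probability (%) thresholds from the same tables; the
# last band ("Critical" / "Expected") is open-ended.
FINANCIAL_THRESHOLDS = [(100_000, "Insignificant"), (1_000_000, "Minor"),
                        (100_000_000, "Moderate"), (1_000_000_000, "Major")]
PROBABILITY_THRESHOLDS = [(5, "Remote"), (20, "Unlikely"), (50, "Possible"), (80, "Likely")]


def band_name(score: float, bands) -> str:
    """Map a 0-10 score to the name of its rating band."""
    if not 0 <= score <= 10:
        raise ValueError(f"score {score} is outside the 0-10 scale")
    for upper, name in bands:
        if score <= upper:
            return name
    raise AssertionError("unreachable: the last band covers 10")


def impact_band_from_loss(usd: float) -> str:
    """Rate a financial loss estimate using the Financial column thresholds."""
    for upper, name in FINANCIAL_THRESHOLDS:
        if usd < upper:
            return name
    return "Critical"


def likelihood_band_from_probability(pct: float) -> str:
    """Rate a probability (0-100 %) using the Probability column thresholds."""
    for upper, name in PROBABILITY_THRESHOLDS:
        if pct <= upper:
            return name
    return "Expected"


@dataclass
class Risk:
    risk_id: str
    name: str
    impact: float                   # inherent impact score, 0-10
    likelihood: float               # inherent likelihood score, 0-10
    residual_impact: Optional[float] = None      # score after the response
    residual_likelihood: Optional[float] = None

    def inherent_ranking(self) -> float:
        # Ranking = Impact x Likelihood, as in the tables (8.00 x 10.00 = 80.00).
        return round(self.impact * self.likelihood, 2)

    def residual_ranking(self) -> float:
        # Without residual scores the residual risk is the inherent risk.
        if self.residual_impact is None or self.residual_likelihood is None:
            return self.inherent_ranking()
        return round(self.residual_impact * self.residual_likelihood, 2)

    def reduction(self) -> float:
        """How much ranking the response removed."""
        return round(self.inherent_ranking() - self.residual_ranking(), 2)


def subcategory_rating(risks) -> dict:
    """Roll a subcategory's risks up into one rating.

    Assumption: the rating is the highest residual ranking in the group and the
    average is unweighted; the slides do not state the roll-up or weighting rule.
    """
    residuals = [r.residual_ranking() for r in risks]
    return {
        "max_residual": max(residuals),
        "mean_residual": round(sum(residuals) / len(residuals), 2),
        "top_risk": max(risks, key=Risk.residual_ranking).risk_id,
    }


def trend(previous: float, current: float, tolerance: float = 0.5) -> str:
    """Up / Steady / Down between two reporting periods (tolerance is an assumption)."""
    if current > previous + tolerance:
        return "Up"
    if current < previous - tolerance:
        return "Down"
    return "Steady"


# Business Continuity Management risks BC1-BC5 with the scores shown on the slides.
BCM_RISKS = [
    Risk("BC1", "Business Interruption", 8.0, 10.0, 6.6, 6.6),
    Risk("BC2", "Customer Services Interruption", 9.0, 9.0, 6.0, 6.0),
    Risk("BC3", "Financial Losses", 8.0, 10.0, 6.0, 6.0),
    Risk("BC4", "Casualties/Property Damage", 10.0, 8.0, 8.0, 7.0),
    Risk("BC5", "Fines and penalties/Lawsuits", 8.0, 8.0, 7.0, 7.0),
]

if __name__ == "__main__":
    for r in BCM_RISKS:
        print(f"{r.risk_id} {r.name:32} inherent {r.inherent_ranking():6.2f} "
              f"({band_name(r.impact, IMPACT_BANDS)}/{band_name(r.likelihood, LIKELIHOOD_BANDS)}) "
              f"residual {r.residual_ranking():6.2f} trend {trend(r.inherent_ranking(), r.residual_ranking())}")
    print(subcategory_rating(BCM_RISKS))
```

Running the script reproduces the inherent rankings (80.00, 81.00, 80.00, 80.00, 64.00) and residual rankings (43.56, 36.00, 36.00, 56.00, 49.00) from the tables; the unweighted mean it prints (44.11) differs from the slide's 45.19 because the weighting used there is not given.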
Enterprise Risk Management Dashboard

California Public Employees' Retirement System - Residual Risk Report
Each domain reports FY2013-14 Projected Risk as: May | Oct | Trend | Domain

Strategic
1 Governance / Leadership: This domain identifies risks of ineffective delegations, governance committees, policies and procedures, and leadership that may impact timely decisions that guide CalPERS to meet its strategic goals and objectives. This includes tone at the top.
2 Strategic Planning and Implementation: This domain identifies risk of achieving strategic goals and effectively planning and implementing objectives and initiatives to meet CalPERS vision, mission, goals and objectives. Includes the ability to effectively measure, report, and monitor achievement of strategic goals, objectives, and initiatives outlined in the strategic plan.
3 Health Care Costs (Top Risk): This domain identifies risks in the health care environment that may impact increases in health care benefit costs and may erode CalPERS ability to provide its members with high quality, cost effective health care services and adversely impact CalPERS as the preferred health care choice for employers and employees.
4 Long Term Care Program: This domain identifies risks that may impact CalPERS Long Term Care program and that it is sufficiently funded to provide services expected. This includes performance of third-party administrator and overall fund status.

Operational
10 Business Planning: This domain identifies risks that may impact creating and achieving relevant business plan objectives and action plans that are aligned with strategic risks. This includes effective implementation and monitoring of objectives and alignment of business planning process with other business decision processes.
11 Organization: This domain identifies risks that may impact CalPERS alignment to be an effective organizational structure with clear roles and responsibilities to achieve objectives and serve our employers and members.
12 Procurement and Contract Management: This domain identifies risks that may impact CalPERS process to cost effectively and efficiently acquire goods or services and manage contracts consistent with applicable laws, regulations, and policies.
13 Business Continuity Management (Top Risk): This domain identifies risks that may impact CalPERS ability to effectively plan for recovery and business continuity in the event of a disaster, hazard situation, or other business interruption.

Financial
21 Financial Controls and Systems (Top Risk): This domain identifies risks that may impact the effectiveness of CalPERS financial controls to ensure accurate accounting for plan assets and liabilities. This includes policies and processes, implementation and management of controls for decision making, and use of assets, including appropriate authorizations, and segregation of duties.
22 Financial Planning: This domain identifies risks that may impact the effectiveness of CalPERS budget and planning process which provides appropriate financial resources for the organization to meet its objectives.
23 Financial Reporting: This domain identifies risks that may impact the integrity of financial and management reporting which meets management's needs for decision making and legal and statutory requirements for disclosure.
24 Investment Risk Management (Top Risk): This domain identifies risks that may impact the management, measurement, monitoring and reporting of investment risk. This includes adequacy of resources, tools and governance structure to measure and manage risk.

Compliance / Ethics
27 Laws, Rules, and Regulations (Top Risk): This domain identifies risks that may impact CalPERS and staff resulting from non-compliance with statutory requirements, specifically non-compliance with relevant laws, rules and regulations, including regulatory reporting and the effectiveness of a compliance management framework as outlined in the United States Federal Sentencing Guidelines (FSG).
28 Fraud Detection and Prevention: This domain identifies risks that may impact the protection of CalPERS assets, integrity, and credibility through effective fraud detection and prevention and investigation capabilities.
29 Policy and Procedures (Top Risk): This domain identifies risks that may impact compliance with all CalPERS policies and the effectiveness of a policy management framework.
30 Ethical Conduct: This domain identifies risks that may impact adherence to CalPERS standards of conduct, personal trading policy, and conflict of interest policies. Note: Final reporting period. This risk domain will be replaced with a new Ethical Conduct & Standards domain (31).
Risk Management Maturity Matrix

Stages of Risk Management Capability Maturity (increasing stakeholder value): Initial, Fragmented, Top Down, Integrated, Risk Intelligent

Representative Attributes Describing Each Maturity Level, from Initial through Risk Intelligent:
• Ad hoc/chaotic
• Depends primarily on individual heroics, capabilities, and verbal wisdom
• Independent risk management activities
• Limited focus on the linkage between risks
• Limited alignment of risk to strategies
• Disparate monitoring & reporting functions
• Common framework and policies
• Routine risk assessments
• Communication of top strategic risks to the Board
• Executive/Steering Committee
• Knowledge sharing across risk functions
• Awareness activities
• Formal risk consulting
• Dedicated team
• Coordinated risk management activities
• Risk appetite is fully defined
• Enterprise-wide risk monitoring, measuring, and reporting
• Technology implementation
• Contingency plans and escalation procedures
• Risk management training
• Risk discussion is embedded in strategic planning, capital allocation, etc.
• Early warning risk indicators used
• Linkage to performance measures and incentives
• Risk modeling/scenarios
• Industry benchmarking used regularly

Current Position (marked on the matrix)
Although much has been accomplished so far, much more is still to be done
Source: Deloitte
CalPERS Risk Management Evolution

Independent Reassurance
• Initial Assessment of All Risks
• Reassurance Review of Controls
• Ongoing Monitoring of Controls and Metrics
Current Position

Risk Appetite
• Defined Enterprise Risk Appetite Policies
• Defined Subcategory Risk Appetite Policies
• Ongoing Monitoring and Escalation of Risk and Performance
Current Position

Active Risk Management
• Initial Assessment of All Risks
• Risk Embedded in Business Processes
• Ongoing Improvement of Mitigations and Controls
Current Position
GRC Overview
[Figure]
Benefits of an Effective Compliance Framework
• Provides an enterprise focus for collaboration and integration
• Provides a common framework to identify, monitor and measure compliance across the organization
• Reduces risk of non-compliance, sanctions and liabilities
• Drives principled performance results
Features of an Effective Compliance Framework
• Oversight by high-level personnel
• Roles and responsibility
• Due Care in delegating substantial discretionary authority
• Effective Communication and training at all levels
• Reasonable and measurable steps to achieve compliance, which
includes reporting suspected wrongdoing without fear of reprisal
(Ethics Helpline)
• Consistent enforcement of compliance
• Reasonable steps to respond to and prevent similar offenses
upon detection of a violation
Integrated Compliance Model
[Figure]

Compliance Performance Metrics
• Communication Reach – percentage that receives
• Awareness – percentage who certify, report they understand and will uphold
• Training Coverage – percentage trained on contents
• Mastery – percentage that proves knowledge through testing
• Readability – Flesch reading score
• Questions – number of questions received
• Operationalization – percentage who believe the organization is compliant
• Organizational Alignment – percentage who believe organizational values are
aligned
• Personal Alignment – percentage who believe their personal values are aligned
• Reporting Readiness – percentage who know to report violations
• Reporting – percentage who believe violations are actually reported
• Incidents – number of reported or discovered incidents of violation
Effective Compliance: Principled Performance
• Principle #1: Reliable achievement of objectives
- Intentional clear objectives
- Measured performance
- Visible to stakeholders
• Principle #2: Address uncertainty
- Holistic balance achieved between risk and rewards
- Proactive planning and managing of rewards mindful of risks
- Rigorous and thorough approach. Okay to be wrong, tempered with ongoing
improvement.
• Principle #3: Acting with integrity
- Focus on requirements set by mandates and promises established voluntarily by
contract
• Principle #4: Reliable
- Application of consistent processes to objectively measure performance
Path to an Effective Compliance Framework
[Figure]

Compliance Assessment Exercise
• Who runs the compliance and ethics program?
• Are Standards, Policies and Procedures written?
• What training do you provide your employees?
• Are you providing for open lines to communicate?
• How are you conducting compliance testing and monitoring?
• Do you respond appropriately to detected offenses and
misconduct?
• What does your Corrective Action Plan look like?
• How do you enforce your guidelines and discipline misconduct?
Accomplishments
• Establish Office of Enterprise Risk Management
• Conduct Enterprise-wide Risk Assessments
• Establish Risk Intelligent Enterprise Management Policy
• Establish Board Risk and Audit Committee
• Establish Executive Risk Management Committee
• Conduct strategic risk assessments
• FPPC Reporting with on-line filing capability
• Personal Trading Regulation – automation tools
• Ethics HelpLine
• Policy and Regulatory Libraries
• Selected eGRC IT solution
Next Steps
• Implement integrated assurance model
• Enhance risk management and compliance
frameworks
• Develop risk appetite statements, risk tolerances,
and key risk indicators
• Conduct Black Swan exercise
• Implement eGRC IT solution
• Conduct risk-based compliance assessments
What is the Final Goal?

An integrated ERM-GRC framework unifies governance, risk, compliance and assurance functions to:
• Embed a risk-intelligent culture
• Support risk based decision making
• Drive Principled Performance Results
• Optimize investments made to achieve strategic objectives and drive business value
• Improve Stakeholder Relations
• Increase transparency and accountability
Key Lessons Learned

The following are ROI challenges faced by organizations and leading practices:

Challenges | Leading Practices
Identifying the right measurements for ROI | KPIs and KRIs to be aligned with the organization's risk appetite and strategic objectives
Integration with Audit Services | Understand roles and responsibilities integrating risk assessment services once risk management fundamentals are accepted by key leadership
Aligning risk management with business planning objectives | Collaborate early with strategic and business planning departments. Incorporate risk management principles with the development of organizational strategies
Risk management silos are hard to break down | Develop cross-functional teams to break barriers using common risk management language, processes and metrics
Maintaining effective risk management across all three lines of defense | Cross-train between the lines of defense regarding risk management processes and methods to support the identification, prioritization, measurement and reporting of risks
Employee buy-in on risk mindset | Consider linking risk management and employee performance measures
Questions?