Page 1: Maturing GRC @ CalPERS

Office of Enterprise Risk Management

2014 Annual PARMA Conference

Kathleen Webb, Chief of Risk & Compliance
Larry Jensen, Chief Risk Officer
Gary Bush, Chief Compliance Officer

February 11, 2014

Page 2: Where we were

Challenges

- Common Language
- Redundant Systems and Processes
- Common Methodology
- Prioritization of Risk
- Poor Risk Visibility
- Roles and Responsibilities
- Accountability
- Transparency
- Enterprise-wide Reporting
- Prevention vs. Value

[Figure: siloed division boxes: OFAS, ISOF, ECOM, ITSB, SAS, INVO, FCSD, HRSD, GOVA, LEGO, OTHER]

Page 3: Enterprise Risk Management is:

• A process across the enterprise
• Overseen by Board of Directors
• Applied in strategy setting
• Used to identify potential events
• The management of risks within risk appetites
• An assurance system

Risk Management is everyone's responsibility!

Page 4: Common ERM Misconceptions: ERM is Not

• A program
• A method to eliminate all risks
• A guarantee there will be no losses
• A collection of longstanding and disparate practices
• A rigid set of rules
• Limited to compliance and disclosure
• A replacement for internal controls
• Exactly the same from one organization to the next
• A passing fad

Page 5: The Value of ERM

• Reduces silos of risk management activity by adopting common risk management language, processes and metrics
• Supports the successful achievement of strategic objectives and business goals
• Enhances the value driven by the three lines of defense, creating a more robust risk management program
• Fosters a risk-intelligent culture where risk awareness is embedded into daily operations across the organization at all levels

Page 6: Delivering on the Value Proposition

How does an organization best implement ERM so that it integrates with other performance oversight functions, provides assurance and supports achievement of strategic goals?

GRC: Governance, Risk & Compliance

Page 7: The ERM-GRC Journey

The following milestones serve as the building blocks:

• 2009 - Approval of the Risk Management Initiative
• 2010 - Approval for Chief Risk Officer position
• 2010 - Establish the Office of Enterprise Risk Management (OERM)
• 2012 - Establish the Risk and Audit Committee
• 2012 - Adopt Strategic Goal: "Cultivate a high-performing, risk intelligent and innovative organization"
• 2012 - Introduce Governance, Risk & Compliance
• 2013 - Introduce Integrated Assurance Model

Page 8: Business Drivers for GRC

Introduction

• Improve governance, transparency, and accountability (reduce silos)
• Enhance risk intelligent decision-making for strategies, policies, processes and programs
• Connect performance management to risk management
• Align and embed risk management in key processes and functions
• Expanding responsibilities of oversight agencies, coupled with increased regulations, fines and sanctions
• Ensure compliance with laws, rules, regulations and policy requirements
• Stakeholder scrutiny
• Adapt successfully to change
• Anticipate problems before they occur

Page 9: GRC Defined

Governance is the culture, policies, processes, laws, and institutions that define the structure by which companies are directed and managed.

Risk is the effect of uncertainty on business objectives; risk management is the coordinated activities to direct and control an organization to realize opportunities while managing negative events.

Compliance is the act of adhering to, and demonstrating adherence to, external laws and regulations as well as corporate policies and procedures.

Page 10: Current State of GRC Processes

[Figure: current state of GRC processes. Source: Open Compliance & Ethics Group]

Page 11: GRC - Big Picture

OBJECTIVES: strategic, operational, customer, compliance and reporting objectives

BUSINESS MODEL: strategy, people, process, technology and infrastructure in place to drive toward objectives

OBSTACLES

MANDATED BOUNDARY: boundary established by external forces including laws, government regulation and other mandates.

VOLUNTARY BOUNDARY: boundary defined by management including public commitments, organizational values, contractual obligations, and other voluntary policies.

Source: Open Compliance & Ethics Group

Page 12: GRC Functional Alignment

[Figure: Governance, Risk and Compliance at the centre, aligned with: Project Management; Customer Service; Program Development and Administration; Policy Development; Enterprise Governance; Asset/Liability Management; Resource Allocation; Strategic Planning]

Page 13: GRC in Planning Process

Embedding GRC in Planning Processes:

• Strategic Planning
• Performance Compensation
• Workload Management
• Annual Planning
• Resource Allocation
• Board Action Items
• Health Rate Negotiations
• Issue Memos
• Asset Allocation
• Actuarial Assumptions

Page 14: GRC - Desired State

[Figure: desired state of GRC processes. Source: Open Compliance & Ethics Group]

Page 15: Enterprise Risk Governance Structure

[Figure: governance structure. Board of Administration; Board committees: Finance & Administration Committee, Investment Committee, Pension & Health Benefits Committee, Performance, Compensation & Talent Management Committee, Board Governance Committee, Risk and Audit Committee; Executive Risk Management Committee (composed of Executive Staff); Division Chief Council; Operational level]

Page 16: Enterprise Risk Governance Structure

[Figure: enterprise risk governance structure]

Page 17: Three Lines of Defense - Risk Management

Third line of defense: Internal Audit - INDEPENDENT ASSURANCE
• Liaise with senior executives and RAC
• Report on risk assessment and governance
• Oversight of risk management content/processes
• Provide assurance that risk management processes are adequate and appropriate

Second line of defense: Executives/Risk Management - OVERSEE RISKS AND COMPLIANCE
• Establish policy and process for risk management
• Provide guidance and coordination across business units/branches
• Identify and initiate enterprise opportunities for change
• Liaison between third line of defense and first line of defense
• Oversight over certain risk areas (e.g., compliance with regulation)

First line of defense: Business Owners/Branches - OWNS AND MANAGES RISKS
• Manage risks/implement actions to manage and treat risk
• Comply with risk management process
• Implement risk management processes where applicable

Page 18: Internal Audit, Compliance and ERM Roles

[Figure: roles of Internal Audit, Compliance and ERM]

Page 19: OERM Organization Structure

[Organization chart. Positions: CFO; CRCO; CRO; CCO. Units: Emergency Management; Risk Assessment; Information Security; Enterprise Policy; Ethics Oversight; Statutory / Regulatory Oversight; Program Compliance]

Page 20

Our Vision: Your success in managing risk is our mission. Establishing a risk intelligent culture is our business.

Our Mission: Collaborate with stakeholders to build a risk intelligent organization that promotes governance, performance and compliance.

Page 21: Risk Management Framework

• Establish Goals and Context
• Identify Risks
• Analyze Risks
• Estimate Risk Level
• Evaluate the Risks
• Treat the Risks

Analysis chain: Inherent Risk -> Effectiveness of response -> Residual Risk

Running alongside every step: Stakeholder Consultation / Communication, and Monitor / Review.

Page 22: Risk Intelligent Enterprise Management Policy

Guiding risk-intelligent principles:

Value and risk governance
• Common definitions of "risk"
• Part of decision-making culture
• Common framework
• Key roles, responsibilities, and authority defined and delineated
• The Board has appropriate transparency and visibility

Risk infrastructure and management
• Executive management responsible for designing, implementing, and maintaining the program
• A common risk management infrastructure

Risk Ownership
• Business units responsible for the risks they take
• All staff, managers, and the Board have an affirmative responsibility to exercise judgment regarding the awareness, identification, and management of risk

Page 23: Risk Report Process Map

[Figure: risk report process map overview]

Page 24: Risk Report Process Map

Risk Identification - Risk Taxonomy
• Comprehensive listing of risk events
• Risks may be identified at any level of the organization
• List is organized and sorted by program areas, control functions, and risk unit
[Figure: Risks 1-12 grouped into subcategories and categories]

Risk Analysis - Heat Maps / Tracking Worksheets
• Inherent risks are evaluated for impact, likelihood, and velocity
• Risks are given an overall score that accounts for mitigation strategies
• Risk evaluations are rolled up into ratings for subcategories
[Figure: tracking worksheet with columns Impact, Velocity, Likelihood and Overall Rating and sample scores for each risk]

Risk Reporting - Risk Dashboard
• The dashboard provides an "at a glance" view of enterprise risk exposures
• Risk ratings are rolled up into stoplight and trend reports for each subcategory
• Major risk drivers for each subcategory will be displayed on the dashboard
• Risk trends over a given period of time are monitored
[Figure: dashboard grid of categories and their subcategories]

Risk Focus List (e.g., Risk 1, Risk 3, Risk 11)
• This is a list of the risks with the greatest potential impact to the organization.
• This list should be reflective of where management is spending time and resources.

Emerging Risks List (e.g., Risk 1, Risk 6, Risk 7)
• This is a watch list of risks that are new, emerging, or expected to undergo significant developments

Page 25: Business Continuity Management

• The purpose of Business Continuity Management is to define "Risks that may impact CalPERS ability to effectively plan for recovery and business continuity in the event of a disaster, hazard situation, or other business interruption."
• The main objectives of business continuity management are to identify critical operations and risks, provide a plan to maintain or restore critical operations during a crisis, and create a plan to communicate with key people during the crisis.

Page 26: Establish Risk Context

[Figure: establishing the risk context]

Page 27: Identify Key Risks - Exercise

• Inability to restore critical systems within the recovery time objective, as defined in the Business Continuity Plan, following a major disaster, could result in significant fiscal and reputational risk
• Inability to deliver critical customer services to CalPERS members and stakeholders for a significant period while implementing business continuity plans
• Inability to perform financial operations including cash management and investment trades for a significant period while implementing business continuity plans
• Lack of or inadequately designed and integrated emergency response plans:
  - General Plan
  - Business continuity plan
  - Disaster recovery plan
  - Pandemic plan
  - Emergency operation activation plan
• Catastrophic event may impact the organization's ability to comply with laws, rules, and regulations until business operations are fully restored

Page 28: Risk Analysis Criteria (Part I)

Impact

Score | Name | Financial | Legal/Compliance | Operational | Reputational | Strategic
0-2 | Insignificant | < $100,000 | No legal/compliance violations | No impact to service levels and business activities | No impact to CalPERS reputation | No impact to achievement of goals and objectives
2.1-4 | Minor | $100k-$1M | Minor legal/compliance violations | Minor impact to service levels and business activities | Limited criticism from a few media sources | Minor delays or modifications to goals and objectives
4.1-6 | Moderate | $1M-$100M | Moderate violations lead to increased scrutiny | Impacts service levels or creates moderate business disruptions | CalPERS is subject to criticism from several media sources | Delays or modifications to goals and objectives
6.1-8 | Major | $100M-$1B | Significant violations of law or loss of confidential data | Widespread disruption to service levels. Interruption of business functions. | Negative media reaches headlines of several publications | Significant delays or reductions in scope of goals and objectives
8.1-10 | Critical | > $1B | Violations result in widespread data loss, loss of tax qualified status, etc. | Cessation of business services for foreseeable future. Possible loss of life. | Irreparable damage to CalPERS reputation and credibility | Failure to meet CalPERS goals and objectives

Velocity

Score | Name | Speed
0-2 | Negligible | > 3 years
2.1-4 | Slow | 1-3 years
4.1-6 | Medium | 6-12 months
6.1-8 | Fast | 1-6 months
8.1-10 | Immediate | < 1 month

Velocity considerations: early detection opportunities; reaction time available; current mitigation strategies; sudden or gradual impact; velocity may differ between risk categories.

Page 29: Risk Analysis Criteria (Part II)

Likelihood

Score | Name | Probability
0-2 | Remote | 0-5%
2.1-4 | Unlikely | 6-20%
4.1-6 | Possible | 21-50%
6.1-8 | Likely | 51-80%
8.1-10 | Expected | 81-100%

Likelihood considerations: effectiveness of controls and mitigations in place; number of processes and systems involved; historical and industry peer experiences; skills and competencies managing the risk; political/regulatory environment; time horizon (3 years).

Trend

Name | Description
Up | The impact, likelihood, or velocity of the risk is predicted to increase over the next reporting period.
Steady | The impact, likelihood, or velocity of the risk is predicted to remain constant over the next reporting period.
Down | The impact, likelihood, or velocity of the risk is predicted to decrease over the next reporting period.

Page 30: Risk Analysis Criteria (Part III)

[Figure: risk analysis criteria, part III]

Page 31: Risk Analysis - Inherent Risks (Identify Risks -> Assess Risks)

Risk Category: Operational. Risk Domain: Business Continuity Management.

Risk ID | Key Risk | Risk Description | Impact | Likelihood | Inherent Risk Ranking
BC1 | Business Interruption | Inability to restore critical systems within the RTO, as defined in the Business Continuity Plan, following a major disaster, could result in significant fiscal and reputational risk. | 8.00 | 10.00 | 80.00
BC2 | Customer Services Interruption (pension, healthcare, other benefits) | Inability to deliver critical customer services to CalPERS members and stakeholders for a significant period while implementing business continuity plans | 9.00 | 9.00 | 81.00
BC3 | Financial Losses (cash management, investment trades) | Inability to perform financial operations including cash management and investment trades for a significant period while implementing business continuity plans | 8.00 | 10.00 | 80.00
BC4 | Casualties/Property Damage | Lack of or inadequately designed and integrated emergency response plans: General Plan; Business continuity plan; Disaster recovery plan; Pandemic plan; Emergency operation activation plan | 10.00 | 8.00 | 80.00
BC5 | Fines and penalties/Lawsuits | Catastrophic event may impact the organization's ability to comply with laws, rules, and regulations until business operations are fully restored. | 8.00 | 8.00 | 64.00

Page 32: Risk Analysis - Risk Response (Identify Risks -> Assess Risks -> Respond to Risks)

Risk Category: Operational. Risk Domain: Business Continuity Management.

Risk ID | Key Risk | Risk Description | Impact | Likelihood | Inherent Risk Ranking | Risk Response Option (Accept / Reduce / Share (Transfer) / Avoid) | Risk Response Strategies
BC1 | Business Interruption | Inability to restore critical systems within the RTO, as defined in the Business Continuity Plan, following a major disaster, could result in significant fiscal and reputational risk. | 8.00 | 10.00 | 80.00 | x | Identify critical services to CalPERS members and stakeholders and develop emergency response communication plans. Continue to exercise and refine the Disaster Recovery planning and testing program.
BC2 | Customer Services Interruption (pension, healthcare, other benefits) | Inability to deliver critical customer services to CalPERS members and stakeholders for a significant period while implementing business continuity plans | 9.00 | 9.00 | 81.00 | x | Develop and maintain business continuity plans that identify critical functions and associated business resumption priorities.
BC3 | Financial Losses (cash management, investment trades) | Inability to perform financial operations including cash management and investment trades for a significant period while implementing business continuity plans | 8.00 | 10.00 | 80.00 | x | Develop and maintain business continuity plans that identify critical functions and associated business resumption priorities.
BC4 | Casualties/Property Damage | Lack of or inadequately designed and integrated emergency response plans: General Plan; Business continuity plan; Disaster recovery plan; Pandemic plan; Emergency operation activation plan | 10.00 | 8.00 | 80.00 | x | Develop and maintain emergency response and crisis communication plans; integrate business continuity and disaster recovery plans for holistic emergency management response.
BC5 | Fines and penalties/Lawsuits | Catastrophic event may impact the organization's ability to comply with laws, rules, and regulations until business operations are fully restored. | 8.00 | 8.00 | 64.00 | x | Seek waiver for compliance with mission critical laws, rules, and regulations while resuming business operations.

Page 33: Risk Analysis - Residual Risks (Identify Risks -> Assess Risks -> Respond to Risks -> Assess Risks)

Risk Category: Operational. Risk Domain: Business Continuity Management. Reporting periods shown: May-13, Oct-13, Trend.

Risk ID | Key Risk | Risk Description | Inherent Impact | Inherent Likelihood | Inherent Risk Ranking | Risk Response Option (Accept / Reduce / Share (Transfer) / Avoid) | Risk Response Strategies | Residual Impact | Residual Likelihood | Residual Risk Ranking
BC1 | Business Interruption | Inability to restore critical systems within the RTO, as defined in the Business Continuity Plan, following a major disaster, could result in significant fiscal and reputational risk. | 8.00 | 10.00 | 80.00 | x | Identify critical services to CalPERS members and stakeholders and develop emergency response communication plans. Continue to exercise and refine the Disaster Recovery planning and testing program. | 6.60 | 6.60 | 43.56
BC2 | Customer Services Interruption (pension, healthcare, other benefits) | Inability to deliver critical customer services to CalPERS members and stakeholders for a significant period while implementing business continuity plans | 9.00 | 9.00 | 81.00 | x | Develop and maintain business continuity plans that identify critical functions and associated business resumption priorities. | 6.00 | 6.00 | 36.00
BC3 | Financial Losses (cash management, investment trades) | Inability to perform financial operations including cash management and investment trades for a significant period while implementing business continuity plans | 8.00 | 10.00 | 80.00 | x | Develop and maintain business continuity plans that identify critical functions and associated business resumption priorities. | 6.00 | 6.00 | 36.00
BC4 | Casualties/Property Damage | Lack of or inadequately designed and integrated emergency response plans: General Plan; Business continuity plan; Disaster recovery plan; Pandemic plan; Emergency operation activation plan | 10.00 | 8.00 | 80.00 | x | Develop and maintain emergency response and crisis communication plans; integrate business continuity and disaster recovery plans for holistic emergency management response. | 8.00 | 7.00 | 56.00
BC5 | Fines and penalties/Lawsuits | Catastrophic event may impact the organization's ability to comply with laws, rules, and regulations until business operations are fully restored. | 8.00 | 8.00 | 64.00 | x | Seek waiver for compliance with mission critical laws, rules, and regulations while resuming business operations. | 7.00 | 7.00 | 49.00

Weighted Average (Residual Risk Ranking): 45.19
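Worked example, added here and not taken from the CalPERS deck, of the scoring used in the Risk Analysis Criteria (pages 28-29) and carried through the inherent and residual worksheets (pages 31-33): rubric bands for each score, ranking as impact x likelihood, the trend label between two rankings, and a focus list ordered by residual ranking. Two assumptions: the marked response option is read as Reduce (the slides show only an "x"), and the average is a plain mean, because the weights behind the slide's 45.19 are not given.

```python
"""Risk scoring worked through with the scales on the CalPERS slides.

Inherent risk ranking = impact x likelihood on the 0-10 scales of
"Risk Analysis Criteria"; a response strategy lowers the two scores,
and residual risk ranking is recomputed the same way."""
from dataclasses import dataclass

# Rubric bands from Risk Analysis Criteria Parts I and II: (upper bound, name).
# A score falling in the gap between bands (e.g. 2.05) is placed in the next band.
IMPACT_BANDS = [(2, "Insignificant"), (4, "Minor"), (6, "Moderate"),
                (8, "Major"), (10, "Critical")]
LIKELIHOOD_BANDS = [(2, "Remote"), (4, "Unlikely"), (6, "Possible"),
                    (8, "Likely"), (10, "Expected")]
VELOCITY_BANDS = [(2, "Negligible"), (4, "Slow"), (6, "Medium"),
                  (8, "Fast"), (10, "Immediate")]


def band(score, bands):
    """Map a 0-10 score onto the rubric name for its band."""
    if not 0 <= score <= 10:
        raise ValueError(f"score {score} is outside the 0-10 scale")
    for upper, name in bands:
        if score <= upper:
            return name
    return bands[-1][1]  # not reached after the range check; kept for clarity


def ranking(impact, likelihood):
    """Inherent or residual risk ranking as on the worksheets: impact x likelihood."""
    return round(impact * likelihood, 2)


def trend(previous, current):
    """Trend between two rankings, using the slides' Up / Steady / Down labels."""
    if current > previous:
        return "Up"
    if current < previous:
        return "Down"
    return "Steady"


@dataclass
class KeyRisk:
    risk_id: str
    name: str
    impact: float
    likelihood: float
    response_option: str  # Accept / Reduce / Share (Transfer) / Avoid
    residual_impact: float
    residual_likelihood: float

    def inherent(self):
        return ranking(self.impact, self.likelihood)

    def residual(self):
        return ranking(self.residual_impact, self.residual_likelihood)


# The five Business Continuity Management risks with the scores shown on the
# slides. "Reduce" is an assumption: the slides mark an "x" but do not show
# which of the four option columns it sits in.
BCM_RISKS = [
    KeyRisk("BC1", "Business Interruption", 8.0, 10.0, "Reduce", 6.6, 6.6),
    KeyRisk("BC2", "Customer Services Interruption", 9.0, 9.0, "Reduce", 6.0, 6.0),
    KeyRisk("BC3", "Financial Losses", 8.0, 10.0, "Reduce", 6.0, 6.0),
    KeyRisk("BC4", "Casualties/Property Damage", 10.0, 8.0, "Reduce", 8.0, 7.0),
    KeyRisk("BC5", "Fines and penalties/Lawsuits", 8.0, 8.0, "Reduce", 7.0, 7.0),
]


def risk_report(risks):
    """One worksheet row per risk: bands, inherent and residual rankings, trend."""
    rows = []
    for r in risks:
        rows.append({
            "id": r.risk_id,
            "impact": band(r.impact, IMPACT_BANDS),
            "likelihood": band(r.likelihood, LIKELIHOOD_BANDS),
            "inherent": r.inherent(),
            "residual_impact": band(r.residual_impact, IMPACT_BANDS),
            "residual_likelihood": band(r.residual_likelihood, LIKELIHOOD_BANDS),
            "residual": r.residual(),
            "trend": trend(r.inherent(), r.residual()),
        })
    return rows


def focus_list(risks, n):
    """Risk Focus List: the n risks with the highest residual ranking."""
    return sorted(risks, key=lambda r: r.residual(), reverse=True)[:n]


def average_residual(risks):
    """Plain mean of residual rankings. The slide reports a weighted average
    (45.19) without giving the weights, so this is an unweighted stand-in."""
    return sum(r.residual() for r in risks) / len(risks)


if __name__ == "__main__":
    for row in risk_report(BCM_RISKS):
        print(row)
    print("focus list:", [r.risk_id for r in focus_list(BCM_RISKS, 2)])
    print("mean residual ranking:", round(average_residual(BCM_RISKS), 2))
```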

Page 34: Enterprise Risk Management Dashboard

California Public Employees' Retirement System - Residual Risk Report, FY2013-14 Projected Risk. Each domain is shown with its May rating, Oct rating and Trend (the ratings themselves are colour-coded on the slide).

Strategic

1 - Governance / Leadership: This domain identifies risks of ineffective delegations, governance committees, policies and procedures, and leadership that may impact timely decisions that guide CalPERS to meet its strategic goals and objectives. This includes tone at the top.

2 - Strategic Planning and Implementation: This domain identifies risks to achieving strategic goals and effectively planning and implementing objectives and initiatives to meet CalPERS vision, mission, goals and objectives. This includes the ability to effectively measure, report, and monitor achievement of strategic goals, objectives, and initiatives outlined in the strategic plan.

3 - Health Care Costs (Top Risk): This domain identifies risks in the health care environment that may drive increases in health care benefit costs, erode CalPERS ability to provide its members with high quality, cost effective health care services, and adversely impact CalPERS as the preferred health care choice for employers and employees.

4 - Long Term Care Program: This domain identifies risks that may impact the CalPERS Long Term Care program and whether it is sufficiently funded to provide the services expected. This includes performance of the third-party administrator and overall fund status.

Operational

10 - Business Planning: This domain identifies risks that may impact creating and achieving relevant business plan objectives and action plans that are aligned with strategic risks. This includes effective implementation and monitoring of objectives and alignment of the business planning process with other business decision processes.

11 - Organization: This domain identifies risks that may impact CalPERS ability to maintain an effective organizational structure with clear roles and responsibilities to achieve objectives and serve our employers and members.

12 - Procurement and Contract Management: This domain identifies risks that may impact the CalPERS process to cost effectively and efficiently acquire goods or services and manage contracts consistent with applicable laws, regulations, and policies.

13 - Business Continuity Management (Top Risk): This domain identifies risks that may impact CalPERS ability to effectively plan for recovery and business continuity in the event of a disaster, hazard situation, or other business interruption.

Financial

21 - Financial Controls and Systems (Top Risk): This domain identifies risks that may impact the effectiveness of CalPERS financial controls to ensure accurate accounting for plan assets and liabilities. This includes policies and processes, implementation and management of controls for decision making, and use of assets, including appropriate authorizations and segregation of duties.

22 - Financial Planning: This domain identifies risks that may impact the effectiveness of the CalPERS budget and planning process, which provides appropriate financial resources for the organization to meet its objectives.

23 - Financial Reporting: This domain identifies risks that may impact the integrity of financial and management reporting, which must meet management's needs for decision making and legal and statutory requirements for disclosure.

24 - Investment Risk Management (Top Risk): This domain identifies risks that may impact the management, measurement, monitoring and reporting of investment risk. This includes adequacy of resources, tools and governance structure to measure and manage risk.

Compliance / Ethics

27 - Laws, Rules, and Regulations (Top Risk): This domain identifies risks that may impact CalPERS and staff resulting from non-compliance with statutory requirements, specifically non-compliance with relevant laws, rules and regulations, including regulatory reporting and the effectiveness of a compliance management framework as outlined in the United States Federal Sentencing Guidelines (FSG).

28 - Fraud Detection and Prevention: This domain identifies risks that may impact the protection of CalPERS assets, integrity, and credibility through effective fraud detection, prevention and investigation capabilities.

29 - Policy and Procedures (Top Risk): This domain identifies risks that may impact compliance with all CalPERS policies and the effectiveness of a policy management framework.

30 - Ethical Conduct: This domain identifies risks that may impact adherence to CalPERS standards of conduct, personal trading policy, and conflict of interest policies. Note: Final reporting period. This risk domain will be replaced with a new Ethical Conduct & Standards domain (31).

Page 35

Risk Management Maturity Matrix

Stages of Risk Management Capability Maturity (stakeholder value increases from left to right): Initial, Fragmented, Top Down, Integrated, Risk Intelligent

Representative Attributes Describing Each Maturity Level

Initial
• Ad hoc/chaotic
• Depends primarily on individual heroics, capabilities, and verbal wisdom

Fragmented
• Independent risk management activities
• Limited focus on the linkage between risks
• Limited alignment of risk to strategies
• Disparate monitoring & reporting functions

Top Down
• Common framework and policies
• Routine risk assessments
• Communication of top strategic risks to the Board
• Executive/Steering Committee
• Knowledge sharing across risk functions
• Awareness activities
• Formal risk consulting
• Dedicated team

Integrated
• Coordinated risk management activities
• Risk appetite is fully defined
• Enterprise-wide risk monitoring, measuring, and reporting
• Technology implementation
• Contingency plans and escalation procedures
• Risk management training

Risk Intelligent
• Risk discussion is embedded in strategic planning, capital allocation, etc.
• Early warning risk indicators used
• Linkage to performance measures and incentives
• Risk modeling/scenarios
• Industry benchmarking used regularly

Current Position

Although much has been accomplished so far, much more is still to be done.

Source: Deloitte

Page 36

CalPERS Risk Management Evolution

Independent Reassurance
1. Initial Assessment of All Risks
2. Reassurance Review of Controls
3. Ongoing Monitoring of Controls and Metrics
Current Position

Risk Appetite
1. Defined Enterprise Risk Appetite Policies
2. Defined Subcategory Risk Appetite Policies
3. Ongoing Monitoring and Escalation of Risk and Performance
Current Position

Active Risk Management
1. Initial Assessment of All Risks
2. Risk Embedded in Business Processes
3. Ongoing Improvement of Mitigations and Controls
Current Position

Page 37

GRC Overview

Page 38

Benefits of an Effective Compliance Framework

• Provides an enterprise focus for collaboration and integration
• Provides a common framework to identify, monitor and measure compliance across the organization
• Reduces risk of non-compliance, sanctions and liabilities
• Drives principled performance results

Page 39

Features of an Effective Compliance Framework

• Oversight by high-level personnel
• Roles and responsibility
• Due care in delegating substantial discretionary authority
• Effective communication and training at all levels
• Reasonable and measurable steps to achieve compliance, which includes reporting suspected wrongdoing without fear of reprisal (Ethics Helpline)
• Consistent enforcement of compliance
• Reasonable steps to respond to and prevent similar offenses upon detection of a violation

Page 40

Integrated Compliance Model

Page 41

Compliance Performance Metrics

• Communication Reach – percentage that receives
• Awareness – percentage who certify, report they understand and will uphold
• Training Coverage – percentage trained on contents
• Mastery – percentage that proves knowledge through testing
• Readability – Flesch reading score
• Questions – number of questions received
• Operationalization – percentage who believe the organization is compliant
• Organizational Alignment – percentage who believe organizational values are aligned
• Personal Alignment – percentage who believe their personal values are aligned
• Reporting Readiness – percentage who know to report violations
• Reporting – percentage who believe violations are actually reported
• Incidents – number of reported or discovered incidents of violation

Page 42

Effective Compliance: Principled Performance

• Principle #1: Reliable achievement of objectives
  - Intentional, clear objectives
  - Measured performance
  - Visible to stakeholders
• Principle #2: Address uncertainty
  - Holistic balance achieved between risk and rewards
  - Proactive planning and managing of rewards mindful of risks
  - Rigorous and thorough approach. Okay to be wrong, tempered with ongoing improvement.
• Principle #3: Acting with integrity
  - Focus on requirements set by mandates and promises established voluntarily by contract
• Principle #4: Reliable
  - Application of consistent processes to objectively measure performance

Page 43

Path to an Effective Compliance Framework

Page 44

Compliance Assessment Exercise

• Who runs the compliance and ethics program?
• Are standards, policies and procedures written?
• What training do you provide your employees?
• Are you providing for open lines to communicate?
• How are you conducting compliance testing and monitoring?
• Do you respond appropriately to detected offenses and misconduct?
• What does your Corrective Action Plan look like?
• How do you enforce your guidelines and discipline misconduct?

Page 45

Accomplishments

• Establish Office of Enterprise Risk Management
• Conduct enterprise-wide risk assessments
• Establish Risk Intelligent Enterprise Management Policy
• Establish Board Risk and Audit Committee
• Establish Executive Risk Management Committee
• Conduct strategic risk assessments
• FPPC reporting with on-line filing capability
• Personal Trading Regulation – automation tools
• Ethics HelpLine
• Policy and Regulatory Libraries
• Selected eGRC IT solution

Page 46

Next Steps

• Implement integrated assurance model
• Enhance risk management and compliance frameworks
• Develop risk appetite statements, risk tolerances, and key risk indicators
• Conduct Black Swan exercise
• Implement eGRC IT solution
• Conduct risk-based compliance assessments

Page 47

What is the Final Goal?

Introduction

An integrated ERM-GRC framework unifies governance, risk, compliance and assurance functions to:

• Embed a risk-intelligent culture
• Support risk-based decision making
• Drive principled performance results
• Optimize investments made to achieve strategic objectives and drive business value
• Improve stakeholder relations
• Increase transparency and accountability

Page 48

Key Lessons Learned

The following are ROI challenges faced by organizations and the corresponding leading practices:

Challenges | Leading Practices
Identifying the right measurements for ROI | KPIs and KRIs to be aligned with the organization's risk appetite and strategic objectives
Integration with Audit Services | Understand roles and responsibilities for integrating risk assessment services once risk management fundamentals are accepted by key leadership
Aligning risk management with business planning objectives | Collaborate early with strategic and business planning departments. Incorporate risk management principles into the development of organizational strategies
Risk management silos are hard to break down | Develop cross-functional teams to break barriers using common risk management language, processes and metrics
Maintaining effective risk management across all three lines of defense | Cross-train between the lines of defense regarding risk management processes and methods to support the identification, prioritization, measurement and reporting of risks
Employee buy-in on risk mindset | Consider linking risk management and employee performance measures

Page 49

Questions?