Auditors and Risk Managers: Collaborators or Adversaries? · 2020. 7. 23. · Many organizations...

© Douglas W. Webster, 2020

Auditors and Risk Managers: Collaborators or Adversaries?

DR. DOUG WEBSTER


Setting the Stage


Are You a Collaborator or Adversary?


The Challenge of Change

• Life would be simple if only it were not for… Change
  • External Change
  • Internal Change


The Challenge of Change

[Figure: External Environment and Internal Environment. External Change moves Today’s Environment toward The Future Environment; Organization Actions respond through Reactive Internal Change and Proactive Internal Change.]

The Challenge of Change

Many organizations act as if in Groundhog Day, focused only on improving today’s organization.

The Challenge of Change

“A good hockey player plays where the puck is. A great hockey player plays where the puck is going to be.”

~ Wayne Gretzky

Responding to Change

The proverbial “Burning Platform”: the impact of different internal change responses to external change

[Figure: Options versus Urgency and Risk, comparing Proactive Change, Reactive Change, and Reactive Change in Crisis.]

Do you react to crises or manage risks?

“Life, business, everything you do, every decision you make – it’s all about risk and reward!”

~ Bill Kaplan, founder/leader of the MIT Blackjack Team that won millions in Vegas; inspired the movie 21 and the national bestseller, Bringing Down the House.

[Figure: Value as the balance of Results against Resources, with Risks attached to every decision.]

Risk—whether managed or ignored—is an inherent part of every management decision.


The Evolution of Risk Management, Internal Control and ERM

The Evolution of Risk Management: The First 5000 Years

Risk
• 1950 BC: Shipping insurance (Code of Hammurabi)
• 600 BC: Life insurance (Greeks and Romans)
• 1666: Fire insurance (after the Great Fire of London)

Internal Controls
• 3400 BC: Sumerian commercial transactions show second-party checking of records
• 1300 BC: Egyptian pharaohs have internal controls in the treasury

The Evolution of Risk Management: Modern Times

Risk
• 1952: Harry Markowitz’s doctoral dissertation on “Portfolio Selection”
• 1960s–1970s: Changes in banking; financial innovation
• 1963: First text on risk management: “Risk Management and the Business Enterprise”
• 1974: Gustav Hamilton’s Circle of Risk

Internal Controls
• 1949: American Institute of Accountants (now AICPA) is the first to offer an “official” definition of “Internal Control”
• 1958: AICPA definition divides internal controls into:
  • Accounting control: safeguarding assets and checking the accuracy/reliability of accounting data
  • Administrative control: measures to promote operational efficiency and to encourage adherence to prescribed managerial policies
• 1977: Publicly held corporations required by Congress to implement internal controls over financial reporting (Foreign Corrupt Practices Act)

The Evolution of Risk Management: “Recent” Advances

Risk
• 1992: First journal article on “Integrated Risk Management” by Kent D. Miller
• 1996: First use of the term “Enterprise Risk Management” by Glyn A. Holton
• 1999: AUS/NZ 4360 Risk Management Standard
• 2000: First book on “Enterprise-wide Risk Management” (DeLoach and Temple)
• 2004: COSO ERM Framework
• 2009: ISO 31000 Risk Management Standard
• 2017: COSO ERM Framework (update)
• 2018: ISO 31000 Risk Management Standard (update)

Internal Controls
• 1982: Federal Managers Financial Integrity Act (FMFIA)
• 1985: COSO established
• 1992: COSO Internal Controls Framework
• 2002: Sarbanes-Oxley, Section 404

Internal Controls vs. Risk Management

What is Risk Management that is beyond Internal Control?

[Figure: nested scopes of Governance, Enterprise Risk Management, Risk Management, and Internal Controls, with A-123 marked at the internal-controls level.]

“Risk management refers to a coordinated set of activities and methods that is used to direct an organization and to control the many risks that can affect its ability to achieve objectives.” ~ ISO 31000

Key Risks are NOT All Internal

• Risk management is too often focused on internal control and operational risks
• Many risks to achieving mission and objectives result from failure to address external changes

38 bank failures 2003–2008 versus 482 bank failures 2009–2014

Considering Going to the Moon

President Kennedy consults with numerous advisors on going to the moon. Risks?

May 25, 1961: President Kennedy announces the decision to go to the moon before a Joint Session of Congress.

And Actually Getting There…

Internal Control

Challenges with Traditional Risk Management

Risk management is too often “bolted on” vs. “built in”:

• Risk management is frequently viewed as simply a compliance exercise (i.e., not an element of maximizing organizational value)
• Risk management is treated as a “gate” through which decisions based on costs and benefits must pass
• Risk management is too often limited to internal controls

GAO Green Book

OV1.01 Internal control is a process effected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved (see fig. 2). These objectives and related risks can be broadly classified into one or more of the following three categories:

• Operations – Effectiveness and efficiency of operations
• Reporting – Reliability of reporting for internal and external use
• Compliance – Compliance with applicable laws and regulations

Note: Not mandatory outside of the federal government, but based on COSO’s Internal Control—Integrated Framework (2013).

Is this truly all that is needed to deliver stakeholder value and meet organizational objectives?

Clarifying Risk Management vs. ERM

[Figure: nested scopes of Governance, ERM, Risk Management, and Internal Controls, with A-123 marked at the internal-controls level.]

• The COSO 2004 ERM Framework did not adequately explain the difference between ERM and traditional risk management.
• ERM is not simply risk management done well, or across the enterprise.

“Enterprise Risk Management (ERM) is a discipline that addresses the full spectrum of an organization’s risks, including challenges and opportunities, and integrates them into an enterprise-wide, strategically-aligned portfolio view. ERM contributes to improved decision-making and supports the achievement of an organization’s mission, goals, and objectives.”

Source: Association for Federal Enterprise Risk Management (AFERM), 2011

The Importance of Cultural Change

[Figure: four elements of cultural change: Understanding, Motivation, Incentives, and “Tools”.]

Concluding Thoughts: Nine Principles for Implementation

1. Strategic alignment
2. Rationalized risk appetite
3. Collaboration
4. Prioritization
5. Appropriate transparency
6. Centralized coordination
7. Delegated accountability
8. Formal governance process
9. Change management


Changing Your Thinking about Risk Management

The world we have created is a product of our thinking; it cannot be changed without changing our thinking.

~ Albert Einstein