Auditors and Risk Managers: Collaborators or Adversaries? · 2020. 7. 23. · Many organizations...
© Douglas W. Webster, 2020 1
Auditors and Risk Managers: Collaborators or Adversaries?
DR. DOUG WEBSTER
Setting the Stage
Are You a Collaborator or Adversary?
The Challenge of Change
• Life would be simple if only it were not for… Change
• External Change
• Internal Change
[Figure labels: Today’s Environment; The Future Environment; External Environment; Internal Environment; External Change; Organization Actions; Reactive Internal Change; Proactive Internal Change. © Douglas W. Webster]
The Challenge of Change
Many organizations act as if in Groundhog Day, focused only on improving today’s organization.
“A good hockey player plays where the puck is. A great hockey player plays where the puck is going to be.”
~ Wayne Gretzky
The proverbial “Burning Platform”
The impact of different internal change responses to external change
[Figure labels: Proactive Change; Reactive Change; Reactive Change in Crisis; Options; Urgency and Risk]
Do you React to Crises Or Manage Risks?
Responding to Change
“Life, business, everything you do, every decision you make – it’s all about risk and reward!”
~ Bill Kaplan, founder/leader of the MIT Blackjack Team that won millions in Vegas; inspired the movie 21 and the national bestseller, Bringing Down the House.
[Figure labels: Results; Resources; Value; Risks]
Risk—whether managed or ignored—is an inherent part of every management decision,
The Evolution of Risk Management, Internal Control and ERM
The Evolution of Risk Management: The First 5000 Years
• 3400 BC: Sumerian commercial transactions show 2nd party checking of records
• 1950 BC: Shipping insurance (Code of Hammurabi)
• 1300 BC: Egyptian pharaohs have internal controls in treasury
• 600 BC: Life insurance (Greeks and Romans)
• 1611: Fire insurance (after the Great Fire of London)
Timeline legend: Risk; Internal Controls
The Evolution of Risk Management: Modern Times
• 1949: American Institute of Accountants (now AICPA) first to offer an “official” definition of “Internal Control”
• 1952: Harry Markowitz doctoral dissertation on “Portfolio Selection”
• 1958: AICPA definition divides internal controls into:
  • Accounting control: safeguarding assets and checking accuracy/reliability of accounting data
  • Administrative control: measures to promote operational efficiency and to encourage adherence to prescribed managerial policies
• 1960s-1970s: Changes in banking; financial innovation
• 1963: First text on risk management: “Risk Management and the Business Enterprise”
• 1974: Gustav Hamilton’s Circle of Risk
• 1977: Publicly held corporations required by Congress to implement internal controls over financial reporting (Foreign Corrupt Practices Act)
Timeline legend: Risk; Internal Controls
The Evolution of Risk Management: “Recent” Advances
1992
1996
First journal article on “Integrated Risk Management” by Kent D. Miller
First book on “Enterprise-wide Risk Management” (Deloach and Temple)
First use of the term “Enterprise Risk Management” by Glyn A. Holton
2000
2004 COSO ERM Framework
1982
1985
2002
Federal Managers Financial Integrity Act (FMFIA)
COSO established
COSO Internal Controls Framework
Sarbanes Oxley, Section 404
1999 AUS/NZ 4360 Risk Management Standard
2009 ISO 31000 Risk Management Standard
Risk Internal Controls
2017 COSO ERM Framework (update)
2018 ISO 31000 Risk Management Standard (update)
What is Risk Management that is beyond Internal Control?
Internal Controls vs. Risk Management
Governance
Internal Controls
Risk Management
Enterprise Risk Management
“Risk management refers to a coordinated set of activities and methods that is used to direct an organization and to control the many risks that can affect its ability to achieve objectives.” ~ ISO 31000
A-123
• Risk management is too often focused on internal control and operational risks
• Many risks to achieving mission and objectives result from failure to address external changes
Key Risks are NOT All Internal
38 bank failures 2003-2008 versus 482 bank failures 2009-2014
Considering Going to the Moon
May 25, 1961: President Kennedy announces decision to go to the moon before a Joint Session of Congress
President Kennedy consults with numerous advisors on going to the moon
Risks?
And Actually Getting There…
Internal Control
Risk management is too often “Bolted on” vs. “Built in”
• Risk management is frequently viewed as simply a compliance exercise (i.e., not an element of maximizing organizational value)
• Risk management is treated as a “gate” through which decisions based on costs and benefits must pass
• Risk management is too often limited to internal controls
Challenges with Traditional Risk Management
GAO Green Book
OV1.01 Internal control is a process effected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved (see fig. 2). These objectives and related risks can be broadly classified into one or more of the following three categories:
• Operations - Effectiveness and efficiency of operations
• Reporting - Reliability of reporting for internal and external use
• Compliance - Compliance with applicable laws and regulations
Note: Not mandatory outside of the federal government, but based on COSO’s Internal Control—Integrated Framework (2013).
Is this truly all that is needed to deliver stakeholder value and meet organizational objectives?
Clarifying Risk Management vs. ERM
Governance
Internal Controls
ERM
A-123
Risk Management
• The COSO 2004 ERM Framework did not adequately explain the difference between ERM and traditional risk management.
• ERM is not simply risk management done well, or across the enterprise.
“Enterprise Risk Management (ERM) is a discipline that addresses the full spectrum of an organization’s risks, including challenges and opportunities, and integrates them into an enterprise-wide, strategically-aligned portfolio view. ERM contributes to improved decision-making and supports the achievement of an organization’s mission, goals, and objectives.”
Source: Association for Federal Enterprise Risk Management (AFERM), 2011
Incentives
“Tools”
Motivation
Understanding
The Importance of Cultural Change
1. Strategic Alignment
2. Rationalized Risk Appetite
3. Collaboration
4. Prioritization
5. Appropriate transparency
6. Centralized coordination
7. Delegated accountability
8. Formal governance process
9. Change Management
Concluding Thoughts: Nine Principles for Implementation
Changing Your Thinking about Risk Management
The world we have created is a product of our thinking; it cannot be changed without changing our thinking.
~ Albert Einstein