1 Strategic Value of Enterprise Risk Management JOHN E. HOMAN 2015–2016 AGA National President...


Strategic Value of Enterprise Risk Management

JOHN E. HOMAN

2015–2016 AGA National President

East Tennessee Chapter

Knoxville, TN

November 9, 2015


Key Issues in Government Accountability

NEED TO ADDRESS RISK AT ALL LEVELS OF GOVERNMENT


RISK IS PERVASIVE AT ALL LEVELS OF GOVERNMENT & IS AT HIGHEST LEVEL SINCE GREAT DEPRESSION

• Severely reduced populations
• Failing physical infrastructure
• Budget shortfalls
• Approaching “silver tsunami”
• Increased demand for new skillsets (e.g. analytics, cyber)

STATE AND LOCAL LEVEL FEDERAL LEVEL


FEDERAL LEVEL

Risk Experience of the Past Several Years

The economic downturn, slow recovery, political gridlock, and federal fiscal sustainability issues have created the highest risk environment since the Great Depression

The failure of Congress to approve a budget led to a temporary government shutdown in 2013 and fixed, across-the-board spending cuts

Multiple debt limit crises, in which Congress has only agreed to meet the full fiscal obligations of the nation at the very last minute

The 2008 mortgage crisis, which led to the institution of the Troubled Asset Relief Program (TARP), requiring more than $460 billion of capital infusions, guarantees, and loans to stabilize the financial system


STATE AND LOCAL LEVEL

Risk Experience of the Past Several Years and Impact of Risk at the Federal Level to the States

• Bankruptcies have occurred in Detroit MI, San Bernardino and Stockton CA
• Pension crisis in Illinois
• Intergovernmental Financial Risk - Some States now rely on the federal government for over one third of their revenue
  • In 2011, California, Louisiana, New York and Virginia received over 30% of their revenue from the federal cash flows based on the SEFA (Schedule of Federal Expenditures) for each

[Figure: % Direct Federal Dollars Flowing to Selected States, Stated as % of Total State Revenues. Bar chart for California, Louisiana, New York and Virginia, years 2009, 2010 and 2011; vertical axis 0.0% to 60.0%.]


FORMAL DEFINITION

The Committee of Sponsoring Organizations (COSO) defines ERM as a process effected by the entity’s Board of Directors, management and other professionals, applied in a strategy setting and across the enterprise, designed to identify potential events that could affect an organization, and then taking steps to reduce or eliminate the risk so the organization can achieve its objectives.

ERM AS A POSSIBLE SOLUTION

ENTERPRISE RISK MANAGEMENT

• Framework for modeling and addressing risk
• Structured approach to identifying, measuring, and assessing risks and developing effective policy responses


ERM AS A POSSIBLE SOLUTION

A WELL IMPLEMENTED ERM MODEL CAN ADDRESS RISK AND OVERCOME THE CHALLENGES

A notional government model may have five stages:

ONE: Establishing the risk types
TWO: Defining the likelihood and impact of the risks
THREE: Defining the level of risk intensity
FOUR: Developing a visual summary of the results
FIVE: Synthesizing the information for decision-making


Profile of Northeast County - A Sample Entity to which we can apply the Five Stage Model

| # | Department or Office | Budget ($ millions) | Full-Time Employees | Number of Federal Grant Programs | Federal Grants | State Grants | Public Policy Issues |
|---|---|---|---|---|---|---|---|
| 1 | Correction | $ 24.0 | 211 | | | | |
| 2 | County Executive | $ 2.2 | 17 | | | | |
| 3 | Education | $ 209.0 | 1000 | 5 | $ 40.0 | $ 40.0 | |
| 4 | Emergency Management | $ 0.5 | 3 | 1 | $ 0.1 | | |
| 5 | Environmental Protection | $ 38.8 | 51 | 3 | $ 4.0 | | |
| 6 | Finance | $ 19.8 | 42 | | | | 1 |
| 7 | Fire Services | $ 65.8 | 442 | 1 | $ 1.2 | | |
| 8 | Health & Human Service | $ 91.2 | 467 | 9 | $ 39.0 | $ 25.0 | |
| 9 | Housing | $ 14.9 | 27 | | | | |
| 10 | Human Resources | $ 62.1 | 27 | | | | |
| 12 | Police | $ 83.7 | 555 | | | | |
| 13 | Libraries | $ 12.8 | 79 | | | | |
| 14 | Technology Service | $ 10.8 | 55 | | | | |
| 15 | Transportation | $ 64.2 | 447 | 3 | $ 20.0 | $ 10.0 | 2 |
| | Total ($ in millions) | $ 700 | 3,423 | 22 | 104.3 | 75.0 | |
| 16 | Capital Improvement Program | $ 300 | | | | | |

Public Policy Issues:

1 Public pressure to have pension plans divest from companies invested in distilling, tobacco, sugar-based foods, the defense industry and those producing products abroad

2 Public pressure to provide capital improvements to county facilities going beyond the scope of the Americans with Disabilities Act


ERM MECHANICS

WHAT NEEDS TO BE DONE TO ASSESS THE RISKS — ESTABLISH THE RISK TYPE FOR LIKELIHOOD

Taxation and Regulatory Risk

Assessed on the basis of the level of expenditure at risk compared to the overall “notional” Northeast budget

Inter-governmental Risk

Assessed by the degree to which the department is dependent on federal funding as measured by the latest SEFA and state funding as measured by the state grant receipts

Public Policy Risk

Assessed by the degree to which political pressure at the governance level could alter existing plans at the department level

Strategic Risk

Assessed as the inability to meet business objectives and strategies due to improper or unfocused strategic planning

Financial Operations Risk

Assessed by determining the quality of accounting and budget information


ERM MECHANICS

WHAT NEEDS TO BE DONE TO ASSESS THE RISKS — ESTABLISH THE RISK TYPE FOR LIKELIHOOD

Information Technology Risk

Assessed by determining if the technology Northeast uses effectively supports its operation and whether its systems are open to compromise or illegal access.

Legal & Regulatory Risk

Assessed by determining if Northeast complies with all major county, state or federal laws.

Integrity/ Fraud Risk

Assessed by reviewing the actual instances of waste, fraud and abuse which have been documented in the past several years and by assessing vulnerabilities in operations such as exposure to cash collection or inadequate segregation of duties

Customer Service/ Delivery Risk

Assessed by how well Northeast delivers its services. Considers the risk that a department may be susceptible to failing to respond to customers in a timely and effective fashion.


ERM MECHANICS

WHAT NEEDS TO BE DONE TO ASSESS THE RISKS — ESTABLISH THE RISK TYPE FOR LIKELIHOOD

Environment, Health & Safety Risk

Assessed by looking for conditions or vulnerabilities that can have an adverse effect on the environment or which threaten the health and safety of the local community.

Human Resource Risk

Assessed by determining if the Northeast workforce has the proper skill sets, resources and training to complete its missions and whether its level of benefits is sufficiently competitive to attract a strong workforce.

Information & Communication Risk

Assessed by determining if there is consistent, accurate and timely communications to internal and external Northeast constituencies.

Overall Likelihood Risk

A blend of the 12 factors weighted and tempered by judgment.


ERM MECHANICS

WHAT NEEDS TO BE DONE TO ASSESS THE RISKS — ESTABLISH THE RISK TYPE FOR IMPACT

Reputation or Public Perception Impact

Assessed by determining the risk that the state or locality suffers a diminution in reputation or public perception from a risk occurring.

Business Operations Impact

Assessed by looking for impacts occurring that lead to County operations not functioning effectively or efficiently or not meeting internal or external goals. This could include failures from changes in the volume, or complexity of transactions or activities.

Financial Impact

Assessed by significant financial implications to the department or the County such as misstated financial statements or the failure to meet financial obligations, comply with bond covenants or meet future funding requirements for benefits.

Overall Impact Risk

A blend of the three factors weighted and tempered by judgment.


ERM MECHANICS

WHAT NEEDS TO BE DONE TO ASSESS THE RISKS — DEFINE THE LIKELIHOOD AND IMPACT OF RISK AND LEVEL OF INTENSITY

LIKELIHOOD

VERY HIGH: Immediate and high degree of vulnerability — if not controlled, could have a serious, long-term or detrimental effect

HIGH: Less immediate and somewhat lower degree of vulnerability — if not controlled, could have significant, long-term or detrimental effect

MODERATE: Risk present should be addressed and controlled but the probability is not as severe as defined above — if not controlled, could have some impact

LOW: The threat of a serious event is possible. The area should be managed but the level of risk response is limited.

VERY LOW: The threat of a serious event is either non-existent or remote. The area should be managed but the level of risk response is limited.

IMPACT

VERY HIGH: Financial ramifications would be severe and/or operations would suffer long-standing consequences

HIGH: The financial ramifications would be significant

MODERATE: Consequences would be negative and must be managed, but would not have substantial effect

LOW: Small impact financially or operationally

VERY LOW: Little to no impact financially or operationally


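SAMPLE ERM RESULTS

DEVELOPING THE VISUAL SUMMARY AND APPLYING THE RESULTS

SAMPLE RESULTS FOR “NORTHEAST COUNTY”

| Category | # | Assessed Risk Areas \ Selected Areas | Finance | Health & Human Service | Libraries | Transportation |
|---|---|---|---|---|---|---|
| LIKELIHOOD | 1 | Taxation & Revenue Risk | VH | H | M | H |
| LIKELIHOOD | 2 | Inter Governmental Risk | VH | VH | VL | VH |
| LIKELIHOOD | 3 | Public Policy Risk | VH | VH | VL | VH |
| LIKELIHOOD | 4 | Strategic Risk | M | H | L | H |
| LIKELIHOOD | 5 | Financial Operations Risk | H | VH | VL | H |
| LIKELIHOOD | 6 | Information Technology Risk | H | VH | VL | H |
| LIKELIHOOD | 7 | Legal & Regulatory Risk | M | VH | VL | H |
| LIKELIHOOD | 8 | Integrity/ Fraud Risk | M | H | VL | VH |
| LIKELIHOOD | 9 | Customer Service/ Delivery Risk | M | H | L | VH |
| LIKELIHOOD | 10 | Environment, Health & Safety Risk | L | M | L | H |
| LIKELIHOOD | 11 | Personnel/ HR Risk | M | H | L | M |
| LIKELIHOOD | 12 | Information & Communication Risk | M | M | L | M |
| LIKELIHOOD | 13 | Overall Likelihood | VH | VH | L | VH |
| IMPACT | 14 | Reputation Impact | M | VH | L | H |
| IMPACT | 15 | Business Operations Impact | H | VH | L | M |
| IMPACT | 16 | Financial Impact | VH | VH | VL | H |
| IMPACT | 17 | Overall Impact | VH | VH | VL | H |
| OVERALL | | Overall Rating | VH | VH | L | VH |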


SAMPLE ERM RESULTS

SYNTHESIZING FOR DECISION MAKING

HOW THESE RESULTS MAY BE USED

• Apply them to audits, budgets and strategic plans

• Develop multi-year audit plan -- would emphasize HHS, Finance and Transportation and deemphasize Libraries

• Validate operating budgets

• Apply to strategic planning process -- makes consequences and trade-offs across departments transparent with regard to risk


ERM MODEL CONCLUSIONS

ERM is an excellent tool for addressing risk

Applicable to both the federal and state/local sectors

ERM has been reviewed at the federal level in two meetings of the President’s Management Council

New revisions of OMB Circulars such as A-123 explicitly incorporate ERM into the internal control process. OMB is trying to get a full ERM plan by FY 2016

Key issue- who should own process at Federal Agencies: a separate risk officer or embed in an existing position?

AGA is encouraging its use and expansion and is assisting the Office of Management and Budget in implementing it throughout the Federal Government


AGA’S ERM INITIATIVE - WHAT WE ARE DOING TO PROMOTE ERM IN THE FEDERAL GOVERNMENT

The AGA National Executive Committee has established a working group to assist OMB in implementing ERM throughout the Federal Government. The mission and core members of the ERM Working Group are as follows:

Mission: To bring about strategic change in Federal, State, and local governments in the area of Enterprise Risk Management (ERM) through the leveraging and coordination of AGA’s thought leadership and its Agency, Industry, and Academic relationships to meet OMB’s goals for the adoption of ERM.

Core Members:

• Sheila Conley, Deputy CFO, Department of Health and Human Services
• Doug Glenn, Deputy CFO, Department of Interior
• Dan Kaneshiro, Policy Analyst, Office of Management and Budget
• Christine Jones, Associate Deputy Assistant Secretary for Finance, Department of Health and Human Services
• Tim Soltis, Deputy CFO, Department of Education
• Teresa Taber, Deputy Director Office of Financial Management, Department of Interior
• Dr. Doug Webster, Director, Government to Government Risk Management at US Agency for International Development
• Mike Wetklow, Branch Chief, Office of Management and Budget (Chair)


AGA’S ERM INITIATIVE – THE WORK PRODUCTS

The Working Group is developing an AGA sponsored ERM Webinar Series to provide training and implementation guidance. Timing: 2015 – 2016 and ongoing

Webinar Number One (by March 2016), sample learning objectives:

• What is Enterprise Risk Management?
• What is a CRO and what are the roles and responsibilities of the CFO and other CXOs (i.e., good governance)?
• What is the nexus between Federal and State governments in implementing ERM?
• What does success look like?
• What are the best practices?
• How do I get started?
• How to build ERM into existing processes rather than add on?

Webinar Number Two (by March 2016), sample learning objectives:

• Overview of ERM Standards
• Comparisons between COSO and ISSO
• The link between ERM and Internal Control Standards
• Applied Case Studies: Improper Payments and the DATA Act


AGA’S ERM INITIATIVE -- THE WORK PRODUCTS

Webinar Number Three (by June 2016), sample learning objectives:

• What are the tools and templates of ERM?
• Do I have to do it all at once, what’s a sample maturity model?
• What are the differences between COSO and ISSO Standards?

Webinar Number Four (by June 2016), sample learning objectives:

• What role does the Inspector General play in ERM?
• What are the road rules for management engagement of inspectors general in ERM?

AGA PDT 2016 (July 2016) Session based on the Webinars


AGA’S ERM INITIATIVE -- THE WORK PRODUCTS

An AGA sponsored research survey of the current state of Enterprise Risk Management in the Government, similar to AGA CPAG Report No. 26, “The Maturity of GRC in the Public Sector: Where are we today and where are we going?”

Timing: June 2016

• Table of contents based off of portions of Webinar Project Above
• Develop survey and interview instruments based off of prior CPAG Report No. 26 and AICPA/NC State Annual Report of the Current State of Enterprise Oversight
• Conduct Survey and Interviews


AGA’S ERM INITIATIVE -- THE WORK PRODUCTS

The Group will also facilitate faculty networking opportunities between the AGA and other associations and business lines:

• Identify whether efforts by other professional associations (e.g., Association Federal ERM, Partnership for Public Service, National Association of State Auditors, Comptrollers and Treasurers, International Federation of Accountants and others) and/or government bodies (e.g. OMB, CFOC, CIOC, CAOC, PIC, CHCO, CIGIE) are underway in the area of enterprise risk management and determine whether partnerships with those organizations are prudent.

• Brief management councils on A-123 and future A-11 efforts.

• Create an electronic portal for AGA members to connect with one another, and to share best practices.

• Publicize academic research in the area of ERM to the members of the AGA.


ERM -- KEY CHALLENGES IN APPLYING IN A GOVERNMENT SETTING -- GENERAL ISSUES

Liquidity Pressures: Since the government has the power to tax and, in the case of the Federal Government, borrow from the capital markets, governments have not traditionally had the short-term liquidity pressures of the private sector. But today the federal government faces liquidity pressures as it struggles to meet the rising costs of Medicare, Medicaid, Social Security, pensions, and services for a growing population.

Laws and Regulations: Another major challenge is the vast array of laws and policy regulations imposed on federal agencies and governments in general. From the financial reporting regulations and internal controls required by the Office of Management and Budget, to complex appropriations laws, federal government administrators face a constant uphill battle. State and localities likewise have the risk from federal and state regulations.

Cultural: There needs to be a strong culture surrounding ERM where everyone, not just financial staff, looks for and recognizes risk and where everyone is encouraged to identify problems and raise questions.

Key issue: Who should own the process -- a separate risk officer or embed in an existing position?


ERM -- FINAL THOUGHTS

“Risk comes from not knowing what you're doing” ― Warren Buffett

With a well designed and properly implemented ERM program, our governments will know what they are doing and where the external and internal threats to carrying out their missions lie

By embracing Risk we enhance the mission of our governments

“The desire for safety stands against every great and noble enterprise.” ― Tacitus