Enterprise Risk Management in the Public Sector July 28, 2016
ABOUT ME… Chris Wedor – Director of Audit for CDOT
• Trained as an engineer and became an auditor
• 14 year career in audit mixed with private and public experience: PepsiCo, City and County of Denver, and CDOT
• ALGA Knighton Award Winner
• Colorado Native
• Have run for public office
• Have played at Red Rocks
• New Dad
AGENDA
• About Me
• About CDOT
• What is Risk?
• What is Enterprise Risk Management?
• Enterprise Risk Management at CDOT
About CDOT $1.43 BILLION BUDGET
OUR CHALLENGE continued growth
THEN AND NOW: per capita spending vs. growth, 1991 and 2015 (bar chart)
• Population: 3.3 million (1991) vs. 5.4 million (2015)
• Vehicle miles traveled: 27.7 billion (1991) vs. 49.3 billion (2015)
• Dollars spent per person: the two figures shown are $68.94/person and $125.70/person
All dollar figures adjusted for inflation.
FUNDING AND BUDGET use $2 federal for every $1 state
WHERE DOES COLORADO RANK? [ranking chart, scale best to worst: system reliability for large, medium and small cities, and state rankings for bridge condition, pavement condition and fatalities]
• Recoverable figures: Denver 34 out of 46 large cities; Colorado Springs 14 out of 33 medium cities; Boulder 22 out of 22 small cities; Colorado state rankings of 15th, 17th and 32nd appear in the bridge, pavement and fatality columns (column assignment not recoverable from the extracted chart).
Sources: 2015 TTI Urban Mobility Report; FHWA NBI Data 2014; 2014 FHWA Highway Statistics; 2013 FHWA Highway Statistics (slide updated June 2015).
What is Risk? DEFINITIONS
• Institute of Internal Auditors: The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.
• Google: A situation involving exposure to danger.
• Business Dictionary: A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action.
• Merriam-Webster: The possibility that something bad or unpleasant will happen.
Evaluating Risk
• LIKELIHOOD: The chance that the risk may actually be realized
• IMPACT: The effect that the risk being realized would have on your objectives
Risks Don’t Go Away
• Even if you have:
• Mitigated
• Avoided
• Transferred
• Accepted
• Risks are always present… Just less likely or somewhere else
• Review them regularly (At least annually)
• What has changed?
• Evaluate your risk appetite… It can change too!
So What is ERM? • Enterprise Risk Management (ERM) is defined by the Committee of Sponsoring Organizations (COSO) as: “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
COSO IC vs. COSO ERM To help with the implementation of the ERM process, COSO developed the ERM Integrated Framework (2004), also known as the COSO Cube. The cube updates the original COSO framework, developed in 1992 and revised in 2013. The two frameworks are the Internal Control – Integrated Framework and the Enterprise Risk Management – Integrated Framework.
What is ERM? The four objective categories of the COSO ERM framework:
• Strategic: These are the high level goals that are aligned with and support the institution’s mission.
• Operations: These relate to the ongoing management process and daily activities of the organization.
• Reporting: This relates to the protection of the organization’s assets and the quality of financial reporting.
• Compliance: This relates to the organization’s adherence to applicable laws and regulations.
What is ERM? The eight components of the COSO ERM framework:
• Internal Environment relates to the general culture, values and environment in which an organization or entity operates (e.g., tone at the top).
• Objective Setting relates to the process management uses to set its strategic goals and objectives. It establishes the organization’s risk appetite and risk tolerance.
• Event Identification is the process by which an organization identifies events that influence strategy and objectives, or could affect an organization’s ability to achieve its objectives.
• Risk Assessment relates to the organization’s process of evaluating the impact and likelihood of events, and prioritizing related risks.
• Risk Response relates to determining how management will respond to the risks an organization faces. Will they avoid the risk, share the risk, or mitigate the risk through updated practices and policies?
• Control Activities represent policies and procedures that an institution implements to address the risks the organization chooses to accept.
• Information and Communication relates to those practices that ensure that the right information is communicated at the right time to the right people.
• Monitoring consists of ongoing evaluations to ensure controls are functioning as designed, and taking corrective action to enhance control activities if needed.
ERM Life Cycle Each of these components is considered at multiple levels of the organization, rather than within a single function, unit, or department.
ERM Life Cycle [cycle diagram] Culture → Goal setting → Identify and prioritize risks → Evaluate options → Confirm next steps → Implement → Evaluate performance → (back to Culture). The eight components run beneath the cycle: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring.
ERM…
• ERM is broader than internal control, expanding and elaborating on internal control to form a more robust conceptualization focusing more fully on risk
• Provides a common lexicon of risk terminology, and provides direction and guidance for implementing ERM
• Internal control is encompassed within and an integral part of ERM
• Requires that organizations:
• Examine their complete portfolio of risks – No silos
• Consider how those risks interrelate – Cross cutting
• That management develops an appropriate risk mitigation approach to address these risks in a manner that is consistent with the organization’s strategy and risk appetite
So What Does This Mean?
• Each ERM is unique to each organization
• Not a “silver bullet” to prevent risks from occurring
• Risk Appetite = Ability to Mitigate Risk
• Not “One Size Fits All”
• ERM is not a methodology or checklist of items that need to be completed that guarantee results or elimination of risks
• ERM is not the only way organizations can take a more proactive approach to managing risk…
Other Frameworks
• CoCo – “Criteria of Control”
• Risk management tool developed by the Canadian Institute of Chartered Accountants to assist managers and internal auditors in designing, assessing, and reporting on control systems of an organization.
• Cadbury Report
• Published in 1992 and sets recommendations that focus primarily on practices related to transparency and accountability at the top levels of an organization rather than throughout the organization as a whole.