ERM - Enterprise Risk Management

10/25/2011

Assessing the Adequacy of Risk Management

Risk DiceRecently, there has been an increased focus on the importance of managing risk as part of an overall strong corporate governance and enterprise risk management (ERM) program. With this new emphasis comes a responsibility for Internal Audit to assess the effectiveness of the risk management strategy within the organization. Though there are multiple risk management frameworks, this guide uses ISO 31000 as the basis for the risk assessment. This article discusses management’s role and the types of approaches for Internal Audit to measure the effectiveness of risk management within their organization.

The organization should not conduct the ERM process in isolation. Instead, involve all key stakeholders and use the following control-based assurance framework:

  • Effectively identify and appropriately analyze risks.
  • Implement adequate and appropriate risk treatment and control.
  • Management effectively monitors and reviews processes to detect changes in risks and controls.

The organization’s ERM approach should change over time as internal and external factors change.  For example, changes may occur due to the arrival of new personnel, changes in entity structure, new processes, and if the business objective changes. In the same way, the assessment of the ERM process must occur on an ongoing basis.

Responsibilities

Management is responsible for determining the organization’s risk attitude and the Board is responsible for determining if the risk attitude supports the best interests of stakeholders.  Internal Audit should assess whether the company’s framework takes into consideration and defines risk management responsibilities and strategy, and whether the elements of the framework allow for building a risk-smart environment while still allowing for responsible risk-taking.

Monitoring and Assurance

Organizations must monitor risk management systems to ensure they are performing as intended.  Most organizations accomplish monitoring through ongoing activities, separate evaluations, or a combination of these two methods. Ongoing monitoring is often most effective since it is completed on a real-time basis, can react dynamically to changing conditions, and is ingrained in the organization.

Line management, internal audit, risk management specialists, and the compliance function often share the monitoring responsibility. As a result, it is important for the organization to coordinate assurance activities to ensure it uses resources efficiently and effectively.

Continue reading "Assessing the Adequacy of Risk Management" »

Posted at 10:37 AM in ERM - Enterprise Risk Management, Internal Audit | | Comments (1)

|

03/29/2011

Fourth Annual TRENDS Symposium – June 3, 2011

TrendsIV logo
Join McKonly & Asbury on Friday, June 3, 2011 for our fourth annual TRENDS symposium focusing on accounting and audit issues for the insurance industry. The session provides 6.5 CPE credits, which includes 1 tax credit and 1 ethics credit. McKonly & Asbury is an approved continuing professional education program sponsor through the Pennsylvania State Board of Accountancy.

We have an exciting array of speakers and topics planned, based on comments we received from previous participants.

  • Legislative Update - Patricia Vance, Pennsylvania State Senator and member of the Pennsylvania Banking & Insurance Committee.
  • Insurance Department Update - Stephen Johnson, Deputy Insurance Commissioner, and David DelBiondo, Director, Bureau of Financial Examinations.
  • Tax Update – McKonly & Asbury Tax Group
  • Business/Professional Ethics – Elaine Nissley, MBA, CISA, PMP, CCSA, CRISC, Principal, McKonly & Asbury Risk Management Services Group.
  • Cloud Computing & Social Media: Risks and Controls - Samuel BowerCraft, MIS, CISA, Senior Manager, McKonly & Asbury Risk Management Services Group.
  • Reinsurance –Jane Taylor, FCAS, MAAA, JD, Consulting Actuary, Huggins Actuarial Services.
  • Safeguarding Confidential Data – John Dormuth, MSIM, CPCU, ARM, Account Executive, McConkey Insurance & Benefits. 

Sponsored by McKonly & Asbury and McConkey Insurance & Benefits, the symposium will take place at the Radisson Penn Harris Hotel & Convention Center at 1150 Camp Hill Bypass in Camp Hill, PA on June 3rd!

Agenda and Details

  • June 3 (Friday)
  • Registration starts at 7:30am
  • The seminar will run from 8:00am to no later than 4:00pm. 
  • Radisson Penn Harris Hotel & Convention Center (Camp Hill)

The cost to attend is $50, which includes a continental breakfast and lunch.

To register, please contact Erin Hench at ehench@macpas.com or by calling 717-972-5814.

 

Posted at 12:37 PM in About Us, ERM - Enterprise Risk Management, Internal Audit, Internal Audit & Controls, IT, Risk & Internal Controls, Security, Social Media | | Comments (2)

|

12/07/2010

Strengthening ERM: A Wise Decision

Food

What is the state of Enterprise Risk Management (ERM) in your organization? What are the components of ERM and what can they do for your organization? The Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued the paper, Enterprise Risk Management for Strategic Advantage, to assist management in addressing improvements in risk oversight. It highlights four important areas of ERM for management and the board to review and consider. The following presents some important questions for you to chew on.

Organization Risk Appetite and Philosophy: Is your board, executive management, and middle management all on the same page when making decisions on the level of risk to take on behalf of your organization? Does the Board set the “Tone at the Top” and influence corporate culture regarding risk appetite and philosophy? Is there a shared understanding from the Board down through middle management regarding the amount of risk that is acceptable in the pursuit of meeting corporate objectives?

Risk Management Practices: Do you understand your organization’s approach to risk management? Does the board challenge management and determine if key risk exposures are within acceptable risk levels?  Is there a threat for your executive compensation package to encourage risk-taking beyond acceptable risk levels? Do you reward strong performance without considering the risks assumed by the organization to meet the performance targets? Case in point: the sub-prime mortgage crisis. 

Portfolio of Risks: Do you understand all of the significant risks facing your organization? Do you know how management is addressing these risks? How do you know they are addressing the right risks? Does the board packet contain relevant risk information? Is risk a board agenda item?

Key Risk Indicators (KRI): Do you have a set of key risk indicators for your organization? Does everyone understand the KRIs and the appropriate risk responses? What is your process to report on KRIs?

Is this case, what you do not know can hurt you. As Warren Buffett said, “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.” A corporate risk assessment can start your organization on the way to answering these questions.

For more information, contact Elaine Nissley at ENissley@macpas.com.

 

Posted at 03:20 PM in ERM - Enterprise Risk Management, Risk & Internal Controls | | Comments (0)

|

07/13/2010

Would Your Business Reopen if Struck With Disaster?

If your answer is “I am not sure” or “No”, read on to learn some small steps you can take to increase the likelihood that your business would reopen. According to the American Red Cross, as many as 40 percent of small businesses do not reopen after a disaster!

Within the last month, two friends have told me about two separate disasters caused by malfunctioning air conditioning systems. In both cases, there was extensive water damage on multiple floors destroying papers and electronic equipment. In one case, over 100 people were displaced and in the other, about 20 were displaced. Fortunately, due to having business continuity plans in place, they were able to react in a quick and efficient manner.

Continue reading "Would Your Business Reopen if Struck With Disaster?" »

Posted at 08:25 AM in Disaster and Business Continuity, ERM - Enterprise Risk Management | | Comments (0)

|

06/11/2010

SOCIAL MEDIA: THE NEW WATER COOLER

Picture20
This week I attended a leadership conference, which included a presentation by Tom Hood, Founder and CEO of the Business Learning Institute (BLI). He stated that young people coming into the workforce today have a network of over 1,000 people due to social media.

My first thought was: WOW! Imagine the business development power of these networks if we could get our young people to spread the word about our company. Next, I thought, I wonder what they are saying about our company? Then a colleague spoke up and said they were having issues with young employees bashing their company on Facebook.

Do you remember water coolers, where workers used to hang out and vent their frustrations? You know we all have to vent occasionally no matter how well we like our jobs. Well, guess where our young people are venting? The same place they have vented since high school or college: their social media network. Nowadays, frustrations are not vented within a small network of people in the office, but to a network of potentially thousands.

Later at the same conference, someone commented that their firm’s staff was engaged in client bashing via social media - while connected to the client’s internet! The client was tracking these  conversations and brought it to the firm’s attention. Not good for repeat business!  And knowing these risk, what do you think should be done?

Reduce the Risk

The following is a checklist that I recommend you apply to your company to see if you are taking steps to contain water cooler conversations.

  1. Implement a social media policy. Do not implement just a generic policy. Customize the policy to fit your business.
  2. Provide annual training on business ethics, including social media dos and don’ts.
  3. Monitor social media activity.
  4. Have a third party independent review of your social media policy implementation. Do your employees really get the message and are they complying?
  5. Implement an anonymous hotline for employees to report non-compliance with your social media policy.

Leverage the Opportunities

It is not just enough to tell your employees what they cannot do related to social media. This strategy leaves a void. Also provide employees positive ways to use social media to promote themselves and their company. It is important that they understand that the message they convey on social media can either limit their career or expand their career. Provide them with examples of positive messages to convey and the information you would like their network to understand. What are the services you provide? How does your company contribute and support the local community?

Feedback

I am interested to hear stories from you on your social media challenges and how you have addressed them.

For more information on this subject, contact Enissley@macpas.com

 

Posted at 09:20 AM in ERM - Enterprise Risk Management, Social Media | | Comments (0)

|

06/08/2010

Keeping Watch & Monitoring IT

More and more new technology is released into working environments each day, whether it be intentional installations of servers and software, or unintentional releases of viruses and malware.  Given all the possibilities of what might and can occur, vigilance over what is going on is more important than ever.

Historically, keeping watch has been an extremely important duty.  Sentries would be placed at key locations at all hours to look for invaders, storms, fires, and friends approaching a castle.  Depending on what the sentry saw, he would alert different groups of people to respond appropriately to the threat or the opportunity that was presented.

The success in these situations is to cut response times (and downtime), and improve customer satisfaction.  This also helps to cut costs, as preventing major problems and attacks is almost always better than repairing the aftermath of the issue.

Today, the analogy to IT is quite similar, but the methods have changed.  You can’t use a person to track all the events on a network, there are too many systems, and too many transactions per second for this to be viable.  Instead, we need to take a risk based approach by putting sentries on watch at the most important areas.  If we don’t, then the risk of invaders, fire, or other catastrophe increases, as does the risk that we won’t discover the problem until after it is far too late.

Step 1: The first step is to identify everything you want to monitor.  Areas to consider will be specific to your business but may include: firewall and network attacks, changes to systems, changes to logical access/user access, bandwidth usage, hard drive usage, server utilization, backup tape usage, database utilization, printer usage, and/or login times.

Step 2: Identify the areas of your network that you are able to monitor.  If you can track attacks on your network, that is something worth noting.  If your current system cannot track attacks on your network, that is also worth noting.

Step 3: Compare the list of things you want to monitor to the things you can monitor.  You now have to decide what you will be monitoring in the short term (items you want to monitor and can monitor) and make decisions about items you want to monitor in the future (those you want to monitor but cannot monitor now).  Further decisions must be made on how you will monitor these items (the criteria).  Monitoring hard drive space is a good idea, but how often will you check it, and what is the threshold for concern?  90% usage?  91%?

Moving ahead with monitoring of your IT investment will help to streamline and optimize your environment, and provide you with increased return on your investment (ROI).  Depending on the assessment, you may find that you can use existing tools, or conversely that you need a special monitoring tool.  Either way, by evaluating your environment, deciding what needs to be monitored, and posting sentries, you will be safer and better prepared for whatever may come your way.

“Never neglect details. When everyone's mind is dulled or distracted the leader must be doubly vigilant.”-          Colin Powell

By: Samuel BowerCraft

Posted at 02:42 PM in ERM - Enterprise Risk Management, IT, Risk & Internal Controls, SOX | | Comments (0)

|

04/28/2010

ERM and Free CPE Credits!

Picture1Picture2 

Do you want to learn more about Enterprise Risk Management and earn two free CPE credits at the same time? Would you like to do this without leaving your desk? Do you know anyone who needs CPEs or is interested in ERM? If so, I encourage you to take the time to complete this self-study course and share this opportunity with your colleagues. Please allow two hours to obtain the most benefit from this course.

The objectives of the course are to provide you with a basic understanding of ERM including the terminology, implementation steps and some key ERM concepts. The topics covered are:

  • COSO Introduction
  • ERM Framework vs. Internal Control Framework
  • ERM Implementation
  • Theorize and Quantify Key Concepts
    • Risk Appetite/Tolerance 
    • Inherent Risk
    • Strength of Controls
    • Residual Risk

The session provides information in both a visual and auditory format. Upon completion of the course, you will be requested to complete a 13 question multiple choice quiz and submit the quiz to M&A for grading. As long as you receive a 70% or higher and complete the course evaluation form, you will be awarded 2 CPE credits. McKonly & Asbury, LLP is an approved continuing professional education program sponsor through the Pennsylvania State Board of Accountancy.

Any questions or comments related to this training can be directed to Elaine Nissley, Principal at ENissley@macpas.com or by calling (717) 761-7910.

Step 1: To download the course click here. (Once downloaded. Begin slideshow)

Step 2: To download the quiz click here. (Check the box next to your answer)

Step 3: Please send your completed quiz (Including your name, company name, e-mail and phone) to Elaine@macpas.com.

Posted at 11:58 AM in ERM - Enterprise Risk Management | | Comments (0)

|

04/05/2010

Charities Beware: Does It Look Too Good To Be True?

Charity

The Case


Are you in a position to accept charitable donations, sit on the Board of Directors of a charity, or donate to charities? What would the organization(s) you are affiliated with do if an insurance company offered them a stock certificate for 226,112.55 shares of insurance company stock and a check for $20,000? Would they accept the stock certificate and check? Would they agree to write a receipt and have their picture taken with the stock certificate? That is exactly what 20 charitable organizations did and they are now left with 5% ownership in Walshire and unforeseen potential financial liabilities. More detail is in the court opinion located here. It is noted that these transactions were for the purpose of having the charitable organizations accept the detritus (debris). When you look at the list of organizations involved in this case, you find names of prominent organizations which many of you may have dealt with.

The Solution

What should an organization do to avoid becoming a victim of donation schemes? The following are several steps organizations should take.

Continue reading "Charities Beware: Does It Look Too Good To Be True?" »

Posted at 03:19 PM in ERM - Enterprise Risk Management, Fraud Risk Management, Non-Profit | | Comments (0)

|

04/02/2010

Breaking News in Information Security

87576588  This week there is breaking news in the world of information security that you will read about in this and 50 different blogs.  It is ground-breaking stuff that will astonish and astound you, and more than likely you will read it and be amazed.  AMAZED I say!

What is this revelation in the world of security?  What could so many be writing about this week?  It is this:

Security of information is mostly about doing the basics.

If you read 50 articles on information security, you will discover a common thread among them all: in one way or another they are talking about limiting rights, locking things up, reviewing access rights, and limiting exceptions to the rules.  While this is not rocket science, it does take time to complete, and more importantly, the effort to do it.

The most surprising part is that this is not new stuff.  Last week while perusing a text1, I found the following security principles regarding coding and IT: Seven Design Principles of Computer Security:

Continue reading "Breaking News in Information Security" »

Posted at 10:12 AM in ERM - Enterprise Risk Management, Internal Audit & Controls, IT, Security | | Comments (0)

|

03/11/2010

Internal Audit Benchmark Opportunities

Benchmark3
This is an opportunity for Internal Audit Management and Audit Committees to compare the activities of their Internal Audit function with what others are doing. This blog references three excellent publications that provide current trends and happenings within Internal Audit. I am curious, are these observations representative of what you are seeing or are you seeing different trends that our readers should consider?

Continue reading "Internal Audit Benchmark Opportunities" »

Posted at 08:00 AM in ERM - Enterprise Risk Management | | Comments (0)

|

Next »

Search

Links


McKonly & Asbury LLP.
News & Updates


The Affordable Housing Gurus


Contractors Center Point


The Lean Accountants


The Risk, Management, and Control Advisors


The Corporate Confidante