COSO and Risk Management

The document discusses key frameworks for internal controls including COSO and the Green Book. It describes how COSO has evolved over time and provides high-level overviews of control requirements for the US government, Department of Energy contractors, and US public companies.

Uploaded by

Raquel Lopez

Learning Objectives
Understanding:
• Key Drivers for an Effective Control Framework
• Parallel to Government Control Requirements
• DOE Framework and Contractor Requirements
• SEC/Public Company Requirements
• COSO Framework Maturity Over Time
• Enterprise Risk Management Objectives
• Processes and Controls
• Application of a Risk Maturity Matrix

The Committee of Sponsoring Organizations of the Treadway Commission

(COSO) is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence.

COSO updated its internal control guidance in 2013 with the issuance of a revised Internal Control - Integrated Framework. With it, COSO introduced the concept of principles related to the five components of internal control. The Green Book adapts these principles for a government environment.
http://www.coso.org/

The Green Book


Internal control helps an entity run its operations efficiently and effectively, report
reliable information about its operations, and comply with applicable laws and
regulations. Standards for Internal Control in the Federal Government, known as
the "Green Book," sets the standards for an effective internal control system for
federal agencies and was released by the Government Accountability Office (GAO)
in September of 2014.

http://www.gao.gov/greenbook/overview
Control Frameworks Contain Risk Assessment Component

The functioning of an integrated control framework is an organizational process that can aid agencies and companies in achieving operational, reporting and compliance objectives.

Risk assessment is a component of a control framework and risk management system which is designed to evaluate and address potential events, to reasonably ensure organizations are working more efficiently and effectively, reporting accurately on their operations, and complying with applicable laws and regulations.

Risk Assessment Applies to All Levels of an Organization


Government Adoption of Similar Requirements

A. Background
In 1982, Congress enacted the Federal Managers’ Financial Integrity Act (FMFIA), which requires each
agency to establish and maintain internal control systems that allow:
• obligations and costs to be recorded in compliance with applicable laws;
• funds, property, and other assets to be safeguarded; and
• revenues and expenditures applicable to agency operations to be properly recorded and accounted for to
permit the preparation of accounts and reliable financial information and statistical reports and to
maintain accountability over the assets.
Following the publication of the initial GAO Standards, the Office of Management and Budget (OMB) issued
Circular A-123 to provide specific guidance for agencies to follow in implementing internal control programs.
In 1995, OMB revised Circular A-123 to require internal controls to support the purpose of the newly
enacted Government Performance and Results Act of 1993, namely the improvement of program
effectiveness and accountability. This revision required agencies to transmit a single annual Statement of
Assurance from the head of the agency to the President, Congress, and OMB, stating whether there is
reasonable assurance that the agency’s controls are achieving intended objectives.

Utilizing Controls to Support Agency Objectives

DOE Internal Controls Evaluation Framework

Highlights Importance of Risk Assessment Process and Control Evaluations

Internal auditors in both assurance and consulting roles contribute to ERM in a variety of ways, such as evaluating the effectiveness of and recommending improvements to ERM processes.2

2 The IIA International Standards for the Professional Practice of Internal Auditing (Standards) specify that the scope of internal auditing should encompass evaluating risk management and control systems.

Good Source for Assurance Examples
Contractor and Audit Responsibilities

Management controls are required under DEAR 970-5203-1, which is incorporated in DOE Prime Contracts under clause I.

According to DEAR 970-5203-1, Management Controls:

(a)(1) The contractor shall be responsible for maintaining, as an integral part of its organization, effective systems of management controls for both administrative and programmatic activities. Management controls comprise the plan of organization, methods, and procedures adopted by management to reasonably ensure that: the mission and activities assigned to the contractor are properly executed; efficient and effective operations are promoted; resources are safeguarded against waste, loss, mismanagement, unauthorized use, or misappropriation; all encumbrances and costs that are incurred under the contract and fees that are earned are in compliance with applicable clauses and other current terms, conditions, and intended purposes; all collections accruing to the contractor in connection with the work under this contract, expenditures, and all other transactions and assets are properly recorded, managed, and reported; and financial, statistical, and other reports necessary to maintain accountability and managerial control are accurate, reliable, and timely.
(2) The systems of controls employed by the contractor shall be documented and satisfactory to DOE.
(3) Such systems shall be an integral part of the contractor's management activities, including defining specific roles and responsibilities for each level of management, and holding employees accountable for the adequacy of the management systems and controls in their areas of assigned responsibility.
(4) The contractor shall, as part of the internal audit program required elsewhere in this contract, periodically review the management systems and controls employed in programs and administrative areas to ensure that they are adequate to provide reasonable assurance that the objectives of the systems are being accomplished and that these systems and controls are working effectively. Annually, or at other intervals directed by the contracting officer, the contractor shall supply to the contracting officer copies of the reports reflecting the status of recommendations that result from audits of business, financial, or management controls performed by its internal audit activity and any other audit activity.
(b) The contractor shall be responsible for maintaining, as a part of its operational responsibilities, a baseline quality assurance program that implements documented performance, quality standards, and control and assessment techniques.

Audit Provides Opinion On Elements Of A Control System
Public Companies and Banking

Financial institutions and others considering going public:

• FDICIA requires senior management of financial institutions with $1 billion or more in assets to attest to the adequacy of their internal controls over financial reporting
• SOX 404(b), which applies to any public company with a market capitalization of more than $75 million (and therefore to many public financial institutions), also includes broad regulations covering the operating effectiveness of ICFR.

COSO is the de facto framework used to meet the internal controls requirements for SOX. It is also an accepted framework for compliance with FDICIA requirements.
Requirements for US Public Companies

SECURITIES EXCHANGE ACT OF 1934 Sec. 13
http://www.sec.gov/

(A) Make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer;
(B) devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that—

COSO IS The Chosen Framework By Most Public Companies

SEC Requirements Cont.

(i) transactions are executed in accordance with management’s general or specific authorization;
(ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;
(iii) access to assets is permitted only in accordance with management’s general or specific authorization; and
(iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences

This Act identifies and prohibits certain types of conduct in the markets and provides the Commission with disciplinary powers over regulated entities and persons associated with them. http://www.sec.gov/about/laws/sea34.pdf

Not Just About Accounting But About Authorization and Accountability
SEC Control Exception
El Paso’s Failure Properly to Account for Its Purchases of Iraqi Crude Oil

32. El Paso’s accounting for its Oil for Food transactions failed properly to record the nature of the company’s payments. In at least fifteen transactions, a portion of the company’s purchase price for Iraqi crude oil constituted surcharge payments to Iraq in violation of U.N. regulations and U.S. and international trade sanctions. The company failed to so designate those payments, characterizing them instead simply as part of El Paso’s cost of goods sold. Thus, El Paso failed to accurately record these payments in its books, records, and accounts.

CLAIMS FOR RELIEF
FIRST CLAIM
[Violations of Section 13(b)(2)(A) of the Exchange Act]
33. Paragraphs 1 through 32 are realleged and incorporated by reference.
34. As described above, El Paso, through its officers, agents and subsidiaries, failed to keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflected its transactions and dispositions of its assets.
35. By reason of the foregoing, El Paso violated Section 13(b)(2)(A) of the Exchange Act [15 U.S.C. § 78m(b)(2)(A)].
SECOND CLAIM
[Violations of Section 13(b)(2)(B) of the Exchange Act]
36. Paragraphs 1 through 35 are realleged and incorporated by reference.
37. As described above, with respect to illegal surcharge payments made in connection with El Paso’s purchases of Iraqi crude oil, El Paso failed to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that: (i) payments were made in accordance with management’s general or specific authorization; and (ii) payments were recorded as necessary to maintain accountability for its assets.
38. By reason of the foregoing, El Paso violated Section 13(b)(2)(B) of the Exchange Act [15 U.S.C. § 78m(b)(2)(B)].

Holding Companies Accountable for Violating Regulations
SEC Control Exception
Recap of El Paso’s Failure Properly to Account for Its Purchases of Iraqi Crude Oil
• Violation of U.N. regulations and U.S. and international trade sanctions
• Failed to designate payments correctly (should not have been cost of goods sold)

[Violations of Section 13(b)(2)(A) of the Exchange Act]
• Failed to keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflected its transactions and dispositions of its assets.
• Illegal surcharge payments made in connection with El Paso’s purchases of Iraqi crude oil

El Paso failed to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that:
(i) payments were made in accordance with management’s general or specific authorization; and
(ii) payments were recorded as necessary to maintain accountability for its assets.

38. By reason of the foregoing, El Paso violated Section 13(b)(2)(B) of the Exchange Act [15 U.S.C. § 78m(b)(2)(B)].
https://www.sec.gov/litigation/litreleases/2007/lr19991.htm

Holding Companies Accountable for Violating Regulations
Consequences of an SEC Violation

Scientific Industries CEO and Controller held accountable

Conspired to falsely inflate ESI's declining financial results by covering up significant expenses through various accounting devices

PRAYER FOR RELIEF
WHEREFORE, the Commission respectfully requests that the Court:
1. Permanently enjoin Dooley and his agents, servants, employees, attorneys, and all persons in active concert or participation with them who receive actual notice of the judgment by personal service or otherwise from directly or indirectly violating, or aiding and abetting violations of, Section 17(a) of the Securities Act, Sections 10(b), 13(a), 13(b)(2)(A), 13(b)(2)(B), and 13(b)(5) of the Exchange Act, and Rules 10b-5, 12b-20, 13a-13, 13a-14, 13b2-1, and 13b2-2 thereunder;
2. Permanently enjoin Defendants from serving as an officer or director of any entity having a class of securities registered with the Commission pursuant to Section 12 of the Exchange Act [15 U.S.C. § 78l] or that is required to file reports pursuant to Section 15(d) of the Exchange Act [15 U.S.C. § 78o(d)];
3. Order Defendants to disgorge all wrongfully obtained benefits, plus prejudgment interest;
4. Order Defendants to pay civil penalties under Section 20(d) of the Securities Act [15 U.S.C. § 77t(d)] and Section 21(d) of the Exchange Act [15 U.S.C. § 78u(d)];
5. Retain jurisdiction of this action in accordance with the principles of equity and the Federal Rules of Civil Procedure in order to implement and carry out the terms of all orders and decrees that may be entered, or to entertain any suitable application or motion for additional relief within the jurisdiction of this Court; and

https://www.sec.gov/litigation/litreleases/lr18896.htm

Holding Officers and Others Accountable
Consequences of an SEC Violation

Long-term repercussions from SEC actions

1. Permanently enjoined from further violations of the regulations
2. Permanently enjoined from serving as an officer or director of any public entity
3. Disgorge all wrongfully obtained benefits, plus prejudgment interest
4. Pay civil penalties
In addition:
• Licenses and certifications are at risk
• Continued employment in US unlikely
http://www.sec.gov/divisions/enforce/friactions.shtml

Whistleblower laws increase potential for more actions

Washington D.C., April 22, 2015 — The Securities and Exchange Commission today announced an award of more than a million dollars to a compliance professional who provided information that assisted the SEC in an enforcement action against the whistleblower’s company.

Holding Officers and Others Accountable
COSO Evolution

• 1992 – Internal Control - Integrated Framework
• 2004 – Enterprise Risk Management (ERM) - Integrated Framework
• 2009 – Guidance on Monitoring Internal Control Systems
• 2013 – Internal Control - Integrated Framework (updated)
• 2016 – Draft 2017 ERM

The Committee of Sponsoring Organizations of the Treadway Commission (COSO), http://www.coso.org
COSO 2017 Exposure Draft

2018 ERM Update Draft Broadens Risk Universe

• This document was developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the World Business Council for Sustainable Development (WBCSD).
• This draft guidance, Enterprise risk management: Applying enterprise risk management to environmental, social and governance-related risks, is designed to supplement COSO’s updated enterprise risk management (ERM) framework, Enterprise risk management - Integrating with strategy and performance. This supplemental guidance addresses an increasing need for companies to integrate environmental, social and governance (ESG)-related risks into their ERM processes.
• Businesses face an evolving landscape of emerging environmental, social and governance (ESG)-related risks that can impact a company’s profitability, success and even survival. COSO and WBCSD believe that leveraging a company’s enterprise risk management governance and processes can support identification, assessment and mitigation of ESG-related risks. This guidance is designed to facilitate the process.

[Table: how megatrends translate to ESG-related issues, risks and opportunities that companies need to acknowledge and address]

Consequences from failure to manage ESG-related risks
What Is Enterprise Risk Management?
According to COSO,1 Enterprise Risk Management (ERM) is “A process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, manage risk to be within its risk appetite, and to provide reasonable assurance regarding the achievement of entity objectives.”

This enterprise risk management framework is geared to achieving an entity’s objectives, set forth in four categories:
• Strategic – high-level goals, aligned with and supporting its mission
• Operations – effective and efficient use of its resources
• Reporting – reliability of reporting
• Compliance – compliance with applicable laws and regulations.

1 The Committee of Sponsoring Organizations of the Treadway Commission (COSO), http://www.coso.org
COSO Enterprise Risk Management Changes
Suggested definition revision:
“the culture, capabilities, and practices, integrated with strategy and execution, that organizations rely on to manage risk in creating, preserving, and realizing value.”

Previously, ERM’s main focus was preventing the erosion of value and minimizing risk to an acceptable level. Today, it is vital to strategy and identification of opportunities to create and maintain value.

Adopting a structure of components and principles. The Draft framework would have five components supported by 23 principles. The five interrelated components are:
• Risk governance and culture
• Risk, strategy, and objective setting
• Risk in execution
• Risk information, communication, and reporting
• Monitoring ERM performance

Provides Additional Attributes for Consideration / Assessment

The Committee of Sponsoring Organizations of the Treadway Commission (COSO), http://www.coso.org
Risk Framework Supports Maintaining Residual Risk Within Risk Appetite

Residual Risk = Inherent Risk – Risk Responses

Example: Risk appetite for accuracy of accounts payable
• Management confirms their risk appetite by establishing an acceptable error rate, say 3%
• Controls are designed to reasonably ensure within a confidence level of 5 – 10 % that errors will range between 0-3 % (designed residual)
• Monitoring efforts provide the actual error rate through audit or other assessments/reports (Residual = < Appetite)

If Actual Residual > Appetite - Framework Drives Corrections
• Actions are taken to address deficiencies following the barrier analysis and root cause (the 5 why process)
• Risk events are identified for which control objectives / controls are modified or added to lower likelihood

Management Accountability Framework (sidebar): Strategy effectiveness; Risk Governance Guidelines; Structure of the Framework; Assignment of Responsibilities; Risk Appetite Statement; Monitoring of Results; Corrective Action

Management Establishes Risk Appetite / CAE Must Report High Risks to the Board
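A worked version of the accounts payable example above, added here as an example and not taken from the slide deck: a constructed invoice sample is scored, the actual error rate is estimated with a one-sided upper confidence bound, and the residual risk is compared with the 3% appetite. It assumes the slide's "confidence level of 5 – 10 %" means a one-sided significance level (a 95% or 90% upper bound) and uses a Wilson score bound, which the slide does not specify; the invoice data is constructed.

```python
"""Residual risk versus risk appetite for accounts payable (AP) accuracy.

Added example, not from the COSO slide deck. Assumptions: the slide's
"confidence level of 5-10%" is read as a one-sided significance level
(alpha), the upper bound is a Wilson score bound, and the invoice
samples below are constructed for illustration.
"""
import math
from dataclasses import dataclass

# One-sided z-scores: alpha = 5% gives a 95% upper bound, 10% gives 90%.
Z_ONE_SIDED = {0.05: 1.6449, 0.10: 1.2816}


@dataclass(frozen=True)
class AppetiteCheck:
    sample_size: int
    errors: int
    observed_rate: float   # actual error rate reported by monitoring
    upper_bound: float     # one-sided upper confidence bound on that rate
    appetite: float        # management's acceptable error rate

    @property
    def within_appetite(self) -> bool:
        # Residual is within appetite only when even the upper bound of
        # the estimate stays at or below the acceptable error rate.
        return self.upper_bound <= self.appetite


def wilson_upper_bound(errors: int, n: int, alpha: float = 0.05) -> float:
    """One-sided Wilson score upper bound for a binomial error rate."""
    if n <= 0:
        raise ValueError("sample size must be positive")
    z = Z_ONE_SIDED[alpha]
    p = errors / n
    z2 = z * z
    centre = p + z2 / (2 * n)
    margin = z * math.sqrt(p * (1 - p) / n + z2 / (4 * n * n))
    return (centre + margin) / (1 + z2 / n)


def check_residual_risk(invoices, appetite: float = 0.03,
                        alpha: float = 0.05) -> AppetiteCheck:
    """invoices: iterable of (invoice_id, has_error) pairs from monitoring."""
    rows = list(invoices)
    n = len(rows)
    errors = sum(1 for _, has_error in rows if has_error)
    return AppetiteCheck(
        sample_size=n,
        errors=errors,
        observed_rate=errors / n,
        upper_bound=wilson_upper_bound(errors, n, alpha),
        appetite=appetite,
    )


def framework_response(check: AppetiteCheck) -> list[str]:
    """Actual residual > appetite drives the two corrective steps the slide
    lists; otherwise the result is reported and monitoring continues."""
    if check.within_appetite:
        return ["Report residual <= appetite; continue monitoring"]
    return [
        "Barrier analysis and root cause (5 whys) on the errors found",
        "Identify risk events; modify or add control objectives / controls "
        "to lower likelihood",
    ]


def constructed_sample(n: int, error_ids: set[int]):
    """Constructed AP sample: invoice ids 1..n, errors at the given ids."""
    return [(f"INV-{i:05d}", i in error_ids) for i in range(1, n + 1)]


# Same 2% observed error rate at two sample sizes (constructed data).
SMALL_SAMPLE = constructed_sample(200, {17, 58, 133, 190})          # 4 errors
LARGE_SAMPLE = constructed_sample(1000, set(range(50, 1001, 50)))   # 20 errors

if __name__ == "__main__":
    for label, sample in (("n=200", SMALL_SAMPLE), ("n=1000", LARGE_SAMPLE)):
        c = check_residual_risk(sample)
        print(f"{label}: observed {c.observed_rate:.1%}, "
              f"upper bound {c.upper_bound:.1%}, "
              f"within appetite={c.within_appetite}")
        for step in framework_response(c):
            print("  -", step)
```

The point the two samples make is that a 2% observed rate only demonstrates the residual is within a 3% appetite once the sample is large enough for the upper bound to fall below 3%; the small sample still fails the check at the looser 10% level.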
Risk Analysis

Risk Assessment: Identification; Measurement; Prioritization
Risk Management: Control It; Share or Transfer It; Diversify or Avoid It
Risk Monitoring: Entity Level; Process Level; Activity Level

Audit Will Typically Evaluate Risk Mitigation Through Controls at Various Levels
Risk Analysis Criteria

Likelihood – What is the likelihood the risk will occur? (Level: Current Plan, Approach and Processes...)
5 Near Certainty: ...Cannot avoid this type of risk; no known processes or workarounds are available
4 Highly Likely: ...Cannot avoid this risk, but a different approach might
3 Likely: ...May avoid this risk, but workarounds will be required
2 Low Likelihood: ...Have usually avoided this type of risk with minimal oversight in similar cases
1 Not Likely: ...Will effectively avoid this risk based on standard practices

Consequence – Given the risk is realized, what would be the magnitude of the impact? (Level 1 to 5, by type)
Technical: 1 Minimal or no impact; 2 Minor perf. shortfall, same approach retained; 3 Moderate perf. shortfall, but workarounds available; 4 Unacceptable, but workarounds available; 5 Unacceptable; no alternatives exist
Schedule: 1 Minimal or no impact; 2 Additional activities required; able to meet key dates; 3 Minor schedule slip; will miss need date; 4 Program critical path affected; 5 Cannot achieve key program milestone
Cost: 1 Minimal or no impact; 2 Budget increase or unit production cost increase <1%; 3 Budget increase or unit production cost increase <5%; 4 Budget increase or unit production cost increase <10%; 5 Budget increase or unit production cost increase >10%

[Heat chart: Likelihood (1–5) against Consequence (1–5), shaded Low / Moderate / High]
Risk Assessment Tools/Templates

Organizations and Functions measure likelihood and impact of risk occurrences against criteria:

Likelihood indicators (= Likelihood Score):
• Recent organizational changes?
• Recent public events?
• Recent escape(s)?
• Internal indicators show an area of concern?
• Recent regulatory change?
• Regulatory area complex?
• Internal control activities mature?
• Information flows?
• External regulatory agency monitoring?
• Internal monitoring?

Consequence indicators (= Impact Score):
• Escape results in loss of revenue?
• Escape results in loss of competitive advantage?
• Escape affects company reputation?
• Escape results in potential for fines or penalties?
• Related to an oversight agreement?

Results plotted on a “heat” chart (Likelihood against Consequence).

Evaluate Events Which Increase Likelihood of Consequence
Compliance Risk Assessment

A Environmental Issues
B Health and Safety
C FCPA
D Compliance Risk Management
E Training
F SOX
G Audit of Subcontractors
H Lobbying
I Import
J Staffing
K Labor Charging
L IT Security

[Heat chart: risks A–L plotted by Likelihood (1–5) against Consequence (1–5), with Low / Moderate / High bands]

Organizations and Functions can influence likelihood more than impact
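Scoring a compliance risk register like the one above and plotting it on a text heat chart, added here as an example and not taken from the slide deck. The indicator questions are the ones from the Risk Assessment Tools/Templates slide (two are reworded so that "yes" always raises likelihood); the rule mapping "yes" counts to a 1–5 score, the Low / Moderate / High thresholds, and the answers recorded for risks A–L are all constructed assumptions.

```python
"""Likelihood x Consequence scoring and heat chart for a compliance risk register.

Added example, not from the slide deck. Assumptions (not stated on the
slides): each "yes" indicator raises the score, which is mapped onto 1-5;
zones are Low (L*C <= 4), Moderate (5-12) and High (>= 15); the answers
recorded for risks A-L are constructed.
"""
from dataclasses import dataclass

# Indicator questions from the "Risk Assessment Tools/Templates" slide.
# The mature/flows/monitoring questions are inverted here so that a "yes"
# answer always means higher likelihood (an assumption of this example).
LIKELIHOOD_INDICATORS = [
    "Recent organizational changes?", "Recent public events?",
    "Recent escape(s)?", "Internal indicators show an area of concern?",
    "Recent regulatory change?", "Regulatory area complex?",
    "Internal control activities immature?", "Information flows weak?",
    "No external regulatory agency monitoring?", "No internal monitoring?",
]
CONSEQUENCE_INDICATORS = [
    "Escape results in loss of revenue?",
    "Escape results in loss of competitive advantage?",
    "Escape affects company reputation?",
    "Escape results in potential for fines or penalties?",
    "Related to an oversight agreement?",
]


def score(yes_count: int, total: int) -> int:
    """Map the number of 'yes' answers onto the 1-5 scale (assumed rule)."""
    return 1 + round(4 * yes_count / total)


def zone(likelihood: int, consequence: int) -> str:
    """Heat-chart band from the L x C product (assumed thresholds)."""
    product = likelihood * consequence
    if product <= 4:
        return "Low"
    if product <= 12:
        return "Moderate"
    return "High"


@dataclass(frozen=True)
class ScoredRisk:
    code: str
    title: str
    likelihood: int
    consequence: int
    zone: str


def score_register(register: dict) -> list[ScoredRisk]:
    """register: code -> (title, likelihood 'yes' count, consequence 'yes' count)."""
    scored = []
    for code, (title, l_yes, c_yes) in register.items():
        l = score(l_yes, len(LIKELIHOOD_INDICATORS))
        c = score(c_yes, len(CONSEQUENCE_INDICATORS))
        scored.append(ScoredRisk(code, title, l, c, zone(l, c)))
    return scored


def high_risks(scored: list[ScoredRisk]) -> list[str]:
    """Codes in the High band: the ones the CAE reports to the board."""
    return sorted(r.code for r in scored if r.zone == "High")


def heat_chart(scored: list[ScoredRisk]) -> str:
    """Render the 5x5 grid: likelihood rows (5 at top), consequence columns."""
    cells: dict = {}
    for r in scored:
        cells.setdefault((r.likelihood, r.consequence), []).append(r.code)
    lines = ["Likelihood"]
    for l in range(5, 0, -1):
        row = [f"{l} |"]
        for c in range(1, 6):
            label = ",".join(cells.get((l, c), [])) or "."
            row.append(f"{label:>5}")
        lines.append(" ".join(row))
    lines.append("    " + " ".join(f"{c:>5}" for c in range(1, 6)) + "   Consequence")
    return "\n".join(lines)


# Constructed register: titles are the slide's risks A-L; the yes counts are assumptions.
REGISTER = {
    "A": ("Environmental Issues", 5, 3), "B": ("Health and Safety", 8, 4),
    "C": ("FCPA", 3, 5), "D": ("Compliance Risk Management", 3, 4),
    "E": ("Training", 5, 2), "F": ("SOX", 5, 3),
    "G": ("Audit of Subcontractors", 3, 3), "H": ("Lobbying", 2, 3),
    "I": ("Import", 1, 0), "J": ("Staffing", 3, 2),
    "K": ("Labor Charging", 3, 4), "L": ("IT Security", 8, 5),
}

if __name__ == "__main__":
    scored = score_register(REGISTER)
    print(heat_chart(scored))
    print("Report to the board (High):", high_risks(scored))
```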
Risk Management Report
Risk #: H
Title: Lobbying
Owner: Jack Frost
Resp. Team: Legal & Contracts
Phone: 570.443.8425
Last Updated: 8/6/2016 (Reviewed)
Description: Risk of a violation of U.S. lobbying laws/regulations.

[Heat chart: Likelihood (1–5) against Consequence (1–5), Low / Moderate / High; o = Original rating, x = Current rating]

Likelihood Rationale: All lobbying is coordinated through the Corporate office. Only a few employees conduct any lobbying and it’s at a very low level. Affected employees are aware of the procedure to report lobbying activity. Procurement and Accounts Payable suite of controls – see contract compliance risks / controls.

Consequence Rationale: A violation of law could subject the company to fines and cause harm to business or reputation. Lobbying cost not allowable on Government contracts.

Visibility Level: Entity [ ]; Business [x]; Functional [x]
Phase / Issue: Candidate [ ]; Open [ ]; Closed [x]
Risk Category: Cost [x]; Schedule [ ]; Technical [ ]; Contract [x]

Risk Handling Strategy & Summary Rationale: Assume [ ]; Transfer [ ]; Mitigate [x]; Avoid [ ]
Lobbying activity is reported to Corporate on a quarterly basis. Management communicates on a regular basis with the Corporate Lobbying Team and is on the Lobbying distribution e-mail list. Lobbying costs distributed through unique corporate accounts.

Handling Plan and Plan Status: G – Currently executing to plan.
ERM Example
Action to streamline booking of material costs - eliminate need to capture costs by location

Objectives by category: Strategy (none); Operations – Lower Costs; Reporting – Accuracy; Compliance – Tax Requirements
Action Alignment: the action aligns with the Operations, Reporting and Compliance objectives

Operational objective – Efficiency related to capturing material costs – lower costs

Reporting objective – Effectively support needs of tax reporting groups – Tax Report Accuracy

Compliance objective – Accurate and timely sales tax returns - Required by law
Figure 1 – Internal audit’s role in ERM

Note: This diagram is taken from HB 158-2010 Delivering assurance based on ISO 31000:2009 Risk management, and is itself based on a diagram in a
position statement released by the Institute of Internal Auditors – UK and Ireland in September 2004 on The Role of Internal Audit in Enterprise-wide Risk
Management.
Broadleaf’s view is that the tasks in the dark-blue section of the fan should be separated from internal audit. Within most organizations there is a clear
conflict of interest between internal audit and risk management in these areas. Some of the specific roles and activities that may lead to conflicts of interest
are noted in Table 1.

Assurance Can Be Demonstrated Through Multiple Engagements


Framework Adequacy & Effectiveness

[Diagram: Barrier or Design Analysis – a Triggering Event passes through Management, Organizational, Programmatic and Individual Barriers, which correspond to Control Objectives / Controls (Preventive, Detective), with Information and Communication and Monitoring spanning the framework]

Latent Organizational Weaknesses (poorly written procedures, failed or non-existent barriers, ineffective management) determine the Implication or Impact.

Active Errors (poor control design, control not executed) determine the Actual Results.

Implication = What Can Go Wrong / Impact = What Did Go Wrong


Example – Risk – Related to State or Federal Tax returns

Consequence / Risk Events?

Fines and Penalties
• Missing the deadline to submit timely state tax returns may result in fines and penalties

Damage to company image or reputation
• Missing the deadline to submit timely state tax returns may damage company image or reputation in the business community

Incurring additional costs to support an increase in frequency of state audits
• Continually missing the deadline to submit timely state tax returns may result in an increase in state audit frequency, creating additional support costs

What might be some lower level risk events?

Conditional Probability
The probability that event A occurs given that event B has already occurred is called the conditional probability of A given B. Symbolically, this is written as P(A|B). The probability it rains on Monday given that it rained on Sunday would be written as P(Rain on Monday | Rain on Sunday).
Working Down The Risk Hierarchies

Missing the deadline to submit timely state tax returns may result in fines and penalties

Determine what the key events are and to what extent they should be mitigated

Risk # / Risk Description
1 Approval signatures are not available in a timely manner
2 Approvals/signatures are not available until xx
3 The sales activity for the period is not available in a timely manner resulting in returns not being completed timely
4 The payment process takes too long
5 Check processing takes 10 days after approval to deliver payment

Key Events are those events that are prioritized as more likely to occur and cause a condition that would lead to the realization of a consequence.

What Increases the Probability / Likelihood of a Consequence?
Risk/Control Mapping

Risk # / Control Description / Control Type (Preventive, Detective, Monitoring)

1 – State revenue tax return approvers are scheduled to review and approve returns during the 10th through the 15th of each month. A list of approvers is maintained with backups identified in an available database. Completion of scheduled review tracked. Control Type: Preventive

2 – Tax return completions are tracked within a database program which notifies management when a scheduled tax return has not been approved within the designated time period. Control Type: Detective

1-5 – Fines and penalties accounts are monitored for activity by the appropriate accounting manager – Corrective actions taken. Control Type: Monitoring

Controls Addressing The Key Events
Testing Results

[Template: Risk # / Control Description / Control Type (Preventive, Detective, Monitoring) / Control Review (Design Issue, Effective, Ineffective)]

• A deficiency in design exists when:
  o A control necessary to meet the control objective is missing; or
  o An existing control is not properly designed so that, even if it operates as designed, the control objective is not always met.
• A deficiency in operation exists when:
  o A properly designed control does not operate as designed; or
  o The person performing the control does not possess the necessary authority or qualifications to perform the control effectively.

Significant Deficiency – a deficiency, or combination of deficiencies, that results in more than a remote likelihood that a targeted event will not be prevented or detected, leading to a high probability of experiencing a consequence.
The “Why” Analysis

[Diagram: starting from the Problem (“Why did the problem happen?”), ask “Why?” from a process perspective and from a people perspective; at each branch ask “And why did that happen?” again, until each chain ends either at OK (no further cause) or at a Causal Factor]

Control Designs Should Address Causal Factors
Corrective Actions

Three essential elements to a corrective action:
• They address the cause(s) identified in the analysis
• They do not introduce new, unacceptable risks, i.e., do not degrade some other program or process
• Their implementation is feasible, within a reasonable time frame, and within the capability of management to implement

Ensure Identification of Risk Events
Closely Evaluate Processes/Results

[Diagram: a Business Objective is exposed to Risk Events 1–3; each Risk Event is addressed by one or more Processes (Process 1–5); each Process has a Process Objective with its own Risk Events (RE); each RE maps to one or more Control Objectives (CO); and each CO is met by one or more Controls]

Increasing The Probability of Achieving Objectives/Requirements By Utilizing Controls
Business Objective: Minimize Improper Payments
Business Services Objective: Accurate & allowable travel reimbursements

Process: Manager’s review of travel
• Risk → Control Objective: Prior approval for travel was obtained → Control: Employee attaches travel pre-approval form to reimbursement package.
• Risk → Control Objective: Adequate documentation is provided → Control: Manager reviews the reimbursement documentation to ensure approval and adequate support for expenses incurred & signs the documentation indicating approval. Reimbursement package is sent to accounts payable for review and processing.

Process: Accounts Payable’s review of travel
• Risk → Control Objective: Expense is only for the employee (i.e. no airfare paid for spouse) → Control: AP clerk reviews documentation to ensure only expenses for the employee were submitted for reimbursement and that the expenses are reasonable.
• Risk → Control Objective: Expenses are incurred → Control: AP clerk reconciles expense report to documentation provided by employee, ensuring all costs on the expense report are supported with documentation.
• Risk → Control Objective: Expenses are compliant with FAR, FTR, & company policy → Control: AP clerk reviews documentation for compliance with FAR, FTR and company policy.
Design Considerations

• How do we determine the appropriate Controls?
  Understanding the objectives and underlying Risk Events
• How do we determine what processes to Monitor?
  Understanding where the Controls reside that would mitigate the Risk Events
• How do we align layering of controls to ensure coverage of the highest risk areas?
  Understanding the relative strength of the controls that mitigate the Risk Events
Desired Leadership Attributes for Success
Consider Hiring and Development Objectives:

LEADING CHANGE
Creativity and Innovation, External Awareness, Flexibility, Resilience, Strategic Thinking, Vision

LEADING PEOPLE
Conflict Management, Leveraging Diversity, Developing Others, Team Building

RESULTS DRIVEN
Accountability, Customer Service, Decisiveness, Entrepreneurship, Problem Solving, Technical Credibility

BUILDING COALITIONS
Partnering, Political Savvy, Influencing/Negotiating

BUSINESS ACUMEN
Financial Management, Human Capital Management, Technology Management

FUNDAMENTAL COMPETENCIES
Interpersonal Skills, Oral Communication, Written Communication, Integrity/Honesty, Continual Learning, and Public Service Motivation

How Do You Achieve These Objectives?
Integrated Risk Management

Compliance with Laws and Regulations

Policy incorporates internal controls and compliance.

Company Requirements and Responsibilities:
a. All managers are responsible for ensuring that effective compliance controls exist;
b. No less than annual compliance risk status assessments;
c. A defined set of criteria for identifying, measuring, evaluating, monitoring, and reporting compliance risk within the organization or function;
d. Appropriate assignment of authority, vested in executive leadership, over compliance risk areas;
e. A compliance monitoring program appropriate to the size of the organization;
f. Appropriate compliance training made available to employees as needed;
g. Measurement of the effectiveness of internal controls;
h. Periodic compliance audits;
i. Appropriate delegation of authority for compliance matters; and
j. Continued monitoring of critical risks.

Elements Needed to Help Ensure Compliance Objectives are Met
(Notional) Compliance Risk Program and Strategic Roadmap (May 2015)

COMPONENT: ETHICS AND COMPLIANCE RISK MANAGEMENT

YEAR 1
• Identify and engage subject matter experts to surface key risks across the firm.
• Conduct a gap analysis to understand firm-wide compliance and legal risks and current control gaps:
  - Develop an initial list of core risks to review.
  - Involve a small cross-functional group to assess and prioritize core risks.
Key Metrics / Milestones:
• Identification of top 5 corporate compliance risks
• Number of compliance control issues documented in internal audit reports

YEAR 2
• Convene subject matter experts across the organization to assess key risks.
• Document company and industry-specific legal and regulatory requirements.
• Create uniform criteria to assess legal and compliance risks across likelihood and severity.
• Work with the business to develop risk mitigation plans.
• Use an employee survey to understand core culture, employee perceptions, and related risks.
Key Metrics / Milestones:
• Documentation and assessment of most significant compliance and legal risks to company
• Percent of major business units completing risk assessment
• Progress against risk mitigation plans

YEAR 3
• Survey organizations and functions regularly to uncover changes in compliance risk exposures.
• Update potential list of risk exposures with (potential) changes to the legal and regulatory landscape.
• Facilitate business unit-owned risk self-assessments that roll up to the corporate center.
Key Metrics / Milestones:
• Identification of top 5 corporate compliance risks to company (by location, business unit)

YEAR 4
• Integrate compliance risk assessments with enterprise-wide risk detection efforts.
• Develop detailed risk-specific (e.g., EH&S, data privacy) compliance standards for business units.
• Align organizational and functional unit-owned risk self-assessments and mitigation plans with strategic business plans.
Key Metrics / Milestones:
• Identification of top 5 compliance risks to company
• Year-over-year changes in organizational or functional risk assessment results
• Number of citations issued by regulatory agencies
• Internal audit compliance-testing results

© 2010 The Corporate Executive Board Company. All Rights Reserved. www.celc.executiveboard.com
Risk Management Maturity Model
