The Proactive Risk Assessment: Keeping it Fresh

PRESENTER: John Snell, CIA
John is a partner at Moss Adams and has performed internal audit, enterprise risk assessment, Sarbanes-Oxley consulting, process analysis, and public accounting services since His focus is conducting risk assessments for clients to help determine their objectives and annual audit plan. His goal is to help clients achieve their business objectives and increase bottom-line results. John's practice areas include internal audit, Sarbanes-Oxley compliance, enterprise risk management, and process analysis. He has experience directing all phases of SOX 404 compliance including risk assessment, documentation, and testing. John has developed methodologies and practices to apply SEC company guidance and Auditing Standard No. 5 (AS5) with a focus on a top-down approach with his clients.

PRESENTER: Brian Taylor, CISA, CIA
Brian is a senior manager at Moss Adams and has over ten years of experience specializing in risk-based internal audits and Sarbanes-Oxley (SOX 404) compliance. He currently assists both domestic and global companies through his involvement in all phases of the internal audit function, including facilitating their risk assessment methodology, overall project management, annual and individual audit planning, performance of audits, and reporting at all levels of the organization. Brian has managed numerous Sarbanes-Oxley Section 404 assessment projects from risk identification to final reporting.

OBJECTIVES
- Define risk and explain the components of the risk assessment process
- Explain the forces influencing a company's risks and help increase understanding of the value and opportunity offered by a risk assessment
- Provide a practical approach to using an ongoing risk assessment methodology

WHAT IS A RISK ASSESSMENT?
Risk: a factor, thing, element or course involving uncertain dangers.
A risk assessment is the identification, measurement and prioritization of likely relevant events or risks that may have a material consequence on an organization's ability to achieve its objectives.

GET YOUR HEAD IN THE GAME
When it comes to risk management, you need to be thinking about how to:
1. Create and protect value
2. Be an integral part of all organizational processes
3. Be part of decision making
4. Explicitly address uncertainty
5. Be systematic, structured, and timely
6. Be based on the best available information
7. Be tailored
8. Take into account human and cultural factors
9. Be transparent and inclusive
10. Be dynamic, iterative, and responsive to change
11. Facilitate continual improvement of the organization

WHY A RISK ASSESSMENT?
Value is a function of risk and return. Every decision either increases, preserves, or erodes value.

VALUE PROPOSITION
The proactive risk assessment addresses all organizational goals, activities and relations with key stakeholders. The proactive risk assessment is more than expanded controls, compliance procedures, and audits. An ongoing risk assessment is an anticipatory process that becomes a key part of strategy and planning to minimize uncertainties and capitalize on opportunities.

RISK INFLUENCES
What is the risk? Because risks are tied to an organization's goals, risk influencers can come from many different directions. Common influencers include:
- Stockholder expectations
- Stakeholder demands
- Regulatory compliance
- State and local legislation
- Employee contracts
- Market or social perceptions (reputation)

MANAGING RISK IS A CONTINUOUS PROCESS
Risk management cycle: IDENTIFY > ASSESS > RESPOND > MONITOR

MANAGING RISK IS A CONTINUOUS PROCESS: IDENTIFY

IDENTIFY OBJECTIVES
Objectives are the purpose of the organization and what it seeks to accomplish. Objectives may also be defined as goals. All stakeholders influence objectives, including management, employees, customers, governments, communities and the environment. Objectives are ranked by importance and urgency.
Objectives may generally include:
- Safeguarding of assets, both tangible and intangible (e.g., cash and property; IP and reputation)
- Efficient and economical use of available resources by all departments
- Compliance with laws and regulations, and with company policies
- Accurate and reliable financial reporting, external and internal
- Fulfilling strategic, operational and tactical objectives

IDENTIFY OBJECTIVES (cont.)
Objectives for a public company or planned IPO may include:
- Safeguarding of IP and reputation
- SOX 404 compliance
- Internal controls environment
- PCAOB or COSO framework compliance
- Accurate and reliable financial reporting
- Segregation of duties enforcement
- IT General Controls (ITGC) or management controls compliance

IDENTIFY OBJECTIVES (cont.)
Objectives for a healthcare organization may include:
- HIPAA compliance
- Physician contracting compliance
- Joint venture distribution reimbursements
- Patient care quality measures
- Meaningful use incentives accountability and documentation
- Financial close or financial process review

RISK IDENTIFICATION PHASE
Risk is inherent in the pursuit of objectives. Risk is anything that may impact the achievement of objectives, and may include things that go wrong (hazards), underperformance or missed opportunities. Risks are evaluated on likelihood of occurrence and impact. Example risk areas:
- Damage to reputation
- Data integrity and protection
- Fall in stock price
- Disenfranchised workplace
- Safeguarding of assets
- Regulatory compliance
- Fraud
- Legal liability

RISK IDENTIFICATION PHASE (cont.)
Brainstorming should include discussions of:
- Event identification: identifying those incidents, occurring internally or externally, that could negatively affect strategy or the achievement of objectives
- The risk of management override of controls
- The population of general risks relevant to the type of organization, department and process being evaluated
Information gathering:
- Review business process documentation, relevant policies and procedures, and related laws and regulations
- Review historical process walkthroughs
- Segregation of duties analyses
- Review of prior internal and external audit findings
- Conduct high-level interviews

MANAGING RISK IS A CONTINUOUS PROCESS: ASSESS

RISK ASSESSMENT PHASE – RISK RANKING
Risk ranking is the prioritization of risks that can prevent your organization from achieving its goals. Risks are evaluated on likelihood of occurrence and impact.
Ranking organizational risk:
- Determine what constitutes high, medium and low likelihood of occurrence
- Define what constitutes high, medium and low impact (could be defined in terms of financial materiality, legal risk, damage to reputation, etc.)
- Prepare a summary and rating of risks

LIKELIHOOD AND IMPACT
Risk ranking categories help assess the likelihood and significance (potential impact) of inherent risks. Risk rankings should be frequently re-evaluated.
Likelihood:
- High: probable
- Medium: reasonably possible
- Low: remote
Significance (impact):
- High: material
- Medium: significant
- Low: immaterial

RISK ASSESSMENT PHASE – RISK HEAT MAP
[Heat map figure. Axes: "Likelihood of Control / Process Issues" and "Importance to Business Performance". Process areas plotted on the map: Construction Operations; Contract Management; Federal Contracting and Compliance; Financial Close and Reporting Process; Expense Reports; Wireless Operations and Compliance; Treasury Function; Forecasts and Estimates; Information Technology; Public Safety Operations; Purchasing & Contract Management; Risk Management; Property Tax Collections; Segregation of Duties; Human Resource Operations and Compliance; Anti-Fraud Programs.]

RISK ASSESSMENT PHASE – RISK RANKING (cont.)
Risk factors – impact:
- Effect on goals achievement
- Financial amounts at risk
- Regulatory compliance and system compliance
- Health and/or safety
- Billing and revenue capture exposures
- Cost or operational concerns
- Contractual compliance
Risk factors – likelihood:
- Probability of potential problem, loss or missed opportunity
- Potential timeframe for undesirable outcome
- Management concerns
- Operations structure, changes and complexity
- Regulatory changes
- Financial incentives
- Past issues
- Asset liquidity
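The ranking slides above describe the method in words: rate each area on the three-level likelihood and impact scales, place it on the heat map, and prepare a summary ordered by priority. The following Python helper is an added example, not material from the presentation or from Moss Adams; it scores a constructed risk register on those scales, assigns a heat-map band, and produces the ranked summary. The area names come from the heat-map slide, but their ratings, the "factor" notes, the `Risk` dataclass, and the red/amber/green thresholds are assumptions made for this example, since the deck leaves the definition of each category to the organization.

```python
"""Risk ranking on the deck's three-level likelihood / impact scales.

Added example, not material from the presentation.  The register entries,
their ratings and the heat-map band thresholds are constructed for
illustration; only the category names come from the slides.
"""
from collections import defaultdict
from dataclasses import dataclass

# Scales from the "Likelihood and Impact" slide, mapped to numeric weights.
LIKELIHOOD = {"High": 3, "Medium": 2, "Low": 1}   # probable / reasonably possible / remote
IMPACT = {"High": 3, "Medium": 2, "Low": 1}       # material / significant / immaterial


@dataclass(frozen=True)
class Risk:
    area: str          # process or function being rated
    likelihood: str    # "High", "Medium" or "Low"
    impact: str        # "High", "Medium" or "Low"
    factor: str = ""   # the risk factor that drove the rating (for the summary)


def score(risk):
    """Likelihood weight times impact weight: 1 (Low/Low) up to 9 (High/High).
    A rating outside the agreed scale is rejected rather than silently scored."""
    try:
        return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]
    except KeyError as missing:
        raise ValueError(f"{risk.area}: rating {missing} is not on the scale") from None


def band(points):
    """Heat-map band for a score.  Thresholds are an assumption for this
    example; the deck leaves them to each organization to define."""
    if points >= 6:
        return "red"
    if points >= 3:
        return "amber"
    return "green"


def rank(register):
    """Highest score first.  Equal scores (e.g. High/Medium vs Medium/High)
    are broken in favour of the higher impact, then alphabetically by area,
    so the ordering is deterministic."""
    return sorted(register, key=lambda r: (-score(r), -IMPACT[r.impact], r.area))


def heat_map(register):
    """Group areas into heat-map cells keyed by (likelihood, impact)."""
    cells = defaultdict(list)
    for r in rank(register):
        cells[(r.likelihood, r.impact)].append(r.area)
    return dict(cells)


def summary(register):
    """Rows of (area, likelihood, impact, score, band) in ranked order."""
    return [(r.area, r.likelihood, r.impact, score(r), band(score(r))) for r in rank(register)]


# Constructed register: area names are taken from the heat-map slide,
# the ratings and factors are made up for this example.
SAMPLE_REGISTER = [
    Risk("Financial Close and Reporting Process", "High", "High", "financial amounts at risk"),
    Risk("Segregation of Duties", "Medium", "High", "past issues"),
    Risk("Information Technology", "High", "Medium", "operations changes and complexity"),
    Risk("Anti-Fraud Programs", "Low", "High", "management concerns"),
    Risk("Expense Reports", "Medium", "Low", "cost or operational concerns"),
    Risk("Treasury Function", "Low", "Low", "asset liquidity"),
]

if __name__ == "__main__":
    for area, lik, imp, pts, colour in summary(SAMPLE_REGISTER):
        print(f"{colour:5} {pts}  {lik:6}/{imp:6}  {area}")
```

The tie-break in `rank` is the design point worth noting: a medium-likelihood/high-impact item and a high-likelihood/medium-impact item both score 6, and ordering by impact first keeps the material items at the top of the summary, which is what the "Significance (Impact)" scale is meant to drive. Rejecting unknown ratings in `score` guards against a register row that was entered with a label outside the agreed high/medium/low vocabulary.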

MANAGING RISK IS A CONTINUOUS PROCESS: RESPOND

RISK RESPONSE OPTIONS
1. Avoid (eliminate) the risk
2. Increase
3. Remove source
4. Reduce (mitigate) the risk
5. Share or transfer the risk
6. Accept the risk

RESPONSE EXAMPLES
Control activities are procedural actions taken to carry out management directives, e.g., approvals, authorizations, verifications, recommendations, employee performance reviews, asset security and segregation of duties.
Common examples of response activities:
- Strategic business plan that defines the organization's goals
- Facility layouts that prevent loss from theft
- Separate cash collection and safeguarding from cash transaction processing (daily reconciliations and deposits)
- Three-way matching of payables
- Disaster recovery planning for IT systems
- Construction contract auditing
- Employee code of conduct
- Employee background checks

RISK RESPONSE PHASE – SOLICIT FEEDBACK
We recommend that you develop a set of actions to align risks with organizational risk tolerances and risk appetite.
1. How has your department responded to its material or high-rated risk areas/events?
2. Have your feedback and recommendations been instrumental with stakeholders?

MANAGING RISK IS A CONTINUOUS PROCESS: MONITOR

STRUCTURE MONITORING CYCLE EXAMPLE
[Cycle diagram. Stages shown:]
- Risk assessment and risk mitigation strategy
- Follow up on internal audit recommendations and monitor controls compliance actions
- Perform internal audits, oversee controls compliance activities and report results
- Internal audit and controls compliance plan
[Outcomes shown:]
- Stakeholder assurance of controls implementation
- Reliable financial reporting
- Mitigate risk of loss and controls override
- Operations effectiveness and efficiency

RISK ASSESSMENT RECAP
Risk management cycle: IDENTIFY > ASSESS > RESPOND > MONITOR

KEY TAKEAWAYS
- Risk assessments help prevent surprises
- Risk assessment and risk management build awareness and consensus across the organization
- Prioritizing risks focuses your organization's attention and resources on the most significant areas of risk first
- Identifying risks increases your leadership's awareness of things that could go wrong, before they occur
- Addressing risks before they occur saves time and effort and helps to avoid costly issues
- A risk assessment helps ensure resources are deployed in a way that fulfills your organization's mission
- A good risk management program is continuous and is good business

FINAL CONSIDERATIONS
- Constantly be aware of risks; the risk assessment is not just an annual event
- Set objectives! Ensure your risk assessment is focused on your specific objectives
- Not all risks are equal: consider factors of likelihood and impact and prioritize based on your goals
- Choose effective and efficient control activities
- Ongoing monitoring helps maintain the effectiveness of any risk management system
- Communicate results

QUESTIONS
John Snell (949)
Brian Taylor (360)