COSO Enterprise Risk Management ' ' ' An Integrated Framework

1
COSOEnterprise Risk Management . . . An
Integrated Framework
2
Todays Agenda

• COSO ERM Framework Project Overview
• Key Concepts
• Key Components
• Relationship with Internal Control
• Example of Implementation of ERM Framework

3
Enterprise Risk Management

• Patricia Cochran, CFO
• VSP
• patrco_at_vsp.com

4
Project Background

• COSO
• Concluded that there was a need for a recognized
  framework despite an abundance of literature on
  the subject.
• Believes there is consensus that all
  organizations can benefit from improved risk
  identification and risk analysis procedures.
• Recognizes that many organizations are engaged
  in some aspects of enterprise risk management.

5
Project Overview

• Enterprise Risk Management Framework consists of
  two documents

6
Tools And Guidance

• Executive Summary - Free Download - COSO
• Framework and Application Guidance - AICPA
• Web cast on the Framework AICPA
• Audit Committee Tool - AICPA (ACEC Site)
• AICPA Journal of Accountancy Article (Summer
  2005)
• Small Business Guidance (forthcoming)

7
Enterprise Risk Management Defined

• Enterprise risk management is a process
• Effected by an entitys board of directors,
  management and other personnel,
• Applied in a strategic setting and across the
  enterprise,
• Designed to identify potential events that may
  affect the entity, and
• Manage risk to be within its risk appetite
• To provide reasonable assurance regarding the
  achievement of entity objectives.

8
ERM Key Concepts

• Risk Philosophy
• Risk Appetite
• Portfolio View of Risk

9
The Enterprise Risk Management Framework

• The Enterprise Risk Management framework has
  eight interrelated components
• Entity objectives can be viewed in the context of
  four categories
• Strategic
• Operations
• Reporting
• Compliance
• ERM considers activities at all
• levels of the organization

10
Relationship With Internal Control

• The ERM Framework is not intended to, and does
  not replace the IC-IF document.

11
COSO ERM vs. COSO I/C

• ERM extends into strategic domain
• Reporting category encompasses more than
  Financial Reporting
• Risk assessment- three separate ERM components

12
ERM and Internal Control

• Effective internal control is necessary for
  effective enterprise risk management.

You can have effective internal control without
effective enterprise risk management, you cannot
have effective enterprise risk management without
effective internal control.
13
VSP Overview

• Nations largest provider of eyecare benefits
• Founded in 1955
• About 44 million members (1 in 8 Americans)
• 1,900 employees
• Seventh year in a row - 7 on 2006 List

14
VSP Overview

• 2005 Revenue 2.2 billion
• 23,000 clients
• Cover 184 of the Fortune 500 companies
• Cover 39 of the Fortune 100 Best Places to Work
  companies

15
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information and Communication
Monitoring
16
Internal Environment Component

• Establishes a philosophy regarding risk
  management. It recognizes that unexpected as
  well as expected events may occur.
• Risk appetite is set by management and approved
  by the board.
• Considers all other aspects of the organizations
  actions including allocation of authority, ethics
  and values, and human resources.

17
Elements of VSPs Risk Management Process

• Internal Environment
• One Clear Vision ethical values policy and code
  of conduct with annual recommitment
• Senior vice president serving as ethics and
  compliance officer
• Open door policy

18
Elements of VSPs Risk Management Process

• Internal Environment
• Human resource practices pertaining to
  orientation of new employees, counseling,
  promoting, compensating and taking remedial
  action
• Hiring practices to insure competence of staff,
  including background checks, drug testing and
  credit checks
• Ongoing training programs (Top 100 Training
  Company)

19
Objective Setting Component

• ERM is applied in objective-setting when
  management considers risks strategy in the
  setting of objectives.
• Objectives are set with regard to the risk
  appetite.
• Tolerances are established for related objectives.

20
Elements of VSPs Risk Management Process

• Objective Setting
• Annual goals provided by the Board of Directors
  to the CEO
• Strategic plan with high level goals aligned with
  the companys mission and vision
• Communication of company objectives to personnel
  at all levels, insuring requisite understanding
  to each employees sphere of influence (Meeting
  in a Box)

21
Elements of VSPs Risk Management Process

• Objective Setting
• Annual operating plans and budgets by division
• Key job accountability requirements for each
  employee, with regular performance evaluations
• Best practices and industry benchmarks (ABM)

22
Event Identification Component

• Identify those incidents, occurring internally or
  externally, that could affect strategy and
  achievement of objectives.
• Addresses how internal and external factors
  combine and interact to influence its risk
  profile.
• Distinguish risk and opportunity.

23
Elements of VSPs Risk Management Process

• Event Identification
• Monitor payments in default in accounts
  receivable monthly
• Identification and reporting of security and
  safety incidents to executive team
• Mitigate potential for natural disasters through
  insurance coverage (high flood risk in
  Sacramento)
• Monitor systems access and potential computer
  viruses

24
Elements of VSPs Risk Management Process

• Event Identification
• Current status of evolving electronic commerce
  and impact on the business
• Market intelligence activities and reporting
• Evaluation of competitor actions
• Determination of changing market demographics
• Evaluation of political threats or opportunities,
  such as national health insurance

25
Risk Assessment Component

• Allows an entity to understand the extent to
  which potential events might impact objectives.
• Assesses risks from two perspectives likelihood
  and impact.
• The unit of measure assess risks should be the
  same or congruent to measure used for related
  objectives.
• Employs a combination of both qualitative and
  quantitative risk assessment methodologies.
• Time horizons are related to objective time
  horizons.
• Assesses risk on both an inherent and residual
  basis.

26
Elements of VSPs Risk Management Process

• Risk Assessment
• Strategic planning review of strengths,
  weaknesses, opportunities and threats (SWOT)
• Benchmarking against competitors and like
  industries and reporting to Board of Directors
• Periodic reviews of business continuity plans,
  with regular testing at offsite vendor location

27
Risk Response Component

• Identifies and evaluates possible responses to
  risk.
• Evaluates options in relation to entitys risk
  appetite, cost vs. benefit of potential risk
  responses and degree to which a response will
  reduce impact and/or likelihood.
• Assessment of and response to risks are integral
  components of ERM which specific response is
  selected is not.
• Selects and executes its response based on
  evaluation of the portfolio of risks and
  responses.

28
Elements of VSPs Risk Management Process

• Risk Response
• Remote location data processing center
• Redundant call center services between Sacramento
  and Columbus
• Redundant telephone, IVR and eClaim equipment in
  Sacramento and Columbus
• Supervision with review and approval over key
  information processing procedures

29
Elements of VSPs Risk Management Process

• Risk Response
• Weekly executive meetings to share information
  and to determine appropriate responses to
  situations that involve risk
• Budget Oversight Committee review and approval of
  company budgets and major capital expenditures,
  as well as mid-year revisions
• Insurance coverage for errors and omissions,
  directors and officers, general liability,
  fiduciary and fidelity bonds

30
Control Activities Component

• Control activities are the policies and
  procedures that help ensure that the risk
  responses, as well as other entity directives,
  are carried out.
• Occur throughout the organization, at all levels
  and in all functions.
• Includes application controls and general
  information technology controls.

31
Elements of VSPs Risk Management Process

• Control Activities
• Formal job descriptions with proper segregation
  of duties
• Regular meetings of multi-divisional Internal
  Control Forum
• Regular review of activity based management
  reports
• Control procedures for recording journal entries
  or other post closing adjustments in general
  ledger

32
Elements of VSPs Risk Management Process

• Control Activities
• Use of banks lock boxes to collect client premium
• Cash controls, including positive pay, over check
  disbursements
• Established signature authority levels for
  approval of expenditures and routine verification

33
Elements of VSPs Risk Management Process

• Control Activities
• Controls over applications of information
  technology systems, such as control totals, edit
  checks, and authorization security
• Steering committee oversight over major
  information technology projects
• Standard controls over software acquisition,
  development and maintenance

34
Elements of VSPs Risk Management Process

• Control Activities
• Physical safeguards over frame and lens
  inventories and periodic physical inventory
  counts attended by Finance staff
• External security service for physical facilities
• Regular reporting of performance indicators

35
Information and Communication Component

• Information is needed at all levels of an entity
  in identifying, assessing, and responding to
  risk.
• Management identifies, captures and communicates
  pertinent information in a form and timeframe
  that enables people to carry out their
  responsibilities.
• Communication occurs in a broader sense, flowing
  down, across and up the organization.

36
Elements of VSPs Risk Management Process

• Information and Communication
• Quarterly ABM benchmark reporting for all
  administrative and ophthalmic materials
  activities
• Monthly financial statement reporting and
  analysis within five working days
• Monthly reporting of budget versus actual results
  to each supervisor
• Detailed expenditure reporting to the manager of
  each cost center

37
Elements of VSPs Risk Management Process

• Information and Communication
• Quarterly meetings of senior management and Board
  leadership to review progress of plans
• Semi-annual all-employee meetings with CEO
• Strategic planning intranet with current
  competitor information

38
Monitoring Component

• Monitors the ongoing effectiveness of the other
  enterprise risk management components through
• Ongoing monitoring activities
• Separate evaluations
• A combination of the two

39
Elements of VSPs Risk Management Process

• Monitoring
• Special investigative fraud auditing unit of
  certified fraud examiners
• Internal auditing of claims to verify processing
  accuracy and timeliness
• Audits by Insurance Departments with regulatory
  oversight responsibility
• Independent audit by CPA firm

40
Elements of VSPs Risk Management Process

• Monitoring
• Corroboration of billing data by clients,
  insuring accuracy of revenue reporting
• Regular reconciliation of operating reports, bank
  accounts and subsidiary systems to general ledger
  account balances
• Review and grade setting by insurance rating
  agency (AM Best)

41
Elements of VSPs Risk Management Process

• Monitoring
• Employee focus group meetings each quarter with
  CEO and VP of Human Resources
• External hotline phone for reporting illegal or
  improper acts anonymously (whistleblower
  protection)
• Routine surveying of the satisfaction levels of
  clients, patients, doctors and employees (bonus
  program)

42
Roles and Responsibilities

• Distinct roles and responsibilities are necessary
  to ensure effective enterprise risk management
• Management
• The Board of Directors
• Risk officers
• Internal auditors

43
Key Concepts In The Enterprise Risk Management
Framework

• Events and risks
• Applying risk management in strategy setting
• Risk appetite and risk tolerance
• Portfolio view

44

• Summary Questions