Enterprise Risk Management Integrating Compliance, ERM and Internal Control Dan Kaneshiro, Office of Management and Budget Temika Edwards, Department of Homeland Security John Sammon, Transportation Security Administration Jacki Ponti, USDA Rural Development Moderator: W. Todd Grams, Deloitte


Enterprise Risk Management Integrating Compliance, ERM and Internal Control

Dan Kaneshiro, Office of Management and Budget Temika Edwards, Department of Homeland Security John Sammon, Transportation Security Administration Jacki Ponti, USDA Rural Development

Moderator: W. Todd Grams, Deloitte

AFERM Summit 2017: Integrating Compliance, ERM and Internal Control

Dan Kaneshiro, Office of Management and Budget

November 1, 2017

Background and Context

Integration of Internal Controls and ERM

ERM and Internal Controls

[Figure: two diagrams titled "A-123 Future State" and "A-123 Prior to 2016". Labels: Governance, Enterprise Risk Management, Risk Management, Internal Controls. Source: Based on COSO]

ERM and Internal Controls: The Cube Version

[Figure: A-123 Section II. Update (Enterprise Risk Management). Cube components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, Monitoring. Levels: Subsidiary, Business Unit, Division, Entity-Level. Source: Based on COSO]

[Figure: A-123 Section III. Update (Internal Controls). Components of Internal Control: Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring. Levels of Organizational Structure: Function, Operating Unit, Division, Entity. Source: GAO Green Book]


AFERM Summit 2017 INTEGRATING COMPLIANCE, INTERNAL CONTROLS, ERM Temika Edwards Department of Homeland Security November 1, 2017



ERM AND INTERNAL CONTROL IN PRACTICE


In July 2016 OMB updated its Circular No. A-123 to modernize efforts to implement and coordinate ERM with strategic planning and internal controls. TSA Chief Performance and Enterprise Risk facilitated an A-123 working group to implement these suggested changes. The ERM and Internal Controls Implementation Plan consisted of the following:

1. Develop Risk Profile
2. Align Risk Responses & Internal Controls
3. Evaluate & Report Internal Controls
4. Coordinate with Requirements & Budget

KEY CHALLENGES:

1. Integrating ERM and Internal Control Taxonomies can be complex
   ✓ Identify a way to align ERM and Internal Controls Taxonomy that makes sense for the operations

2. Aligning top risk and internal control techniques can be cumbersome
   ✓ Current risk response alignment was more effective

3. Collaborations should be institutionalized and not based on relationships
   ✓ Embed integration methods into policies and budget initiatives

ERM AND INTERNAL CONTROL INTEGRATION IS KEY TO MISSION SUCCESS

[Figure: diagram with the following boxes and bullet groups. Source: OMB]

Strategic Decisions (OMB A-11)

Budget Decisions (OMB A-11)

Program Management (OMB A-11)

  • Operational Control Objectives
  • Reporting Control Objectives
  • Compliance Control Objectives
  • Risk Assessments

  • Agency Priority Goals
  • Cross Agency Priority Goals
  • FedStat

  • Policy
  • President’s Budget
  • Congressional Justification

  • Mission/Vision
  • Goals/Objectives
  • Strategic Planning

CXO/Operations Support (OMB A-123)

Risks and Uncertainty

  • Strategic
  • Operational
  • Reputational
  • Financial
  • Etc.

TIPS TO AVOID PITFALLS WHEN PREPARING TO IMPLEMENT ERM & INTEGRATE INTERNAL CONTROLS