Enterprise Risk Management

Presentation to the Committee on Audit
January 2006

THE TEXAS A&M UNIVERSITY SYSTEM

What Is ERM?

What is Enterprise Risk Management? (Institute of Internal Auditors’ Definition)

A rigorous and coordinated approach to assessing and responding to all risks that affect the achievement of an organization’s strategic and financial objectives. This includes both upside and downside risks.



Institute of Internal Auditors: Key Objectives of the Risk Management Process

Internal auditors should obtain sufficient evidence to satisfy themselves that the five key objectives of the risk management process are being met in order to form an opinion on the adequacy of risk management processes.

1. Risks arising from business strategies and activities are identified and prioritized.

2. Management and the board have determined the level of risks acceptable to the organization, including the acceptance of risks designed to accomplish the organization’s strategic plans.

3. Risk mitigation activities are designed and implemented to reduce, or otherwise manage, risk at levels that were determined to be acceptable to management and the board.

4. Ongoing monitoring activities are conducted to periodically reassess risk and the effectiveness of controls to manage risk.

5. Enterprise risk management deficiencies are reported upstream, with serious matters reported to top management and the board.


IIA’s Risk Management Process

Identify and Prioritize Risks

Determine Level of Acceptable Risk

Develop Mitigation Activities

Conduct Ongoing Monitoring

Report Periodically on Risk Management Process

Today’s Organizations Approach Risk Management in Ways That Can Be Broadly Categorized into Five Levels

Level I organizations see little value in proactive risk management.

In Level II organizations, there is general awareness about risk management and some conceptual appreciation for its value in assuring that not all uncertainties become problems.

Level III organizations are aware of risk management and they have set up some mechanisms to monitor risks.

In Level IV, a broader risk management position is created to review “hot” spots, assist in risk assessment within the business units, and keep score.

In Level V organizations, the CEO believes that risk management should be imbedded in every part of the organization. Business units track their progress against action plans. Training programs are in place. Internal audit evaluates the program to assure that the process is in place and working effectively.

What is TAMUS SIAD Doing?

Formal Presentation to CFOs – Fall of 2003

Initial Presentation to the Committee on Audit – December 2003

Ad Hoc Discussions with TAMUS Executives

Briefings with CEOs – Fiscal Years 2004 and 2005

Preliminary Assessment of ERM Maturity Level – Fall 2004

Assessment of ERM Maturity Level – Fall 2005

Presentation to the Committee on Audit – January 2006

Level I: Little value placed on risk management.

Level II: General awareness of the value of risk management.

Level III: Some risk monitoring mechanisms in place.

Level IV: Risk management officer reviews "hot spots" and assists in risk assessment with organizational units and keeps track of risks.

Level V: Risk management is imbedded in every part of the organization; risk manager, working with senior leadership, designs risk management processes, forms and training; organization units track progress against action plans.

System Member  Level I  Level II  Level III  Level IV  Level V

PVAMU √    

TSU     √    

TAMIU     √  

TAMU     √    

TAMUG     √    

TAMUC     √    

TAMUCC     √    

TAMUK     √    

TAMUT     √    

WTAMU     √    

HSC     √    

TAES       √  

TCE       √  

TFS     √    

TVMDL       √  

TEES       √  

TEEX       √  

TTI     √    

System Offices     √