Enterprise Risk Management

  • 1.  RE: ERM and SOX

    This message was posted by a user wishing to remain anonymous.
    Posted 07-13-2006 11:06 AM
    ------------------------------------------
    This message has been cross-posted to both the Risk Professionals and the Enterprise Risk Management E-Groups.
    ------------------------------------------

    In our case, SOX was already implemented (two years back) and we began our ERM journey last year. Since ERM is so much bigger than financial controls, we have not tried to tie things up with SOX. However, our Internal Audit group is reviewing our risk assessment / mitigation database to focus on areas to audit. We don't have a specific software tool that ties these together. However, one is not necessary; reports from the database allow the internal audit group to formulate their audit plan.

    -------------------------------
    Riju Kumar
    MedImmune, Inc.
    Assistant Treasurer
    -------------------------------


  • 2.  RE: ERM and SOX

    This message was posted by a user wishing to remain anonymous.
    Posted 07-14-2006 09:43 AM
    In our experience, COSO Internal Controls is explicitly incorporated into the COSO ERM framework, which we are adopting. That means SOX compliance work is supporting, and not duplicating, the ERM initiative work. The Internal Auditor and Controller should be part of the ERM or risk management committee to ensure better coordination/communication.

    -------------------------------
    Robert Moussaid
    Ohio Casualty Corporation
    Risk Manager
    -------------------------------


  • 3.  RE: ERM and SOX

    This message was posted by a user wishing to remain anonymous.
    Posted 07-17-2006 10:28 AM
    We are a very diversified manufacturing (aerospace and music) and industrial products distribution company just beginning to look at ERM. One early issue is that our head of internal audit is jockeying for position to head up the process. I feel this would relegate the process to a controls adventure rather than more concentration on true risk identification and mitigation. I also see a conflict with auditors heading operational functions. I would appreciate any advice or opinions on ERM organizational structures in a diversified environment and/or any sample plans that may be available. I have found the RIMS library rather limited; are there any other resources you would suggest?

    -------------------------------
    David Kuhnke
    Kaman Corporation
    AVP Corp. Risk Safety Env
    -------------------------------


  • 4.  RE: ERM and SOX

    This message was posted by a user wishing to remain anonymous.
    Posted 07-18-2006 12:19 PM
    David,

    We have partnered with audit to address the operational vulnerabilities that drive our top strategic risks with great success. Much of the success of an audit-based approach lies in the type of work that your audit group does. Clearly, they have to be looking at global or cross-organizational processes; a low-level business unit process audit will not be likely to address strategic risks. But even if there is a great fit with audit, the one piece that will be left out is the risk analysis. While some risks in the ERM framework require an audit-type report, others require risk management evaluation and solutions. For example, supply chain vulnerability will have aspects of hazard, contractual and risk mitigation/BCP strategies that would not necessarily fall within the scope of an audit. But what you are facing is most likely a political, rather than logical, issue. Regardless of the outcome, I have come to believe that a partnership with audit is necessary to implement effective operational ERM.

    -------------------------------
    Beaumont Vance
    Sun Microsystems Inc.
    Senior Enterprise Risk Manager
    -------------------------------


  • 5.  RE: ERM and SOX

    This message was posted by a user wishing to remain anonymous.
    Posted 07-19-2006 09:23 AM
    As respects Audit heading ERM, I refer the group to a release made by the Institute of Internal Auditors, dated September 29, 2004, that was made in conjunction with COSO ERM. The publication provides specific guidance to internal auditors and warns of the risk of compromising their independence and objectivity if they undertake ERM roles beyond traditional assurance to the board. The publication can be found on the Institute's website. Please let me know if you have any difficulty downloading it and I'll e-mail it to the group (from an efficiency standpoint, we should create a link to the IIA site and add the relevant documents to the group's library).


  • 6.  RE: ERM and SOX

    This message was posted by a user wishing to remain anonymous.
    Posted 07-20-2006 08:52 AM
    Robert:

    Thank you for that information. I have been to the IIA site but have been unsuccessful in downloading most documents since I am not a member of the site. With reference to the September 29, 2004 document, I would appreciate it if you could e-mail it to me. I have seen several spring and summer 2006 references to the same concern over independence and objectivity and the need for Audit to remain in an assurance role.

    Regards,
    David Kuhnke

    -------------------------------
    David Kuhnke
    Kaman Corporation
    AVP Corp. Risk Safety Env
    -------------------------------


  • 7.  RE: ERM and SOX

    Posted 07-20-2006 11:08 AM
    Mr. Moussaid,

    Thank you for your suggestion regarding the IIA's position paper on the role of Internal Audit in ERM. There already resides a link for this commentary, as well as many others on ERM-related issues, in the ERM Center of Excellence. To navigate to the ERM CoE from the RIMS home page, simply click on ERM > Papers and Studies on the silver menu bar. The link you refer to is the seventh entry in the list. You will then need to navigate the IIA web site to the document entitled "The IIA's Position Statement: The Role of Internal Audit in Enterprise-wide Risk Management." Everyone should feel free to suggest or submit any other articles, papers, web links or presentations relevant to the advancement of the ERM discipline for posting in the ERM CoE. Just email the RIMS ERM Development Committee directly at ermcomm@rims.org for consideration.

    -------------------------------
    ERM Development Committee
    Please be sure to visit the Enterprise Risk Management (ERM) Center of Excellence for tools and resources to assist you in creating a robust ERM program within your organization.
    -------------------------------


  • 8.  RE: ERM and SOX

    This message was posted by a user wishing to remain anonymous.
    Posted 07-21-2006 12:39 PM
    The IIA ERM Position Paper document is now in the Resource Library.

    -------------------------------
    Robert Moussaid
    Ohio Casualty Corporation
    Risk Manager
    -------------------------------