ERM
SUMMARY APPROACH GUIDE
ENTERPRISE RISK MANAGEMENT
TABLE OF CONTENTS
Enterprise Risk Management Summary Approach Guide: Sample 1
• Today’s Agenda
• Welcome and Introductions
• ERM Foundational Concepts
• Moving to ERM
• ERM Implementation Overview
Enterprise Risk Management Summary Approach Guide: Sample 2
• ERM Approach
• Coordination and Oversight
SAMPLE 1
TODAY’S AGENDA
• Welcome and Introductions
− New enterprise risk management (ERM) infrastructure
− Reasons for change
• ERM: What’s In It for XYZ and for You?
− How do we get there?
• ERM Foundational Concepts
• Moving to ERM
• ERM Implementation Overview
• Next Steps and Closing Remarks
WELCOME AND INTRODUCTIONS: NEW ENTERPRISE RISK MANAGEMENT (ERM) INFRASTRUCTURE
[Organization chart: Board of Directors; ERM Oversight Committee; ERM Working Group; Estimated Dates]
The VP of ERM reports periodically to the audit committee and routinely to the CEO/CFO.
The ERM oversight committee includes all senior-level executives.
The ERM working group includes a member from each risk and compliance group as well as multiple business unit owners throughout the organization.
WELCOME AND INTRODUCTIONS: REASONS FOR CHANGE
1 Credit rating agencies are beginning to factor the company’s ERM processes into an overall rating.
2 Legislators and the general public are pressuring companies to specifically disclose how both the board and senior executives oversee and monitor the risk management practices of the company.
3 Dedicated resources should be focused fully on the development of an ERM process for XYZ.
4 Develop a process where the board and senior executives are routinely updated on the risk profile of the company associated with its strategy and operations.
5 Integrate efforts of the risk and compliance groups to eliminate redundancies in work performed (e.g., agency billing audits).
WELCOME AND INTRODUCTIONS: ERM – WHAT’S IN IT FOR XYZ AND YOU?
1 Fewer surprises occur.
2 Exposure to loss is reduced and rewards are increased.
3 Decision-making is more effective.
4 Corporate governance is improved.
5 Risk and control activities with the highest corporate priorities are aligned.
WELCOME AND INTRODUCTIONS: HOW DO WE GET THERE?
01 Ensure that front-line managers and above understand the importance of risk identification, assessment and management and are willing to embrace it.
02 Evolve ERM from a special project to being part of your daily routine (e.g., ask yourself, “what are the risks associated with XYZ?”).
03 Leverage existing tools, reports, etc. to assist with risk assessment and management where possible. Also identify other methods or tools that can facilitate this in a more effective manner across the entire company.
04 We may request meetings with you to understand the portion of the company’s overall risk profile that you help to monitor and manage.
05 GRC software is implemented to support the ERM process, as well as PMO support from Protiviti.
ERM FOUNDATIONAL CONCEPTS: A DEFINITION OF ERM
A definition provided by former Federal Reserve Board Governor Susan Bies:
A process that enables management to deal effectively with uncertainty and the associated risk and opportunity, enhancing the capacity to build stakeholder value.
ERM includes:
• Aligning XYZ’s risk appetite and strategies.
• Reducing the frequency and severity of operational surprises and losses.
• Identifying and managing multiple and cross-enterprise risks.
• Enhancing the rigor of XYZ’s risk-response decisions.
• Proactively seizing on the opportunities presented to XYZ.
ERM FOUNDATIONAL CONCEPTS: RISK
[Diagram labels: Strategy; Risk Appetite; Risk Tolerance; Objectives; Governance; Execution]
• Risk is a threat or barrier preventing the achievement of organizational objectives.
• Risk appetite is the amount of risk that XYZ is willing to accept. It sets the boundaries for the broad risk-taking activities of an organization.
− This can be quantitative or qualitative.
− This may be expressed as an acceptable balance of growth, risk and return, or as risk-adjusted shareholder value-added measures.
− Risk appetite guides resource allocation.
• Risk tolerance is the acceptable level of variation relative to the achievement of a specific objective.
− These are generally quantitative and measured in the same units as the related objective.
ERM FOUNDATIONAL CONCEPTS: ILLUSTRATIVE RISK APPETITE STATEMENT
Management will accept a moderate level of risk in pursuing strategies to grow revenue and earnings.
Management may choose to pursue product expansion and/or acquisitions that are complementary to the existing business and capabilities and are expected to be accretive to earnings within a maximum of 18 months.
Management will accept earnings volatility of up to 50% within a one-year timeframe, provided that long-term operating margins can be maintained at 5% or higher.
Capital and liquidity must be maintained at a level that will not result in a reduction of our current dividend.
Management will not accept risks that result in more than an extremely remote threat to its state insurance licenses or Medicare contracts.
Management will not accept risks that result in more than a remote chance that our members are not receiving the level of medical care promised.
Management will not accept risks that result in more than a remote chance that our agents and providers are not reimbursed properly.
The investment portfolio will be maintained with an aggregate rating of at least AA.
ERM FOUNDATIONAL CONCEPTS: ERM AS A PICTURE
• Determine your strategic objectives based on your risk appetite.
• Determine the risk management techniques to meet your established risk tolerances.
• Understand the inherent risks associated with achieving your business strategy.
[Diagram labels: Risk Appetite; Risk Tolerances; Feedback; Accept; Share; Reduce; Avoid]
[Risk map: IMPACT (Insignificant, Minor, Moderate, Major, Catastrophic) against LIKELIHOOD (Remote 10%, Unlikely 25%, Reasonably Possible 50%, Probable 75%, Almost Certain 90%); cells rated from Low to Very High; risks plotted by number]
Risks plotted (map number):
• Organizational Culture (15)
• Price - Interest Rate (11)
• Consumer Privacy (9)
• Competitor (1)
• Reg. - Price Integrity (10)
• IT - Systems Implement. (3)
• IT - Infrastructure (6)
• Customer Satisfaction (5)
• Taxation (13)
• Sourcing/Supply Chain (4)
• Business Model (14)
• Human Resources (7)
• Shrink/Loss Prevention (8)
• Rev. Rec. - Allowances (12)
• Business Interruption (2)
ERM FOUNDATIONAL CONCEPTS: COMMON FRAMEWORK FOR ERM PROGRAMS
• Establish the Risk Management Goals, Objectives and Infrastructure
• Assess the Business Risk
− Identify
− Source
− Measure
• Formulate the Business Risk Management Strategies
• Measure/Monitor the Risk Management Process Performance
• Design/Implement the Risk Management Process
• Continuously Improve the Business Risk Management Process
[Diagram label: Information for Decision-Making]
ERM is a continuous, formalized process of:
• Establishing
• Assessing
• Developing
• Implementing
• Monitoring
• Improving
ERM is primarily focused on key risks to the organization, not necessarily all risks.
ERM FOUNDATIONAL CONCEPTS: ERM INTEGRATION WITH STRATEGIC PLANNING
Key ERM Components
• Identify the risks to achieving objectives.
• Source the risks.
• Identify, monitor and respond to emerging risks.
Key ERM Components
• Assess and prioritize risks.
• Select strategies within the organization’s risk appetite.
Key ERM Components
• Set strategic measurements and key risk indicators (KRIs).
• Identify the strategic risk owners.
Key ERM Components
• Enable communication on achievement of strategic objectives.
• Monitor, evaluate and update KRIs and risk management action plans.
• Update operational plans.
Key ERM Components
• Allocate risk management resources.
• Develop risk mitigation plans.
• Develop additional KRIs.
[Diagram labels: Corporate Mission, Vision and Values; Assess the External Environment; Formulate and Select a Strategy; Set Strategic Measurements and Targets]
ERM FOUNDATIONAL CONCEPTS: VALUE OF ERM
Sustain Competitive Advantage
• Incorporate operational risk management best practices.
• Identify, assess and manage emerging external risks, including regulatory changes, access to capital and financial market volatility.
• Evaluate and manage risks associated with strategic business decisions (product/service offerings, etc.).
• Respond effectively to low probability critical/catastrophic risks (e.g., Black Swan).
Optimize Costs
• Standardize the business process and collaborate efforts to integrate it.
• Allocate resources more efficiently.
• Eliminate unnecessary controls.
Improve Business Performance
• Manage KPI shortfalls and tightened margins.
• Better understand risks and improve risk management capabilities across business functions and units.
• Improve strategic management and business planning processes.
• Expand and improve corporate governance, addressing expectations of and requests from the board (including reporting needs).
MOVING TO ERM: FIRST VERSION HAS BASIC FUNCTIONALITY
MOVING TO ERM: FAST FORWARD: RISK BECOMES OPPORTUNITY
MOVING TO ERM
Risk Management
• Focus: Financial and hazard risks and internal controls
• Objective: Protect enterprise value
• Scope: Treasury, insurance and operations are primarily responsible
• Emphasis: Finance and operations
• Application: Selected risk areas, units and processes
Business Risk Management
• Focus: Business risk and internal controls, taking a risk-by-risk approach
• Objective: Protect enterprise value
• Scope: Business managers are accountable
• Emphasis: Management
• Application: Selected risk areas, units and processes
Enterprise Risk Management
• Focus: Business risk and internal controls, taking an entity-level portfolio view of risk
• Objective: Protect and enhance enterprise value
• Scope: Applied across the enterprise, at every level and unit
• Emphasis: Setting a strategy
• Application: Enterprisewide to all sources of value
[Figure: three asset groupings shown between “Current-State” Capabilities and “Future-State” Vision: (1) Physical Assets, Financial Assets; (2) Physical Assets, Financial Assets, Employee/Supplier Assets, Customer Assets; (3) Physical Assets, Financial Assets, Customer Assets, Organizational Assets, Employee/Supplier Assets]
MOVING TO ERM: POINT OF VIEW ON ERM
• ERM will never begin if you don’t know what your risks are.
• ERM is not something to build in a day. Start somewhere and build incrementally.
• The purpose of ERM infrastructure is to drive continuous improvement of ERM capabilities.
− The objective is to continuously improve capabilities around managing priority risks as
circumstances change.
• The tenets of effective ERM implementation:
− Leverage what you have.
− Integrate with what you do.
− Keep it simple.
MOVING TO ERM: COMMON ERM OBSTACLES AND PITFALLS TO AVOID
01 Failure to get “buy-in” and support from executive management (CEO).
02 An inability to demonstrate value to operational personnel and risk owners.
03 Enterprise list management.
04 A lack of dedicated resources with the appropriate background.
05 An inability to capture, summarize and manage information.
06 Ineffective or inefficient risk identification techniques.
07 Risk responsibility that is not linked to rewards.
08 General counsel concerns exist over risk documentation.
09 ERM that is not integrated with other activities and functions within the organization.
10 Failure to link risks to strategy.
ERM IMPLEMENTATION OVERVIEW: STEP 1
ERM Infrastructure
Key Elements
• Develop an ERM governance structure (e.g., charter, philosophy, risk appetite).
• Define a process/organizational classification scheme.
• Adopt a standardized risk model.
• Define roles and responsibilities.
• Conduct ERM awareness training.
• Understand existing risk management processes and/or areas of overlap.
• Gather information on company strategy and value drivers.
• Implement GRC software.
Key Outputs for XYZ
• ERM vision and responsibilities.
• Process/organizational classification scheme.
• Risk model (common language) and risk definitions.
ERM IMPLEMENTATION OVERVIEW: STEP 2
Risk Assessment and Prioritization
Key Elements
• Incorporate information from internal audit’s risk assessment, along with input from other executives on existing
and/or emerging risk areas for XYZ.
• Define risk ranking criteria (likelihood of occurrence and impact/significance to XYZ).
• Link strategic objectives/initiatives to risks.
• Prioritize key risks.
Key Outputs for XYZ
• Preliminary prioritization of identified risks.
• Risk map.
ERM IMPLEMENTATION OVERVIEW: SAMPLE RISK MAP
Key risks on the XYZ risk model will eventually be mapped based on the significance and likelihood of each risk. The risk profile associated with each quadrant of the Significance/Likelihood map is noted below.
Secondary Risks
• Black Swan
• Likelihood is lower but could have a significant adverse effect on the company’s ability to achieve its objectives if risk is realized.
• Monitoring is limited and detective controls are needed.
Key Risks
• Critical risks potentially threaten the achievement of companywide objectives.
• High-monitoring activity and preventive controls are essential in mitigating these risks.
Low Priority Risks
• The overall business impact is not deemed as significant.
• Significant monitoring is not necessary unless change occurs in risk classification.
Secondary Risks
• Less significance exists but is more likely to occur.
• Cost/benefit trade-off is considered.
• Some monitoring and effective detective controls are needed.
• Risks are often re-assessed to evaluate changing conditions (move to high significance).
[Risk map axes: Likelihood and Impact/Significance, each marked 1 to 5 from Low to High; label: Risk Appetite]
ERM IMPLEMENTATION OVERVIEW: QUANTIFYING RISK
Inputs
The quality of data input determines the quality of data coming out of the model. This is often the most challenging aspect of quantifying risk.
Models and Assumptions
These should align with the firm’s goals and objectives as well as current marketplace/industry realities.
Outputs
Create outputs that are relevant to the overall firm and business units. Link outputs to performance measures/KPIs.
ERM IMPLEMENTATION OVERVIEW: RISK MEASUREMENT VALUE
• Allows for return to be evaluated on a risk-adjusted basis.
• Provides a method to produce comparable results across businesses with different risk profiles.
• Provides a method to rank opportunities based on the opportunity risk profile.
• Serves as feedback to the effect of changes in portfolio composition and risk policies (e.g., increasing % of hospice).
ERM IMPLEMENTATION OVERVIEW: STEP 3
Risk Response/Management
Key Elements
• Understand key controls/risk management activities that currently exist to address key risks, as well as gaps.
• Define key risk indicators (KRIs) and risk tolerance levels.
• Develop risk reports/dashboards and present information to executive management and the board.
Key Outputs for XYZ
• Key risk indicators for key risks.
• Risk reports/dashboards.
ERM IMPLEMENTATION OVERVIEW: WHAT DO WE DO WITH RISK?
Avoid
Eliminate risk by preventing exposure to future possible events from occurring.
• Divest
• Prohibit
• Stop
• Screen
• Eliminate
• Target
Accept
Maintain the risk at its current level.
• Retain
• Reprice
• Self-Insure
• Offset
Reduce
Implement policies and procedures to lower the risk to an acceptable level.
• Disperse
• Control
• Respond
• Diminish
• Isolate
• Test
• Improve
• Relocate
• Redesign
• Diversify
Share
Shift the risk to a financially capable, independent counterparty.
• Insure
• Reinsure
• Hedge
• Transfer
• Outsource
• Securitize
• Indemnify
SAMPLE 2
ERM APPROACH
Identifying, understanding and evaluating an organization’s most significant risk areas will set the foundation for a robust ERM program. The diagram below outlines an effective and proven approach to building ERM capabilities that will ultimately:
• Enhance corporate governance.
• Align and integrate varying views of risk and risk management.
• Respond to the changing business environment.
[Diagram: Planning; Facilitating Risk Discussion; Risk Analysis; External Verification; Management Review; Gap Assessment; Coordination and Oversight]
The following pages detail each component of this ERM approach.
PLANNING
Activities
• Meet with ABC’s ERM project sponsor to confirm the scope and risk management objectives (including guidelines for defining “catastrophic” risks).
• Leverage ABC corporate audit’s risk model and confirm that it includes the necessary environment, process and information for decision-making risk categories. Adjust the model as necessary.
• Identify a cross-section of leaders within each business/region/function to participate in a facilitated risk discussion (workshop). If necessary, there may be multiple workshops within each business, region and function.
• Conduct interviews with workshop participants to better understand key risk areas within each business/region/function and to verify that the necessary risk categories are included in the risk model. Complete these interviews prior to conducting the facilitated risk workshops.
• Distribute the risk model to attendees prior to conducting each workshop to set the foundation for a common risk language.
Output/Deliverables
• ABC-specific risk model (inclusive of key risk categories)
FACILITATING RISK DISCUSSION
Activities
• Conduct facilitated risk discussions to evaluate the inherent significance and likelihood of identified risks. Using real-time, anonymous voting technology, identify ABC’s top nontraditional, catastrophic risk categories.
− Facilitated workshops provide an effective and efficient approach to holistically evaluating an organizational risk. Participants can discuss and verify issues and facts and reach meaningful conclusions that ultimately enhance risk management capabilities.
• Gather initial input on the top risk categories to begin the process to identify specific events and/or scenarios that cause each category to have an elevated priority.
Output/Deliverables
• A prioritized list of risk categories within each business/region/function
• Information on risk-specific events and/or scenarios that could significantly impact ABC
RISK ANALYSIS
Activities
• Explore the specific events within each top risk category that could have a significant or catastrophic impact on ABC. Evaluate these events in the context of broad organizational impact to identify the discrete risk points within each risk area (i.e., catalog the Level 2 and Level 3 risks).
− Example: If “Illegal Acts” is identified as a top risk category, outline and document the specific illegal acts that would cause the most damage to ABC. It may be necessary to approach these risks using a worst-case scenario.
• Identify an expert panel of ABC management relevant to each of the top five to six risk categories and facilitate discussions to identify potential risk events/scenarios within each top risk category. Confirm that the agreed-upon events are ABC-specific and adequately describe how each would contribute to a potentially catastrophic outcome.
• Consolidate and prioritize the top events in each of the priority risk categories from each of the expert panel workshops.
Output/Deliverables
• Documentation of ABC’s prioritized catastrophic risks supported by specific events and supporting explanations
EXTERNAL VERIFICATION
Activities
• Identify external resources with expert perspectives on industry and risk management topics.
• Distribute ABC’s consolidated risk universe and solicit feedback.
• Discuss external feedback with business/region/function leaders and adjust the risk universe as necessary.
Output/Deliverables
• An updated universe of ABC’s most critical risks that incorporates feedback from external experts
MANAGEMENT REVIEW
Activities
• Discuss the prioritized list of critical risks with members of ABC’s executive leadership team. Solicit feedback and update the risk list as necessary.
• Develop summary materials to communicate ERM activities and results to the board.
Output/Deliverables
• A finalized list of ABC’s top risk areas
• A board-level reporting summary
GAP ASSESSMENT
Activities
• Through a discussion and documentation review, evaluate ABC’s current capabilities to manage the identified risk categories and potential risk events/scenarios.
• Identify risks that may not be adequately controlled and perform a gap analysis.
• Communicate gaps and confirm them with business/region/function leaders.
Output/Deliverables
• A summary of risk management activities to address ABC’s top risk areas, including process gaps and associated recommendations
COORDINATION AND OVERSIGHT
• Communication between management and each business/region/function is of paramount
importance to successfully complete this ERM initiative. In coordination with management, the
risk management project team will have responsibility for overseeing all engagement activities.
• Senior members of the risk management project team will coordinate ERM activities throughout
the entirety of this project.
• The risk management project team will facilitate risk workshops, summarize workshop results,
identify and introduce external experts, and present the results to management.
• As necessary, the risk management project team will be available to assist with preparing and/or
presenting relevant materials to the board.

VIP Call Girl in Mira Road 💧 9920725232 ( Call Me ) Get A New Crush Everyday ...VIP Call Girl in Mira Road 💧 9920725232 ( Call Me ) Get A New Crush Everyday ...
VIP Call Girl in Mira Road 💧 9920725232 ( Call Me ) Get A New Crush Everyday ...dipikadinghjn ( Why You Choose Us? ) Escorts
 
The Economic History of the U.S. Lecture 17.pdf
The Economic History of the U.S. Lecture 17.pdfThe Economic History of the U.S. Lecture 17.pdf
The Economic History of the U.S. Lecture 17.pdfGale Pooley
 
Booking open Available Pune Call Girls Talegaon Dabhade 6297143586 Call Hot ...
Booking open Available Pune Call Girls Talegaon Dabhade  6297143586 Call Hot ...Booking open Available Pune Call Girls Talegaon Dabhade  6297143586 Call Hot ...
Booking open Available Pune Call Girls Talegaon Dabhade 6297143586 Call Hot ...Call Girls in Nagpur High Profile
 
Pooja 9892124323 : Call Girl in Juhu Escorts Service Free Home Delivery
Pooja 9892124323 : Call Girl in Juhu Escorts Service Free Home DeliveryPooja 9892124323 : Call Girl in Juhu Escorts Service Free Home Delivery
Pooja 9892124323 : Call Girl in Juhu Escorts Service Free Home DeliveryPooja Nehwal
 
TEST BANK For Corporate Finance, 13th Edition By Stephen Ross, Randolph Weste...
TEST BANK For Corporate Finance, 13th Edition By Stephen Ross, Randolph Weste...TEST BANK For Corporate Finance, 13th Edition By Stephen Ross, Randolph Weste...
TEST BANK For Corporate Finance, 13th Edition By Stephen Ross, Randolph Weste...ssifa0344
 
02_Fabio Colombo_Accenture_MeetupDora&Cybersecurity.pptx
02_Fabio Colombo_Accenture_MeetupDora&Cybersecurity.pptx02_Fabio Colombo_Accenture_MeetupDora&Cybersecurity.pptx
02_Fabio Colombo_Accenture_MeetupDora&Cybersecurity.pptxFinTech Belgium
 
Booking open Available Pune Call Girls Wadgaon Sheri 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Wadgaon Sheri  6297143586 Call Hot Ind...Booking open Available Pune Call Girls Wadgaon Sheri  6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Wadgaon Sheri 6297143586 Call Hot Ind...Call Girls in Nagpur High Profile
 
06_Joeri Van Speybroek_Dell_MeetupDora&Cybersecurity.pdf
06_Joeri Van Speybroek_Dell_MeetupDora&Cybersecurity.pdf06_Joeri Van Speybroek_Dell_MeetupDora&Cybersecurity.pdf
06_Joeri Van Speybroek_Dell_MeetupDora&Cybersecurity.pdfFinTech Belgium
 
Log your LOA pain with Pension Lab's brilliant campaign
Log your LOA pain with Pension Lab's brilliant campaignLog your LOA pain with Pension Lab's brilliant campaign
Log your LOA pain with Pension Lab's brilliant campaignHenry Tapper
 
Top Rated Pune Call Girls Viman Nagar ⟟ 6297143586 ⟟ Call Me For Genuine Sex...
Top Rated  Pune Call Girls Viman Nagar ⟟ 6297143586 ⟟ Call Me For Genuine Sex...Top Rated  Pune Call Girls Viman Nagar ⟟ 6297143586 ⟟ Call Me For Genuine Sex...
Top Rated Pune Call Girls Viman Nagar ⟟ 6297143586 ⟟ Call Me For Genuine Sex...Call Girls in Nagpur High Profile
 
The Economic History of the U.S. Lecture 25.pdf
The Economic History of the U.S. Lecture 25.pdfThe Economic History of the U.S. Lecture 25.pdf
The Economic History of the U.S. Lecture 25.pdfGale Pooley
 
00_Main ppt_MeetupDORA&CyberSecurity.pptx
00_Main ppt_MeetupDORA&CyberSecurity.pptx00_Main ppt_MeetupDORA&CyberSecurity.pptx
00_Main ppt_MeetupDORA&CyberSecurity.pptxFinTech Belgium
 
05_Annelore Lenoir_Docbyte_MeetupDora&Cybersecurity.pptx
05_Annelore Lenoir_Docbyte_MeetupDora&Cybersecurity.pptx05_Annelore Lenoir_Docbyte_MeetupDora&Cybersecurity.pptx
05_Annelore Lenoir_Docbyte_MeetupDora&Cybersecurity.pptxFinTech Belgium
 
The Economic History of the U.S. Lecture 20.pdf
The Economic History of the U.S. Lecture 20.pdfThe Economic History of the U.S. Lecture 20.pdf
The Economic History of the U.S. Lecture 20.pdfGale Pooley
 
The Economic History of the U.S. Lecture 18.pdf
The Economic History of the U.S. Lecture 18.pdfThe Economic History of the U.S. Lecture 18.pdf
The Economic History of the U.S. Lecture 18.pdfGale Pooley
 
Call Girls Koregaon Park Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Koregaon Park Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Koregaon Park Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Koregaon Park Call Me 7737669865 Budget Friendly No Advance Bookingroncy bisnoi
 
Dharavi Russian callg Girls, { 09892124323 } || Call Girl In Mumbai ...
Dharavi Russian callg Girls, { 09892124323 } || Call Girl In Mumbai ...Dharavi Russian callg Girls, { 09892124323 } || Call Girl In Mumbai ...
Dharavi Russian callg Girls, { 09892124323 } || Call Girl In Mumbai ...Pooja Nehwal
 
VIP Independent Call Girls in Andheri 🌹 9920725232 ( Call Me ) Mumbai Escorts...
VIP Independent Call Girls in Andheri 🌹 9920725232 ( Call Me ) Mumbai Escorts...VIP Independent Call Girls in Andheri 🌹 9920725232 ( Call Me ) Mumbai Escorts...
VIP Independent Call Girls in Andheri 🌹 9920725232 ( Call Me ) Mumbai Escorts...dipikadinghjn ( Why You Choose Us? ) Escorts
 
Gurley shaw Theory of Monetary Economics.
Gurley shaw Theory of Monetary Economics.Gurley shaw Theory of Monetary Economics.
Gurley shaw Theory of Monetary Economics.Vinodha Devi
 

Último (20)

High Class Call Girls Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
High Class Call Girls Nagpur Grishma Call 7001035870 Meet With Nagpur EscortsHigh Class Call Girls Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
High Class Call Girls Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
 
VIP Call Girl in Mira Road 💧 9920725232 ( Call Me ) Get A New Crush Everyday ...
VIP Call Girl in Mira Road 💧 9920725232 ( Call Me ) Get A New Crush Everyday ...VIP Call Girl in Mira Road 💧 9920725232 ( Call Me ) Get A New Crush Everyday ...
VIP Call Girl in Mira Road 💧 9920725232 ( Call Me ) Get A New Crush Everyday ...
 
The Economic History of the U.S. Lecture 17.pdf
The Economic History of the U.S. Lecture 17.pdfThe Economic History of the U.S. Lecture 17.pdf
The Economic History of the U.S. Lecture 17.pdf
 
Booking open Available Pune Call Girls Talegaon Dabhade 6297143586 Call Hot ...
Booking open Available Pune Call Girls Talegaon Dabhade  6297143586 Call Hot ...Booking open Available Pune Call Girls Talegaon Dabhade  6297143586 Call Hot ...
Booking open Available Pune Call Girls Talegaon Dabhade 6297143586 Call Hot ...
 
Pooja 9892124323 : Call Girl in Juhu Escorts Service Free Home Delivery
Pooja 9892124323 : Call Girl in Juhu Escorts Service Free Home DeliveryPooja 9892124323 : Call Girl in Juhu Escorts Service Free Home Delivery
Pooja 9892124323 : Call Girl in Juhu Escorts Service Free Home Delivery
 
TEST BANK For Corporate Finance, 13th Edition By Stephen Ross, Randolph Weste...
TEST BANK For Corporate Finance, 13th Edition By Stephen Ross, Randolph Weste...TEST BANK For Corporate Finance, 13th Edition By Stephen Ross, Randolph Weste...
TEST BANK For Corporate Finance, 13th Edition By Stephen Ross, Randolph Weste...
 
02_Fabio Colombo_Accenture_MeetupDora&Cybersecurity.pptx
02_Fabio Colombo_Accenture_MeetupDora&Cybersecurity.pptx02_Fabio Colombo_Accenture_MeetupDora&Cybersecurity.pptx
02_Fabio Colombo_Accenture_MeetupDora&Cybersecurity.pptx
 
Booking open Available Pune Call Girls Wadgaon Sheri 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Wadgaon Sheri  6297143586 Call Hot Ind...Booking open Available Pune Call Girls Wadgaon Sheri  6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Wadgaon Sheri 6297143586 Call Hot Ind...
 
06_Joeri Van Speybroek_Dell_MeetupDora&Cybersecurity.pdf
06_Joeri Van Speybroek_Dell_MeetupDora&Cybersecurity.pdf06_Joeri Van Speybroek_Dell_MeetupDora&Cybersecurity.pdf
06_Joeri Van Speybroek_Dell_MeetupDora&Cybersecurity.pdf
 
Log your LOA pain with Pension Lab's brilliant campaign
Log your LOA pain with Pension Lab's brilliant campaignLog your LOA pain with Pension Lab's brilliant campaign
Log your LOA pain with Pension Lab's brilliant campaign
 
Top Rated Pune Call Girls Viman Nagar ⟟ 6297143586 ⟟ Call Me For Genuine Sex...
Top Rated  Pune Call Girls Viman Nagar ⟟ 6297143586 ⟟ Call Me For Genuine Sex...Top Rated  Pune Call Girls Viman Nagar ⟟ 6297143586 ⟟ Call Me For Genuine Sex...
Top Rated Pune Call Girls Viman Nagar ⟟ 6297143586 ⟟ Call Me For Genuine Sex...
 
The Economic History of the U.S. Lecture 25.pdf
The Economic History of the U.S. Lecture 25.pdfThe Economic History of the U.S. Lecture 25.pdf
The Economic History of the U.S. Lecture 25.pdf
 
00_Main ppt_MeetupDORA&CyberSecurity.pptx
00_Main ppt_MeetupDORA&CyberSecurity.pptx00_Main ppt_MeetupDORA&CyberSecurity.pptx
00_Main ppt_MeetupDORA&CyberSecurity.pptx
 
05_Annelore Lenoir_Docbyte_MeetupDora&Cybersecurity.pptx
05_Annelore Lenoir_Docbyte_MeetupDora&Cybersecurity.pptx05_Annelore Lenoir_Docbyte_MeetupDora&Cybersecurity.pptx
05_Annelore Lenoir_Docbyte_MeetupDora&Cybersecurity.pptx
 
The Economic History of the U.S. Lecture 20.pdf
The Economic History of the U.S. Lecture 20.pdfThe Economic History of the U.S. Lecture 20.pdf
The Economic History of the U.S. Lecture 20.pdf
 
The Economic History of the U.S. Lecture 18.pdf
The Economic History of the U.S. Lecture 18.pdfThe Economic History of the U.S. Lecture 18.pdf
The Economic History of the U.S. Lecture 18.pdf
 
Call Girls Koregaon Park Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Koregaon Park Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Koregaon Park Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Koregaon Park Call Me 7737669865 Budget Friendly No Advance Booking
 
Dharavi Russian callg Girls, { 09892124323 } || Call Girl In Mumbai ...
Dharavi Russian callg Girls, { 09892124323 } || Call Girl In Mumbai ...Dharavi Russian callg Girls, { 09892124323 } || Call Girl In Mumbai ...
Dharavi Russian callg Girls, { 09892124323 } || Call Girl In Mumbai ...
 
VIP Independent Call Girls in Andheri 🌹 9920725232 ( Call Me ) Mumbai Escorts...
VIP Independent Call Girls in Andheri 🌹 9920725232 ( Call Me ) Mumbai Escorts...VIP Independent Call Girls in Andheri 🌹 9920725232 ( Call Me ) Mumbai Escorts...
VIP Independent Call Girls in Andheri 🌹 9920725232 ( Call Me ) Mumbai Escorts...
 
Gurley shaw Theory of Monetary Economics.
Gurley shaw Theory of Monetary Economics.Gurley shaw Theory of Monetary Economics.
Gurley shaw Theory of Monetary Economics.
 

Enterprise risk management summary approach guide

  • 2. TABLE OF CONTENTS 03 Enterprise Risk Management Summary Approach Guide: Sample 1 04 Today’s Agenda 05 Welcome and Introductions 09 ERM Foundational Concepts 16 Moving to ERM 21 ERM Implementation Overview 2 28 Enterprise Risk Management Summary Approach Guide: Sample 2 29 ERM Approach 36 Coordination and Oversight
  • 4. TODAY’S AGENDA 4 • Welcome and Introductions − New enterprise risk management (ERM) infrastructure − Reasons for change • ERM: What’s In It for XYZ and for You? − How do we get there? • ERM Foundational Concepts • Moving to ERM • ERM Implementation Overview • Next Steps and Closing Remarks
  • 5. WELCOME AND INTRODUCTIONS: NEW ENTERPRISE RISK MANAGEMENT (ERM) INFRASTRUCTURE 5 Board of Directors ERM Oversight Committee ERM Working Group Estimated Dates The VP of ERM reports periodically to the audit committee and routinely to the CEO/CFO. The ERM oversight committee includes all senior-level executives. The ERM working group includes a member from each risk and compliance group as well as multiple business unit owners throughout the organization.
  • 6. WELCOME AND INTRODUCTIONS: REASONS FOR CHANGE 6 1 Credit rating agencies are beginning to factor the company’s ERM processes into an overall rating. Legislators and the general public are pressuring companies to specifically disclose how both the board and senior executives oversee and monitor the risk management practices of the company. 2 3 Dedicated resources should be focused fully on the development of an ERM process for XYZ. Develop a process where the board and senior executives are routinely updated on the risk profile of the company associated with its strategy and operations. 4 5 Integrate efforts of the risk and compliance groups to eliminate redundancies in work performed (e.g., agency billing audits).
  • 7. WELCOME AND INTRODUCTIONS: ERM – WHAT’S IN IT FOR XYZ AND YOU? 7 1 2 3 4 5 Fewer surprises occur. Exposure to loss is reduced and rewards are increased. Decision-making is more effective. Corporate governance is improved. Risk and control activities with the highest corporate priorities are aligned.
  • 8. WELCOME AND INTRODUCTIONS: HOW DO WE GET THERE? 8 01 Ensure that front-line managers and above understand the importance of risk identification, assessment and management and are willing to embrace it. 02 Evolve ERM from a special project to being part of your daily routine (e.g., ask yourself, “what are the risks associated with XYZ?”). 03 Leverage existing tools, reports, etc. to assist with risk assessment and management where possible. Also identify other methods or tools that can facilitate this in a more effective manner across the entire company. 04 We may request meetings with you to understand the portion of the company’s overall risk profile that you help to monitor and manage. 05 GRC software is implemented to support the ERM process, as well as PMO support from Protiviti.
  • 9. ERM FOUNDATIONAL CONCEPTS: A DEFINITION OF ERM 9 A definition provided by former Federal Reserve Board Governor Susan Bies: A process that enables management to deal effectively with uncertainty and the associated risk and opportunity, enhancing the capacity to build stakeholder value. • Aligning XYZ’s risk appetite and strategies. • Reducing the frequency and severity of operational surprises and losses. • Identifying and managing multiple and cross-enterprise risks. • Enhancing the rigor of XYZ’s risk-response decisions. • Proactively seizing on the opportunities presented to XYZ. ERM includes:
  • 10. ERM FOUNDATIONAL CONCEPTS: RISK 10 Strategy Risk Appetite Risk Tolerance Objectives Governance Execution • Risk is a threat or barrier preventing the achievement of organizational objectives. • Risk appetite is the amount of risk that XYZ is willing to accept. It sets the boundaries for the broad risk-taking activities of an organization. − This can be quantitative or qualitative. − This may be expressed as an acceptable balance of growth, risk and return, or as risk-adjusted shareholder value-added measures. − Risk appetite guides resource allocation. • Risk tolerance is the acceptable level of variation relative to the achievement of a specific objective. − These are generally quantitative and measured in the same units as the related objective.
  • 11. ERM FOUNDATIONAL CONCEPTS: ILLUSTRATIVE RISK APPETITE STATEMENT 11 Management will accept a moderate level of risk in pursuing strategies to grow revenue and earnings. Management may choose to pursue product expansion and/or acquisitions that are complementary to the existing business and capabilities and are expected to be accretive to earnings within a maximum of 18 months. Management will accept earnings volatility of up to 50% within a one-year timeframe, provided that long-term operating margins can be maintained at 5% or higher. Capital and liquidity must be maintained at a level that will not result in a reduction of our current dividend. Management will not accept risks that result in more than an extremely remote threat to its state insurance licenses or Medicare contracts. Management will not accept risks that result in more than a remote chance that our members are not receiving the level of medical care promised. Management will not accept risks that result in a more than remote chance that our agents and providers are not reimbursed properly. The investment portfolio will be maintained with an aggregate rating of at least AA.
  • 12. ERM FOUNDATIONAL CONCEPTS: ERM AS A PICTURE 12 Risk Appetite Determine your strategic objectives based on your risk appetite. Determine the risk management techniques to meet your established risk tolerances. Understand the inherent risks associated with achieving your business strategy. Accept Share Reduce Avoid Feedback Risk Tolerances [Risk map: IMPACT (Insignificant, Minor, Moderate, Major, Catastrophic) plotted against LIKELIHOOD (Remote 10%, Unlikely 25%, Reasonably Possible 50%, Probable 75%, Almost Certain 90%), with cells rated from Low to Very High. Numbered risks on the map: Organizational Culture (15), Price - Interest Rate (11), Consumer Privacy (9), Competitor (1), Reg. - Price Integrity (10), IT - Systems Implement. (3), IT - Infrastructure (6), Customer Satisfaction (5), Taxation (13), Sourcing/Supply Chain (4), Business Model (14), Human Resources (7), Shrink/Loss Prevention (8), Rev. Rec. - Allowances (12), Business Interruption (2).]
  • 13. ERM FOUNDATIONAL CONCEPTS: COMMON FRAMEWORK FOR ERM PROGRAMS 13 Establish the Risk Management Goals, Objectives and Infrastructure Assess the Business Risk • Identify • Source • Measure Formulate the Business Risk Management Strategies Measure/Monitor the Risk Management Process Performance Design/Implement the Risk Management Process Continuously Improve the Business Risk Management Process Information for Decision- Making ERM is a continuous, formalized process of: • Establishing • Assessing • Developing • Implementing • Monitoring • Improving ERM is primarily focused on key risks to the organization, not necessarily all risks.
  • 14. ERM FOUNDATIONAL CONCEPTS: ERM INTEGRATION WITH STRATEGIC PLANNING 14 Key ERM Components • Identify the risks to achieving objectives. • Source the risks. • Identify, monitor and respond to emerging risks. Key ERM Components • Assess and prioritize risks. • Select strategies within the organization’s risk appetite. Key ERM Components • Set strategic measurements and key risk indicators (KRIs). • Identify the strategic risk owners. Key ERM Components • Enable communication on achievement of strategic objectives. • Monitor, evaluate and update KRIs and risk management action plans. • Update operational plans. Key ERM Components • Allocate risk management resources. • Develop risk mitigation plans. • Develop additional KRIs. Corporate Mission, Vision and Values Assess the External Environment Formulate and Select a Strategy Set Strategic Measurements and Targets
  • 15. ERM FOUNDATIONAL CONCEPTS: VALUE OF ERM 15 Sustain Competitive Advantage • Incorporate operational risk management best practices. • Identify, assess and manage emerging external risks, including regulatory changes, access to capital and financial market volatility. • Evaluate and manage risks associated with strategic business decisions (product/service offerings, etc.). • Respond effectively to low probability critical/catastrophic risks (e.g., Black Swan). Optimize Costs • Standardize the business process and collaborate efforts to integrate it. • Allocate resources more efficiently. • Eliminate unnecessary controls. Improve Business Performance • Manage KPI shortfalls and tightened margins. • Better understand risks and improve risk management capabilities across business functions and units. • Improve strategic management and business planning processes. • Expand and improve corporate governance, addressing expectations of and requests from the board (including reporting needs).
  • 16. MOVING TO ERM: FIRST VERSION HAS BASIC FUNCTIONALITY 16
  • 17. MOVING TO ERM: FAST FORWARD: RISK BECOMES OPPORTUNITY 17
  • 18. MOVING TO ERM 18 Risk Management Business Risk Management Enterprise Risk Management Focus Financial and hazard risks and internal controls Business risk and internal controls, taking a risk-by-risk approach Business risk and internal controls, taking an entity-level portfolio view of risk Objective Protect enterprise value Protect enterprise value Protect and enhance enterprise value Scope Treasury, insurance and operations are primarily responsible Business managers are accountable Applied across the enterprise, at every level and unit Emphasis Finance and operations Management Setting a strategy Application Selected risk areas, units and processes Selected risk areas, units and processes Enterprisewide to all sources of value “Current-State” Capabilities “Future-State” Vision Physical Assets Financial Assets Physical Assets Financial Assets Employee/ Supplier Assets Customer Assets Physical Assets Financial Assets Customer Assets Organizational Assets Employee/ Supplier Assets
  • 19. MOVING TO ERM: POINT OF VIEW ON ERM 19 • ERM will never begin if you don’t know what your risks are. • ERM is not something to build in a day. Start somewhere and build incrementally. • The purpose of ERM infrastructure is to drive continuous improvement of ERM capabilities. − The objective is to continuously improve capabilities around managing priority risks as circumstances change. • The tenets of effective ERM implementation: − Leverage what you have. − Integrate with what you do. − Keep it simple.
  • 20. MOVING TO ERM: COMMON ERM OBSTACLES AND PITFALLS TO AVOID 20 02 An inability to demonstrate value to operational personnel and risk owners. 01 Failure to get “buy-in” and support from executive management (CEO). 03 Enterprise list management. 05 An inability to capture, summarize and manage information. 04 A lack of dedicated resources with the appropriate background. 07 Risk responsibility that is not linked to rewards. 06 Ineffective or inefficient risk identification techniques. 08 General counsel concerns exist over risk documentation. 10 Failure to link risks to strategy. 09 ERM that is not integrated with other activities and functions within the organization.
  • 21. ERM IMPLEMENTATION OVERVIEW: STEP 1 21 ERM Infrastructure Key Elements • Develop an ERM governance structure (e.g., charter, philosophy, risk appetite). • Define a process/organizational classification scheme. • Adopt a standardized risk model. • Define roles and responsibilities. • Conduct ERM awareness training. • Understand existing risk management processes and/or areas of overlap. • Gather information on company strategy and value drivers. • Implement GRC software. Key Outputs for XYZ • ERM vision and responsibilities. • Process/organizational classification scheme. • Risk model (common language) and risk definitions.
  • 22. ERM IMPLEMENTATION OVERVIEW: STEP 2 22 Risk Assessment and Prioritization Key Elements • Incorporate information from internal audit’s risk assessment, along with input from other executives on existing and/or emerging risk areas for XYZ. • Define risk ranking criteria (likelihood of occurrence and impact/significance to XYZ). • Link strategic objectives/initiatives to risks. • Prioritize key risks. Key Outputs for XYZ • Preliminary prioritization of identified risks. • Risk map.
  • 23. ERM IMPLEMENTATION OVERVIEW: SAMPLE RISK MAP 23 Key risks on the XYZ risk model will eventually be mapped based on the significance and likelihood of each risk. The risk profile associated with each quadrant of the Significance/Likelihood map is noted below. • Black Swan • Likelihood is lower but could have a significant adverse effect on the company’s ability to achieve its objectives if risk is realized. • Monitoring is limited and detective controls are needed. • Critical risks potentially threaten the achievement of companywide objectives. • High-monitoring activity and preventive controls are essential in mitigating these risks. • The overall business impact is not deemed as significant. • Significant monitoring is not necessary unless change occurs in risk classification. • Less significance exists but is more likely to occur. • Cost/benefit trade-off is considered. • Some monitoring and effective detective controls are needed. • Risks are often re-assessed to evaluate changing conditions (move to high significance). Secondary Risks Secondary Risks Key Risks Low Priority Risks Risk Appetite Likelihood Impact/Significance 1 3 5 3 5 2 4 2 4 High High Low High Low
  • 24. ERM IMPLEMENTATION OVERVIEW: QUANTIFYING RISK 24 The quality of data input determines the quality of data coming out of the model. This is often the most challenging aspect of quantifying risk. 1 These should align with the firm’s goals and objectives as well as current marketplace/industry realities. 1 Create outputs that are relevant to the overall firm and business units. Link outputs to performance measures/KPIs. 1 Inputs Models and Assumptions Outputs
  • 25. ERM IMPLEMENTATION OVERVIEW: RISK MEASUREMENT VALUE 25 Allows for return to be evaluated on a risk-adjusted basis. Provides a method to produce comparable results across businesses with different risk profiles. Provides a method to rank opportunities based on the opportunity risk profile. Serves as feedback to the effect of changes in portfolio composition and risk policies (e.g., increasing % of hospice).
  • 26. ERM IMPLEMENTATION OVERVIEW: STEP 3 26 Risk Response/Management Key Elements • Understand key controls/risk management activities that currently exist to address key risks, as well as gaps. • Define key risk indicators (KRIs) and risk tolerance levels. • Develop risk reports/dashboards and present information to executive management and the board. Key Outputs for XYZ • Key risk indicators for key risks. • Risk reports/dashboards.
  • 27. ERM IMPLEMENTATION OVERVIEW: WHAT DO WE DO WITH RISK? 27 Eliminate risk by preventing exposure to future possible events from occurring. Avoid Maintain the risk at its current level. Accept Implement policies and procedures to lower the risk to an acceptable level. Reduce Shift the risk to a financially capable, independent counterparty. Share • Divest • Prohibit • Stop • Screen • Eliminate • Target • Retain • Reprice • Self-Insure • Offset • Disperse • Control • Respond • Diminish • Isolate • Test • Improve • Relocate • Redesign • Diversify • Insure • Reinsure • Hedge • Transfer • Outsource • Securitize • Indemnify
  • 29. ERM APPROACH 29 Identifying, understanding and evaluating an organization’s most significant risk areas will set the foundation for a robust ERM program. The diagram below outlines an effective and proven approach to building ERM capabilities that will ultimately: • Enhance corporate governance. • Align and integrate varying views of risk and risk management. • Respond to the changing business environment. Planning Facilitating Risk Discussion Risk Analysis External Verification Management Review Gap Assessment Coordination and Oversight The following pages detail each component of this ERM approach.
  • 30. PLANNING 30 • Meet with ABC’s ERM project sponsor to confirm the scope and risk management objectives (including guidelines for defining “catastrophic” risks). • Leverage ABC corporate audit’s risk model and confirm that it includes the necessary environment, process and information for decision-making risk categories. Adjust the model as necessary. • Identify a cross-section of leaders within each business/region/function to participate in a facilitated risk discussion (workshop). If necessary, there may be multiple workshops within each business, region and function. • Conduct interviews with workshop participants to better understand key risk areas within each business/region/function and to verify that the necessary risk categories are included in the risk model. Complete these interviews prior to conducting the facilitated risk workshops. • Distribute the risk model to attendees prior to conducting each workshop to set the foundation for a common risk language. • ABC-specific risk model (inclusive of key risk categories) Activities Output/Deliverables
  • 31. FACILITATING RISK DISCUSSION 31 • Conduct facilitated risk discussions to evaluate the inherent significance and likelihood of identified risks. Using real-time, anonymous voting technology, identify ABC’s top nontraditional, catastrophic risk categories. − Facilitated workshops provide an effective and efficient approach to holistically evaluating an organizational risk. Participants can discuss and verify issues and facts and reach meaningful conclusions that ultimately enhance risk management capabilities. • Gather initial input on the top risk categories to begin the process to identify specific events and/or scenarios that cause each category to have an elevated priority. • A prioritized list of risk categories within each business/region/function • Information on risk-specific events and/or scenarios that could significantly impact ABC Activities Output/Deliverables
  • 32. RISK ANALYSIS 32 • Explore the specific events within each top risk category that could have a significant or catastrophic impact on ABC. Evaluate these events in the context of broad organizational impact to identify the discrete risk points within each risk area (i.e., catalog the Level 2 and Level 3 risks). − Example: If “Illegal Acts” is identified as a top risk category, outline and document the specific illegal acts that would cause the most damage to ABC. It may be necessary to approach these risks using a worst-case scenario. • Identify an expert panel of ABC management relevant to each of the top five to six risk categories and facilitate discussions to identify potential risk events/scenarios within each top risk category. Confirm that the agreed-upon events are ABC-specific and adequately describe how each would contribute to a potentially catastrophic outcome. • Consolidate and prioritize the top events in each of the priority risk categories from each of the expert panel workshops. • Documentation of ABC’s prioritized catastrophic risks supported by specific events and supporting explanations Activities Output/Deliverables
  • 33. EXTERNAL VERIFICATION 33 • Identify external resources with expert perspectives on industry and risk management topics. • Distribute ABC’s consolidated risk universe and solicit feedback. • Discuss external feedback with business/region/function leaders and adjust the risk universe as necessary. • An updated universe of ABC’s most critical risks that incorporates feedback from external experts Activities Output/Deliverables
  • 34. MANAGEMENT REVIEW
    Activities
    • Discuss the prioritized list of critical risks with members of ABC’s executive leadership team. Solicit feedback and update the risk list as necessary.
    • Develop summary materials to communicate ERM activities and results to the board.
    Output/Deliverables
    • A finalized list of ABC’s top risk areas
    • A board-level reporting summary
  • 35. GAP ASSESSMENT
    Activities
    • Through a discussion and documentation review, evaluate ABC’s current capabilities to manage the identified risk categories and potential risk events/scenarios.
    • Identify risks that may not be adequately controlled and perform a gap analysis.
    • Communicate gaps and confirm them with business/region/function leaders.
    Output/Deliverables
    • A summary of risk management activities to address ABC’s top risk areas, including process gaps and associated recommendations
  • 36. COORDINATION AND OVERSIGHT
    • Communication between management and each business/region/function is of paramount importance to successfully complete this ERM initiative. In coordination with management, the risk management project team will have responsibility for overseeing all engagement activities.
    • Senior members of the risk management project team will coordinate ERM activities throughout the entirety of this project.
    • The risk management project team will facilitate risk workshops, summarize workshop results, identify and introduce external experts, and present the results to management.
    • As necessary, the risk management project team will be available to assist with preparing and/or presenting relevant materials to the board.

Editor's notes

  1. Risk Appetite (resource allocation): “Management looks to align organization, people, processes and infrastructure to facilitate successful strategy implementation and enable the entity to stay within its risk appetite.”
  2. Enterprise risk management requires XYZ to take a portfolio view of risk: Organizations typically manage risk within silos, which ignores cross-functional impacts. A portfolio view requires increased communication to manage the business.
  3. “Buy-in” is more than just “pronouncements from on high” that ERM is valuable. Demonstrating a belief in ERM’s value is critical. Having executives show up in person to an ERM training session can have significantly more impact than just having them send a supportive email to the entire company (although that, too, is important). Also, the demonstrated buy-in needs to be sustained, so staff should hear from executives on ERM throughout the implementation effort. The inability to demonstrate value is often connected to the failure to identify “quick wins” as part of the process. Because ERM implementation can take time, not taking advantage of every opportunity to achieve and communicate quick successes can drain the energy from the entire effort. The final bullet should receive some attention because ERM is not a “project.” It is a process, a discipline that the company is committing to that will change the way that it thinks about and manages risk. For ERM to be successful, it needs to become part of the lifeblood of the company and integrated into all activities and functions within the organization.