
The Top-Down Approach to Risk Management and Internal Control




  1. The Top-Down Approach to Risk Management and Internal Control For CFIT, FEI – June 15, 2006 – Malcolm Schwartz – CRS Associates LLC

  2. The Agenda
  • Some personal background
  • The key issue
  • The top-down approach to risk management and internal control
  • A demonstration of the top-down internal control and risk management template
  • Discussion

  3. Some Personal Background
  • Prior to COSO
    • Operations and controllership, joining at controls and risk management
    • Design and implementation
  • COSO IC-IF and following
    • Input as a controls executive and consultant
    • Practitioner and applier, for over 10 years before SOX
    • Developer and refiner of approach, tools and template
  • Today
    • The current COSO guidelines – values, and concerns
    • Consulting, speaking, writing, and applying

  4. The Key Issue – Operations Benefit, or Compliance?
  • Compliance
    • A narrow agenda
    • A limited involvement
    • Difficulty in identifying benefit relative to cost
  • Operations benefit
    • A broader agenda
    • A more integrated approach
    • Greater involvement
    • Lower net cost -- higher design cost, lower implementation and maintenance cost
    • Greater business benefit
  • It’s “your” choice

  5. The Top-down Approach to Risk Management and Internal Control – for Operational Benefit While Enabling Compliance
  • Begin by addressing managerial issues; tailor a template
    • Having a business-process focus tied to business planning, to integrate management and governance with operations and transactions processes
    • Beginning with an aggregated risk assessment, to reduce effort to what is important
    • Using a process, rather than a financial-accounts, point of view, to integrate documentation and tools and to reduce the cost of documentation
    • Relying on ongoing monitoring to test the performance of controls, to reduce the cost of separate testing
  • Then – and only then – provide the right systems support

  6. Having a Business-Process Focus Tied to Business Planning, to Integrate Management and Governance with Operations and Transactions Processes
  • Deal with uncertainty in business planning
  • Continually address risk and related assumptions
  • Focus on business purpose and not just compliance
  • Emphasize process activities in business planning
  • Start with an integrative business model
  • Focus on work and results, and then accounts
  • Use the COSO Framework, as designed and intended
  • Use bottom-up design for top-down planning, to connect design to what people do
  • Integrate risk and controls management, and improvement opportunities, into business planning

  7. Beginning with an Aggregated Risk Assessment, to Reduce Effort to What is Important
  • Integrate risk management into business management
  • Use a bottom-up, process-based design as a way to get to top-down risk assessment
  • Relate risks to activities in process, and then to financial statement accounts
  • Relate risks to measurable outputs of activities
  • Aggregate activity and process outcomes into a top-down risk assessment -- quantify, and preferably monetize
  • Document based on risk priorities
    • Only about one-fifth of operations activities merit documentation
  • And, document control activities

  8. Using a Process and Not a Financial Accounts Point of View, to Integrate Documentation and Tools and to Reduce the Cost of Documentation
  • Use a comprehensive process design and documentation technique – such as IDEF
  • Incorporate transaction/operations, management and governance processes
  • Avoid spreadsheet and checklist documentation
  • Incorporate fraud management
  • Reduce duplication and overlap, and maintenance cost
  • Link process-centric documentation with risk management and with financial statement accounts
  • Use the process-activity approach to identify improvement opportunities and needs
  • Capture process and activity characteristics

  9. Relying on Ongoing Monitoring to Test the Performance of Controls, to Reduce the Cost of Separate Testing
  • Integrate managing and monitoring
  • Build accountability for monitoring into people’s sense of responsibility
  • Measure what is monitored
  • Use key control indicators (KCIs) – accuracy, completeness, compliance, timeliness
    • Correlate KCIs with statements of assertion
    • Report KCIs to target
    • Enable segment analysis of KCIs
  • Address problems as they occur
  • Reduce the scope, and cost, of separate evaluations

  10. Supporting a Cost-Effective and Management-Centric Design with Software that Integrates Controls and Risk Management with Process and Business Management and Monitoring
  • For example, to support cost-effective monitoring
    • Documenting accountabilities, and relating them to position descriptions
    • Identifying KCIs, and capturing the information for recording and calculating them
    • Reporting baseline, target and current performance, in control charts and dashboards
    • Recording and reporting monitoring actions
    • Notifying auditors of the state of ongoing monitoring
  • Similar features can be identified for business planning, risk management, and process documentation
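Slides 9 and 10 describe KCI-based monitoring in outline: measure each transaction against the four indicators, tie each indicator to the assertion it supports, report by segment against a target, and act on shortfalls as they appear. The following is an added example of that loop in code; it is not the author's template or software, and the field names, segments, targets, the KCI-to-assertion mapping and the sample transactions are all constructed assumptions for illustration.

```python
"""Added example: key control indicators (KCIs) computed over a constructed
batch of transactions, reported against targets by segment, with shortfalls
turned into monitoring actions. Not the author's template or software; every
field name, segment, target and mapping below is an assumption."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# The four KCIs named in the deck, each tied to the financial-statement
# assertion it gives evidence for (mapping assumed for illustration).
ASSERTION_FOR_KCI = {
    "accuracy": "amounts recorded correctly (accuracy / valuation)",
    "completeness": "every transaction that occurred is recorded (completeness)",
    "compliance": "transactions authorised under policy (occurrence / authorisation)",
    "timeliness": "transactions recorded in the right period (cut-off)",
}

# Assumed targets a controller might set per KCI (pass rate, 0..1).
TARGETS = {"accuracy": 0.98, "completeness": 0.98,
           "compliance": 0.95, "timeliness": 0.90}


@dataclass
class Txn:
    txn_id: str
    segment: str              # reporting segment, e.g. a plant or business unit
    amount_recorded: float    # amount in the ledger
    amount_source: float      # amount on the source document
    approver: Optional[str]   # None: no approval on record
    posted: Optional[date]    # None: not yet posted to the ledger
    period_cutoff: date       # last date on which posting counts as timely


def kci_checks(t: Txn) -> Dict[str, bool]:
    """Pass/fail on each KCI for one transaction."""
    return {
        "accuracy": abs(t.amount_recorded - t.amount_source) < 0.005,
        "completeness": t.posted is not None,
        "compliance": t.approver is not None,
        "timeliness": t.posted is not None and t.posted <= t.period_cutoff,
    }


def compute_kcis(txns: List[Txn]) -> Dict[str, Dict[str, float]]:
    """KCI pass rates per segment, plus an 'ALL' roll-up across segments."""
    tallies: Dict[str, Dict[str, List[int]]] = {}
    for t in txns:
        for seg in (t.segment, "ALL"):
            bucket = tallies.setdefault(seg, {k: [0, 0] for k in ASSERTION_FOR_KCI})
            for kci, ok in kci_checks(t).items():
                bucket[kci][0] += int(ok)   # passes
                bucket[kci][1] += 1         # population
    return {seg: {k: passed / n for k, (passed, n) in b.items()}
            for seg, b in tallies.items()}


def exceptions(kcis: Dict[str, Dict[str, float]],
               targets: Dict[str, float] = TARGETS) -> List[Tuple[str, str, float, float]]:
    """(segment, kci, actual, target) for every KCI below target, largest shortfall first."""
    below = [(seg, kci, actual, targets[kci])
             for seg, vals in kcis.items()
             for kci, actual in vals.items() if actual < targets[kci]]
    below.sort(key=lambda e: e[3] - e[2], reverse=True)
    return below


def monitoring_actions(excs: List[Tuple[str, str, float, float]]) -> List[str]:
    """One follow-up line per exception, naming the assertion put at risk."""
    return [f"{seg}: {kci} at {actual:.1%} vs target {target:.0%} "
            f"-- review; assertion at risk: {ASSERTION_FOR_KCI[kci]}"
            for seg, kci, actual, target in excs]


# Constructed sample: two segments, one period ending 30 June 2006.
CUTOFF = date(2006, 6, 30)
SAMPLE = [
    Txn("E-1", "Plant-East", 100.00, 100.00, "jdoe", date(2006, 6, 10), CUTOFF),
    Txn("E-2", "Plant-East", 250.50, 250.50, "jdoe", date(2006, 6, 20), CUTOFF),
    Txn("E-3", "Plant-East", 80.00, 80.00, "asmith", date(2006, 7, 2), CUTOFF),   # posted late
    Txn("E-4", "Plant-East", 12.25, 12.25, "asmith", date(2006, 6, 29), CUTOFF),
    Txn("W-1", "Plant-West", 500.00, 500.00, "rlee", date(2006, 6, 15), CUTOFF),
    Txn("W-2", "Plant-West", 500.00, 50.00, "rlee", date(2006, 6, 15), CUTOFF),   # keying error
    Txn("W-3", "Plant-West", 75.00, 75.00, None, date(2006, 6, 16), CUTOFF),      # no approver
    Txn("W-4", "Plant-West", 40.00, 40.00, "rlee", None, CUTOFF),                 # never posted
]

if __name__ == "__main__":
    kcis = compute_kcis(SAMPLE)
    for seg, vals in kcis.items():
        print(seg, {k: f"{v:.1%}" for k, v in vals.items()})
    for line in monitoring_actions(exceptions(kcis)):
        print(line)
```

The per-segment roll-up is what makes the "segment analysis" on slide 9 possible: in the sample the company-wide accuracy rate of 87.5% hides that every accuracy failure sits in one plant, which is where the follow-up belongs. A real deployment would feed the ledger extract in place of `SAMPLE` and keep the previous period's rates as the baseline column of the control chart mentioned on slide 10.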

  11. A Demonstration of the Top-down Internal Control and Risk Management Template
  • An integrated and comprehensive template, to be tailored
  • Process and activity documentation
  • Intelligent software for documentation and analysis
  • A focus on inputs and outputs
  • Activity characteristics
    • For analysis, and reporting
    • To manage documentation, testing, and auditing
  • Performance reporting
  • Results – three to six person-months to tailor, install and test; and about $25k for software, for a $75MM NASDAQ registrant

  12. Discussion
  • Questions?
  • Answers
  • Call or write
    • malcolm@crsassociatesllc.com
    • 908-273-6967