CalPERS Risk & Audit Committee – June 17, 2014

CalPERS Risk & Audit Committee – June 17, 2014


CHAIRPERSON DIEHR: Secretary, please call
the roll. COMMITTEE SECRETARY COOPER: George Diehr?
CHAIRPERSON DIEHR: I’m here. COMMITTEE SECRETARY COOPER: Ron Lind?
VICE CHAIRPERSON LIND: Here. COMMITTEE SECRETARY COOPER: Michael Bilbrey?
COMMITTEE MEMBER BILBREY: Present. COMMITTEE SECRETARY COOPER: Rob Feckner?
COMMITTEE MEMBER FECKNER: Good morning. COMMITTEE SECRETARY COOPER: J.J. Jelincic?
COMMITTEE MEMBER JELINCIC: Well, if George is
here, I must be. (Laughter.)
COMMITTEE SECRETARY COOPER: Priya Mathur? COMMITTEE MEMBER MATHUR: Here.
COMMITTEE SECRETARY COOPER: Bill Slaton? He’s excused.
CHAIRPERSON DIEHR: Excused. Thank you. All right. Ms. Eason, Executive Report.
CHIEF FINANCIAL OFFICER EASON: Good morning. And thank you Mr. Chair and Committee Members.
Cheryl Eason, CalPERS staff.
The first action agenda item today is the annual
review of the Risk and Audit Committee’s delegation. The
delegation has been updated for the Committee’s consideration, and there will be further discussion
on this item later in the agenda.
But as we begin the transition to the closing of
the 2013-14 fiscal year at the end of this month and
looking forward to the start of the next fiscal year,
2014-15, there are several plans being presented today for
your review and recommendation, including the two-year
plans for the Office of Audit Services, Risk Management,
Compliance, as well as the annual external auditor’s plan.
Additionally, staff will present the enterprise risk reports that includes a refreshed risk
dashboard, displaying our enterprise-wide risk assessment
results, a review of the top risks, and the impact of
these results on the strategic objectives.
You will hear details outlining the assessment of
the risks where their have been shifts in those risk
ratings, both positive and negative, and the mitigation
steps being taken to address our risk results. Looking forward to September’s Committee meeting,
staff will be presenting the Parallel actuarial valuation
services Request For Proposal and the 2013-14 annual
compliance report. Thank you, Mr. Chair. This concludes my report.
I’d be happy to take any questions. CHAIRPERSON DIEHR: Seeing none.
Before we move on to the next item, I’d like to
take a moment here of personal privilege. With the recent
departure of Gary Bush, Chief Compliance Officer, and the
upcoming departure of our Chief Risk Officer, Larry
Jensen, the Risk and Audit Committee would like to take
this opportunity to recognize the contribution of both of
these managers. Gary Bush joined CalPERS in July 2012 and
was instrumental in the development of the Compliance
Program for CalPERS. Gary’s contributions are greatly
appreciated and we wish him well in his new assignment
as the first Chief Financial Officer for the California
Prison Industry Authority.
Let’s see, is Gary here? Well, we’ll give him applause anyway.
(Applause.) CHAIRPERSON DIEHR: He’s — maybe he’s watching.
Yes. Larry, has been serving as our Chief Risk
Officer since March of 2011, prior to that served
in a number of leadership capacities. He first joined CalPERS
almost 20 years ago in the Office of Audit Services
in 1995 and became CalPERS Chief Auditor in 2002.
More recently, as CalPERS Chief Risk Officer, Larry was instrumental in the development
of the Enterprise Risk Management Program and a critical
partner on the personal trading regulation. We appreciate
the opportunity to personally thank Larry for
his many years of service to CalPERS before he embarks on
his new role as CalSTRS Chief Auditor effective on July the
1st. Thank you both for all your contribution to
CalPERS, and on behalf of the Risk and Audit Committee, I
extend our congratulations. (Applause.)
CHAIRPERSON DIEHR: All right. That brings us to
Agenda Item 3, action consent items. Approval of the
March 17 meeting minutes. Is there a motion?
COMMITTEE MEMBER BILBREY: Move approval. VICE CHAIRPERSON LIND: Second.
CHAIRPERSON DIEHR: Moved by Bilbrey and seconded.
All in favor with aye? (Ayes.)
CHAIRPERSON DIEHR: Opposed? Item 4, Information Consent Items. I have
no requests to pull any items out. And seeing
none, so we’ll move to Agenda Item number 5, Action Agenda
Items, 5a Review of the Risk and Audit Committee Delegation.
Ms. Eason. CHIEF FINANCIAL OFFICER EASON: Thank you,
Mr. Chair. I’d also like to thank Gary and Larry
for their valuable contributions to the Compliance and
Risk Programs respectively, and wish them all the best.
We will be hearing from Larry later in the agenda, so
he’s not getting away without at least one more presentation
today. (Laughter.)
CHIEF FINANCIAL OFFICER EASON: Included in the
agenda item for 5a, staff are recommending proposed
changes to the Risk and Audit Committee delegation. In
addition to edits providing greater clarity and some
elimination of duplication, I wish to draw your attention
to a suggested word change subsequent to the release of
this agenda item starting on page 50 of 135 of the agenda
item on the iPad. On line item (B)(4), it has been suggested
that the word “activities” be added to the end
of line (B)(4) for further clarity. Therefore reading as,
“Approve, as required, and oversee actuarial, external,
financial, internal, and real estate audits and reassurance
activities”. Another item more notable is the line item
(B)(13), page 51 of 135 on the iPad, adding the
responsibility to the Committee to conduct the selection
of the external actuary engaged in performing parallel
valuations and other actuarial reassurance functions.
The proposed delegation is consistent with the
Committee’s delegation to approve and oversee actuarial
reassurance, which they currently do. This addition is to
address the selection of that actuary. I wish to point out that the Board of
Administration still reserves the power to conduct the
selection of the Board’s actuary. I’d be happy to take any questions on this
item. CHAIRPERSON DIEHR: Thank you.
Seeing no requests on this item. It is an action
item. We need a motion. VICE CHAIRPERSON LIND: Move approval.
COMMITTEE MEMBER MATHUR: Second. CHAIRPERSON DIEHR: Moved Lind, second Mathur.
Any — Mr. Jelincic. COMMITTEE MEMBER JELINCIC: We have gone through
a whole series of changes to delegations. It was common
language that was added to every committee. Did it ever
get added here? CHIEF FINANCIAL OFFICER EASON: Common language
added to this particular item? COMMITTEE MEMBER JELINCIC: Yeah. Every
Committee’s delegation got changed to add some specific
language about referencing back to the Board. And I’m
wondering if this Committee ever had its delegation language changed. I notice it was not in the
last meeting.
CHIEF FINANCIAL OFFICER EASON: Thank you. No.
This Committee has the overall delegation — or has the
overall delegation for overseeing of risk. What was added
to the previous committees was their responsibilities as
it relates to risk, so that’s why those items were added
to the other committees. COMMITTEE MEMBER JELINCIC: Okay. Thank you.
CHAIRPERSON DIEHR: Ms. — okay. All right. I
see no further requests to speak. All in favor motion with aye?
(Ayes.) CHAIRPERSON DIEHR: Opposed, nay?
Motion passes. All right. Agenda Item 6, Audits, 2014-16
Audit Plan, Office of Audit Services.
Ms. Junker. CHIEF AUDITOR JUNKER: Thank you, and good
morning, Mr. Chair and members of the Committee. I’m
Margaret Junker, CalPERS staff. And this is Item 6a.
This is an action item. The 2014-16 audit plan for the
Office of Audit Services. Staff’s recommendation is to
approve the proposed audit plan for fiscal years 2014-15
and 2015-16. So the background on this is under internal
auditing standards. It’s the Chief Auditor’s responsibility to establish a risk-based plan
to determine the priorities of the internal audit activity
consistent with the organization’s goals. The Risk and
Audit Committee’s delegation of authority provides
for approval of the annual audit plan.
The Office of Audit Services plans and performs our risk assessment every year, and includes
management and Board input as required by our auditing
standards. Attachment 1 to this agenda item shows our
detailed plan. And Attachment 2 provides a graphical overview
of the risk assessment inputs and process.
So as a quick overview, Office of Audit Services has two main areas that we focus on. One is
contracting public agencies, and the other is internal
audits. So first of all, for contracting public agency
risk assessment, that’s described on page two of
the agenda item itself. As you may know, we have approximately
3,000 contracting public agencies that contract
with CalPERS for retirement benefits. And we plan approximately
90 audits of these agencies this year, where we’ll review
their compliance with membership enrollment and
payroll reporting laws and regulations.
We plan to specifically focus on agencies that
have never been reviewed by our office yet, and that are
considered high risk. And that we also will select a few
agencies based on random selection in response to special
requests from management or from the agencies, and on any
kind of other information we may receive during the course
of the year. Now, for internal audits, which is our other
main area, this is described on pages two to three
of the agenda item. We perform audits all over many
areas of CalPERS, including retirement, health, investments,
information technology, fiscal, operations support
services, and so on. And our audits, which are risk based, look
at various aspects of internal operations, including
reliability and integrity of financial and operational
information, safeguarding of assets, including information
assets, and compliance with laws, regulations, and
contracts. Our audit plan also includes a block of time
for ad hoc and unanticipated requests that come
up during the course of the year.
And again, the detailed audit plan is attached as
Attachment 1. And that concludes my presentation. I’m
happy to address any questions. CHAIRPERSON DIEHR: Mr. Jelincic.
COMMITTEE MEMBER JELINCIC: A couple of years ago, this Committee looked at you and said,
you know — at that point, you were doing 45 reviews a year.
We said is that really enough? And now we’ve gotten up
to 90, and that’s twice as good. But let me again ask
the question, is that really enough, given 3,000 agencies
to keep people on their toes? And if you think you need more,
I’d like you to share that with us. And if you need
more, I’m sure this Committee will support you, and Finance,
getting you more staff.
CHIEF AUDITOR JUNKER: Thank you. It is hard to
know exactly what the right number of agencies is. I
think it might be worth looking at expanding in the
future. We just got the staff that we got in the last
couple of years have — we’ve just not gotten those all
filled. We had some pretty high levels of turnover the
earlier half of this year. So we have — we’re staffed up now, and so
we’re trying to move forward and get that established,
but after we get going, I’d say another fiscal year,
I think it might be worth looking at expanding and doing
some more. COMMITTEE MEMBER JELINCIC: Okay. Because I’m
sure this Committee will support you, because, you know,
three percent — you know, if I’m Bell, I will take my
odds there. Thank you.
CHIEF AUDITOR JUNKER: Thank you. CHAIRPERSON DIEHR: Related to that, it occurred
to me, it might be useful to have a chart, a table, a
historical showing the number of audits by various
breakdowns, and maybe even a projection of what you would
like — or you’d like to go next year, when you do this
again. Mr. Boyken.
ACTING BOARD MEMBER BOYKEN: Thank you. The question that J.J. asked is a question the
Treasurer asks all the time. But one thing I think is important
to keep in mind, I think over the last few years we
have a lot more ways to review compensation with the
my|CalPERS system. So it’s not — you can’t just look
at the number of audits and say that’s the only thing that
we’re doing in that respect.
But I had a question about the 2015-16. I notices the pharmacy benefit manager is up
for being audited. And I just wondered, have we — do
we have that on a regular cycle? Have we audited the current
pharmacy benefit manager?
CHIEF AUDITOR JUNKER: We do have them on a regular cycle, and — I’m sorry. I’m getting
information from staff. We do have them on a regular cycle
to do the pharmacy benefit manager.
ACTING BOARD MEMBER BOYKEN: Okay. I just wondered, because that — I can’t remember
exactly, but I think that’s pretty much toward the end of
their contract period, and so I just wondered if we had done
that before? CHIEF AUDITOR JUNKER: Sorry. We have the
information coming for you. SUPERVISING MANAGEMENT AUDITOR MILLER: Hi.
Phyllis Miller CalPERS staff. We did an audit of the pharmacy benefit manager
a couple years ago. It was probably about — maybe about
four years ago. And we usually have to come — we have to
work with Health as far as financing that, because it’s
funded differently. ACTING BOARD MEMBER BOYKEN: Thank you.
CHAIRPERSON DIEHR: Ms. Mathur. COMMITTEE MEMBER MATHUR: Thank you.
Yeah, I’m wondering how much of a — as you go
through the public agency audits, how much of a sort of —
how much you look back and say okay, are we getting the
same kind of issue coming — arising, and when did they
start? Like I’m wondering how much of it stems back to
when an agency first signs up with CalPERS and sort of a
very long-standing problem. So maybe we should be
auditing employers earlier in their life with us to avoid
having, you know, these problems build and become huge
untenable problem or how many of them just occur over —
you know, there’s some incident sometime along their life
with CalPERS. Do you have a sense of that? CHIEF AUDITOR JUNKER: Yes. We did get some
feedback from public agencies that requested us to come in
after they’ve been members for a few years just in case
they are engaging in a practice that is not compliant with
the laws or rules. And so that is one of our plans to try
to identify those agencies and go in and look at them
after they’ve been up and — you know, within membership
for a few years. I think that’s really good feedback and
it’s not something we had really particularly considered
before. COMMITTEE MEMBER MATHUR: And also if we find
— I’m sorry. I didn’t mean to interrupt you
if you had other things.
CHIEF AUDITOR JUNKER: I’m sorry. As far as the
types of findings, I’d say there’s sort of a core of five
or six kinds of findings that we have very frequently, and
that recur quite regularly, but we’re also finding that
we’re having some more — a lot more complex and kind of
difficult to unwind types of findings. So it’s kind of
both I’d say. COMMITTEE MEMBER MATHUR: So are we taking
the information that we learn from the audits
and translating that into communications or other efforts
to ensure that those types of problems don’t continue?
CHIEF AUDITOR JUNKER: Yes. One thing we’re doing is we are having some of the Audit staff
as well working with comp review going at the Ed Forum
this year, and have a couple of sessions to inform employers
on what the common findings are and how to avoid those.
And additionally, I recently participated in a
webinar with the California Society of Municipal Finance
Officers. And so that had probably believe more than 300
participants. And we talked about what the common audit
findings were. And I think it was pretty well received.
And I think there — people kind of learned things that
they didn’t really know before, so — COMMITTEE MEMBER MATHUR: Well, I think that’s
great. It seems like there is a need for even more. I
mean, I wonder if — you know, if we’re finding — having
more findings with smaller agencies or versus larger
agencies. I imagine that the smaller agencies have a
harder time sending people to the Ed Forum. I don’t know
if that’s the case, but, you know, maybe — so trying to
find these alternative ways of communicating with the
employers and maybe even requiring employers to have a
certain number of training hours per year or something
around those issues that are particularly pervasive would
be useful. That’s maybe something we should consider.
Maybe you already are. DEPUTY EXECUTIVE OFFICER LUM: Good morning.
Donna Lum, CalPERS staff. Just to add to what Ms. Junker
has provided to you in terms of some of the things that we
are doing as well in the program areas as we are reviewing
the audits, we do look at the audit findings. We do see
that there are some similar findings that cross multiple
employers. And so some of those are publicly available,
pay schedules, working after retirement. And so more recently, we have been reaching
out either through our circular letters or our
education programs with our employers, as well as the
recent employer response dialogues that we are hosting
at all of the regional offices, and we do highlight
some of the areas in which not only that we find audit
issues in, but where we feel that stronger more intense education
is needed.
We also look at if we have a similar finding within the same employer or group of employers,
we do reach out more directly, and we are doing
a lot more extensive education than we have in the past.
So the short answer is yes we’re looking at those
trends, and we are looking at ways and implementing currently
some ways to do some more proactive outreach and education,
so that we can minimize the same types of findings
from recurring. COMMITTEE MEMBER MATHUR: Good, because what
I’m particularly concerned about are findings
that then have an adverse impact on our members. I mean,
that is what we want to avoid. So to the extent that we can
prevent that or help prevent that by ensuring that employers
understand what their responsibilities are and what the
rules are in advance, that’s so much the better, or catch
it early, so much the better.
All right. Thank you. CHAIRPERSON DIEHR: All right. I have no further
requests to speak. We — it’s an action item. We need a
motion from? COMMITTEE MEMBER MATHUR: Move approval.
CHAIRPERSON DIEHR: Mathur. Second?
COMMITTEE MEMBER BILBREY: Second. CHAIRPERSON DIEHR: And seconded.
Any further discussion? Seeing none.
All in favor with aye? (Ayes.)
CHAIRPERSON DIEHR: Opposed, nay? Motion passes. Move to Agenda Item 6b, External
Auditor’ 2014 Annual Plan. I’ll call on Rick Green of
Macias, Gini & O’Connell with introductions by Margaret
Junker. CHIEF AUDITOR JUNKER: Thank you, Mr. Chair.
Margaret Junker, CalPERS staff. And this is Agenda Item
6b. This is also an action item. And staff’s recommendation is to accept the external auditor’s
annual plan for the audit of the financial statements
as of and for the year-ended June 30th, 2014.
I have the pleasure today to introduce our engagement partner, Rick Green, to my left,
and our director of engagement, Debbie Chan, who’s
seated to my right.
And this is the second year that we’ve had the
external financial statement auditor come and present
their annual plan to the Risk and Audit Committee. It
provides an opportunity for the Committee to hear from the
auditor up front at the beginning of the audit, to become
familiar with the planned financial statement audit, and
to ask any questions you might have of the auditors.
So with that, I’d like to turn it over to Rick
Green. MR. GREEN: Thank you, Margaret.
Mr. Chair, members of the Committee, I want to
thank you for the opportunity to present our service plan
for the year. This discussion is the first of multiple
discussions that will occur during the course of the year
in which we perform the audit of the June 30th, 2014
financial statements. I will have formal meetings such as
this and also individual meetings with certain members of
the Committee on an as-needed basis. That is part of the audit process, all with
the intent of communicating clearly the audit
process as we are going to discuss today, but also the status
of the audit as we’re going through it, and then
the results of the audit thereafter.
To begin with, I’d like to bring your attention to page nine of 25 of the document before
you, and speak briefly on the engagement team that will be
serving CalPERS this year. There will be two partners,
as Margaret indicated. I’ll be the engagement
partner responsible for ensuring that the audit is
performed in accordance with the professional standards
and meet all client service expectations.
And then there will be a second partner. This partner is Caroline Walsh. She is new to the
engagement. She will be responsible for ensuring quality
control, and primarily dealing with technical matters,
ensuring that we meet the — or address the more technical
issues associated with the audit in accordance with
the professional standards. Caroline is our national
liaison to the standard setters. She participates
on various committees with GASB, the accounting standards
board for government accounting standards, as well as
the AICPA. In addition to the two partners, we’ll have
three directors, two — all three of these directors
are long time directors on the engagement and have
deep experience with serving public employee retirement systems,
as well as the institutional knowledge for CalPERS.
Our audit team will be supplemented by three auditor specialists, two actuaries, and one
actuary will be working specifically with the defined benefit
pension plan — plans, and then another actuary will
be working with the OPEB. And then we’ll have the — excuse
me, the third actuary – there were three actuaries
– that will be addressing the health and long-term care liabilities.
Our professional standards allow and suggest strongly that auditors use specialists when
we deal with areas within the financial statement reporting
that go outside our areas of expertise. So when it
comes to the underlying actuarial information that may
reside in the financial statements or have a significant
impact to the organization in the reporting process that
we bring these people on. So these individuals will supplement
the expertise being brought forth by the core
audit team. In addition to the individuals I already spoke
to, we’ll have a manager and various assurance associates.
Next, I’d like to turn your attention to the audit timeline, which is on page 12 of 25.
This is just a very high level timeline, but it’s broken
down into the planning and execution, and then the report
issuance phase, and then finally the presentations
again to the Risk and Audit Committee.
The planning has already begun, and we’ve got
various timelines here from April into June, in which this
information will be communicated. The execution of our work is broken down into
two components, the interim field work. That’s
work done prior to the year-end, that being June 30th,
and then year-end which occurs thereafter. These timelines
are consistent with those in the past. And then
finally, when we look into the report issuance areas, we
plan on issuing our reports, the independent auditor’s report
communications to those charged with the governance, which
would be you in this case here, and then our management
recommend — comments and recommendations thereafter.
The two — the independent auditor’s report and
the communications with those charged with governance will
occur in October, no later than that, and then the
management recommendation comments in February. We’ll do
our formal presentation of — to you folks in two phases.
The first is in November, and then finally in March, where
we’ll wrap up the communications specific to our comments
and recommendations related to internal controls and
operations. Again, this timing is very consistent with
that of the previous years in which we’ve reported to you.
The — I’d like to now turn your attention to
page 15 of 25. In this area here, it talks about the
audit process. Excuse me. I’ve got to get to that page.
Okay. Hold on, 15 of 25. There we go. When we talk about the audit and the audit
process, it’s broken down into three phases, the planning
phase, the execution phase, and the reporting phase. In
the planning phase is where we begin to really apply what
we call our risk-based audit approach. During this phase, we identify audit risks.
And audit risk is the risk of material misstatement
in the financial statements. And in this area here,
we focus on areas of the financial statements that we
believe have a high inherent risk of subjecting the audit
process to — to have audit — material misstatements in
the financial statements.
And in those areas or the conditions that I look
to for increased audit risk are transactions that are
complex or accounting requirements that are complex. I
also look in areas where we’ve had previous errors or
misstatements, weaknesses in the internal control process.
I look to areas where if we have new IT systems that are
significant to the financial reporting process. If you —
when you have areas where there’s a lot of voluminous
transactions or — that’s also an indicator of a condition
where you may have high inherent risk, and thus a higher
level of audit risk associated with the financial reporting.
And finally, if I see areas where there are estimates, I will also focus in those areas
as well. And some of these areas that I’ve identified,
this is not an all-inclusive list. But if you’re to look
again on page 15 of 25 in the far — in the column to the
far right where it says — entitled, “Approach to the
Critical Audit Areas”, I’ve identified some specific audit
areas that are unique and tailored to CalPERS based upon
our past experience and our preliminary assessments during
the course of the planning process. Now, once we’ve performed our risk assessment,
we respond to that risk assessment through the
design of audit procedures. And those audit procedures
in these areas that are critical audit areas are much
more robust than general audit procedures, given the nature
of the high inherent risk that it poses to us.
That doesn’t mean that the other areas of the
financial statements are not looked at. It’s just that
there is just more — there are more traditional audit
procedures that are performed in those areas, as opposed
to the areas that are critical or have high inherent risk
to us. The audit process — or excuse me, the planning
process is ongoing throughout the audit. We’re constantly
looking at information and gaining an understanding in
areas that may change our initial assessment, all in
the — with the intent of ultimately being able to perform
the procedures that are necessary in order for us to
provide an opinion on those financial statements. The second phase of the audit process is
execution. And I spoke briefly about that second ago.
That is effectively where you take the audit procedures
and you perform them in order to get appropriate and
sufficient audit evidence. And finally, the reporting
process occurs thereafter. So that is, in general, the audit process.
It is a three-phased process that is grounded in
a risk-based audit approach. Risk again being the risk
of material misstatement in the financial statements.
Conditions we look to are those conditions that present
high inherent risk of material misstatement to the financial
statements. The next area I’d like to focus your attention
on is beginning on page 18 of 25, this is kind
of a catch-all area of the communications to you. It discusses
briefly our responsibilities as part of the audit
process. Again our responsibility are to plan and perform
the audit as I’ve just described to you to provide reasonable
assurance that the financial statements are free of
material error, which means that they are also presented in
accordance with the underlying accounting standards.
As part of that process, we do look at the internal control structure we’re financial
reporting for the purposes of our risk assessment and planning.
However, we do not provide any type of assurance on the
internal control structure. That is much different than
that of the private sector, where the auditors actually
provide assurance on the internal controls, or what it
effectively means is they provide assurance that those
internal controls are operating as designed. We do not do
that in the public sector. However, our responsibilities in this area
are to obtain understanding of that control structure,
again for the purposes of designing and planning our
audit. And should we come across deficiencies in the
internal control structure, we’re required to communicate those
to you as part of the audit process.
And if you recall from last year, we had identified various significant deficiencies
in the internal control structure that we’ll be following
up on during the course of this audit.
Now, when you contrast our responsibilities to
management, management is responsible for the preparation
of the financial statements in accordance with the
underlying accounting standards. Management is also
responsible for designing, implementing, and monitoring
the internal control structure over the financial reporting process to ensure that the financial
statements are free of material error and prepared in
accordance with the underlying accounting standards. Management
is also responsible for preparing a action plan to
follow up on the deficiencies in which we note during the
course of our audit.
Now, in addition to that, there are responsibilities — I want to just give you
a feel for the internal — some of the communication protocol
that occurs during the course of our audit. We have designed
with management this year a very clear communication
protocol where our respective management teams meet
on a weekly basis to convey the status of our work. And
then we have a separate meeting with the leadership of
our respective sides, the audit team as well as in finance.
We will meet to address other more significant issues,
again on a periodic basis.
And then in addition to those communications, I
will have formal meetings with you to do the things that I
spoke earlier about, including certain one-on-one meetings
as part of the audit process. And that basically completes the communication
protocol for the audit process. I now want to turn your attention to this
section. It is page 23 of 25. These identify some recent
developments in the landscape of accounting and financial
reporting. There are three new accounting standards that
will impact the financial reporting this year. The more significant one is GASB 67. It is
the — it is one of two new pension standards you probably
heard during the course of various communications here.
Sixty-seven is again specific to the system itself. We’re working closely with management
in discussing the technical elements of the standard,
reviewing position papers that speak to the more
significant elements of that particular standard, and
again working closely to make sure that we reach the right
conclusions on the implementation of that particular
standard. The potential impacts on this standard is
the definition of the pension plan or the plan
types, how many plans you have, and then also the types of
footnote disclosures that will occur thereafter.
As you may be aware, there is another significant accounting standard that is not specific to
the system, but to the plan sponsors. That’s GASB 68.
It is effective for the year-ending June 30th, 2015.
It is very unique in the sense that in order for the
plan sponsors or the employers to adhere to that standard,
it requires a great degree of communication between the
employers and the system, because most of the information,
if not all of it, will come from the system itself in order
for the employers to implement it properly. The biggest
impact of that is that the plan employers and sponsors
will now be recording a net pension liability on their
financial statements.
Finally, the last thing I want to mention is that
we had issued again a management comments letter and
recommendations letter last March, which indicated various
deficiencies in internal control. We have actively met
with leadership of CalPERS, and are working closely to do
what we can to assist management in addressing those and
rectifying those issues. So hopefully, when I report to
you at the end of this audit, the corrective action plan
that is set forth by management will be fully implemented.
With that, that completes my presentation. CHAIRPERSON DIEHR: All right. Thank you, Mr.
Green. Any comments, Margaret, on what they’re doing?
CHIEF AUDITOR JUNKER: I don’t have any additional comments.
CHAIRPERSON DIEHR: All right. We have Mr. Jelincic.
COMMITTEE MEMBER JELINCIC: I like the report, you know, because it kind of lays out the
whole audit process. But one of the things that I was
wondering is how much of that is boilerplate? Obviously,
the teams and the timelines are different. You identified
the approach to critical areas as an area that was unique
to us. What else is not really boilerplate. MR. GREEN: Well, in — when you say boilerplate,
a lot of the communications that I’m — that we’re — or a
lot of the ideas in which we’re communicating to you are
grounded in the underlying accounting standards, so by
virtue of that, it’s going to be, what you would call,
boilerplate is standard language. This is intended to not be a detail out the
specific audit plan that we use to execute the audit, but
rather give you a general idea of where we’re going in
critical areas of the process, you know, the service team,
the timelines, you know, the — you know the audit
approach from a risk-based perspective, and then give you
some details as to what we see as a response to that risk
assessment. So it is intended to be general in some respects, because it is information that we are required
to convey to you by virtue of the underlying — or the
accounting — or the audit standards with some detail that
is tailored specific to CalPERS.
COMMITTEE MEMBER JELINCIC: Okay. MR. GREEN: So it’s supposed to have a little
bit of both.
COMMITTEE MEMBER JELINCIC: Yeah. And when I use
boilerplate, it’s not necessarily judgmental. You know,
there’s a reason boilerplate becomes boilerplate, because
it’s things — MR. GREEN: Yeah.
COMMITTEE MEMBER JELINCIC: So other than the approach to critical areas, is any of this
really — and obviously the team is — any of this really
specific to us? And the other question I have is what’s
going to be different about this year’s audit than last
year’s? MR. GREEN: Well, there’s quite a bit that’s
going to be different from this year’s audit to last
year’s — or from last year’s to this year’s. It’s in the
of IT predominantly. We’re going to be looking at more
applications that are specific to the financial reporting
system. We’ll be doing quite a bit of follow up on the
my|CalPERS area, but I’m leaving it up to our IT and
consulting specialist to identify some areas that we think
would be critical to look at to supplement the work that
we’ve done in the past. And then that individual, that
director, will be reporting to me to get my concurrence,
along with the other partners. So that is one area that’s pretty unique compared
to last year. It’s an expansion of our looking at IT
applications, again, specific within the financial reporting process.
Another area that is very unique and specific is
in the areas of impact of the new accounting standards.
So that will be different as well. Another area that I am
considering strongly looking at is bringing on some
other — another specialist to look at certain areas of
valuations of certain investments. So that would be
something that is different as well. So we’re constantly expanding the audit focus
within the parameters in which we’re allowed to do by
virtue of the constraints of the professional standards,
and also considering involving circumstances that occur in
the operations internally and externally — external operations as well — or external operating
environment. So those are the ares that are different from
the — that will be different this year from last.
COMMITTEE MEMBER JELINCIC: And then a question for staff. In governmental services, they
really don’t do an assurance on controls. Although they do
in the public — or private sector. And so I want
to raise the issue, should we ask them to do that? I don’t
think we’d do it this year, because, you know, we’re
already into the beginning of it.
But going forward, should we look at that and the
pluses and minuses of asking them to comment on assurance
on controls? CHIEF AUDITOR JUNKER: Well, I — this is
Margaret Junker speaking, CalPERS staff. I can offer that my staff, internal audits,
does a lot of internal control work. We’re doing
specifically some of the various accounting cycles they
call them. We’re looking at — we have several in progress
now and we plan some more in the coming fiscal year.
We also are looking at doing specific series of reviews
of internal controls over financial reporting. You’ll
see that in the plan that I presented in the last agenda item.
So we haven’t planned to hire that out, but we do
a lot of internal control internally with our Office of
Audit Services. COMMITTEE MEMBER JELINCIC: Okay. Thank you.
MR. GREEN: You know, may I add one more point. I just recall this another area where we’ll
be performing more robust procedures this year than last
is in the census data area as well. Because of the new
standards and the impacts that they have on the financial
reporting, we’ll be digging into that much deeper as
well. Although we’ve done work in the past in that area,
it will be more robust this year as well.
CHAIRPERSON DIEHR: Thank you. Ms. Mathur.
COMMITTEE MEMBER MATHUR: Thank you, Mr. Chair. I can see you guys have hired a graphic designer on your report. Your plan looks a little different
this year than last year.
MR. GREEN: We’re trying to improve things. (Laughter.)
COMMITTEE MEMBER MATHUR: It looks very nice actually. I just wanted to ask, you know,
you mentioned that you’ve hiring someone to help you — or
your utilizing a specialist to look more specifically at
the investments and the reporting of the investments.
MR. GREEN: Yeah, I’m considering that. I want to wait and see what I see again this year.
I think it is always helpful to bring in additional sets
of eyes. I mean, I’m very comfortable with our expertise
in this area, but sometimes different models are used
for valuation purposes. I just need to look at
this. So that — I’m very open to that, but I haven’t
done that yet.
COMMITTEE MEMBER MATHUR: So is that — is your
thinking around that partly in response to the fact that
we had the same finding around investment reporting for
two years in a row. MR. GREEN: No. No, it’s not. It’s just knowing
that the complexities of the underlying investments, the
valuation techniques, the models that are used, you know,
they change. It constantly changes, or, in many cases, it
should, and maybe it doesn’t. I just want to get another
set of eyes on this. I’m constantly trying to get
different experience perspectives to help me make sure
that we’ve looked at everything significant in this area
financial reporting that we should properly. COMMITTEE MEMBER MATHUR: Okay.
MR. GREEN: So there is nothing prompting it, other than my desire to continue to, you know,
dig deeper. COMMITTEE MEMBER MATHUR: Okay. So this is
an action item. I would move that we accept the
external auditor’s annual plan for 2014.
COMMITTEE MEMBER BILBREY: Second. CHAIRPERSON DIEHR: Moved by Mathur, seconded
by Bilbrey.
Mr. Jones. BOARD MEMBER JONES: Yeah. Thank you, Mr. Chair.
Yeah. You mentioned that an additional area this year
will be in the census data area. MR. GREEN: We’re — yes, sir.
BOARD MEMBER JONES: Would you expand on just what that’s going to cover?
MR. GREEN: Well, what we do, we’ve have always considered it in the audit process predominantly
working through internal audits. But when we talk
about census data, we’re going to look at some of the more
significant elements of the census data of both the active
and inactive portions of that.
So we are going to think more — look at things from a — dig deeper into information coming
from the employer, and then once it gets into the system,
making sure that the information maintains its integrity
from that point to the actuaries and back as part
of the actuarial valuation process.
So basically, what we’ll do is we’ll expand our
sample sizes and just do more testing in that area, and
that’s — and really we’re looking at the critical
information that the actuaries use in order to determine
and prepare the actuarial valuations. So those critical
areas will be the focus of the procedures that we perform
to ensure that they’re accurate, and that they maintain
their integrity from the employer all the way through the
process. BOARD MEMBER JONES: And does your work — the
scope of your work require that you communicate with the
agencies? MR. GREEN: We haven’t worked through internal
audits with that yet, but there’s no doubt there will be
communications either by us directly or through internal
audits. BOARD MEMBER JONES: Okay. Thank you.
CHAIRPERSON DIEHR: Okay. We have a motion. All in favor with aye?
(Ayes.) CHAIRPERSON DIEHR: Opposed, nay?
Motion passes. Thank you very much. We’ll move to Agenda Item 7, Enterprise Risk
Management, 2014-16 Enterprise Risk Management Plan.
Ms. Webb, and Mr. Jensen with his swan song, I
guess you’d call it. CHIEF RISK AND COMPLIANCE OFFICER WEBB: Well,
I believe it’s good afternoon, Mr. Chair and
Committee members.
CHAIRPERSON DIEHR: Oh, it is. It’s morning somewhere.
(Laughter.) CHIEF RISK AND COMPLIANCE OFFICER WEBB: Kathleen
Webb, CalPERS staff and I’m presenting Agenda Item 7a,
which is an action item. As Ms. Eason shared with you
earlier, we are collectively presenting our annual plans
for risk management, compliance, and internal audits
providing the Committee with an enterprise-wide view of
the risk management activity for an integrated level of
assurance. Through the Three Lines of Defense model,
the assurance providers, Risk, Compliance, and
Audits, coordinate to expand our ability to evaluate
the management of risk and our control processes
providing this Committee with increased levels of assurance.
To develop the risk assessment plan, we considered the following, internal/external
environment, the enterprise-wide dashboard results, the
information security risk assessments, the internal audit
report findings, our available resources within Enterprise
Risk Management Division, and the proposed annual
plans for Compliance and Internal Audits for a coordinated
approach. The proposed risk assessment plan outlines
the risk assessments to be coordinated for fiscal
year ’14-’15 and ’15-’16 that identify the most critical
to our success of the organization in achieving our goals.
These risk assessments with our ongoing activities includes
enterprise-wide risk assessments, business plan risk
assessments, validation for completion of the business
plan initiatives as previously requested by the Board,
automation of our business processes, and then development
of key risk indicators. Through these efforts, we are committed to
maturing our program becoming a more risk intelligent
organization at CalPERS. Thank you, Mr. Chair, and that concludes my
report. And I appreciate the Committee’s approval and
support of this action item. CHAIRPERSON DIEHR: Mr. Jelincic.
COMMITTEE MEMBER JELINCIC: You will never have
unlimited resources. But the question I want to ask is do
you feel comfortable that you have sufficient resources at
this point? CHIEF RISK AND COMPLIANCE OFFICER WEBB: Thank
you, Mr. Jelincic, for that question. And that’s
something that Ms. Eason and I continue to evaluate
collectively together as we look at both the Risk and
Compliance Programs. With some new staff that we’re going
to bringing on board shortly, I’d like the opportunity to
assess our ability to handle increased work loads with the
new group we’re bringing on board. We’re hoping to be
fully staffed in probably the next two to three months,
and we’re excited about some of the staff we’re bringing
on board as well. So I can come back to you probably in the
next budget cycle if we feel that there is a need,
and we’ll work with Ms. Eason for submitting that proposal.
COMMITTEE MEMBER JELINCIC: Okay. Well, if people would quit leaving, you wouldn’t have
as much problem.
(Laughter.) COMMITTEE MEMBER JELINCIC: Larry. And going
across the river. CHIEF RISK OFFICER JENSEN: Bon voyage.
CHIEF RISK AND COMPLIANCE OFFICER WEBB: Bon voyage. I guess we could also say, we’re developing
really strong leaders through our Risk Management Program.
(Laughter.) COMMITTEE MEMBER JELINCIC: Thank you.
CHAIRPERSON DIEHR: Ms. Mathur. COMMITTEE MEMBER MATHUR: Thank you. Yesterday,
in the Investment Committee meeting, I suggested that the
Chief Compliance Officer in Investments also report in
closed session to the Risk and Audit Committee, similar to
the way you do, Kathleen, and Margaret does. And have you
had a chance to — I know it’s only been a day. Have you
had a chance to consider whether you think that’s
appropriate or whether — what your thoughts are on that?
CHIEF RISK AND COMPLIANCE OFFICER WEBB: You know, with respect to the Compliance Officer
that’s filled by Carol Moody right now, we have an assurance
function to all of you. And I think if you feel as a Board
that’s appropriate to have that closed session to
ensure that there’s no undue influence, that we’re providing
the appropriate levels of assurance to the Board,
then I think it merits adding that to the schedule.
COMMITTEE MEMBER MATHUR: Is there anybody else
that you think we ought to consider adding as sort of
closed session with the — solo with the Board or the
Committee? CHIEF RISK AND COMPLIANCE OFFICER WEBB: I
would offer that that’s a question that would be
worthwhile taking to the study and review we’re going
to be doing about really strengthening our integrated
assurance program across the organization, and what
does that mean at a multitude of levels? What does that mean
at the Board level? What does that mean at the executive
level? How do we provide that separate kind of open
line of communication, so that you can feel confident
that things are being done in the manner in which you
expect it to be. COMMITTEE MEMBER MATHUR: I think that’s a
very good idea. So I would ask, Mr. Chair, if you
would support and direct that we do have Carol Moody
report in closed session to this Committee along the
same schedule as the Chief Compliance — Risk Officer — or
the Chief Compliance Officer and the Chief of Internal
Audits, and that we incorporate sort of a broader assessment
of who the right individuals are, if there are additional
individuals we should consider having report directly to
this Committee. CHAIRPERSON DIEHR: All right. Is there any
comment from the Committee? Seeing none. Without objection then, that
will be the order.
COMMITTEE MEMBER MATHUR: Thank you. Thanks very
much. CHAIRPERSON DIEHR: I see no further requests
to speak. Do we have a motion on this item?
VICE CHAIRPERSON LIND: Move approval. COMMITTEE MEMBER MATHUR: Second.
CHAIRPERSON DIEHR: Mr. Lind and — moved and seconded.
Seeing no further discussion. All in favor with aye?
(Ayes.) CHAIRPERSON DIEHR: Opposed, nay?
Motion passes. Agenda Item 7b, 2014-16 Enterprise Compliance
Plan. Ms. Webb. CHIEF RISK AND COMPLIANCE OFFICER WEBB: Thank
you, Mr. Chair and Committee members. And again, I’m
pleased to present Item 7b, which is also an action item.
As we previously shared in the annual risk assessment
plan, again this reflects a coordinated approach by the
assurance providers for the organization with a focus on
monitoring our compliance with applicable laws,
regulations, and policies. The approach also supports the integrated
assurance model that we first introduced to the Committee
in June of 2013, which outlined the roles and
responsibilities for programs in first line of defense,
the Enterprise Compliance Division and the second line of
defense, and the internal audits in our third line of
defense. It is also consistent with the presentation
provided yesterday to the Investment Committee in the
investment compliance program review. To develop the
compliance plan, we considered legislative and regulatory
changes, the enterprise risk dashboard recalibration results, management input, ethics helpline
trends, ECOM available resources, and then the proposed
annual plans for both risk assessments and internal audits.
So the proposed plan is for two fiscal cycles and
considers the most critical, ensuring compliance and
achievement of our goals. Thank you, Mr. Chair, and that concludes my
report, and I appreciate your Committee’s approval.
CHAIRPERSON DIEHR: All right. This is also an
action item. VICE CHAIRPERSON LIND: Move approval.
COMMITTEE MEMBER MATHUR: Second. CHAIRPERSON DIEHR: Moved by Lind, seconded
by Mathur.
Any discussion on the matter? Seeing none.
All in favor with aye? (Ayes.)
CHAIRPERSON DIEHR: Opposed nay? Motion passes.
Moving now to Agenda Item 8, information item, Enterprise Risk Management Semi-Annual Enterprise
Risk Reports.
Continue with Ms. Webb. CHIEF RISK AND COMPLIANCE OFFICER WEBB: Thank
you, Mr. Chair and Committee members. And again, I’m
pleased to present now Agenda Item 8a, which is an
information item. I will be doing so in partnership for
his last time with me, Larry Jensen, our Chief Risk
Officer. So the enterprise risk management dashboard
and the Top Risk Report provides an overview of
CalPERS’ risk environment. These reports are designed to
promote governance, transparency, risk awareness,
and improvement in the enterprise management of risk. The
enterprise risk dashboard, which is Attachment 1, provides
an overview of the 32 risk domains that we’ve identified
and are managing to better serve our members, employers, and
other stakeholders.
The Top Risk Report identifies those risk domains
that are considered to have the most significance and
likelihood of impacting achievement of our strategic goals
and objectives for CalPERS. Since our last Risk and Audit Committee, we
did conduct an enterprise-wide risk assessment.
As we continue to mature the Risk Management Program
and increase the rigor of the risk assessment
process, we are improving our ability to identify the risks
and the subrisks, which includes the need for greater
integration of the programs and processes that previously
operated independently.
Through this assessment process, we involve participation of our division chiefs and the
executive team. We included in this process and internal/external
environmental scan, developed detailed risk registers for
each of the 32 risk domains, incorporated a
cross-functional analysis of the risks as appropriate, and
then worked with the Executive Risk Management Committee
to identify the top risks for the organization. Additionally, I want to apprise the Committee
on the progress of developing a reporting system
that aligns the risk domains by Board committee. The Committee
requested the January Board offsite to explore this
reporting capacity. And we’ve crafted a proposed reporting tool, but need to spend additional
time evaluating the management of those risk domains
that do not clearly align or cross over into two or
more committees. We propose to bring a reporting
format to the Committee in our September meeting for consideration.
At this juncture, I am prepared to turn it over
to my partner, Larry Jensen, who will be talking about the
risk dashboard changes, as well as the Top Risk Report.
CHIEF RISK OFFICER JENSEN: Thank you, Kathleen. Larry Jensen, CalPERS staff.
And, Mr. Chair members of the Committee, I’d like
to provide with you — for you today a few highlights from
our current enterprise risk dashboard, which is Attachment
1 of this agenda item. First recognizing the need to really focus
on a couple of enterprise-wide risks, we created
two new risk domains that were added to the dashboard.
The first one is asset allocation. That is item number four
on the dashboard. This really — this domain really
focuses on achieving our target rate of return, as well
as executing our asset allocation strategy and maintaining
adequate funds to fulfill our liabilities. And there’s
a dependency for the asset liability management
risk domain and the effectiveness of asset liability management
through achievement of our asset allocation targets.
The second one is data integrity and management, number 22. We spoke about the importance of
data integrity a little bit earlier in the presentation
today. This really focuses on the appropriate data
governance and ensuring the integrity and accuracy of data
for conducting CalPERS business, as well as financial reporting
and making decisions.
So these new domains allow us to really focus on
the key risks in that area and to mitigate, if necessary.
I’d like to point out that the asset allocation domain is
considered a top risk to the organization with a moderate
rating. The Board and management has taken action
to mitigate risk since our last reporting period,
and we’d like to highlight a few of those that have
actually been lowered since our last report to the Board.
First of all, in the participating employer financial hardship domain, CalPERS remains
actively engaged in defending and in working with — in
the current participating employer bankruptcy proceedings
to really defend the integrity and soundness of the
System. And then management has also implemented steps
to improve the effectiveness of our collections of employer
contributions. And additionally, we’ve seen improvements
in the State economy. As a result, the domain rating has
been lowered for this particular area. One of the most notable areas of improvement
has been in our customer service. An independent
survey indicates significant increase in customer
service satisfaction. And the customer service support
performance dashboard shows that they meet or exceed all
of the established performance targets as has been
presented to the Board. Another area is investment risk management.
Investment Office has established an improved governance
and enhanced governance process and implemented tools to
really measure and monitor risk across the portfolio. And
the Investment Office continues to build the risk
management program, and we see improvement in that area.
Finally, I’d like to highlight the improvements that the Board made with regards to actuarial
policies and practices. The Board adopted the recommended
mortality projections that were based on the experience
study of CalPERS, and revised a few of the relevant
demographic assumptions as well.
These changes really align the actual experience of the system to the actuarial assumptions
that’s used to project our pension liabilities, allows us
to better manage those pension liabilities.
Management and the Board has also taken other actions, since our last report, to mitigate
risk across the organization as reflected in the enterprise
risk dashboard.
As Kathleen indicated, we also completed development of the risk registers for all
of the domains on the risk — on the risk dashboard. This
included the involvement of more division chiefs in the
process. While the risk environment has not really significantly
changed, our awareness of risk and our risk assessment
capabilities have increased across the organization. And
as a result, we’ve identified several risk domains that
have actually elevated.
First of all, I’d like to highlight a couple of
those. Strategic planning and implementation, item number
two on your dashboard there. As the new strategic measures are being implemented, management
is really focusing on the availability of data to support
those measurements.
Another area was organization. As a result of
our Organizational Health Index survey, we identified the
need to clarify roles and responsibilities for
decision-making authority within day-to-day processes, and
practices. In our procurement and contract management
area, with the initial creation of this risk register,
management identified risks associated with procurement
and contracting processes, and making efforts to automate
the process, implement internal controls, and really drive
efficiencies in that process. Another area is financial controls and systems.
With the awareness of financial risks has increased with
the new CFO and also the hiring of our new Controller.
And really there’s been more focus over strengthening controls over treasury management, financial
reporting, and then also GASB 67 and 68.
We’ve also seen emphasis in the areas of compliance, in ensuring that we have adequate
assurances for the Board with regards to compliance with
laws, rules, and regulations.
And then also in our policy and procedures areas
is really a key area in establishing a enterprise-wide oversight function. And while we’ve made significant
progress in creating a centralized repository and
developing a policy management framework, it still needs
to be rolled out across the enterprise. And the policy
framework will be essential for building a strong
compliance and ethical environment within the
organization. There are ten domains on the enterprise risk
dashboard that are identified as top risks to the
organization. That is included as Attachment 2 of this
agenda item. The top risks were identified and agreed
upon by executive management and we developed a new report
format for you this time. The new report format includes
a rating comment section that includes remarks about why
the domain rating has changed for your additional information.
Also, the Top Risk Report shows management’s actions that are in place to mitigate the
risks, those that have been accomplished, those that are
in progress, and those that are still planned in order
to further mitigate those risks.
All in all, we continue to mature our risk assessment process and work towards becoming
a more risk intelligent organization, which allows us
to better serve our members.
That concludes my report and happy to answer any
questions. CHAIRPERSON DIEHR: Thank you very much, Mr.
Jensen. Mr. Jelincic.
COMMITTEE MEMBER JELINCIC: Well, I hope you’re right that PEPRA implementation is behind
us. Although, I have my doubts. Larry, since your — part
of the problem with this report is that it’s a consensus
report. I mean, that’s got some values, but it’s also got
some disadvantages. So since you’re on your way
out, I’m going to make you God for a little while. If it
were completely your report, which of these risks would be
higher than the consensus, just your sole opinion?
CHIEF RISK OFFICER JENSEN: Which of the top risks would be my areas of concern you mean?
First — COMMITTEE MEMBER JELINCIC: Any of them. Which
would you rate a higher risk than the consensus and it
could be none? CHIEF RISK OFFICER JENSEN: No, I want to just
take a minute and provide the Board a level of assurance
with regards to the framework that we have in place. When
we really go through this process, there is a lot of
judgment involved, both on behalf of management, the
executive team, but also by those that are risk
professionals. And so when we have and build that consensus,
you know, it needs our concurrence as well. And
so when we’re looking at the top risks of this organization,
it’s our presentation to the executive team of what
we believe are the top risks. And we design a heat map that
supports that based on impact and likelihood of a risk
and understanding the context of those risks,
and how that relates to achievement of our strategic mission
and goals of the organization.
And so while I believe that there’s some fine-tuning, if you will, throughout that
process and that consensus building, for the most part, there
are not significant changes that come forward as we
present this information to the executive team. And so,
you know, I concur that those are the top risks of the
organization. That’s the area where management should be
focused spending time and resources, and that’s where
we should be allocating our resources in order to achieve
our objectives and serve our members.
COMMITTEE MEMBER JELINCIC: And you would give those top ratings this same rating as the
consensus report?
CHIEF RISK OFFICER JENSEN: I believe the ratings are fair, yes, and consistent. We use a criteria
that’s consistent across the organization that provides
for some normalization of these risks. And in there,
there is some mathematical formula that drives it as well.
And so I think that it is a fair rating, yes.
COMMITTEE MEMBER JELINCIC: And then one of the
other concerns is there — you know, there’s some
dispersion in it. You know, everybody can agree that this
is a yellow, and so it gets rated yellow. On the other
hand, you could have half the people say it ought to be
red and half the people say it ought to be green and so
the consensus is yellow. Is there someway to capture the
degree of dispersion in the staff that’s helping to put
this together? CHIEF RISK OFFICER JENSEN: Yeah, I appreciate
your recognition of that in this process. And we
recognize that as well. And so, one of the tools that we
provide to the executive risk team is, what we call, the
key or elevated risks that are included within all of
those domains. And so just for your information, there’s
approximately 150 individual risks that are individually
monitored and rated. And so what we do is those that are of an
elevated state, meaning that it is either rated orange or
red to the organization, we provide a separate report that
shows what those specific risks are, the definition of it,
and what management actions are being taken, so that the
executive team can really focus on those areas of highest
concern to the organization. So while those are not individually reflected
in the domain, the aggregate rating is, management
is keenly aware and those risks have been identified.
COMMITTEE MEMBER JELINCIC: And I think that’s appropriate. But at some point, the Committee
has to get a sense on where there are internal disputes
about how it ought to be rated. You know, we need some
sense of, you know, this consensus is really very — you
know, if it were investments, you know, we could say the
standard deviation is really very small or we’ve got
a lot of perceptions of tail risk. And somehow — and
I’m not sure how to do it, but somehow I think that needs
to come through. And if I could tell you how to do
it, I would tell you, but —
CHIEF RISK OFFICER JENSEN: One of the things that we did this time, Mr. Jelincic, is we
actually prepared — you know, as we continue to involve
our division chiefs more in this process, and
the Executive Risk Committee as well, we noticed that there’s
gaps between the two committees, and we prepared
a gap analysis to show the differences in those perceptions
of risk. And they’re we’re able to focus on why that may
occur and help drive and build understanding and awareness
of that. And so we are focusing on that.
You know, amongst each committee, you know, there
may be some perceptions, but I think there’s very robust
discussion that occurs at the Enterprise Risk Management
Committee that allows, you know, a great deal of
understanding amongst the team. COMMITTEE MEMBER JELINCIC: Okay. Thank you.
CHAIRPERSON DIEHR: Mr. Lind. VICE CHAIRPERSON LIND: Thank you.
So as you know, I was originally kind of overwhelmed by these charts when I first came
on the Board and started looking at them, but now I find
them very helpful. And I really appreciate you adding
the additional information that we get around
sort of the management decision-making process, and what
went behind the choice of symbols and colors and arrows
and so forth. It was kind of, I think, responsive to some
questions I had a couple meetings ago.
I do have a little methodology question though. I’m looking at — it’s page 121 of 135. It’s
Attachment 2 kind of the risk domain dashboard.
CHIEF RISK OFFICER JENSEN: The Top Risk Report? VICE CHAIRPERSON LIND: The Top Risk Report.
That’s it. So the question — and I’m looking at, in
particular — well, let’s say laws, rules, and
regulations. So in May of ’13 you had the nice yellow
triangle, so it was, you know, moderate risk, the same
thing in October of ’13. And then it goes to a higher
risk level in May of ’14, but you show the trend as even.
It seems to me the risk is going up, why is the trend
still even? I mean, because May was just two weeks ago.
Has something changed since May until the time we’re
getting this report or — CHIEF RISK OFFICER JENSEN: That’s a good
question. Let me clarify that for you. We try to show
the previous reporting periods so that you get a sense of
the changes from one reporting period to the next — you
know, from prior reporting periods. The current trend is
a projection forward. And so it’s not an indicator of
what has happened previously, but it’s a projection of
what management anticipates over the next reporting
period. So in other words, if — with regards to the
one that you focused in on there that has the
level trend projection, they would expect that over the
next reporting period that it will still remain an elevated
risk. Meaning that the actions that they have created
those to mitigate the risks are going to take some
time to implement.
Our next reporting period is a six-month period. And they don’t expect that it will be fully
implemented in that time frame. However, what I would expect
is that over time you will see those trends change
to a downward, and then you’ll see in some of these, as I
indicated and highlighted a half dozen of them, that we
have seen improvement in the overall rating. I hope
that provides some clarity.
VICE CHAIRPERSON LIND: That does. I understand. Thank you.
CHAIRPERSON DIEHR: Ms. Mathur. COMMITTEE MEMBER MATHUR: Thank you.
I know that you’re doing some work to align this
to the Committee, so that we can more clearly see what
corresponds to which committee. Are there any plans, or
may I suggest that there maybe should be plans, to present
the risks that are associated particular committees at
those committees as well, if not — it doesn’t have to be
maybe quite as regularly, but maybe — well, this is
only — this is semiannual anyway. So maybe twice a year
we take a look at each committee. I don’t know if it
makes sense in advance of this Committee’s meeting or
after this Committee’s meeting, but somehow in a
coordinated fashion, so that we’re ensuring that all —
that the appropriate risks are being addressed in a robust
way at each committee. CHIEF FINANCIAL OFFICER EASON: Yes. Thank
you for that. And we have been working on a presentation
that would allow each of the committees of the
Board to see what their specific areas of risk. And as
the items come forward to those committees, they’ll see that
alignment. So we hope to present that format in September.
COMMITTEE MEMBER MATHUR: Okay. Terrific. Well, I will look forward to that.
CHIEF FINANCIAL OFFICER EASON: Thank you. COMMITTEE MEMBER MATHUR: Thanks.
CHAIRPERSON DIEHR: All right. Thank you very much for your report. Excellent work. Mr.
Jensen, you may now move on to —
(Laughter.) CHAIRPERSON DIEHR: — our small sister across
the river. (Laughter.)
CHAIRPERSON DIEHR: Thank you very much. No further comments — requests to speak here.
Do we have any public comments? Nobody submitted a written request.
Seeing none. This open session is adjourned.

Leave a Response

Your email address will not be published. Required fields are marked *