Auditing the ERM Process – What Does It Mean and How Is It Done?
June 3, 2010

www.theiia.org

Welcome to Today’s Webinar
• Before We Begin
– Sponsors
– CPE Requirements
– Demographic Polling Questions
– Q&A Session
• Copyright: These materials are presented by The IIA. Use without the express written permission of The IIA is prohibited.

A Word from our Sponsors…


CPE Requirements
• Only registered participants are eligible to receive CPE credit.
• A series of polling questions will be posed throughout the presentation.
• You must respond to 70% of the polling questions to receive credit.
• Be sure to select the submit button after making your answer selection.
• You must view the entire webinar.
• Early departure could result in decreased CPE award.

Demographic Polling Questions
1. How many viewers are watching the Webinar at your location?
a) 1 – I am the only viewer
b) 2 to 4 viewers
c) 5 to 7 viewers
d) 8 to 10 viewers
e) More than 10 viewers

2. At what level in your internal audit career are you?
a) New to internal audit
b) Staff Auditor
c) Sr. Staff Auditor
d) Audit Manager
e) Audit Director
f) Chief Audit Executive

Webinar Participation
• Submitting Questions to the Presenter:
– Type the question into the Q&A panel section.
– Select the “Send” button.
– We will have a dedicated question and answer session at the end of the presentation to address your questions.
• Technical Assistance:
– Type your issue into the Chat panel section to IIA Tech Support.
– Select the “Send” button.
– We will respond to your question privately.

Jim DeLoach Managing Director, Protiviti (Houston)

Bill Thomas Managing Director, Protiviti (Tampa)

John Beeler Senior VP Internal Audit, Salesforce.com

Paul Sobel Vice President Internal Audit, Mirant Corporation


On the Agenda
• The ERM process – What is it?
• Auditing the ERM process – What does it mean?
• Auditing the ERM process – How is it done?
• Case example #1: Salesforce.com
• Case example #2: Mirant Corporation
• Questions

What You Can Expect
• Suggestions on increasing relevance of IA with key stakeholders
• Ideas on how to address ERM in the audit plan, and why
• Ideas for differentiating your function now

Need to Recognize Where We Are
• At best, many ERM efforts are “initiations”
• The profession is just beginning this journey
• Virgin territory – Not a place for the timid
• Your opportunity is to become a “first mover”
• Skills are generally lacking
• Don’t expect detailed work programs for leveraging inexperienced staff

Polling Question 1. In my company (select best response):
a) Enterprise risk management (ERM) is not practiced
b) ERM is practiced but IA does not address it in the audit plan
c) ERM is practiced and IA considers enterprise risks in the audit plan
d) ERM is practiced and IA considers enterprise risks and addresses selected risk responses in the audit plan
e) ERM is practiced and IA considers enterprise risks and addresses selected risk responses and risk metrics in the audit plan
f) Don’t know/Not Applicable

Jim DeLoach Managing Director, Protiviti

The ERM Process – What is it?


What is ERM?
[Figure: exposure to risk ($) plotted against time, 2010 to 2013, with changes in the operating environment shown above the curve and the entity’s risk appetite shown as a threshold. Strategic management choices and actions, plus tactical activities to reduce exposure to an acceptable level, build existing risk management activities out into comprehensive and holistic risk management.]

ERM: A Simple Definition ERM establishes the oversight, control and discipline to drive continuous improvement of an entity’s risk management capabilities in a constantly changing operating environment


The Current State of ERM
Of companies participating:
• 63% see change in volume and complexity of risks over last five years
• 76% communicate key risks on ad hoc basis
• Almost 70% don’t routinely report the entity’s top risks to the board
• 48% must improve KRI reporting to senior executives
• Risk management processes are relatively immature and ad hoc

* SOURCE: “2010 Report on the Current State of Enterprise Risk Oversight: 2nd Edition”, North Carolina State University, 2010.

Themes of Successful Initiations
• High-level involvement and support vital
• ERM lead non-authoritative, supported by small group
• ERM lead drives the process, business units own risk and IA validates
• Proactive emphasis
• Consistency of risk language / frameworks important
• Board risk oversight gravitating to broader Board participation

Integration with What Matters is Key
[Figure: Enterprise Risk Management Framework. Infrastructure: policies, processes, organization, reporting, methodology, systems & data. Process: identify risks, assess risks, prioritize risks, develop action plans, monitor risk responses, evaluate results, all anchored in business objectives and strategies. Integration with core management processes. Culture: enabling activities / minimal dysfunctional behavior. The aim is for ERM to become part of the way the business operates.]

A Key Message…
ERM and Board Risk Oversight Begin at the Same Place:
• Understand the company’s strategy and key drivers of success
• Assess the underlying assumptions and inherent risks in the company’s strategy
Effectively applied, ERM can help inform the board’s risk oversight.

Three Key Questions
• What are our risks and what risks are we planning to undertake?
• How well are they managed?
• How do you know?

Three Best Practices
The three tenets underlying our ERM experience:
• Leverage what you are currently doing to manage your risks
• Integrate with your existing processes
• Keep it simple

Common Pitfalls
• Failure to obtain “buy-in” and support
• Taking on too much too soon
• Insufficient emphasis on defining reporting needs
• Under-investing in closing priority risk gaps
• Failure to integrate into management processes/performance scorecards
• Vague / Unvalidated value propositions
• Allowing ERM to become a compliance program
• “Enterprise List Management”
• Lead personnel do not have adequate time or clout

Polling Question 2. Successful implementations of Enterprise Risk Management typically include the following trait:
a) Sponsorship of C-level executive(s)
b) Lean support groups
c) Delegation of primary responsibility for managing risk to business and functional units
d) Avoidance of involvement with compliance activities
e) Integration with core management processes
f) All of the above
g) None of the above

Polling Question 3. Enterprise Risk Management implementations fail because:
a) Executive management buy-in doesn’t exist
b) Effort too complex
c) Priority risk gaps are not addressed
d) Failure to integrate ERM process into strategy setting and performance management
e) Not clear what problem is being solved
f) Getting mired into the minutiae of compliance program
g) Failure to link risk assessments into business plans
h) All of the above
i) None of the above

Jim DeLoach Managing Director, Protiviti

Auditing the ERM Process – What It Means


Impetus for Auditing ERM Process
• Boards are asking tough questions
• The IIA definition of internal auditing recommends a consultative approach
• We need to up our game to remain relevant
• We’ve talked about this for years; it’s time to act

Definition of Internal Auditing IIA International Professional Practices Framework (IPPF)

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”

© 2008 Protiviti Inc. An Equal Opportunity Employer. This document is for your company’s internal use only and may not be distributed to any other third party.

Six Elements of Infrastructure
Each element is shown with the deficiency that signals a gap in it:
• Business Policies
• Business Processes – Process does not carry out the established policies or achieve the intended result
• People and Organization – People lack the knowledge and experience needed to perform the process
• Management Reports – Reports do not provide information for effective management
• Methodologies – Methodologies do not adequately analyze data and information
• Systems and Data – Information is not available for analysis and reporting

Capability Maturity Model – Process Maturity Continuum
Each level lists its capability attributes and the method of achievement.

Optimizing – Continuous feedback: risk management a source of competitive advantage
• Increased emphasis on exploiting opportunities
• “Best of class” processes
• Knowledge accumulated and shared

Managed – Quantitative: risks measured and managed quantitatively and aggregated enterprise-wide
• Rigorous measurement methodologies/analysis
• Intensive debate on risk/reward trade-off issues

Defined – Qualitative/Quantitative: policies, processes and standards defined and institutionalized
• Process uniformly applied across the organization
• Remaining elements of infrastructure in place
• Rigorous methodologies

Repeatable – Intuitive: process established and repeating; reliance on people continues; silos exist
• Common language
• Quality people assigned
• Defined tasks and initial infrastructure elements

Initial – Ad hoc/Chaotic: dependent on heroics; institutional capability lacking
• Undefined tasks
• Relies on initiative (“just do it”)
• Reliance on key people

Source: Adapted from the Capability Maturity Model: Guidelines for Improving the Software Process, Carnegie Mellon University Software Engineering Institute, 1994.

Combining the Two Frameworks – ATTRIBUTES OF RISK MANAGEMENT CAPABILITIES AT THE INITIAL STATE
Business Policies
• Undocumented or vague policies
• Unclear or no limits
Business Processes
• No formal processes
• Few stable processes
• Reactionary, ad hoc response
• “Just do it”
People and Organization
• Individual heroics
• Firefighting, crisis management
• Coordination is challenging
• Accountability is weak
Management Reports
• Sporadic, ad hoc
• Informal
• Over-simplified views of complex issues
• Incomplete, untimely, inaccurate
Methodologies
• Rough measures
• Unstable and unscalable
• Inconsistent
• Missed key risk characteristics
Systems and Data
• Spreadsheets
• Ad hoc data collection
• Data quality poor
• Costs are high

Combining the Two Frameworks – ATTRIBUTES OF RISK MANAGEMENT CAPABILITIES AT THE REPEATABLE STATE
Business Policies
• Business plans and risk policy articulated
• Policy being followed
• Limits established
Business Processes
• Documented stable processes
• Process gaps being identified and corrected
People and Organization
• Risk owners defined and supported with staff
• Explicitly defined and well understood roles and responsibilities
• People trained in the process
Management Reports
• Regular reports are actionable
• Consistent format / content
• Key metrics identified
Methodologies
• Improved risk measures (not yet integrated)
• Consistent assumptions with caveats understood
• Specified measurement methods
• Improvements being developed
Systems and Data
• Systematic data collection for a few risks
• Independent spreadsheet models
• Improved system security and data integrity
• Improved confidence in models
• Costs still high

Combining the Two Frameworks – ATTRIBUTES OF RISK MANAGEMENT CAPABILITIES AT THE DEFINED STATE
Business Policies
• Enterprise-wide policy guidelines documented
• Enterprise limits established
Business Processes
• Risk mitigation and monitoring documented and integrated
• Central function coordinates efforts
• Processes are uniform across organization
People and Organization
• Integrated cross-functional teams
• Backup capabilities
• Standard roles and training
• Accountabilities articulated clearly
Management Reports
• Senior management comfortable with consistent format / content
• Exceptions and “near misses” reported
• Audit reports
• Risk reports – Multi-unit – Multi-risk
• Status of improvement initiatives reported
Methodologies
• Improved and consistent measures of performance variability
• Systematic approach to assessing loss exposures
• Disciplined modeling process
• Expanded risk coverage
• Rapid analysis of alternatives
Systems and Data
• Data captured at the source
• Stable client server application
• Scalable component architecture
• Improved functionality
• Reliable web-enabled data organization, analysis and reporting

Combining the Two Frameworks – ATTRIBUTES OF RISK MANAGEMENT CAPABILITIES AT THE MANAGED STATE
Business Policies
• Revised limits based upon updated analysis and experience
• Business strategy / risk responses aligned
• Aggregate risk limits assigned to operating units
Business Processes
• Process benchmarks achieved
• Cost and elapsed time reduced
• Risk management embraced by line management
• Corrective action taken when limits exceeded
• Action plans managed to completion
People and Organization
• Strong teamwork
• Prepared for contingencies
• Role models and teachers evolving
• Requisite knowledge, expertise and experience fully in place
• Experienced personnel apply judgment to quantified results
Management Reports
• Integrated risk reporting
• Expanded risk coverage
• Risk-adjusted profitability measures
• KRIs linked with performance reporting
• Risks quantified versus tolerances
• Limits violations reported
Methodologies
• Integrated physical and financial models
• Risk measures applied to performance goals
• Early warning systems
• Risks measured quantitatively and aggregated enterprise-wide
• Exposures anticipated through time-tested models
• Capital allocation techniques applied
Systems and Data
• Enhanced functionality
• Risk analytics built into decision support systems
• Risk analysis systems collect data as part of normal business routines
• Database systems support management of risk and risk portfolios

Combining the Two Frameworks – ATTRIBUTES OF RISK MANAGEMENT CAPABILITIES AT THE OPTIMIZED STATE
Business Policies
• Enterprise-wide risk strategies
• Continuous improvement focus
Business Processes
• Risk and strategy management fully integrated
• Organized efforts made to remove inefficiencies
• Formal cost-benefit analysis effectively applied
• Best practices identified and shared across organization
People and Organization
• Organization, process and people performance metrics fully aligned
• Knowledge and skills upgraded continuously
• Process / people performance incentives linked to enterprise-wide risk strategies
Management Reports
• “What if” scenarios
• Special reports
• “Wind tunneling” testing of risk responses
Methodologies
• Diversification of risk exploited competitively
• Quality management concepts applied to all risk management capabilities
• Quantification of risk integrated into business decisions
Systems and Data
• “Single version of the truth”
• Special purpose systems quantify pools / portfolios of risk
• Integrated risk measurement systems improved continuously

Some Key Points
• Working directly with risk owners is the best procedure
• It is not intended to manage each risk at the optimized state – risk management involves resource allocation decisions
• The goal is a fact-based determination of the current state
– Consider improvement initiatives in addition to the infrastructure actually in place
– Risk owner sign-off
• Determine the desired future state using the current state as a baseline; the future state impacts:
– The nature of the recommendations
– The nature of the measurement methodologies needed
– The timeline for implementation

Improved Risk Capabilities… …Yield Greater Benefits

Auditing ERM – What Does It Mean?
Auditing the ERM process is about…
(1) Understanding the current maturity of risk management
(2) Defining the desired maturity of risk management
(3) Providing a catalyst for its continuous improvement
(4) Increasing the value contributed by risk management

Polling Question 4. The Institute of Internal Auditors’ definition of internal auditing encompasses (select the best answer):
a) Internal control, entity-level controls and code of ethics
b) Operational and compliance auditing
c) Risk management, control and governance processes
d) Risk assessment and internal controls
e) All of the above
f) None of the above

Bill Thomas Managing Director, Protiviti

Auditing the ERM Process – How It Is Done

Key Points
• Internal audit’s appropriate role with respect to ERM
• A few ideas for auditing the ERM process
• Some issues to address

The Appropriate Role for Internal Audit

Core IA Roles Relative to ERM
• Review management of key risks
• Evaluate reporting of key risks
• Evaluate risk management processes
• Provide assurance that risks are evaluated correctly
• Provide assurance on the risk management processes

Legitimate IA Roles with Safeguards
• Developing ERM strategy for board approval
• Championing establishment of ERM
• Maintaining / Developing the ERM framework
• Consolidated reporting on risks
• Coordinating ERM activities
• Coaching management in responding to risks
• Facilitating identification and evaluation of risks

Roles IA Should Not Undertake
• Setting the risk appetite
• Imposing risk management processes
• Management assurance on risks
• Making decisions on risk responses
• Implementing risk responses on management’s behalf
• Accountability for risk management

Auditing ERM Process is a Challenge
• What is the standard? Who decides the standard?
• What does “effectiveness” mean?
• How do you evaluate “effectiveness”?
• At this time, are we more concerned with signs of “ineffectiveness”?

Ideas for Auditing the ERM Process (1) Use a framework as a standard
• Choose a suitable framework
– COSO ERM Integrated Framework
– ISO 31000
– Standards Australia
– S&P ERM Framework
• Use your framework of choice as a tool for planning, execution and reporting
• Define the “effectiveness” standard, i.e., the means by which to evaluate risk responses
• While frameworks aren’t perfect, they’re better than starting with a blank sheet of paper

Ideas for Auditing the ERM Process (2) Become an active ERM champion
• Play the roles of a champion:
– Facilitate
– Coordinate
– Educate
– Aggregate
– Integrate
• Be involved with company risk committees and councils
• Expand skillsets of IA function

Ideas for Auditing the ERM Process (3) Expand your audit universe
• Identify auditable components for inclusion in the audit universe
– Governance
– Risk management
• Obtain input from senior management and the Board as to the components
• Consider the components provided by your chosen framework
• Focus more broadly on enterprise risk
• Pay attention to the evolving risk oversight process of the Board

Ideas for Auditing the ERM Process (4) Focus on enterprise risks
• Link IA reporting to the enterprise’s critical risks
• Acknowledge the key risks the IA plan doesn’t cover
• Compare risks identified by IA to the risks reported through the ERM process
• Ensure adequate focus on operational risks
• Be alert for emerging risks, including the potential for “black swans” and “transforming events”

Ideas for Auditing the ERM Process (5) Keep your risk assessment evergreen
• Understand business goals / objectives as a context
• Know the industry and business
• Stay abreast of changes in external and internal environment

Ideas for Auditing the ERM Process (6) Consider components of the ERM process in developing the audit plan
• Is there evidence that the process activities, including the supporting tools, are in place and used effectively?
• Are the process activities integrated with core management processes effectively?
• Key questions to consider:
– How effective is the risk identification and prioritization process?
– Are robust action plans formulated to address the critical risks?

Ideas for Auditing the ERM Process (7) Look for integration opportunities
• Strategy setting
• Annual business planning
• Performance management
• Budgeting
• Capital expenditure funding
• M&A targeting, due diligence and integration

Ideas for Auditing the ERM Process (8) Pay attention to key indicators
• Are risk-management efforts mired down in minutiae?
• Are there gaps and overlaps in accountability?
• Are the warning signs escalated by risk management ignored?
• Is there a lack of a “tone at the top” conducive to effective risk management?
• Is the compensation structure incenting unacceptable risk taking?
• Is anyone making higher than expected returns without anyone understanding why?
• Is the Board engaged in key decisions on a timely basis?
• Is risk management an appendage to performance management?
• Is risk an afterthought to strategy-setting?
• Other signs of ineffective implementation of ERM:
– Failure to obtain “buy-in” and support?
– Taking on too much too soon?
– Insufficient emphasis on reporting needs?
– Under-investing in closing priority gaps?
– Vague / Unsupported value propositions?
– Allowing ERM to become a compliance program?
– “Enterprise List Management?”
– Lead personnel lacking sufficient authority or time?

Ideas for Auditing the ERM Process (9) Increase relevance of the audit plan
• Evaluate completeness of ERM risk assessment
• Link audit plan to the entity’s risk responses
– Adequacy of policies in delineating roles, responsibilities and accountabilities
– Effectiveness of established processes
– Effectiveness of key control activities
– Effectiveness of risk-based communications and information
– Adequacy and reliability of risk measures used in monitoring
• Update audit plan for major changes in the external and internal environment
• Increase value of face time with senior management and the Board

Ideas for Auditing the ERM Process (10) Watch for deficiencies in infrastructure
• Report on “current state” maturity of ERM capabilities
• Work with risk owners to ascertain a desired future state
• Identify and prioritize gaps
• Recommend improvements

Summary of Ideas
(1) Use a framework as a standard
(2) Become an active ERM champion
(3) Expand your audit universe
(4) Focus on enterprise risks
(5) Keep your risk assessment evergreen
(6) Consider components of ERM process in the audit plan
(7) Look for integration opportunities
(8) Pay attention to key indicators
(9) Increase relevance of the audit plan
(10) Watch for deficiencies in infrastructure

Some Issues to Address
• Coordination of mission and activities with others to eliminate redundancy
– ERM
– CCO
• General counsel’s preferences and concerns
• Need to enhance skills

We Have a Choice
Do nothing and let the forces of change find us
OR
Become a catalyst for change

Polling Question 5. Enterprise Risk Management implementations fail because:
a) Executive management buy-in doesn’t exist
b) Effort too complex
c) Priority risk gaps are not addressed
d) Failure to integrate ERM process into strategy setting and performance management
e) Not clear what problem is being solved
f) Getting mired into the minutiae of compliance program
g) Failure to link risk assessments into business plans
h) All of the above
i) None of the above

Polling Question 6. Enterprise Risk Management is currently being implemented in my company:
a) Yes
b) No
c) Don’t know/Not applicable

Polling Question 7. In my company, we use the following risk management framework:
a) COSO Internal Control Integrated Framework
b) COSO ERM Integrated Framework
c) ISO 31000 Framework
d) Standards Australia Framework
e) S&P ERM Framework
f) Another framework
g) We don’t use a framework at the current time
h) Don’t know/Not applicable

John Beeler Senior VP Internal Audit, Salesforce.com

Case Example #1: Evolving Risk Management Through An Integrated Approach


Company Description
• salesforce.com was founded in 1999 with the concept of delivering business applications via the Internet or the “cloud”
– The “cloud” refers to the use of Internet-based computing, storage and connectivity technology for a variety of different services
• The company is a leading provider of enterprise and cloud computing applications, including:
– Comprehensive customer and collaboration management services to businesses of all sizes and industries worldwide
– A technology platform for customers and developers to build and run applications

Company Description (Cont’d)
• salesforce.com offers its services on a subscription basis
• In total, the company has over 77,000 customers as of the most recent quarter ended
• salesforce.com had sales in excess of $1.2 billion at the end of FY10 (1/31/10) with an over $1.5 billion annual run rate
– Approximately 70% of its sales are in the US with 30% being derived from international markets
• The company went public in 2004 and trades under the CRM symbol on the NYSE

Coordinated Risk Assessment
• In part due to our rapid growth, we have focused on developing effective risk management processes within the company
– Our processes are continually evolving
• Internal Audit partners with the ERM, SOX, and External Reporting teams to effectively coordinate and execute a detailed risk assessment process
– The process includes detailed analysis of the company’s risks as well as interviews and focus groups with company executives and management
– Results are evaluated and updated at least quarterly
– The process in part drives internal audit’s annual audit plan
– Each audit is mapped to the Top 10 risk themes

Participation on Risk Advisory Council
• Quarterly, Internal Audit participates with the ERM VP and other company leaders in Risk Advisory Council meetings
– In these sessions, the top risks facing the company are discussed including a review of current and proposed project plans, owners, and timelines to effectively mitigate the risks
– Any key project plans are documented in the form of the company’s strategic goals process (what we call Vision, Values, Methods, Obstacles, Metrics, or V2MOM)
– The sessions and outcomes reinforce accountability to address the key risks and their mitigation plans

Other Key Points
• The Company’s Compliance Committee provides another key cadence
– Every 6 weeks, senior members of the ERM, SOX, Legal, Technology Compliance, IT Security and Internal Audit teams meet to discuss key initiatives, including those that require coordination amongst the teams
– Prior to these sessions, projects often had overlap causing duplication of effort as well as frustration for the internal client organizations and the respective compliance teams
• Our ERM processes are continuing to evolve
– An area of focus for salesforce.com over the next year is to deploy additional process and technology surrounding the linkage between our GRC and ERM capabilities

Some Closing Thoughts…
• You must have the support of the CEO, CFO, General Counsel and/or other key executives and make the process fit your culture
• Internal Audit should provide leadership with respect to the company’s ERM activities
• Start small and build the program – it won’t be optimal on day one
• Monitor the efficiency and effectiveness of the processes and continually implement enhancements

Paul Sobel VP, Internal Audit, Mirant Corporation

Case Example #2: ERM – The Journey to Maturity

Company Description
• Mirant is a wholesale energy producer
• Own and operate power plants near large metropolitan areas – Washington D.C., New York City, Boston and San Francisco
• Just over $2 billion in revenues and $10 billion in assets
• Industry is subject to a variety of volatile market and regulatory risks

Key ERM Components
• Comprehensive Business Risk Profile
– Aligned with strategy
– Formally updated annually
– Discussed with Audit Committee
• Risk Management Policy
• Risk Oversight Committee
• Established monitoring and assurance activities, including Internal Audit

Risk Oversight Committee (ROC)
• Composed of senior operating and risk executives
– Chaired by Chief Risk Officer
– Does not include CEO or CAE
• Meets monthly
• Certain risks are discussed monthly
– Commodity/market risks
– Credit risks
– Liquidity risks
• Others are discussed 1-2 times per year
– Business continuity risks
– Insurable risks
– Stress testing results
• Risk management policy empowers ROC to make certain decisions

The Role of Internal Audit
• Initially expanded Business Risk Profile (BRP) from a commercial to an enterprise risk focus
– Now fully owned by the CRO
– CAE continues to play an integral role in annual update of BRP
• Considers enterprise risks when preparing the audit plan
– Audit plan linkage to BRP is presented to Audit Committee
• Audit reports identify relevant BRP risks and indicate how effectively sub-risks are managed
• Maturity-focused review of overall ERM program
• Ongoing advice to CRO

IA Approach to Strategic Risks
• Annually, review strategic risks and answer the following questions:
– What “could” we audit?
– What “should” we audit?
• Update that assessment for known changes in strategy
• Tend to focus on two primary areas:
– Information used for strategic decision making
– Entity-level controls and related factors

Risk Management-Based Reporting
• Summary sentence that concludes on how effectively the underlying risks are managed
• Overall risk map showing our assessment of the key risks in the area
• Detailed report that discusses the +s and –s for each risk

Overall Risk Map Example
[Figure: 3×3 grid with Inherent Risk (Low / Medium / High) on the vertical axis and Control Effectiveness (Low / Medium / High) on the horizontal axis. Each risk is plotted into a cell, and cells are labelled Attention Required, Opportunities for Improvement, No Action Required, or Not Covered Within the Scope of This Audit.]

Detailed Report Format
1. Policy Risk – If Environmental and Safety management systems are not clearly defined, fully communicated, updated and endorsed by all levels of management, assurance of compliance with laws and regulations may be compromised.

Risk Management Analysis
+ Senior management communications and actions emphasize compliance.
+ The current Environmental and Safety management systems provide good policy guidance. The narratives in the Environmental and Safety management systems are well written and comprehensive.
+ EH&S management periodically reviewed its Environmental and Safety management systems.
+ The EH&S organization has implemented self-assessment programs to monitor environmental and safety compliance.
- The Environmental and Safety management systems, which were updated in 200X, have not been adequately communicated or implemented at certain company facilities.

Agreed-Upon Solutions
• After current revisions to the management systems are complete, senior management will communicate the documents to both EH&S personnel and operations personnel at the facilities. Management will emphasize the need to fully comply with the management systems. Annual assessments will be conducted to ensure implementation.

Inherent Risk – High
Control Effectiveness – Moderate
Target Date: March 30, 20XX
Responsibility: I. Candoit

ERM Maturity Assessment
• Used a “gap” approach based on the maturity of key ERM areas
• Used ISO 31000 as the foundation
– Supplemented with NACD, S&P and other leading practices
• Determined the “current state,” then discussed potentially appropriate “desired states” with management

[Figure: ISO 31000 risk management process, as numbered on the slide. 5.2 Communication & consultation runs alongside every step. 5.3 Establishing the context: 5.3.2 External context; 5.3.3 Internal context; 5.3.4 Risk management process context; 5.3.5 Developing risk criteria. 5.4 Risk assessment: 5.4.2 Risk identification (what can happen, when, where, how & why); 5.4.3 Risk analysis (determine existing controls, determine likelihood, determine consequences, estimate level of risk); 5.4.4 Risk evaluation (compare against criteria, identify & assess options, decide on response, establish priorities). 5.5 Risk treatment: 5.5.2 Selection of risk treatment options; 5.5.3 Preparing and implementing risk treatment plans. 5.7 Monitor & review runs alongside every step.]

Questions
Jim DeLoach, Bill Thomas, John Beeler, Paul Sobel

In Summary
• ERM is about elevating risk management to a strategic level and integrating it with core management processes
• Internal audit can play a pivotal role in this transition
• The key is to focus on the maturity of risk management capabilities and be a catalyst for continuous improvement
• There are many ideas you can apply – Now
• Progressive CAEs are looking at how incorporating ERM into the audit plan can increase the value contributed by IA

Progress Through Sharing
Internal Audit can act as an agent for positive change in the organization

CPE Certificates
• Registered participants who have met the CPE requirements will receive their CPE Certificate and a speaker evaluation by email in approximately one week.

Webinar Playback
• Paid attendees of this live Webinar can access the playback at no cost by contacting our Customer Support Team at +1-407-937-1111 or by sending an email to [email protected]

Thank You to Our Principal Partners!!!