Auditing the ERM Process – What Does It Mean and How Is It Done? June 3, 2010
www.theiia.org
Welcome to Today’s Webinar
• Before We Begin
  – Sponsors
  – CPE Requirements
  – Demographic Polling Questions
  – Q&A Session
• Copyright: These materials are presented by The IIA. Use without the expressed written permission of The IIA is prohibited.
A Word from our Sponsors…
CPE Requirements
• Only registered participants are eligible to receive CPE credit.
• A series of polling questions will be posed throughout the presentation.
• You must respond to 70% of the polling questions to receive credit.
• Be sure to select the submit button after making your answer selection.
• You must view the entire webinar.
• Early departure could result in decreased CPE award.
Demographic Polling Questions
1. How many viewers are watching the Webinar at your location?
   a) 1 – I am the only viewer
   b) 2 to 4 viewers
   c) 5 to 7 viewers
   d) 8 to 10 viewers
   e) More than 10 viewers
2. At what level in your internal audit career are you?
   a) New to internal audit
   b) Staff Auditor
   c) Sr. Staff Auditor
   d) Audit Manager
   e) Audit Director
   f) Chief Audit Executive
Webinar Participation
• Submitting Questions to the Presenter:
  – Type the question into the Q&A panel section.
  – Select the “Send” button.
  – We will have a dedicated question and answer session at the end of the presentation to address your questions.
• Technical Assistance:
  – Type your issue into the Chat panel section to IIA Tech Support.
  – Select the “Send” button.
  – We will respond to your question privately.
Jim DeLoach Managing Director, Protiviti (Houston)
Bill Thomas Managing Director, Protiviti (Tampa)
John Beeler Senior VP Internal Audit, Salesforce.com
Paul Sobel Vice President Internal Audit, Mirant Corporation
On the Agenda
• The ERM process – What is it?
• Auditing the ERM process – What does it mean?
• Auditing the ERM process – How is it done?
• Case example #1: Salesforce.com
• Case example #2: Mirant Corporation
• Questions
What You Can Expect
• Suggestions on increasing relevance of IA with key stakeholders
• Ideas on how to address ERM in the audit plan, and why
• Ideas for differentiating your function now
Need to Recognize Where We Are
• At best, many ERM efforts are “initiations”
• The profession is just beginning this journey
• Virgin territory – Not a place for the timid
• Your opportunity is to become a “first mover”
• Skills are generally lacking
• Don’t expect detailed work programs for leveraging inexperienced staff
Polling Question 1. In my company (select best response):
a) Enterprise risk management (ERM) is not practiced
b) ERM is practiced but IA does not address it in the audit plan
c) ERM is practiced and IA considers enterprise risks in the audit plan
d) ERM is practiced and IA considers enterprise risks and addresses selected risk responses in the audit plan
e) ERM is practiced and IA considers enterprise risks and addresses selected risk responses and risk metrics in the audit plan
f) Don’t know/Not Applicable
Jim DeLoach Managing Director, Protiviti
The ERM Process – What is it?
What is ERM?
[Diagram: exposure to risk ($) plotted over time, 2010 to 2013. Strategic management choices and actions, and tactical activities, reduce exposure to an acceptable level (the risk appetite) as the operating environment changes. Comprehensive and holistic risk management builds on existing risk management activities.]
ERM: A Simple Definition
ERM establishes the oversight, control and discipline to drive continuous improvement of an entity’s risk management capabilities in a constantly changing operating environment.
The Current State of ERM
For companies participating:*
• 63% see change in volume and complexity of risks over last five years
• 76% communicate key risks on an ad hoc basis
• Almost 70% don’t routinely report the entity’s top risks to the board
• 48% must improve KRI reporting to senior executives
• Risk management processes are relatively immature and ad hoc
* SOURCE: “2010 Report on the Current State of Enterprise Risk Oversight: 2nd Edition”, North Carolina State University, 2010.
Themes of Successful Initiations
• High-level involvement and support vital
• ERM lead non-authoritative, supported by small group
• ERM lead drives the process, business units own risk and IA validates
• Proactive emphasis
• Consistency of risk language / frameworks important
• Board risk oversight gravitating to broader Board participation
Integration with What Matters is Key
[Diagram: Enterprise Risk Management Framework. Infrastructure: policies, processes, organization, reporting, methodology, systems & data. Process: business objectives and strategies → identify risks → assess risks → prioritize risks → develop action plans → monitor risk responses → evaluate results, integrated with core management processes. Culture: enabling activities / minimal dysfunctional behavior. Goal: become part of the way the business operates.]
A Key Message…
ERM and Board Risk Oversight Begin at the Same Place:
• Understand the company’s strategy and key drivers of success
• Assess the underlying assumptions and inherent risks in the company’s strategy
Effectively applied, ERM can help inform the board’s risk oversight.
Three Key Questions
• What are our risks and what risks are we planning to undertake?
• How well are they managed?
• How do you know?
Three Best Practices
The three tenets underlying our ERM experience:
• Leverage what you are currently doing to manage your risks
• Integrate with your existing processes
• Keep it simple
Common Pitfalls
• Failure to obtain “buy-in” and support
• Taking on too much too soon
• Insufficient emphasis on defining reporting needs
• Under-investing in closing priority risk gaps
• Failure to integrate into management processes/performance scorecards
• Vague / Unvalidated value propositions
• Allowing ERM to become a compliance program
• “Enterprise List Management”
• Lead personnel do not have adequate time or clout
Polling Question 2. Successful implementations of Enterprise Risk Management typically include the following trait:
a) Sponsorship of C-level executive(s)
b) Lean support groups
c) Delegation of primary responsibility for managing risk to business and functional units
d) Avoidance of involvement with compliance activities
e) Integration with core management processes
f) All of the above
g) None of the above
Polling Question 3. Enterprise Risk Management implementations fail because:
a) Executive management buy-in doesn’t exist
b) Effort too complex
c) Priority risk gaps are not addressed
d) Failure to integrate ERM process into strategy setting and performance management
e) Not clear what problem is being solved
f) Getting mired into the minutiae of compliance program
g) Failure to link risk assessments into business plans
h) All of the above
i) None of the above
Jim DeLoach Managing Director, Protiviti
Auditing the ERM Process – What It Means
Impetus for Auditing ERM Process
• Boards are asking tough questions
• The IIA definition of internal auditing recommends a consultative approach
• We need to up our game to remain relevant
• We’ve talked about this for years; it’s time to act
Definition of Internal Auditing
IIA International Professional Practices Framework (IPPF)
“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”
© 2008 Protiviti Inc. An Equal Opportunity Employer. This document is for your company’s internal use only and may not be distributed to any other third party.
Six Elements of Infrastructure
• Business Policies
• Business Processes – Process does not carry out the established policies or achieve the intended result
• People and Organization – People lack the knowledge and experience needed to perform the process
• Management Reports – Reports do not provide information for effective management
• Methodologies – Methodologies do not adequately analyze data and information
• Systems and Data – Information is not available for analysis and reporting
Capability Maturity Model
Process maturity continuum, with the capability attributes and method of achievement at each level:
• Optimizing – Continuous Feedback: risk management a source of competitive advantage
  – Increased emphasis on exploiting opportunities
  – “Best of class” processes
  – Knowledge accumulated and shared
• Managed – Quantitative: risks measured and managed quantitatively and aggregated enterprise-wide
  – Rigorous measurement methodologies/analysis
  – Intensive debate on risk/reward trade-off issues
• Defined – Qualitative/Quantitative: policies, processes and standards defined and institutionalized
  – Process uniformly applied across the organization
  – Remaining elements of infrastructure in place
  – Rigorous methodologies
• Repeatable – Intuitive: process established and repeating; reliance on people continues; silos exist
  – Common language
  – Quality people assigned
  – Defined tasks and initial infrastructure elements
• Initial – Ad Hoc/Chaotic: dependent on heroics; institutional capability lacking
  – Undefined tasks
  – Relies on initiative (“just do it”)
  – Reliance on key people
Source: Adapted from the Capability Maturity Model: Guidelines for Improving the Software Process, Carnegie Mellon University Software Engineering Institute, 1994.
Combining the Two Frameworks
ATTRIBUTES OF RISK MANAGEMENT CAPABILITIES AT THE INITIAL STATE
• Business Policies
  – Undocumented or vague policies
  – Unclear or no limits
• Business Processes
  – No formal processes
  – Few stable processes
  – Reactionary, ad hoc response
  – “Just do it”
• People and Organization
  – Individual heroics
  – Firefighting, crisis management
  – Coordination is challenging
  – Accountability is weak
• Management Reports
  – Sporadic, ad hoc
  – Informal
  – Inconsistent
  – Incomplete
  – Untimely
  – Inaccurate
• Methodologies
  – Rough measures
  – Spreadsheets
  – Unstable and unscalable
  – Over-simplified views of complex issues
  – Missed key risk characteristics
• Systems and Data
  – Ad hoc data collection
  – Data quality poor
  – Costs are high
Combining the Two Frameworks
ATTRIBUTES OF RISK MANAGEMENT CAPABILITIES AT THE REPEATABLE STATE
• Business Policies
  – Business plans and risk policy articulated
  – Policy being followed
  – Limits established
• Business Processes
  – Documented stable processes
  – Process gaps being identified and corrected
• People and Organization
  – Risk owners defined and supported with staff
  – Explicitly defined and well understood roles and responsibilities
  – People trained in the process
• Management Reports
  – Regular reports are actionable
  – Consistent format / content
  – Key metrics identified
• Methodologies
  – Improved risk measures (not yet integrated)
  – Consistent assumptions with caveats understood
  – Specified measurement methods
  – Improvements being developed
• Systems and Data
  – Systematic data collection for a few risks
  – Independent spreadsheet models
  – Improved system security and data integrity
  – Improved confidence in models
  – Costs still high
Combining the Two Frameworks
ATTRIBUTES OF RISK MANAGEMENT CAPABILITIES AT THE DEFINED STATE
• Business Policies
  – Enterprise-wide policy guidelines documented
  – Enterprise limits established
• Business Processes
  – Risk mitigation and monitoring documented and integrated
  – Central function coordinates efforts
  – Processes are uniform across organization
• People and Organization
  – Integrated cross-functional teams
  – Backup capabilities
  – Standard roles and training
  – Accountabilities articulated clearly
• Management Reports
  – Senior management comfortable with consistent format / content
  – Exceptions and “near misses” reported
  – Expanded risk coverage
  – Audit reports
  – Risk reports – multi-unit, multi-risk
  – Status of improvement initiatives reported
• Methodologies
  – Improved and consistent measures of performance variability
  – Systematic approach to assessing loss exposures
  – Disciplined modeling process
  – Rapid analysis of alternatives
• Systems and Data
  – Data captured at the source
  – Stable client server application
  – Scalable component architecture
  – Improved functionality
  – Reliable web-enabled data organization, analysis and reporting
Combining the Two Frameworks
ATTRIBUTES OF RISK MANAGEMENT CAPABILITIES AT THE MANAGED STATE
• Business Policies
  – Revised limits based upon updated analysis and experience
  – Risk management embraced by line management
  – Aggregate risk limits assigned to operating units
• Business Processes
  – Process benchmarks achieved
  – Cost and elapsed time reduced
  – Prepared for contingencies
  – Business strategy / risk responses aligned
  – Corrective action taken when limits exceeded
  – Action plans managed to completion
• People and Organization
  – Strong teamwork
  – Role models and teachers evolving
  – Requisite knowledge, expertise and experience fully in place
  – Experienced personnel apply judgment to quantified results
• Management Reports
  – Integrated risk reporting
  – Expanded risk coverage
  – Risk-adjusted profitability measures
  – KRIs linked with performance reporting
  – Risks quantified versus tolerances
  – Limits violations reported
• Methodologies
  – Integrated physical and financial models
  – Risk measures applied to performance goals
  – Early warning systems
  – Risks measured quantitatively and aggregated enterprise-wide
  – Exposures anticipated through time-tested models
  – Capital allocation techniques applied
• Systems and Data
  – Enhanced functionality
  – Risk analytics built into decision support systems
  – Risk analysis systems collect data as part of normal business routines
  – Database systems support management of risk and risk portfolios
Combining the Two Frameworks
ATTRIBUTES OF RISK MANAGEMENT CAPABILITIES AT THE OPTIMIZED STATE
• Business Policies
  – Enterprise-wide risk strategies
  – Continuous improvement focus
• Business Processes
  – Risk and strategy management fully integrated
  – Organized efforts made to remove inefficiencies
  – Formal cost-benefit analysis effectively applied
  – Best practices identified and shared across organization
• People and Organization
  – Organization, process and people performance metrics fully aligned
  – Knowledge and skills upgraded continuously
  – Process / people performance incentives linked to enterprise-wide risk strategies
• Management Reports
  – “What if” scenarios
  – Special reports
  – “Wind tunneling” testing of risk responses
• Methodologies
  – Diversification of risk exploited competitively
  – Quality management concepts applied to all risk management capabilities
  – Quantification of risk integrated into business decisions
• Systems and Data
  – “Single version of the truth”
  – Special purpose systems quantify pools / portfolios of risk
  – Integrated risk measurement systems improved continuously
Some Key Points
• Working directly with risk owners is the best procedure
• It is not intended to manage each risk at the optimized state – risk management involves resource allocation decisions
• The goal is a fact-based determination of the current state
  – Consider improvement initiatives in addition to the infrastructure actually in place
  – Risk owner sign-off
• Determine the desired future state using the current state as a baseline; the future state impacts:
  – The nature of the recommendations
  – The nature of the measurement methodologies needed
  – The timeline for implementation
Improved Risk Capabilities… …Yield Greater Benefits
Auditing ERM – What Does It Mean?
Auditing the ERM process is about…
(1) Understanding the current maturity of risk management
(2) Defining the desired maturity of risk management
(3) Providing a catalyst for its continuous improvement
(4) Increasing the value contributed by risk management
Polling Question 4. The Institute of Internal Auditors’ definition of internal auditing encompasses (select the best answer):
a) Internal control, entity-level controls and code of ethics
b) Operational and compliance auditing
c) Risk management, control and governance processes
d) Risk assessment and internal controls
e) All of the above
f) None of the above
Bill Thomas Managing Director, Protiviti
Auditing the ERM Process – How It Is Done
Key Points
• Internal audit’s appropriate role with respect to ERM
• A few ideas for auditing the ERM process
• Some issues to address
The Appropriate Role for Internal Audit
Core IA Roles Relative to ERM
• Review management of key risks
• Evaluate reporting of key risks
• Evaluate risk management processes
• Provide assurance that risks are evaluated correctly
• Provide assurance on the risk management processes
Legitimate IA Roles with Safeguards
• Developing ERM strategy for board approval
• Championing establishment of ERM
• Maintaining / Developing the ERM framework
• Consolidated reporting on risks
• Coordinating ERM activities
• Coaching management in responding to risks
• Facilitating identification and evaluation of risks
Roles IA Should Not Undertake
• Setting the risk appetite
• Improving risk management processes
• Management assurance on risks
• Making decisions on risk responses
• Implementing risk responses on management’s behalf
• Accountability for risk management
Auditing ERM Process is a Challenge
• What is the standard? Who decides the standard?
• What does “effectiveness” mean?
• How do you evaluate “effectiveness?”
• At this time, are we more concerned with signs of “ineffectiveness?”
Ideas for Auditing the ERM Process
(1) Use a framework as a standard
• Choose a suitable framework
  – COSO ERM Integrated Framework
  – ISO 31000
  – Standards Australia
  – S&P ERM Framework
• Use your framework of choice as a tool for planning, execution and reporting
• Define an “effectiveness” standard, i.e., the means by which to evaluate risk responses
• While frameworks aren’t perfect, they’re better than starting with a blank sheet of paper
Ideas for Auditing the ERM Process
(2) Become an active ERM champion
• Play the roles of a champion:
  – Facilitate
  – Coordinate
  – Educate
  – Aggregate
  – Integrate
• Be involved with company risk committees and councils
• Expand skillsets of the IA function
Ideas for Auditing the ERM Process
(3) Expand your audit universe
• Identify auditable components for inclusion in the audit universe
  – Governance
  – Risk management
• Obtain input from senior management and the Board as to the components
• Consider the components provided by your chosen framework
• Focus more broadly on enterprise risk
• Pay attention to the evolving risk oversight process of the Board
Ideas for Auditing the ERM Process
(4) Focus on enterprise risks
• Link IA reporting to the enterprise’s critical risks
• Acknowledge the key risks the IA plan doesn’t cover
• Compare risks identified by IA to the risks reported through the ERM process
• Ensure adequate focus on operational risks
• Be alert for emerging risks, including the potential for “black swans” and “transforming events”
Ideas for Auditing the ERM Process
(5) Keep your risk assessment evergreen
• Understand business goals / objectives as a context
• Know the industry and business
• Stay abreast of changes in the external and internal environment
Ideas for Auditing the ERM Process
(6) Consider components of the ERM process in developing the audit plan
• Is there evidence that the process activities, including the supporting tools, are in place and used effectively?
• Are the process activities integrated with core management processes effectively?
• Key questions to consider:
  – How effective is the risk identification and prioritization process?
  – Are robust action plans formulated to address the critical risks?
Ideas for Auditing the ERM Process
(7) Look for integration opportunities
• Strategy setting
• Annual business planning
• Performance management
• Budgeting
• Capital expenditure funding
• M&A targeting, due diligence and integration
Ideas for Auditing the ERM Process
(8) Pay attention to key indicators
• Are risk-management efforts mired down in minutiae?
• Are there gaps and overlaps in accountability?
• Are the warning signs escalated by risk management ignored?
• Is there a lack of a “tone at the top” conducive to effective risk management?
• Is the compensation structure incenting unacceptable risk taking?
• Is anyone making higher than expected returns and no one understands why?
• Is the Board engaged with key decisions in a timely manner?
Ideas for Auditing the ERM Process
(8) Pay attention to key indicators (Cont’d)
• Is risk management an appendage to performance management?
• Is risk an afterthought to strategy-setting?
• Other signs of ineffective implementation of ERM:
  – Failure to obtain “buy-in” and support?
  – Taking on too much too soon?
  – Insufficient emphasis on reporting needs?
  – Under-investing in closing priority gaps?
  – Vague / Unsupported value propositions?
  – Allowing ERM to become a compliance program?
  – “Enterprise List Management?”
  – Lead personnel lacking sufficient authority or time?
Ideas for Auditing the ERM Process
(9) Increase relevance of the audit plan
• Evaluate completeness of ERM risk assessment
• Link audit plan to the entity’s risk responses
  – Adequacy of policies in delineating roles, responsibilities and accountabilities
  – Effectiveness of established processes
  – Effectiveness of key control activities
  – Effectiveness of risk-based communications and information
  – Adequacy and reliability of risk measures used in monitoring
• Update audit plan for major changes in the external and internal environment
• Increase value of face time with senior management and the Board
Ideas for Auditing the ERM Process
(10) Watch for deficiencies in infrastructure
• Report on “current state” maturity of ERM capabilities
• Work with risk owners to ascertain a desired future state
• Identify and prioritize gaps
• Recommend improvements
Summary of Ideas
(1) Use a framework as a standard
(2) Become an active ERM champion
(3) Expand your audit universe
(4) Focus on enterprise risks
(5) Keep your risk assessment evergreen
(6) Consider components of ERM process in the audit plan
(7) Look for integration opportunities
(8) Pay attention to key indicators
(9) Increase relevance of the audit plan
(10) Watch for deficiencies in infrastructure
Some Issues to Address
• Coordination of mission and activities with others to eliminate redundancy
  – ERM
  – CCO
• General counsel’s preferences and concerns
• Need to enhance skills
We Have a Choice
Do nothing and let the forces of change find us
OR
Become a catalyst for change
Polling Question 5. Enterprise Risk Management implementations fail because:
a) Executive management buy-in doesn’t exist
b) Effort too complex
c) Priority risk gaps are not addressed
d) Failure to integrate ERM process into strategy setting and performance management
e) Not clear what problem is being solved
f) Getting mired into the minutiae of compliance program
g) Failure to link risk assessments into business plans
h) All of the above
i) None of the above
Polling Question 6. Enterprise Risk Management is currently being implemented in my company:
a) Yes
b) No
c) Don’t know/Not applicable
Polling Question 7. In my company, we use the following risk management framework:
a) COSO Internal Control Integrated Framework
b) COSO ERM Integrated Framework
c) ISO 31000 Framework
d) Standards Australia Framework
e) S&P ERM Framework
f) Another framework
g) We don’t use a framework at the current time
h) Don’t know/Not applicable
John Beeler Senior VP Internal Audit, Salesforce.com
Case Example #1: Evolving Risk Management Through An Integrated Approach
Company Description
• salesforce.com was founded in 1999 with the concept of delivering business applications via the Internet or the “cloud”
  – The “cloud” refers to the use of Internet-based computing, storage and connectivity technology for a variety of different services
• The company is a leading provider of enterprise and cloud computing applications, including:
  – Comprehensive customer and collaboration management services to businesses of all sizes and industries worldwide
  – A technology platform for customers and developers to build and run applications
Company Description (Cont’d)
• salesforce.com offers its services on a subscription basis
• In total, the company has over 77,000 customers as of the most recent quarter ended
• salesforce.com had sales in excess of $1.2 billion at the end of FY10 (1/31/10) with an over $1.5 billion annual run rate
  – Approximately 70% of its sales are in the US with 30% being derived from international markets
• The company went public in 2004 and trades under the CRM symbol on the NYSE
Coordinated Risk Assessment
• In part due to our rapid growth, we have focused on developing effective risk management processes within the company
  – Our processes are continually evolving
• Internal Audit partners with the ERM, SOX, and External Reporting teams to effectively coordinate and execute a detailed risk assessment process
  – The process includes detailed analysis of the company’s risks as well as interviews and focus groups with company executives and management
  – Results are evaluated and updated at least quarterly
  – The process in part drives internal audit’s annual audit plan
  – Each audit is mapped to the Top 10 risk themes
Participation on Risk Advisory Council
• Quarterly, Internal Audit participates with the ERM VP and other company leaders in Risk Advisory Council meetings
  – In these sessions, the top risks facing the company are discussed, including a review of current and proposed project plans, owners, and timelines to effectively mitigate the risks
  – Any key project plans are documented in the form of the company’s strategic goals process (what we call Vision, Values, Methods, Obstacles, Metrics, or V2MOM)
  – The sessions and outcomes reinforce accountability to address the key risks and their mitigation plans
Other Key Points
• The Company’s Compliance Committee provides another key cadence
  – Every 6 weeks, senior members of the ERM, SOX, Legal, Technology Compliance, IT Security and Internal Audit teams meet to discuss key initiatives, including those that require coordination amongst the teams
  – Prior to these sessions, projects often had overlap, causing duplication of effort as well as frustration for the internal client organizations and the respective compliance teams
• Our ERM processes are continuing to evolve
  – An area of focus for salesforce.com over the next year is to deploy additional process and technology surrounding the linkage between our GRC and ERM capabilities
Some Closing Thoughts…
• You must have the support of the CEO, CFO, General Counsel and/or other key executives and make the process fit your culture
• Internal Audit should provide leadership with respect to the company’s ERM activities
• Start small and build the program – it won’t be optimal on day one
• Monitor the efficiency and effectiveness of the processes and continually implement enhancements
Paul Sobel VP, Internal Audit, Mirant Corporation
Case Example #2: ERM – The Journey to Maturity
Company Description
• Mirant is a wholesale energy producer
• Owns and operates power plants near large metropolitan areas
  – Washington D.C., New York City, Boston and San Francisco
• Just over $2 billion in revenues and $10 billion in assets
• Industry is subject to a variety of volatile market and regulatory risks
Key ERM Components
• Comprehensive Business Risk Profile
  – Aligned with strategy
  – Formally updated annually
  – Discussed with Audit Committee
• Risk Management Policy
• Risk Oversight Committee
• Established monitoring and assurance activities, including Internal Audit
Risk Oversight Committee (ROC)
• Composed of senior operating and risk executives
  – Chaired by Chief Risk Officer
  – Does not include CEO or CAE
• Meets monthly
• Certain risks are discussed monthly
  – Commodity/market risks
  – Credit risks
  – Liquidity risks
• Others are discussed 1-2 times per year
  – Business continuity risks
  – Insurable risks
  – Stress testing results
• Risk management policy empowers ROC to make certain decisions
The Role of Internal Audit
• Initially expanded Business Risk Profile (BRP) from a commercial to an enterprise risk focus
  – Now fully owned by the CRO
  – CAE continues to play an integral role in annual update of BRP
• Considers enterprise risks when preparing the audit plan
  – Audit plan linkage to BRP is presented to Audit Committee
• Audit reports identify relevant BRP risks and indicate how effectively sub-risks are managed
• Maturity-focused review of overall ERM program
• Ongoing advice to CRO
IA Approach to Strategic Risks
• Annually, review strategic risks and answer the following questions:
  – What “could” we audit?
  – What “should” we audit?
• Update that assessment for known changes in strategy
• Tend to focus on two primary areas:
  – Information used for strategic decision making
  – Entity-level controls and related factors
Risk Management-Based Reporting
• Summary sentence that concludes on how effectively the underlying risks are managed
• Overall risk map showing our assessment of the key risks in the area
• Detailed report that discusses the +s and –s for each risk
Overall Risk Map Example
[Figure: a 3×3 grid with Inherent Risk (High / Medium / Low) on the vertical axis and Control Effectiveness (Low / Medium / High) on the horizontal axis. Each cell is rated No Action Required, Opportunities for Improvement, or Attention Required; risks outside the audit’s scope are marked “Not Covered Within the Scope of This Audit”.]
Detailed Report Format
1. Policy Risk – If Environmental and Safety management systems are not clearly defined, fully communicated, updated and endorsed by all levels of management, assurance of compliance with laws and regulations may be compromised.
Risk Management Analysis
+ Senior management communications and actions emphasize compliance.
+ The current Environmental and Safety management systems provide good policy guidance. The narratives in the Environmental and Safety management systems are well written and comprehensive.
+ EH&S management periodically reviewed its Environmental and Safety management systems.
+ The EH&S organization has implemented self-assessment programs to monitor environmental and safety compliance.
- The Environmental and Safety management systems, which were updated in 200X, have not been adequately communicated or implemented at certain company facilities.
Agreed-Upon Solutions
• After current revisions to the management systems are complete, senior management will communicate the documents to both EH&S personnel and operations personnel at the facilities. Management will emphasize the need to fully comply with the management systems. Annual assessments will be conducted to ensure implementation.
Inherent Risk – High
Control Effectiveness – Moderate
Target Date: March 30, 20XX
Responsibility: I. Candoit
ERM Maturity Assessment
• Used a “gap” approach based on the maturity of key ERM areas
• Used ISO 31000 as the foundation
  – Supplemented with NACD, S&P and other leading practices
• Determined the “current state,” then discussed potentially appropriate “desired states” with management
[Diagram: ISO 31000 risk management process]
5.2 Communication & Consultation (runs alongside every step)
5.3 Establishing the Context
  – 5.3.2 External Context
  – 5.3.3 Internal Context
  – 5.3.4 Risk Management Process Context
  – 5.3.5 Developing Risk Criteria
5.4 Risk Assessment
  – 5.4.2 Risk Identification: what can happen, when, where, how & why
  – 5.4.3 Risk Analysis: determine existing controls; determine likelihood; determine consequences; estimate level of risk
  – 5.4.4 Risk Evaluation: compare against criteria; identify & assess options; decide on response; establish priorities
5.5 Risk Treatment
  – 5.5.2 Selection of risk treatment options
  – 5.5.3 Preparing and implementing risk treatment plans
5.7 Monitor & Review (runs alongside every step)
Questions
Jim DeLoach, Bill Thomas, John Beeler, Paul Sobel
In Summary
• ERM is about elevating risk management to a strategic level and integrating it with core management processes
• Internal audit can play a pivotal role in this transition
• The key is to focus on the maturity of risk management capabilities and be a catalyst for continuous improvement
• There are many ideas you can apply – Now
• Progressive CAEs are looking at how incorporating ERM into the audit plan can increase the value contributed by IA
Progress Through Sharing
Internal Audit can act …
… as an agent for positive change in the organization
CPE Certificates • Registered participants who have met the CPE requirements will receive their CPE Certificate and a speaker evaluation by email in approximately one week.
Webinar Playback
• Paid attendees of this live Webinar can access the playback at no cost by contacting our Customer Support Team at +1-407-937-1111 or by sending an email to [email protected].
Thank You to Our Principal Partners!!!