INTERNAL AUDIT CONFERENCE
INTERNAL AUDIT & RISK ENVIRONMENTS
Presentation by: KIMEU, Jones Musyoki
ICPAK
Mombasa Continental Beach Resort
Wednesday 20th August, 2014
Introduction
Background: MBA (for Executives), BCom. (Hons), CPAK, CISA, FCCA
Over 15 years' experience in risk management, audit and consultancy in risk, internal controls, IT audits and corporate governance
Contact: KIMEU, Jones Musyoki, +254 722 [email protected]
CONTENT
• Introduction
• The Context
• Internal and external risk environments
• Factors affecting a firm's risk appetite and tolerance
• Integrated risk management
INTRODUCTION
• "The possibility that an event will occur and adversely affect the achievement of objectives" – Committee of Sponsoring Organizations (COSO) Enterprise Risk Management Framework
• "The chance of something happening that will have an impact upon objectives" – AS/NZS 4360:1999, Risk Management
• Events that may have a positive impact represent opportunities
INTRODUCTION (Cont.)
• Risks can be defined as real or potential events which reduce the likelihood of achieving strategic and operational objectives
• Risk identification is the process of determining risks that could potentially prevent the program, enterprise, or investment from achieving its objectives. It includes documenting and communicating the concern.
All risk types (examples)
• Reputation
• Security of confidential information
• Bad press reports
• Transparency & accountability
• Fire
• Labour strikes
• Dynamic IT industry
CONTEXT: In today's world, change and uncertainty are constants...
LANDSCAPE OF EMERGING RISKS
(Word cloud) Invasion of privacy; Bogus parts; Power system break; Organised crime; CO2 trading; Off-shore & internet markets; Space weather; Electrosmog; Resistance to antibiotics; Drinking water quality; Loss of reputation; Business ethics; Intercontinental data transmission; Customised drugs; Nanotechnology; Caldera eruption; RSI; Cyber risks; Dirty bombs; Implants; Indoor pollution; Toxic mold; Food contaminants; Stress at work; Endocrine disruptors; Media risks; Ageing infrastructures; Tele-medicine; Cloning; Deteriorating safety standards; Alcohol; Contingent business interruption; Mega tsunami; Pervasive computing; Privatisation; Botox; Spread of diseases (Ebola)
CONTEXT
People – fraud, vandalism, human error, strikes, miscommunication, riots, etc.
Systems – machine breakdown, internal control deficiencies, obsolescence, etc.
External factors – suppliers, customers, natural perils (earthquakes, floods), etc.
ROLE OF INTERNAL AUDIT
Independent appraisal of the policies, processes and controls relating to the risk management framework, and reporting to all levels of management.
The role of internal audit in risk management is important, but one that can also present significant challenges (source: IIA).
ROLE OF AUDIT AS A CATALYST (diagram)
Board: Oversight
Senior Management: Ownership & Management
Risk Management: Co-ordination
Business Units: Action
Internal Audit: Assurance (risk-based surveys)
BEST PRACTICE – Risk Based Internal Audits (RBIA)
INTERNAL AND EXTERNAL RISKS
RISK UNIVERSE
Definition: All risk types and categories across all business lines, functions, geographical locations and legal entities that could affect an organization.
ESTABLISH THE CONTEXT
(Diagram: External Environment)
RISK UNIVERSE (Cont.)
A company focused on ERM constantly assesses risk factors to ensure they reflect business realities, covering both quantifiable and non-quantifiable risks, financial and non-financial.
RISK FRAMEWORK (diagram): risk categories, their sub-risks and the framework definitions
Liquidity: Corporate Funding; Collateral Requirements; Contingency funding. Definition: ability to generate/obtain sufficient cash in a timely manner to meet demands as they arise.
Market: Market factor sensitivity; Volume Risk; Market Liquidity; Investment Performance. Definition: potential loss arising from adverse movements in external market variables; risk of failure of market intermediaries.
Health: Contagion risk; Chronic diseases; Pandemics.
Operational: People; Process; System; Financial Reporting; External. Definition: risk of loss from inadequate or failed internal processes, people, financial reporting, systems or external events.
Environmental: Law Changes; Non-Compliance; Environmental Impact; Environmental Positioning. Definition: risk of loss and associated harm due to the company's interaction with the environment.
Business & Strategic: Quality of Health care; Demand Changes; Industry Changes; Political Risk. Definition: risk of unsuccessful performance due to potential threats, actions or events adversely affecting the organization's ability to achieve objectives.
Reputational: Unethical behavior; Crisis Management; Association Risk. Definition: potential negative publicity regarding business practice, regardless of validity.
RISKS AT 3 LEVELS
1. Strategic/Corporate Level Risk: strategic alignment, governance, culture, funding, etc.
2. Business Level: organization (structure / segregation of duties), infrastructure, competence, staff attitudes, etc.
3. Transaction Level: P2P, treasury management, financial reporting, etc.
STRATEGIC / CORPORATE RISKS
• Organization structure
• Resource allocation
• Governance
• Reputation
STRATEGIC RISKS (Cont.)
Organization structure
• Organization charts and reporting lines
• Authority and responsibility
• Segregation of duties (SOD)
Resource allocation
• Budgeting and planning
• Goal / objective setting
• Timelines
• Metrics & measurement
Governance
• Culture
• Ethical behavior
• Board effectiveness
• Succession planning
• Tone at the top
Reputation
• Image and branding
• Stakeholder relations
FINANCE RISK
• Finance/Budget management
• Financial reporting
• Internal controls
• Accounting
FINANCE RISK (Cont.)
Finance/Budget management
• Cash forecast
• Liquidity
• Cash flow management
• Analytics
Financial reporting
• Financial statement close process
Internal controls
• Transaction management (initiation, approval, recording and custody)
Accounting
• Application of accounting regulations, rules and procedures
OPERATIONAL RISK
• Infrastructure
• People
• Process
• Technology
OPERATIONAL RISK (Cont.)
Infrastructure
• Capability
• Office space
• Assets
• Tools
• Physical security
• Business continuity
People
• Leadership – board / management expertise
• HR – responsibility & accountability
• Health & safety
• Risk-reward alignment
• Performance management
• Empowerment
OPERATIONAL RISKS - PEOPLE
• Mindset
• Buy-in / consensus
• Balance between revenue-driven and control-driven
• Competitor pressure
• Communication
• Sustaining vigilance
People risk supports or undermines strategy: alignment (or misalignment) of attitudes and goals; strong ERM operating within risk appetite, as against scandals and collapses.
OPERATIONAL RISK (Cont.)
Process
• Fraud
• Policies and procedures
• Outsourcing
• Third-party fraud
• Business processes
Technology
• Integrity
• Accuracy
• Availability / timeliness
• Relevance
• Restricted access
COMPLIANCE RISKS
• Regulatory risks
• Contractual commitments (contract)
• Policies and procedures
• Code of Business Conduct
ENVIRONMENTAL RISKS
• Economic: such as donor support, skilled labour supply, forex fluctuations
• Natural environment
• Political: will, priorities & political stability
• Social: demographics, attitudes, tastes and preferences
• Technological (IT risk): e.g. innovations
TECHNOLOGICAL (IT) RISKS
TEAM EXERCISE
Identify common risks affecting your organization and your industry.
Classify these risks: strategic, business, operational.
FACTORS AFFECTING A FIRM'S RISK APPETITE AND TOLERANCE
RISK APPETITE
Definition: Risk appetite is the amount of risk, at a broad level, that an organization is willing to take on in pursuit of value; in other words, the total impact of risk an organization is prepared to accept in the pursuit of its strategic objectives. It goes to the heart of an organization: how it does business and how it is perceived by stakeholders (employees, customers, regulators, rating agencies, etc.).
RISK APPETITE
The following factors influence the risk appetite of an organization:
• The external environment
• People
• Business systems and policies
NB: Risk appetites vary from organization to organization, between business units and between risk types (for instance, a bank's appetite for lending to a mature market will differ from its appetite for lending to an emerging market).
RISK APPETITE
From another perspective, smaller losses incurred as a consequence of fraudulent activity (such as cybercrime) can have a more adverse impact on a bank's reputation than much higher lending losses incurred in the normal course of business.
Consequently, financial institutions set a much lower risk appetite for fraudulent or unethical practices that could damage reputation.
RISK APPETITE
Ways to measure risk appetite:
• Simple qualitative measures (reputational, management effort and regulatory compliance), such as defining risk categories and setting target levels
• Building on the above, more complex quantitative models of economic capital and earnings volatility (capital adequacy, target debt rating, earnings volatility, credit rating, etc.)
Conclusion: risk appetite provides a cornerstone for the organization's risk management framework.
RISK APPETITE - CHARACTERISTICS
A well-defined risk appetite should have the following characteristics:
1. Reflective of strategy, including objectives, business plans and stakeholder expectations
2. Reflective of all aspects of the business
3. Acknowledges a willingness and capacity to take on risks
4. Is documented as a formal risk appetite statement
5. Considers the skills, resources and technology required to monitor and manage the risk exposure in the context of risk appetite
6. Is inclusive of a tolerance for loss or negative events that can be reasonably quantified
7. Is periodically reviewed and reconsidered with reference to evolving industry and market conditions
8. Has been approved by the board
RISK APPETITE RATING (Example)
Willingness to accept risk, rated 1 to 5 (Low to High), for each of: Earnings volatility; Capital requirements; Reputation; Credit rating; Regulatory standing.
RISK TOLERANCE
Definition: Risk tolerance is the degree of variability in investment returns that an individual is willing to withstand, and an important component in investing. An individual should have a realistic understanding of his or her ability and willingness to stomach large swings in the value of his or her investments. Investors who take on too much risk may panic and sell at the wrong time.
RISK TOLERANCE - Cont.
The factors affecting risk tolerance (assessed using risk tolerance questionnaires) include:
• Worst-case historical returns for different asset classes, reviewed to get an idea of how much money one would feel comfortable losing if one's investments have a bad year or a bad series of years.
• The time horizon one has to invest, future earning capacity, and the presence of other assets such as a home, pension, social security or inheritance (in general, one can take greater risk with investable assets when other, more stable sources of funds are available).
RISK TOLERANCE
Your investment time frame: the cliché here is what we'll refer to as "age-based" investment risk tolerance. When will the capital be needed? If the time horizon is relatively short, risk tolerance should shift to be more conservative.
Your risk capital: money available to invest or trade that will not affect your lifestyle if lost (liquid capital).
Your investment experience: aim to get some experience under your belt before committing too much capital. Always remember the old cliché and strive for preservation of capital.
RISK TOLERANCE
Your investment objectives: if you are saving for your retirement, how much risk do you really want to take with those funds?
The actual investment you are considering: different investments carry different levels of risk. All investments involve a degree of risk and returns can never be guaranteed, so it is important to choose investments that suit your circumstances.
RISK TOLERANCE
Illustration of a range of investment types and their associated risks
INTEGRATION: RISK LANGUAGE & CULTURE
INTEGRATION – LANGUAGE & CULTURE
Develop a common risk and control language:
• Take an inventory of all current risk practices and taxonomies.
• Determine which ones best meet our business needs.
• Align the remaining practices and taxonomies with the ones we determined are best.
INTEGRATED RISK MANAGEMENT
{ENTERPRISE RISK MANAGEMENT & GOVERNANCE}
RISK MANAGEMENT GOVERNANCE
Governance: Board, Audit & Risk Committee, Executive Risk Committee(s), risk appetite, risk universe.
1. Governance committees
• Audit Committee: expanded mandate to cover risk oversight
• Risk Management Committee (new): executive committee chaired by the CEO with representation from all HODs. The risk manager acts as secretary (but cannot chair). Forum for risk discussions.
2. Risk appetite: the amount of risk that an organisation is willing to seek or accept in the pursuit of its mandate, to be clearly defined through a delegation-of-authority matrix, policies and procedures.
3. Tone at the top: the Board sets clear leadership (clarity of direction) and expectations for risk management (informed risk/reward).
Governance structure (diagram): Board → Audit and Risk Committee → Risk Management Committee (Exec) → HOD 1 / HOD 2 / HOD 3, with management reporting along the same line.
ERM Framework (ERMF) (diagram)
1. Risk Universe (all risk types)
2. Risk management process: Risk identification → Risk assessment / measurement → Risk mitigation & treatment → Risk monitoring & reporting, supported by the Risk Register, the Risk Matrix and the log of Risks / Opportunities
3. Tools, resources, policies & procedures, training, risk culture, systems
4. Organisation structure: roles and responsibilities, risk domains, Risk Manager, HODs, departmental risk champions
5. Governance: Board, Audit & Risk Committee, Executive Risk Committee(s), risk appetite
6. Lines of assurance: internal / external audit
IMPLEMENTATION BUILDING BLOCKS (diagram, by level: BOD, Executive Management, Tactical Management, Operational Level, Audit)
Understand / appreciate ERM → Develop risk strategy → Formulate implementation plan → Create budget → Develop an ERM framework → Create governance structure → Spread the gospel (culture) → Implement the risk management process → Risk ownership → Risk–reward across all operations → Assurance / QA
ARE WE SUCCEEDING? – MEASURING SUCCESS (maturity ladder)
1. Culture
1.1 Creating awareness & setting the tone on the importance of risk management
2. Risk Identification
2.1 Risk identification & risk maps
2.2 Risk governance & policy design
3. Qualitative Management
3.1 Self-assessment tools (CRSAs)
3.2 Key Risk Indicators (KRIs)
4. Quantitative Measurement
4.1 Capture internal risk data
4.2 Consideration of external data
4.3 Internal model to quantify risk & capital number
5. Integrated Management
5.1 Integrate with existing systems
5.2 Risk return metric
5.3 Management controls & corrective actions
5.4 Reporting to management and stakeholders
MONITORING & EVALUATION
Monitoring - Internal control systems need to be monitored, a process that assesses the quality of the system’s performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two.
INSTITUTIONALISING RISK MANAGEMENT
1. Crucial to set the tone at the top: leadership and consistency
2. Promote risk management as a day-to-day management tool to, inter alia, ensure achievement of the strategic objective/mandate and enhanced service delivery
3. Senior managers should establish clear risk management roles and responsibilities
INSTITUTIONALISING RISK MANAGEMENT (Cont.)
4. Staff should have the capacity (skill, training, knowledge, information and resources) to perform risk management roles
5. Integration with strategic planning, new initiatives and projects
6. Every person has a role to play (performance management)
RISK MANAGEMENT
The most important phases of the risk management process are risk identification, risk analysis and risk response.
a) Risk identification is achieved by completing checklists, organizing meetings to identify risks, and analysing archived documents.
RISK MANAGEMENT (Cont.)
b) Risk analysis uses methods such as determining the expected value, Monte Carlo simulation and decision trees.
c) Risk response includes measures and actions to reduce, eliminate or allocate the risk.
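Of the three analysis methods named above, Monte Carlo simulation is the one that benefits most from a worked example. The following is an added example, not code from the presentation: it models the annual loss from one risk register entry as a compound distribution (a Poisson number of loss events per year, each with a lognormal severity), simulates many years, and checks the simulated expected annual loss against its closed-form value, while also reporting a 99th-percentile annual loss and the probability of suffering any loss in a year. The event rate, the median loss, the spread parameter and the KES figures are constructed for illustration and are not from the slides.

```python
"""Monte Carlo risk analysis of one risk register entry (added example, not
from the presentation). Annual loss = sum of a Poisson number of loss events,
each with a lognormal severity; every parameter below is constructed."""
import math
import random


def sample_poisson(rng: random.Random, rate: float) -> int:
    """Poisson-distributed event count for one year (Knuth's multiplication
    method; adequate for the small event rates used in operational-risk work)."""
    threshold = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_losses(freq_per_year: float, median_loss: float, sigma: float,
                           n_years: int, seed: int = 7) -> list:
    """Return n_years simulated annual loss totals (same units as median_loss).

    Severity is lognormal: log(loss) ~ Normal(mu, sigma) with mu = log(median_loss),
    so half of all events cost less than the median and the tail is heavy."""
    rng = random.Random(seed)
    mu = math.log(median_loss)
    totals = []
    for _ in range(n_years):
        events = sample_poisson(rng, freq_per_year)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return totals


def expected_annual_loss(freq_per_year: float, median_loss: float, sigma: float) -> float:
    """Closed-form expected value: rate x E[severity], with
    E[lognormal] = exp(mu + sigma^2 / 2) = median_loss * exp(sigma^2 / 2)."""
    return freq_per_year * median_loss * math.exp(sigma ** 2 / 2)


def percentile(values: list, q: float) -> float:
    """q-th sample quantile (nearest rank), e.g. q=0.99 for a 1-in-100-years loss."""
    ordered = sorted(values)
    rank = max(1, math.ceil(q * len(ordered)))
    return ordered[rank - 1]


def risk_summary(freq_per_year: float, median_loss: float, sigma: float,
                 n_years: int = 20_000, seed: int = 7) -> dict:
    """Expected value (analytic and simulated), 99th-percentile annual loss and
    the probability of at least one loss event in a year."""
    sims = simulate_annual_losses(freq_per_year, median_loss, sigma, n_years, seed)
    return {
        "expected_loss_analytic": expected_annual_loss(freq_per_year, median_loss, sigma),
        "expected_loss_simulated": sum(sims) / len(sims),
        "loss_99th_percentile": percentile(sims, 0.99),
        "prob_any_loss": sum(1 for x in sims if x > 0) / len(sims),
    }


if __name__ == "__main__":
    # Constructed entry: fraud losses, about 2 events a year, median KES 50,000 each.
    summary = risk_summary(freq_per_year=2.0, median_loss=50_000, sigma=1.0)
    for key, value in summary.items():
        print(f"{key:>24}: {value:,.2f}")
```

The closed-form expected value is a check on the simulation: if the simulated and analytic means diverge by more than sampling error, the sampler or the parameters are wrong. The 99th-percentile figure is the number a control rating of "Poor" or "To Improve" is really about; the expected value alone says nothing about the years in which several large events cluster.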
ERM IMPLEMENTATION CHALLENGES
• People
• Organization
• Process
• Systems
• Change management
ERM IMPLEMENTATION CHALLENGES (Cont.)
People
• Lack of commitment / buy-in from board, senior management and staff
• No in-house expertise or experience in performing risk management
• Risk management culture not well established
Organization
• Inappropriate risk management organisation structure
• Not aligned with the institution's / departments' objectives
Processes
• Inadequate project funding
• No clear understanding of the policies and procedures needed to establish the risk management architecture
• Failure to prioritise implementation activities
Systems
• Inadequate technologies to collect and measure risks
• Inadequate communication systems to capture and communicate risk information
• Disintegrated systems / old traditional applications
Change management
• Articulating and measuring the potential benefits of ERM
• Integrating risk management into strategic planning processes
• Understanding industry-specific risks and risk management standards/solutions
• Risk management information not well communicated, including risk appetite and risk tolerance
RISK REPORTING
RISK REGISTER
Central repository / log for all risks identified by the organisation.
CONTENTS OF A RISK REGISTER
1. The risk
2. Root cause
3. Mitigating controls / corrective action plan
4. Responsible party
5. Target date
6. Impact/probability assessment
Risk management cycle (diagram): Identification → Assessment → Control / Mitigation → Monitoring → Reporting; supporting tools: KRI, RCSA, LDM, Capital Calculation.
Register template columns: Risk Event Description | Inherent Impact | Inherent Likelihood | Description of Standard Controls | Control Rating | Residual Impact | Residual Likelihood | Action Plan | Responsible Person | Due Date
RISK ASSESSMENT/MEASUREMENT
RISK ASSESSMENT MATRIX
Likelihood of the event (scale 1 to 5):
5 Almost Certain: the event is expected to occur in most circumstances, say several times per month
4 Likely: the event will probably occur in most circumstances, say once per year
3 Probable: the event might occur, say once in every 3 years
2 Unlikely: the event could occur at some time, say once in every 5 years
1 Rare: the event may only occur in exceptional circumstances
Impact of the event occurring (scale 1 to 5), by risk category:
Financial / Commercial (Budgetary control; Fraud and theft; Loss of grants/funding; Lack of system integrity; Continuity planning; Repairs and maintenance of buildings – fire, flood & power interruption; Intellectual property commercialisation):
1 KES 10,000.00 | 2 KES 100,000.00 | 3 KES 500,000.00 | 4 KES 1,000,000.00 | 5 >KES 1,000,000.00
Regulatory (Non-compliance with legislation):
1 Minimal issue | 2 Isolated compliance issue | 3 Isolated serious compliance issue | 4 Systematic serious compliance issue | 5 Sanction by regulator
Reputational / Political (Changes to government policy; Adverse media coverage; Reputation and goodwill; Quality management; Equal opportunities; Brand image):
1 Minor issues resolved promptly by day-to-day management processes | 2 Issue raised by stakeholders and/or local press | 3 Stakeholder and/or community concern, heavy local media coverage | 4 Embarrassment for the Trustee, including adverse media coverage | 5 Reputation and standing of the Trustee affected nationally and internationally
Staff / Customers (Loss of staff & knowledge; Recruitment & retention; Health & safety; Inadequate communication; Training and development):
1 First aid | 2 Minor injuries / treatment | 3 Injury and/or hospitalisation | 4 Single death | 5 Multiple deaths
Environmental / Community (Chemical hazards; Environmental health & safety; Community & stakeholder relationships):
1 Minor and brief pollution | 2 Transient harm | 3 Moderate harm | 4 Significant harm | 5 Long-term harm
Rating and escalation: Low Risk – managed within department; Medium Risk – reported to Risk Management Committee; High Risk – reported to Board.
CONTROLS EVALUATION
Register columns used in the evaluation: Risk Event Description | Inherent Impact | Inherent Likelihood | Description of Standard Controls | Control Rating | Residual Impact | Residual Likelihood
The effectiveness of each control, or set of controls, is rated on a four-point scale:
1. Efficient: the internal control system is efficient and adequate
2. Acceptable: a few corrections should make the internal control system satisfactory
3. To Improve: the internal control system has to be enhanced and the process monitored more closely
4. Poor: the internal control system of the process has to be reorganized immediately
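The register columns (inherent and residual impact and likelihood, control rating, responsible person, due date), the 1 to 5 likelihood and impact scales and the Low/Medium/High escalation rule can be wired together into a small scoring routine, so that the residual rating is derived from the control rating rather than typed in by hand. The following is an added example, not code from the presentation: the scales, the four-point control rating, the Financial / Commercial KES bands and the three escalation routes come from the slides, while the heat-map score thresholds (Low 1 to 5, Medium 6 to 12, High 15 to 25), the rule that each step of control effectiveness lowers likelihood by one scale point, and the sample register entries are assumptions made for illustration.

```python
"""Risk register scoring and escalation routing (added example, not from the
slides). Scales, control rating and escalation routes follow the presentation;
the score thresholds, the control-effectiveness reduction rule and the sample
register entries are assumptions for illustration."""
from dataclasses import dataclass

# Financial / Commercial impact bands in KES from the assessment matrix;
# score 5 is everything above the score-4 ceiling.
FINANCIAL_BANDS = [(10_000, 1), (100_000, 2), (500_000, 3), (1_000_000, 4)]

# Four-point control rating from the slides, mapped (assumption) to how many
# likelihood points effective controls remove from the inherent likelihood.
CONTROL_RATING = {"Efficient": 3, "Acceptable": 2, "To Improve": 1, "Poor": 0}

# Escalation routes from the heat map.
ESCALATION = {
    "Low": "Managed within department",
    "Medium": "Reported to Risk Management Committee",
    "High": "Reported to Board",
}


def financial_impact_score(loss_kes: float) -> int:
    """Map an estimated loss in KES onto the 1-5 impact scale."""
    for ceiling, score in FINANCIAL_BANDS:
        if loss_kes <= ceiling:
            return score
    return 5


def band(score: int) -> str:
    """Heat-map band for a likelihood x impact score (assumed thresholds)."""
    if score >= 15:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


@dataclass
class RiskEntry:
    """One row of the register, with the columns the slides list."""
    description: str
    root_cause: str
    inherent_impact: int        # 1-5
    inherent_likelihood: int    # 1-5
    controls: str
    control_rating: str         # key of CONTROL_RATING
    responsible: str
    due_date: str

    def __post_init__(self) -> None:
        if not (1 <= self.inherent_impact <= 5 and 1 <= self.inherent_likelihood <= 5):
            raise ValueError("impact and likelihood must be on the 1-5 scale")
        if self.control_rating not in CONTROL_RATING:
            raise ValueError(f"unknown control rating: {self.control_rating!r}")

    @property
    def residual_likelihood(self) -> int:
        # Assumption: controls lower the likelihood, never below Rare (1).
        return max(1, self.inherent_likelihood - CONTROL_RATING[self.control_rating])

    @property
    def residual_impact(self) -> int:
        # Assumption: standard controls do not shrink the impact if the event still occurs.
        return self.inherent_impact

    @property
    def inherent_score(self) -> int:
        return self.inherent_impact * self.inherent_likelihood

    @property
    def residual_score(self) -> int:
        return self.residual_impact * self.residual_likelihood

    @property
    def route(self) -> str:
        """Where the residual risk is reported, per the Low/Medium/High rule."""
        return ESCALATION[band(self.residual_score)]


def register_report(entries: list) -> list:
    """Report rows sorted by residual score, highest first."""
    rows = []
    for e in sorted(entries, key=lambda r: r.residual_score, reverse=True):
        rows.append({
            "risk": e.description,
            "inherent": f"{e.inherent_likelihood}x{e.inherent_impact}={e.inherent_score} ({band(e.inherent_score)})",
            "residual": f"{e.residual_likelihood}x{e.residual_impact}={e.residual_score} ({band(e.residual_score)})",
            "route": e.route,
            "owner": e.responsible,
            "due": e.due_date,
        })
    return rows


# Constructed sample register (assumption; not from the presentation).
SAMPLE_REGISTER = [
    RiskEntry("Unauthorised access to the core finance system",
              "Shared administrator passwords, no access reviews",
              financial_impact_score(2_000_000), 4,
              "Role-based access, quarterly access recertification, MFA for administrators",
              "Acceptable", "Head of ICT", "2014-12-31"),
    RiskEntry("Fire in the records archive", "Ageing electrical wiring",
              financial_impact_score(400_000), 2,
              "Smoke detection, suppression system, off-site backups",
              "Efficient", "Facilities Manager", "2014-10-31"),
    RiskEntry("Non-compliance with new data protection legislation",
              "No compliance owner appointed", 4, 4,
              "None documented", "Poor", "Company Secretary", "2014-09-30"),
]

if __name__ == "__main__":
    for row in register_report(SAMPLE_REGISTER):
        print(row)
```

Run as a script it prints the three report rows with the board-reported item first. Because the residual likelihood is computed from the control rating, a register built this way cannot show a "Poor" control beside a comfortably low residual score, which is one of the inconsistencies an auditor most often finds in hand-maintained registers; the input checks in `__post_init__` likewise reject scores outside the 1 to 5 scale before they reach the heat map.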
LIKELIHOOD AND IMPACT
RISK HEATMAP - PROFILE
SAMPLE KEY RISK INDICATORS (KRIs)
(Chart: KRI performance plotted over time, periods 1 to 16 on a scale of -4 to +4, for Staff Turnover, Customer Complaints, Internal Limit Violations, Computer Breakdowns and Electronic Security Breaches.)
GAINING RISK REPORTING
Risk report columns: Risk Report Item | Risk Direction | Management Action Plan | Report Status
RECAP – FUNDAMENTALS OF ERM
Source: COSO ERM Framework
Fundamental steps of risk management (COSO ERM components): Objective Setting; Event Identification; Risk Assessment; Risk Response; Control Activities; Information & Communication; Monitoring
RECAP - BEST PRACTICE IN ERM
Quote of the day
"…in all my experience, I have never been in an accident of any sort worth speaking about. I have seen but one vessel in distress in all my years at sea… I never saw a wreck and have never been wrecked, nor was I ever in any predicament that threatened to end in disaster of any sort."
Edward J. Smith, interviewed by the New York press, 1907
Think the unthinkable! Expect the unexpected!
On April 15, 1912, RMS Titanic sank with the loss of more than 1,500 lives, one of which was its captain, E. J. Smith.