
ICGFM Winter 2010 Conference
December 6, 2010

Addressing Current Governance and Risk Management Challenges in Governmental and International Organizations

Alan Siegfried
CIA, CCSA, CFSA, CGAP, CPA, CISA, CBA, CSP, CITP, MBA
Auditor General, Inter-American Development Bank
IIA Chairman, North American Board

Addressing Current Governance and Risk Management  Challenges in Governmental and International Organizations.    Alan N. Siegfried 2

Our World at a Glance

• Global economic challenges and issues
• Changing regulatory environment
• Financial markets turmoil
• Shrinking workforce and massive layoffs
• Budget restrictions
• Risk management efforts ineffective
• Stakeholder confidence shaken
• Uncertainty and unpredictability

Opportunity for the internal audit profession to demonstrate leadership in risk management, control and governance


Risk of Not Responding

• Diminished stature of Internal Audit in surfacing and addressing emerging risks
• Significantly reduced credibility as a trusted governance partner
• Diminished value of internal audit activities
• Seen as being inflexible and non-responsive to emerging risk

Where were the Internal Auditors?


Risk Management Lessons Learned

• Short-term cost-cutting with destructive operational or control implications
• Reliance on a third-party supplier, distributor, counterparty or joint venture partner with financial difficulties: what contingency plans are in place?
• Customer dissatisfaction over valued receivables
• Liquidity issues due to the tightening of credit and reduced demand
• Increased incentives for financial fraud
• Disgruntled current and ex-employees who sabotage or pilfer assets
• Loss of or damage to reputation

Internal Audit Role: help management identify risks, design risk management strategies, and assess and monitor the effectiveness of applicable controls


Current Challenges for Governance and Risk Management

1. Aligning internal audit coverage to meet new expectations
2. Fully embracing a risk-centric strategy
3. Realigning skills to address new requirements
4. Leveraging technology to achieve greater efficiencies
5. Coping with diminished resources
6. Maintaining stature with the audit committee
7. Integrating fraud prevention and ethics investigations into audit strategies
8. Demonstrating a stronger commitment to quality
9. Enhancing coordination internally
10. Demonstrating value and adding to the bottom line

Source: The IIA, 2009


Potential Internal Audit Involvement in Risk Management and Governance

• Participate in cross-functional ‘what if’ discussions to reconsider risks and identify action plans
• Help design risk management / monitoring processes (i.e., controls!) to address risks
• Redirect audit resources to re-assessed highest-risk areas
• Internal audit review of risk management and organizational governance


Video: http://www.youtube.com/watch?v=laKprX-HP94


Understanding the Difference

• Risk management: “A process to identify, assess, manage and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives”
• Control: “Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved”
• Governance: “The combination of processes and structures implemented by the board in order to inform, direct, manage and monitor the activities of the organization toward the achievement of its objectives”


What is Organizational Governance?

The process through which (1) values and goals are established and communicated, (2) the accomplishment of goals is monitored, (3) accountability is ensured, and (4) values are preserved.

[Diagram: the Organization, showing the Board, Executive Management, and the IA, EA, RM and C functions]


Parties in the Governance Process

• Oversight group – board and committees of the board
• Stewardship group – executive management, with the dual role of stewardship of resources allocated by the board and accountability for the results of operations
• Performance group – operating and support management and staff
• Assurance group – internal and external auditing functions; in some organizations, compliance and risk management monitoring functions are also part of the assurance group


Two Basic Responsibilities of the Board

[Diagram: the Board under a Governance Umbrella]

• Strategic Direction – values and boundaries
• Governance Oversight – accountability and values preservation


Audit Committee Areas of Focus

• Financial Reporting
• Risk Management
• Internal Control
• External Audit
• Internal Audit
• Regulatory Compliance & Ethical Matters
• Communicating & Reporting
• Maintaining and Measuring Effectiveness


Key Components of Governance Oversight

• Stakeholders
• Governance Umbrella – Board of Directors (BOD)
• Risk Management – Senior Management as risk owners
• Assurance – internal and external


Governance Opportunities

“Changing business and economic conditions provide an opportunity to reassess board priorities and re-focus the agenda” (KPMG)

• Board skills and capabilities reflect the changing business environment
• Tighten risk management oversight
• Keep ahead of the strategic agenda
• Extract the most from board committees
• Review the flow of information from management to the Board
• Create and sustain an ethical organization
• Recruit, develop and retain talented managers
• Strengthen board governance and organizational policies


What can Internal Audit Bring to the Table?

Provide independent, objective assessments on:
• Appropriateness of the governance structure
• Operating effectiveness of governance activities

Act as catalysts for change by:
• Advising or advocating improvements in governance structure and practices
• Providing assurance on risk management, control, and governance

Source: The IIA


Risk and Risk Management

• Risk is the probability/likelihood of something happening that will have an adverse impact on objectives.
• Risk Management is the systematic application of processes and structures that enable an organization to identify, assess, analyze, optimize, monitor, improve, or transfer risk while communicating risk and risk decisions to stakeholders.

Enterprise Risk Management (ERM) deals with risks and opportunities affecting value creation or preservation.

ERM is a process, effected by an entity’s board of directors and management, which is applied in strategy setting and across the enterprise. It is designed to identify potential events that may affect the entity, and manage those risks to provide reasonable assurance regarding the achievement of objectives.

Source: Committee of Sponsoring Organizations, “Enterprise Risk Management – Integrated Framework, Executive Summary”, 2004


Benefits of ERM

• Holistic view of risk in the organization
• Greater likelihood of achieving objectives
• Consolidated reporting of risks at board level
• Improved understanding of key risks and implications
• Identification and sharing of cross-business risks
• Greater management focus on the issues that really matter
• Fewer surprises or crises
• Increased likelihood of change initiatives being achieved
• Capability to take on greater risk for greater reward
• More informed risk-taking and decision-making


ERM Quality Classifications

Excellent
• Advanced capabilities to identify, measure and manage all risk exposures within tolerances
• Advanced implementation, development and execution of ERM parameters
• Consistently optimizes risk-adjusted returns throughout the organization

Strong
• Clear vision of risk tolerance and overall risk profile
• Risk control exceeds adequate for most major risks
• Has robust processes to identify and prepare for emerging risks
• Incorporates risk management into decision making to optimize risk-adjusted returns

Adequate
• Has fully functioning control systems in place for all of its major risks
• May lack a robust process for identifying and preparing for emerging risks
• Performs good classical “silo”-based risk management
• Process to optimize risk-adjusted returns not fully developed

Weak
• Incomplete control process for one or more major risks
• Inconsistent or limited capabilities to identify, measure or manage major risk exposures

Source: Standard & Poor’s


Fundamental Principles of an Effective Risk Management Strategy in International Organizations

• Common definition of risk and risk framework
• Clearly defined key roles, responsibilities and authority
• Common risk management infrastructure
• Appropriate transparency and visibility of governing bodies
• Executive management responsible for designing, implementing, and maintaining effective risk management
• Business units held responsible for risk management
• Support functions have pervasive impact on the business and the management of risks
• Oversight functions provide objective assurance, monitoring and reporting


Effective Risk Management Practices

• Adopt a risk management policy and specific risk component definitions
• Appoint a risk manager
• Provide meaningful risk information to Senior Management and the Board
• Quantify and communicate losses from risk
• Set and review risk limits with the Board
• Perform regular assessments
• Transfer risks if the cost of transfer is less than the cost of retention
• Train Management and the Board in risk matters
• Provide annual assurance on the state of risk management


Responsibilities of the Risk Manager

• Implement an enterprise-wide risk management strategy, processes and controls
• Propose risk management policy for Board approval
• Coordinate risk management efforts across the organization
• Collect and combine risk information
• Assess the information collected
• Identify, assess and report risks
• Communicate risk information to the Board and Management
• Provide annual assurance on the state of risk management
• Affirm policies are appropriate for the foreseeable future


Internal Audit’s Role in ERM


Internal Audit Value Proposition

Moving the profession from recognized, to trusted, to valued contributions to your organization and assurance to stakeholders

• Understand the business and management’s strategies and objectives
• Focus on the right areas and the right risks
• Provide practical, relevant and persuasive recommendations
• Become a proactive catalyst for positive change
• Balance consultative and assurance services
• Help protect AND grow the business
• Earn a ‘seat at the table’
• Act as trusted advisor on risk, control and governance issues

Recognized. Trusted. Valued.


Responsibilities TODAY

• Seeking to understand stakeholder expectations and evaluating effectiveness in meeting those expectations
• Developing and demonstrating strong communication skills to effectively convey findings and recommendations
• Embracing and executing a balanced risk-based audit plan
• Providing leadership on issues of corporate governance, fraud, risk management, internal control and financial reporting
• Willing to challenge the status quo, and operating as change agents
• Providing a learning environment and career pathway


Useful Tools: Risk Management Evaluation Framework

Level 1 – Risk Evaluation Criteria
• Provide Clear Risk Management Policies and Procedures
• Provide Clear Risk Management Corporate Governance Structures
• Provide Tools and Frameworks to Train the Line to Manage Risk
• Leverage Company Knowledge to Identify and Assess Risk
• Focus on Both the Upside and Downside of Risk to Optimize Strategic Risk Taking
• Prioritize Risk Based on Probability and Inherent Impact
• Provide Clear Visibility into Key Risks and Mitigation Status
• Aggregate Risk and Mitigation Information into a Central Database

Level 2 – Risk Evaluation Criteria
• Prioritize Risk Based on Probability and Residual Impact
• Embed Risk Considerations into Day-to-Day Planning and Decision Making
• Link Risk Management to Employee Performance
• Assess Effectiveness of Risk Mitigation Efforts
• Coordinate Risk Assurance Activities Across the Organization

Level 3 – Risk Evaluation Criteria
• Assess Risk Velocity to Prioritize Risk Mitigation Efforts
• Formally Define Business Unit Risk Appetite as Part of the Risk Opportunity Analysis
• Embed Feedback Loops for Continuous Improvement in Risk Strategy
• Leverage Predictive Risk Metrics to Assess Probable Impacts and Mitigation Strategies
• Develop a 360-Degree View of Counterparty Risk to Pinpoint Exposure Levels

Source: Corporate Executive Board
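The three levels above change the basis on which risks are ranked: Level 1 uses probability and inherent impact, Level 2 uses residual impact after controls and asks how effective those controls were, and Level 3 brings in risk velocity. The Python below is an added illustration, not part of the original slides or of the Corporate Executive Board framework: it scores a small constructed risk register under each criterion. The Risk class, the 1-to-5 scales, the treatment of each control as "impact points removed", the velocity weighting and every sample value are assumptions made for this example; what it shows is that the same register produces a different priority order at each level.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Risk:
    """One row of a risk register (assumed structure). All scales run 1 (lowest) to 5 (highest)."""
    name: str
    probability: int          # likelihood of the event occurring
    inherent_impact: int      # impact on objectives with no controls in place
    velocity: int             # how quickly the impact would materialise once the event occurs
    # (control name, impact points the control removes) - assumed simplification
    mitigations: List[Tuple[str, int]] = field(default_factory=list)


def inherent_score(r: Risk) -> int:
    """Level 1 criterion: probability x inherent impact."""
    return r.probability * r.inherent_impact


def residual_impact(r: Risk) -> int:
    """Impact remaining after controls, floored at 1: no control removes a risk entirely."""
    removed = sum(points for _, points in r.mitigations)
    return max(1, r.inherent_impact - removed)


def residual_score(r: Risk) -> int:
    """Level 2 criterion: probability x residual impact."""
    return r.probability * residual_impact(r)


def mitigation_effectiveness(r: Risk) -> float:
    """Level 2 'assess effectiveness of mitigation efforts': fraction of inherent exposure removed."""
    return 1.0 - residual_score(r) / inherent_score(r)


def velocity_weighted_score(r: Risk) -> int:
    """Level 3 criterion: residual score weighted by velocity, so fast-moving risks rank higher."""
    return residual_score(r) * r.velocity


SCORERS: Dict[int, Callable[[Risk], int]] = {
    1: inherent_score,
    2: residual_score,
    3: velocity_weighted_score,
}


def prioritize(register: List[Risk], level: int) -> List[str]:
    """Return risk names, highest priority first, scored by the chosen maturity level (1, 2 or 3)."""
    scorer = SCORERS[level]
    # Ties are broken alphabetically so the ordering is deterministic.
    return [r.name for r in sorted(register, key=lambda r: (-scorer(r), r.name))]


# Constructed sample register. The risk names come from the deck's "Risks to Consider"
# list; every score and control is invented for illustration only.
REGISTER: List[Risk] = [
    Risk("Security breaches", probability=4, inherent_impact=5, velocity=5,
         mitigations=[("patching programme", 1), ("monitoring and incident response plan", 2)]),
    Risk("Loss of key personnel", probability=3, inherent_impact=4, velocity=2,
         mitigations=[("succession planning", 2)]),
    Risk("Foreign currency exchange", probability=5, inherent_impact=3, velocity=3,
         mitigations=[("hedging policy", 2)]),
    Risk("Third-party outsourcing", probability=2, inherent_impact=5, velocity=1),
]


if __name__ == "__main__":
    for level in (1, 2, 3):
        print(f"Level {level} ranking: {prioritize(REGISTER, level)}")
    for r in REGISTER:
        print(f"{r.name}: inherent={inherent_score(r)} residual={residual_score(r)} "
              f"mitigation effectiveness={mitigation_effectiveness(r):.0%}")
```

Run as a script it prints the three rankings and the per-risk scores. The uncontrolled third-party risk ranks last on inherent exposure but first on residual exposure, and the fast-moving security breach risk returns to the top once velocity is applied; that movement is the reason the framework treats residual scoring and velocity as separate maturity steps rather than refinements of one number.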


Risks to Consider in 2010

Financial
• Reporting integrity
• Financial statements/disclosures are misstated according to accounting standards
• Lack of reliability in the systems reporting key financial data
• System security vulnerabilities
• Inadequate recording/oversight of financial information
• Estimates are not adequate
• Interest rate/market risk
• Foreign currency exchange
• Insufficient liquidity
• Off balance sheet risk
• Transactions are not properly approved
• Inability to raise capital
• Asset/liability risk
• Investment risk
• Credit risk

Compliance
• Non-compliance with employment practices
• Environmental contamination
• Record retention policy
• Inability to meet contractual obligations
• Breaching existing capital requirements
• Non-adherence to debt covenants
• Data used to support compliance is unreliable
• Adherence to pension plan requirements
• Insider trading
• Safety, health and privacy violations
• Fraud

Strategic
• Strategic alliances
• Strategic planning does not consider external impacts
• New products and services
• Customer demand shortfall
• Competitive pressure
• Loss of key customers
• Counterparty failures
• Customer pricing pressure
• Disruptive technologies
• Litigious trends and judicial uncertainty
• Reputation risk
• Insufficient governance structure and practices

Operational
• Loss of key personnel
• Obsolete technology
• Insufficient information technology governance
• Inadequate development effectiveness
• Natural disasters
• Acts of terror
• Third-party outsourcing
• Security breaches
• Lack of business continuity / disaster recovery planning
• Service quality
• Project/change management
• Business disruption/system failures
• Lack of sufficient contractual oversight
• Process control risk

Source: Grant Thornton


Final Thoughts

• Risks facing our organizations are unprecedented and stakeholders’ expectations continue to increase
• The internal audit profession has an opportunity to step forward to be a key player in Governance and Risk Management
• Individual practitioners and organizations must ‘raise the bar’ to most effectively represent and advocate for strong governance and risk management


Final Thoughts

• Hindsight
• Insight
• Foresight
• Value
• Focus

Questions/Preguntas?