Integration of Risk Management and Internal Audit Chartered Institute of Management Accountants, New Zealand
Contents
• Understanding the three lines of defense governance model
• What is “Risk”?
  – Risk Management Framework
  – Risk Assessment
• What is “Internal Auditing”?
  – Where does internal auditing fit into the risk management framework?
• What is “Internal Control”?
  – Where does internal control fit in with risk management and internal auditing?
Three Lines of Defense
First Line: Sourcing, Supply Chain, Stores, Multi Channels, Financial Services, Customer Support
  – Those creating risk (for reward) must also control it (Control Environment, Risk Assessment, Information & Communication, Control Activities and Monitoring)
Second Line: Operations, Finance, People, Information Systems, Risk
  – Providing support and policy direction for the first line through procedures for managing risk, strategies, budgets, reporting, communication, and training
Third Line: Internal Audit
  – Providing assurance over the effectiveness of internal controls (both 1st and 2nd LOD), and SME risk and control support, advice and recommendations
What is Risk? Uncertainty of Outcomes (1)
• Upside of Risk: Possible Opportunities
• Striving to Achieve Strategy
• Downside of Risk: Possible Threats

What is Risk? Dimensions (1)

What could be (Offensive Dimension): Strategic Objectives – Maximise Shareholder Value & Business Sustainability
• Positively influence Regulators & key Stakeholders
• Integrating Risk Management into the Strategic Planning Process
• Support business exploitation of opportunities for growth, reward and sustainability
• Change Risk Management
• Realising & exceeding strategy

What is (Offensive / Defensive Dimension): Operating Performance – Ensure earning stability & business sustainability; Protect Shareholder Value
• Risk control analysis (management of risk)
• Sourcing, Merchandising, Supply Chain, Stock, Cash, Revenue, Financial and Store Management
• Making risk-based decisions to complement financial decisions
• Maintain relationships with all key stakeholders – directors, staff, customers, suppliers, regulators and public
• Constantly monitoring and remediating
• Understanding boundary risk between Strategic, Operational, Financial & Compliance Risks

What should be (Defensive Dimension): Compliance & Prevention – Protect against threats & losses; Enhance Credit Ratings & Customer, Shareholder & Regulator Perceptions
• Incident logging and reporting
• Protection of Directors & Officers liability
• Security and privacy
• Business continuity and asset insurance
• Asset Protection / Minimise Loss

1: borrowed from Bill Sharon of SORMs
Top Down Risk Management Approach
• Risk & Control Strategy
• Risk Appetite Statements
• Risk Category, Ownership and Location
• Risk Assessment Criteria Matrix (Impact & Likelihood)
• Risks (Risk Register)

Assessment flow: Inherent Risk Heat Map → Assessed Controls (Register) → Residual Risk Heat Map → Treatments (Updated Controls Register) → Target Risk Heat Map, reported by Strategy, Risk Category, Ownership and Location.

RISK RATING – HEAT MAP (ABSOLUTE RISK). The same 5×5 matrix is used for the Inherent, Residual and Target heat maps:

Impact \ Likelihood   Rare (0-5%)   Unlikely (6-15%)   Possible (16-40%)   Likely (41-70%)   Almost Certain
Catastrophic          12            18                 21                  24                25
Major                 10            14                 19                  22                23
Moderate               6             9                 15                  17                20
Minor                  3             5                  8                  13                16
Insignificant          1             2                  4                   7                11
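The heat map above is the scoring step of the top-down approach: each risk is placed on the matrix three times (inherent, residual after assessed controls, target after treatments) and the residual rating is compared with what the risk appetite allows. The following is an added Python example, not code from the CIMA deck; the matrix cells and likelihood bands are copied from the slide, the "Almost Certain" band is assumed to cover anything above 70% (the slide gives it no percentage), and the register entries are constructed sample data.

```python
"""Risk rating helper built on the slide's 5x5 absolute-risk heat map.

Added example, not part of the original deck. Matrix cells and the
likelihood bands are taken from the slide; the "Almost Certain" band is
assumed here to cover >70% (the slide gives no percentage for it), and the
risk register rows are constructed sample data.
"""
from dataclasses import dataclass

IMPACT_LEVELS = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]
LIKELIHOOD_BANDS = ["Rare", "Unlikely", "Possible", "Likely", "Almost Certain"]

# Rating matrix exactly as shown on the slide: rows are impact (lowest first),
# columns are likelihood (Rare ... Almost Certain).
RATING_MATRIX = {
    "Insignificant": [1, 2, 4, 7, 11],
    "Minor":         [3, 5, 8, 13, 16],
    "Moderate":      [6, 9, 15, 17, 20],
    "Major":         [10, 14, 19, 22, 23],
    "Catastrophic":  [12, 18, 21, 24, 25],
}


def likelihood_band(probability_pct: float) -> str:
    """Map a likelihood percentage to the slide's band.

    Rare 0-5%, Unlikely 6-15%, Possible 16-40%, Likely 41-70%;
    >70% is treated as Almost Certain (assumption, see module docstring).
    """
    if not 0 <= probability_pct <= 100:
        raise ValueError(f"likelihood must be 0-100, got {probability_pct}")
    if probability_pct <= 5:
        return "Rare"
    if probability_pct <= 15:
        return "Unlikely"
    if probability_pct <= 40:
        return "Possible"
    if probability_pct <= 70:
        return "Likely"
    return "Almost Certain"


def risk_rating(impact: str, probability_pct: float) -> int:
    """Return the 1-25 absolute risk rating from the heat map."""
    if impact not in RATING_MATRIX:
        raise ValueError(f"unknown impact level: {impact}")
    column = LIKELIHOOD_BANDS.index(likelihood_band(probability_pct))
    return RATING_MATRIX[impact][column]


@dataclass
class RiskEntry:
    name: str
    category: str
    owner: str
    # Each is (impact level, likelihood %). Inherent: before controls.
    # Residual: with assessed controls in place. Target: after planned
    # treatments, i.e. the level the risk appetite statement allows.
    inherent: tuple
    residual: tuple
    target: tuple


def assess(entry: RiskEntry) -> dict:
    """Score one register entry on all three heat maps and check appetite."""
    inherent = risk_rating(*entry.inherent)
    residual = risk_rating(*entry.residual)
    target = risk_rating(*entry.target)
    return {
        "name": entry.name,
        "inherent": inherent,
        "residual": residual,
        "target": target,
        # Controls must not make things worse, and treatment is only complete
        # once the residual rating is at or below the target rating.
        "controls_effective": residual <= inherent,
        "within_appetite": residual <= target,
    }


def needs_treatment(register) -> list:
    """Names of risks whose residual rating still exceeds their target."""
    return [r["name"] for r in map(assess, register) if not r["within_appetite"]]


# Constructed sample register (illustrative values, not from the slides).
SAMPLE_REGISTER = [
    RiskEntry("Systems and IT Security", "Operational", "CIO",
              inherent=("Major", 45), residual=("Major", 12), target=("Moderate", 10)),
    RiskEntry("Fraud and Stock Shrinkage", "Operational", "CFO",
              inherent=("Moderate", 60), residual=("Minor", 30), target=("Minor", 30)),
]

if __name__ == "__main__":
    for row in map(assess, SAMPLE_REGISTER):
        print(row)
    print("Still above target:", needs_treatment(SAMPLE_REGISTER))
```

Keeping the three ratings side by side is what makes the register useful to the second and third lines: a residual rating equal to the inherent one says the assessed controls are not reducing the risk, and any entry returned by needs_treatment is one whose treatments have not yet brought it inside appetite.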
RISK UNIVERSE OR CATEGORIES

Financial Risk
• Funding Risk
• Investment Risk
• Capital Risk
• Credit Risk
• Interest Rate Risk
• Counterparty Risk
• Foreign Exchange Risk
• Liquidity Risk
• Insurance Risk
• Solvency Risk

Strategic Risk
• Investor Risk
• Strategic Initiatives and Projects Risk
• Customer Risk
• Competitor Risk
• Product Risk
• Supplier Risk
• Environmental Risk
• Brand Risk
• Market and Economic Risk
• Geopolitical Risk

Operational Risk
• People Risk
• Stock Management Risk
• Process Risk
• Merchandising Risk
• Systems and IT Security Risk
• Loss of Revenue Risk
• Product Safety Risk
• External Events and Business Interruptions Risk
• Stores Management Risk
• Fraud and Stock Shrinkage Risk
• Sourcing and Logistics Risk

Compliance Risk*
• NZX, Governance & Financial Reporting Risk
• All Financial Services Laws and Regulations Risk
• Health, Safety & Environmental Law Risk
• Company Policies & Procedures Risk
• Commercial Law Risk
• Employment Law Risk

*Non-compliance or cost of over-compliance
Sources of and Identifying Risks & Opportunities – Risk Profiling
• Understanding what must go right and what must not go wrong relative to Strategy (at any level)
• External Loss Data, e.g. economic reports, industry reports
• Internal Loss Data, e.g. incident & near-miss registers, internal audit reports
• Reference to the Risk Universe / Categories
• Interviews* with Management and Team Members and completion of the “Risk Profiling Questionnaire”
• Collating and analysing results* of the “Risk Profiling Questionnaire”
• Presentation of the summarised results* of the Risk Profiling Questionnaire to the Risk Profiling Workshop
• Facilitation* of Risk Profiling Workshops resulting in collective agreement on the list of risks and opportunities