Combined Assurance Approach

Transcription

1 Combined Assurance Approach IIA GRC Stockholm 9 October 2015 Group Internal Audit in Swedbank CAE Ingrid Harbo

2 AGENDA The Scope for Sharing Resources / Combined Assurance Ø Swedbank in brief Ø Group Internal Audit in Swedbank Ø Does Independence limit opportunities to share resources? Ø How Swedbank uses Combined Assurance to share resources Ø The importance of co operation and maintaining good relationships Ø The First Attempt in 2013 and Continuous Improvements Ø Conclusions and Some Advice 2

3 3

4 4

5 5

6 6

7 7

8 Swedbank Organisational Structure 8

9 Group Internal Audit Structure Chief Audit Executive Ingrid Harbo Senior Assurance Advisor Knowledge & Methodology LC&I Baltic Banking Group Functions Group Products Swedish Banking Acting CIO/Group IT Swedbank Estonia Swedbank Latvia Swedbank Lithuania CFO CRO Group Compliance Group Affairs Group Legal Group HR Group Insurance Products Group Asset Management Products Group Banking Products CENTRES OF COMPETENCE Investment Sales Payments Credit Trading / Treasury Support IT Risk & Compliance

10 About GIA: Group Internal Audit Geographical Presence (business activities also in US, China, Luxembourg covered by GIA) Sweden ( 40 auditors) Norway First Securities Sweden Finland Estonia (Local Presence) (6 auditors) Denmark Estonia Latvia Lithuania Lithuania (Local Presence) (5 auditors) Latvia (Local Presence) (8 auditors) 10

11 About GIA: Reporting Lines and Responsibilities The Chief Audit Executive (CAE) is directly subordinated and responsible to the Board of Directors. The CAE reports to the Board of Directors through the AC. GIA shall provide reliable and objective assurance to the Board of Directors and the CEO over the effectiveness of controls, risk management and governance processes mitigating current and evolving high risks and thus promoting a sound control culture within the Group. All activities and entities, including outsourced activities of the Group fall within the scope of GIA. 11

12 COMBINED ASSURANCE WHAT IS IT, WHY and WHO takes part? Integrating and aligning assurance processes in a company to maximize risk and governance oversight and control efficiencies, and optimize overall assurance to the audit committee and the board, considering the company s risk appetite. Three Lines of Defence or even Four Lines? 12

13 Does Independence limit opportunities to share resources? ü IIA Practice Advisory Relying on the Work of Other Assurance Providers Primary Related Standard 2050 Coordination The Chief Audit Executive should share information coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts. ü EBA Guidelines on Interna Governance - GL 44 D. Internal control 24. Internal control framework An institution shall develop and maintain a strong and comprehensive internal control framework, including specific independent control functions with appropriate standing to fulfil their mission. The internal control framework of an institution should ensure effective and efficient operations, adequate control of risks, prudent conduct of business, reliability of financial and non-financial information reported, both internally and externally, and compliance with laws, regulations, supervisory requirements and the institution s internal rules and decisions. The internal control framework should cover the whole organisation, including the activities of all business, support and control units. 13

14 Does Independence limit opportunities to share resources? ü Basel Committee on Banking Supervision Guidelines Corporate Governance Principles for Banks October 2014 Principle 6 and 7 Risk Identification, Monitoring and Controlling and Risk Communication Risks should be identified, monitored and controlled on an ongoing banking wide and individual entity basis. The sophistication of the bank s risk management and internal control structure infrastructure should keep pace with the changes in the bank s risk profile, to the external risk landscape and in industry practice. An effective risk governance framework requires robust communication within the bank about risk, both across the organisation and through reporting to the board and senior management. 14

15 Does Independence limit opportunities to share resources? ü IIA Position Paper The Three Lines of Defence in Effective Risk Management and Control January 2013 It s not enough that the various risk and control functions exist the challenge is to assign specific roles and to coordinate effectively and efficiently among these groups so that there are neither gaps in controls nor unnecessary duplications of coverage. Clear responsibilities must be defined so that each group of risk and control professionals understands the boundaries of their responsibilities and how their positions fit into the organization s overall risk and control structure. The stakes are high. Without a cohesive, coordinated approach, limited risk and control resources may not be deployed effectively, and significant risks may not be identified or managed appropriately. In the worst cases, communications among the various risk and control groups may devolve to little more than an ongoing debate about whose job it is to accomplish specific tasks. 15

16 16

17 17

18 18

19 19

20 How Swedbank uses Combined Assurance to share resources Why Combined Assurance? 1. Reduce information overkill or conflicting information 2. Eliminate unnecessary duplications (avoid business fatigue) 3. Identify Assurance Gaps 4. Increase coverage of assurance 5. Increase efficiency and reduce costs 6. Enable better decisions based on a common view re risks (A common risk report from all Assurance Providers and plans) 7. Increase transparency no surprises AC/Board get the information they need to make accurate assessments 8. Increase understanding of different assurance providers roles and responsibilities 20

21 How Swedbank uses Combined Assurance to share resources How do we get there? 1. Identify all relevant Assurance Providers and Assess their Maturity 2. Identify Risk Champions within these Assurance Providers 3. Generate Buy-In from all relevant Assurance Providers and Key Stakeholders 4. Agree on a overall global Combined Assurance process work plan 5. Agree on Risk Assessment framework (common taxonomy) 6. Gross list of Processes and related Risks provided by every assurance providers (linked to business objectives and value drivers) 21

22 How Swedbank uses Combined Assurance to share resources How do we get there? 7. Map risks to business unit/process/entity level all or one? 8. Agree on Main Key Risk Areas and ten biggest risks in each area 9. For all risks identified list activities (create a risk coverage map) 10. Insert Key Risk Areas and biggest risk in a GRC system to support risk identification, assessment, issue tracking, monitoring, assurance and reporting for each process or subprocess 11. Analyze the risk coverage map to determine adequate coverage - Identify duplications, gaps, what kind of competences needed, cycle approach 12. Agree with the Other Assurance Providers on who will do what 13. Reporting to Senior Management and Board of Directors/AC 22

23 How Swedbank uses Combined Assurance to share resources Who is doing what roles and responsiblities? 1. GIA is the Combined Assurance Owner - Facilitates the process on behalf of the AC - Best positioned to be the Coordinator of the Process - Establish the Risk Assessment Report with input from other Assurance Providers 2. Combined Assurance drives the Audit Plan, Compliance Plan and Risk Plan 23

24 The importance of co operation and maintaining good relationships Shared Goals Shared Knowledge Mutual Respect 24

25 AUDIT UNIVERSE - PROCESSES 25

26 References to IIA standards 2010 Planning; 2020 Communication and Approval, Resource Management; Coordination 2.1 Perform ARA AC and BoD Review and provide feedback on draft ARA report ARA and Annual plan Start ARA CAE Plan and Kick-off Finalise Group ARA Report GIA Management Review Risk Themes Risk calibration workshop Activity calibration workshop Draft Group ARA report to AC/BoD incl activities Run ARA debriefing session BA Teams Kick-off GIA Update risks Update Mandatory activities for BA Share and discuss risk information run CoCs Prepare BA risk assessment incl. Key risk area update Draft BA activites incl hours Finalise BA and entity ARA reports incl activites AIR system Risk Records (AIR) Risk Records (AIR) Risk Records (AIR) First Line Obtain and review risk self assessment Risk Plan Coordination BA/entitiy ARA and Annual plan Second Line Discuss risk assessments Risk Plan Coordination Final reconciliation Fourth Line Risk Plan Coordination Present and reconcile 26

27 Process Process: Client handling (onboarding/off- boarding) First Line of Defence Second Line of Defence Third Line of Defence Assuranc e Gap Process Risk Business Areas Link to business strategy Activity repository RCSA Other Operational risk Complianc e Other Group Internal Audit Know your Customer /Due Diligence Risk 1 Mandator y risks Emerging risks Inherent risks E.g.SB, GP, GF E.g. Increase customer value, reduce costs Reference to performed engagements the last two years related to the risk G xxx - Scope Short descriptio n of known activities Short description of known activities Short description of known activities S h o r t description of activity - Object ive G xxx - Scope - Object ive Risk 2. E.g.SB, GP, BB Maintenance and monitoring of client data Risk 3 Risk 1 Risk 2. E.g. SB, GP, LC&I and BB Analytics and reporting Risk 1 Risk 2 Risk 3 27 Risk 4

28 Different stages of aligning assurance Creating a shared database for findings Creating a common Taxonomy (incl rating scale) Building a combined risk assessment Building a combined reporting mechanism to management Building a combined reporting mechanism to AC / Board Creating a combined approach to audit work in the field Creating a reliance model for Internal audit to use the work of others 28

29 No single solution Consider if a combined assurance is right for your organisation Do not expect to get it right the first time Take small steps and set realistic expectations Allow flexibility Continuously improve the framework Be Transparent 29

30 CONCLUSION Developing a mature combined assurance programme is a journey not instant coffee! 30

31 THANK YOU! 31