A proactive approach to auditing risk management

Transcription

1 A proactive approach to auditing risk management Anthony Garnett Head of Internal Audit, HM Government, Department for International Development 10 October 2017 Crown Copyright 2017

2 Agenda 1. What s the issue? 2. Solutions 3. Questions

3 The issue

4 1. Organisations struggle with risk management

5 2. Management teams issue manage Why? Don t value risk management Think it s too complex See failures and think not worth it No reward in preventing something far off Rewarded for solving problems Have poor MI and data Almost certain Likely Possible Unlikely Rare Issue Issue Issue Risk Insignificant Minor Moderate Major Severe

6 3. Internal Audit does not audit risk What does assurance mean here? Assurance over risk (as uncertainty?) In relation to what? In whose judgement? i.e. is IA imposing a risk appetite? Limited what? Assurance? Risk? Control? Is this conflating control as adequate risk mitigation? Something can be well risk managed but poorly controlled if there is no conflation Coverage Governance, risk management and control framework Assurance Opinion on mitigating controls over the risk to the delivery of objectives Core Definitions for Annual and Engagement Opinions Substantial The framework of governance, risk management and control is adequate and effective. Moderate Some improvements are required to enhance the adequacy and effectiveness of the framework of governance, risk management and control. Limited There are significant weaknesses in the framework of governance, risk management and control such that it could be or could become inadequate and ineffective. Unsatisfactory There are fundamental weaknesses in the framework of governance, risk management and control such that it is inadequate and ineffective or is likely to fail. Optional RAG Green Yellow Amber Red Factors influencing choice of opinion Adequacy and Effectiveness of the governance, risk management and control framework Impact of any weakness on delivery of objectives Extent of risk exposure Risk tolerance Materiality: by value to the entity, by value in the engagement context and by nature (e.g. irregularity and reputational risk) We may also take account of Management responses to recommendations/ management actions If there is no risk appetite, this scale drives risk aversion as green means risk is low. Or is there no risk appetite and only the most certain things score green? If the fixed scale is not risk but performance in relation to risk mitigation, this makes report ratings relative. i.e. thus a high risk area could be both green and red (depending on risk appetite applied). But something high risk could be satisfactory if there is a high risk appetite. So if not applying risk appetite then driving risk aversion.

7 4. Or offer risk based opinions? Good Full Minor Low Acceptable Partial Moderate Medium Weak Limited Major High Unacceptable Nil Severe Good what? Control? Assurance? Risk management? Full what? Assurance? Risk management? Control? Risk aversion? Sensitive enough? Meaningful?

8 5. Or worse no opinion No annual opinion too difficult, organisation too weak No assignment opinion Missing dialectic process with management and audit committee Dialectic or dialectics (Greek: διαλεκτική, dialektikḗ), also known as the dialectical method, is a discourse between two or more people holding different points of view about a subject but wishing to establish the truth through reasoned arguments. Cannot govern direct and control

9 6. Control risk management If control risk management then: Drive risk aversion Audit someone else s definition of risk appetite (i.e. compliance) Belie reality Almost certain Likely Possible Unlikely Rare Insignificant Minor Moderate Major Severe

10 My solution

11 1. Standalone audit risk management Audit risk management Then audit again And again Use a maturity framework Qualify or caveat your opinion

12 2. Recognise risks organisational structures

13 3. Change your underlying assumptions socially scientific internal audit Science Social Science Art Model implications There is a right and wrong Inclination to compliance audit Focus on doing things right, not are they the right things? Audits like experiments to discover the truth Auditors make recommendations that must be followed A lack of risk appetite and judgement in work Audits like experiments Model implications There is objective knowledge, but people have different views on it There is a substantively right but can be differing views on it Audit work will ask not just compliance questions, do we do things right? but do we do the right things? Audits like investigative research, taking various views, evidence etc. and forming an independent view over what feels right Model implications There is no right. All people are right, knowledge only exists as constructed by people. Audits more qualitative and describe what IA has been told No formal structured opinions or conclusions Narrative reports difficult to compare No formal recommendations Auditors listen to clients and are primarily passive

14 4. Rebalance 3 lines of defence SMART rules changes Country and programme teams Whitehall and AH IAD Country and programme teams Whitehall and AH IAD

15 Business / process risks 5. Broaden your types of review Strategic Secretariat SENIOR MANAGEMENT TEAM Governance Dept 1 Dept 2 Dept 3 Dept 4 Dept 5 Dept 6 Thematic and tactical Country, department, programme and project Consultancy audit to support development of DFID s systems

16 6. Implement a real RBIA planning model

17 7. Recognise audit simplifies Reality Audit opinion

18 8. Use risk layers

19 9. Issue a risk based opinion 1/3 Assessment of net risk An objective assessment of net risk and level of assurance (after application of management controls) faced by DFID in the area under review. Net Risk Rating Description [delete as required] Assurance Assessment Minor Moderate Major Severe The framework of governance, risk management and control provides substantial assurance over the achievement of objectives. Risks to objectives are minor (combined impact and likelihood). The framework of governance, risk management and control provides moderate assurance over the achievement of objectives. Risks to objectives are moderate (combined impact and likelihood). The framework of governance, risk management and control provides limited assurance over the achievement of objectives. Risks to objectives are major (combined impact and likelihood). The framework of governance, risk management and control provides very limited to nil assurance over the achievement of objectives. Risks to objectives are severe (combined impact and likelihood). Substantial Moderate Limited Nil

20 9. Issue a risk based opinion 2/3 Adequacy of controls compared to risk appetite With opinion and explanatory narrative

21 9. Issue a risk based opinion 3/3 Control awareness maturity Control awareness Optimised Mature Managed Baseline Developing We found controls to be comprehensive, consciously designed, with a risk basis, suitable oversight and governance over their implementation and a strong consideration of proportionality and value for money in their application. We found key controls to be in place, consciously designed, with a risk basis and suitable oversight and governance over their implementation. We found key controls to be in place, with some consciously designed and some consideration of risk. Oversight and governance was provided over key controls. We found controls to be in place, but not consciously designed. The controls in whole or part lacked a clear risk basis and oversight and governance over their implementation was partial or limited. We found some controls, but these were not consciously designed, and lacked a clear risk basis. Oversight and governance over their operation was limited.

22 9. Issue a risk based opinion Assignment assurance 3 opinions Net risk Whether risk mitigation brings risk within appetite / tolerance How well has the management team got there Annual assurance opinion In the IAD s opinion DFID had adequate and effective frameworks for: Governance Risk management Control covering the period 1 April to 31 March.

23 10. Understand what risk based auditing should achieve Objectives Risk mitigation Risk Appetite

24 Conclusion Audit needs to speak in risk terms Do not demonise risk Do not wait for management teams to risk manage Understand risk is complex and avoid a logicodeductive approach to audit Do not be afraid to qualify your opinion