Effective Assurance Frameworks

Transcription

1 Effective Assurance Frameworks NIGEL IRELAND, HEAD O F BARCUD S HARED S E R barcudss w w w.barcudsharedservices.org.uk

2 Today What an Assurance Framework is How an Assurance Framework can add value Use of an Assurance Framework in practice Understanding key terms like: Assurance; Risk appetite; and 3 lines of defence.

3 Barcud Shared Services Consortium of housing associations in South Wales Primarily Internal Audit Risk, projects, strategy, business continuity

4 Barcud Internal Audit Best of independence & internal Work in housing associations See & feel risks Boards, audit committees, management and staff In-sector information Support and advise Insight Money stays in the sector

5 Assurance Frameworks - History 2002/ Development of risk management processes

6 Assurance Frameworks - Purpose NHS Audit Committee Handbook: the pivotal tool underpinning the Audit Committee s remit of monitoring financial, clinical and all operational risks and the key source of evidence that links strategic objectives to risk. HM Treasury (2012): Should be structured and provide reliable evidence to underpin the assessment of the risk and control environment for the annual Governance Statement, supported by independent appraisal from the internal audit service.

7 Assurance Frameworks - Purpose Main elements: Natural development of risk management processes Provides an enhanced link between strategy and risks Based on reliable evidence Brings together risk management and the 3 lines of defence model

8 What is risk? The threat that an event or action will affect an organisation s ability to achieve its business objectives and execute its strategies

9 So, what is risk management? Being able to identify the risk cause at the earliest opportunity, measure the risk effect and apply a proportionate level of resources to mitigate, or take advantage of, the risk and obtaining assurance that the controls on which the organisation relies for mitigating the risk are effective.

10 What is assurance? Confidence, based on sufficient evidence, that internal controls are in place, operating effectively and objectives are being achieved (various Public Sector) Assurance is what gives you comfort that a control is working (and therefore informs whether a risk is being managed as you had envisaged)

11 What do you want from Risk Management? Tool for increasing the likelihood of achieving objectives Aid to entrepreneurship being risk aware not risk averse Greater exploitation of opportunities Understand and prevent / reduce risk impacts Increase efficiency

12 Role of the Board CHC Code of Governance (new): 3.2 The Board safeguards and promotes the organisation s reputation and, by extension, promotes public confidence in the wider sector. Principle 4 Decision-making, risk and control 4.1 The Board is clear that its focus is on strategy, performance and assurance New WG Governance requirements emphasises Board Assurance

13 Role of the Audit Committee Reviewing the effectiveness of risk management Reviewing, with management, the operation of risk management and responses to identified risks Reviewing the adequacy of assurance providing activities and challenging management s response to these

14 OBJECTIVE RISK INHERENT SCORE We will provide 24/7 365 access to customers An incident occurs which stops our organisation providing access for more than 24hrs 25 (5 x 5) CONTROLS 1) Business Continuity Plan 2) Resilient hardware 3) Regular testing, review and updating RESIDUAL RISK SCORE 8 (2 x 4) ASSURANCE FURTHER ACTION HOW DO YOU KNOW? TARGET RISK Easy review of risks directly against objectives (note cause and effect) which enables more effective assessment & scrutiny of the risk score. A clear understanding of the action being taken and the controls in place to address the risk which enables effective assessment & scrutiny of the residual risk score

15 OBJECTIVE RISK INHERENT SCORE CONTROLS RESIDUAL RISK SCORE ASSURANCE FURTHER ACTION TARGET RISK We will provide 24/7 365 access to customers An incident occurs which stops our organisation providing access for more than 24hrs 25 (5 x 5) 1) Business Continuity Plan 2) Resilient hardware 3) Regular testing, review and updating 8 (2 x 4) Insert assurance here The assurances give you comfort that the controls are working and therefore assurance that the residual risk score is accurate

16 So what s the issue? Risk Registers over-focus on controls: Audit Committee control v risk / objective Time to identify controls & Minor / insignificant controls Assurances are control-driven * Number over quality / effectiveness * Assurances seen as less important Quality of assurance unclear Assurance under-used information not used as such

17 Potential Sources of Assurance Internal Audit External Audit Certifications IIP / ISO9001 / ISO18001 / ISO32001 Specialist reviews HSE / Duty of Care / Penetration Testing Regulator feedback Customer feedback / complaints, including social media Local Authority / Partners Key Performance Indicators (KPIs) Management reports

18 3 Lines of Defence: First Line Day to Day Management Second Line Corporate Oversight Third Line Independent Assurance Maximise Benefit? 3. Independent Assurance 2. Corporate Oversight 1. Management RISK

19 Adding the 3 lines of defence: HM Treasury Guidance

20 Assessing Sources of Assurance Summarises previous identification stage Assessment

21 A lot to rationalise: AC Reporting Current Risk Registers Identifying sources of assurance Assessing sources of assurance Programme of Assurance

22 Proportionality & Adding Value Risk definition: Programme of Assurance Being able to identify the risk cause at the earliest opportunity, measure the risk effect and apply a proportionate level of resources to mitigate, or take advantage of, the risk Shouldn t we also apply this to assurance activities?

23 - Performance Indicators - Information from systems - RAG reports to senior management - Measured performance against targets and plans - Specialist review of process - Independent review of policies and procedures - ISO Accreditation Did the assurance provide VfM? 3. Independent Assurance 2. Corporate Oversight - Key Performance Indicators - RAG reports - Systems reports / management information - Customer satisfaction surveys - Corporate risk management 1. Management RISK

24 Barcud-led Project Aims: Upskill clients in risk management Programme of Assurance Greater understanding of assurance Development of a template Testing in practice Tailored Assurance Framework per-client

25 Programme of Assurance Risk-based like your Internal Audit (IA) Strategy Programme of Assurance & IA Strategy coordinated Should consider the Quality of assurance Should reflect the assurance you already have Should consider Value for Money & proportionality Report progress to the Audit Committee

26 OBJECTIVE RISK INHERENT SCORE CONTROLS RESIDUAL RISK SCORE ASSURANCE FURTHER ACTION TARGET RISK We will provide 24/7 365 access to customers An incident occurs which stops our organisation providing access 25 (5 x 5) 1) Business Continuity Plan 2) Resilient hardware 3) Regular testing, review and updating 8 (2 x 4) 1) Internal Audit of BCP 2017/18 Substantial Assurance 2) Incident in 2016/17 lessons learnt document 3) External Penetration testing report 2017/18 To address any gaps in control (c) or assurance (a) further action may be required

27 Building into current risk registers: Assurance Map

28 Building into current risk registers:

29 Developing a new focus:

30 Programme of assurance IA Plan?

31 Programme of assurance IA Plan?

32 How does an AF achieve efficiencies? KPIs System updates Customer Satisfaction Surveys Independent Review Mgmt Info. Do we need an Internal Audit? Compliments & Complaints RAG Reports Award Regulatory Judgement Accreditation ISO Certification

33 Risk Appetite

34 Risk Appetite (for Risk) The level of risk (taking into account both impact and likelihood) that the organisation is willing to tolerate. It can be at the organisational, departmental or individual risk level. Risk Appetite?

35 Risk Appetite Risk appetite needs to be measurable. Otherwise there is a risk that any statements become empty and vacuous 1 ; and Risk appetite is not a single, fixed concept. There will be a range of appetites for different risks which need to align and these appetites may well vary over time: the temporal aspect of risk appetite is a key attribute to this whole development 1. 1 Institute of Risk Management Risk Appetite & Tolerance Guidance Paper, 2010

36 Risk Appetite Where you might end up if something good happens Current performance direction Where you might end up if something bad happens - Based on Institute of Risk Management model

37 Risk Appetite Risk Universe Risk Tolerance

38 Risk Appetite Risk Appetite

39 Appetite for Opportunity? Different from risk appetite? Used for decision making New opportunities Words like: averse, open, hungry Work for decisions; not for risk?

40 Risk Appetite Removes some of the subjectivity about whether a risk is managed to an acceptable level or not. Enables more robust challenging by stakeholders on the scoring and mitigation of risks. Enables effective allocation of resources when seeking assurance.

41 OBJECTIVE RISK INHERENT SCORE CONTROLS RESIDUAL RISK SCORE ASSURANCE FURTHER ACTION TARGET RISK We will provide 24/7 365 access to customers An incident occurs which stops our organisation providing access 25 (5 x 5) 1) Business Continuity Plan 2) Resilient hardware 3) Regular testing, review and updating 8 (2 x 4) 1) Internal Audit of BCP 2017/18 Substantial Assurance 2) Incident in 2016/17 lessons learnt document 4 (2 x 2) 3) External Penetration testing report 2017/18 An example risk appetite at the individual risk level Should be set by the audit committee (or board) Target Risk

42 Risk Appetite Challenge? Development: Finance: Health & Safety / Legal Compliance: Housing:

43 Elements of Risk Appetite Statement in Risk Management Policy Departmental risk appetites (diagrams?) Your risk matrices / guidance for scoring Risk matrix colour distribution Your target risk scores on the risk register

44 Internal Auditors A key element of your programme of assurance: Do they truly understand your business? Do they know you? Are they too arms length? Do they give you ongoing support and advice? Are they sufficiently knowledgeable of your risks? Are they helping/supporting you pushing your risk/assurance framework forwards?

45 Why an Assurance Framework Greater understanding of risk status Promotes continual improvement Greater Value for Money Makes more use of what you already have More efficient and effective use of assurance, including Internal Audit, to fill gaps Helps you KNOW!

46 Thank you NIGEL IRELAND, HEAD O F BARCUD S HARED S E R barcudss w w w.barcudsharedservices.org.uk

47 Recommended reading ACCA Risk and the Strategic Role of Leadership (2018) - HM Treasury Assurance Frameworks (2012) - Institute of Internal Auditors Coordinating Risk Managemnt and Assurance (2012) - %20Management%20and%20Assurance.pdf ICAEW Assurance Mapping - Talk to us!