Inherent risk register guideline

Transcription

1 Inherent risk register guideline Guidelines 16 May 2017 Market Performance

2 Contents 1 Introduction 1 The purpose of the participant audit regime 1 The key goals of the participant audit regime 1 A risk-based approach is used for planning audits 1 Two types of risk are assessed 1 Relationship between inherent risks, residual risks, and audit 2 2 Inherent risk 2 The Authority assesses inherent risks, in consultation with participants 2 Identify the risk 2 Assess the likelihood of the risk 2 Assess the consequence of the risk 4 Inherent risk rating 4 3 Approach followed in preparing the inherent risk register 5 Step 1 List the key goals of the participant audit regime 5 Step 2 Define the inherent risk 6 Step 3 List the participant audit for which inherent risk is assessed 6 Step 4 Identify risks to achieving the key goals 6 Step 5 Identify other risks 7 Step 6 Assess likelihood and consequence 7 Tables Table 1: Likelihood of risk 3 Table 2: Consequences of risk manifestation 4 Table 3: Inherent risk rating matrix 5 Table 4: Inherent risk score 5 ii

3 1 Introduction 1.1 The participant audit regime is the participant audit, approval, and certification process contained in Parts 1, 10, 11, 15, and 16A of the Electricity Industry Participation Code (Code). The purpose of the participant audit regime 1.2 The purpose of the participant audit regime has three limbs: to evaluate participants compliance with the Code provisions that are audited under the regime to enable the Authority to make informed decisions regarding the certification, approval and audit frequency of participants to support the efficient operation of the electricity industry. The key goals of the participant audit regime 1.3 Consistent with its purpose, the participant audit regime is intended to achieve the following three key goals: the timely and accurate settlement of the wholesale electricity market timely and error-free consumer switching for participants to provide accurate and complete information to others in a timely manner. A risk-based approach is used for planning audits 1.4 The participant audit regime uses a risk-based approach to planning audits. The following three documents are integral to this approach: 1. Risk and materiality guidelines These set out how to assess risk, the process for applying risk to focus audit effort and how to assess the materiality and likelihood of a risk. 2. Auditor protocol This sets out audit standards and the Authority s expectations of auditors when performing audits. 3. Inherent risk register This sets out the risks inherent in a participant s functions and processes that are audited. The auditor uses these inherent risks as a starting point for determining an audited participant s residual risk. Two types of risk are assessed 1.5 Two types of risk are assessed under the participant audit regime: Inherent risk Inherent risk represents risk in the absence of any controls. Inherent risks are assessed by the Authority, in consultation with industry, and are used as the starting point for determining residual risk. Inherent risks apply to a class of participant, not to individual participants. 1

4 Residual risk Residual risk represents the risk once the auditor has assessed the effectiveness of controls in place for managing the risk. Residual risk is used by the auditors to determine audit priority and effort. Residual risks apply to each participant. Relationship between inherent risks, residual risks, and audit 1.6 Inherent risks are predetermined for each class of participant and are available to auditors via the inherent risk register. 1.7 Auditors assess the effectiveness of the participant s controls against each inherent risk to determine the residual risk specific to that participant. 1.8 Auditors use the residual risk of the participant to determine the level of effort required to audit each area. 1.9 Auditors then audit the participant applying the level of effort assessed to each auditable area Inherent and residual risk is not used in the context of assessing breach materiality, only in the context of planning audits. 2 Inherent risk The Authority assesses inherent risks, in consultation with participants 2.1 Under the participant audit regime, the Authority is responsible for assessing inherent risks. The Inherent risk register summarises the Authority s assessment of inherent risks. 2.2 Inherent risk is assessed using a four step process: (a) (b) (c) (d) identify the risk assess the likelihood of the risk (in the absence of any controls to manage the risk) assess the consequence should the risk eventuate combine the likelihood and consequence of the risk, to determine the inherent risk rating. Identify the risk 2.3 Risks are identified through industry consultation and the following process: (a) (b) (c) for each class of participant audited, identify the key risks that the participant audit regime is concerned with 1 for each key risk, identify the undesirable outcome(s) that would arise if the risk occurred 2 for each clause of the Code that is subject to audit, list the applicable key risk(s). Assess the likelihood of the risk 2.4 The likelihood of each identified risk is classified as follows: 1 2 Examples of key risks may include inaccurate submission information or inaccurate registry records. For example, inaccurate submission information may lead to inaccurate invoices for reconciliation participants. 2

5 Table 1: Likelihood of risk Likelihood Descriptor Indicative probability range 3 Almost certain Risk will occur in most circumstances 95 % + Likely Would probably occur in most circumstances % Possibly Could occur at some time % Unlikely Not expected to occur in most circumstances 5 25 % Rare May occur in exceptional circumstances 0 5 % Source: Electricity Authority 2.5 Likelihood needs to take into account, but is not limited to, the following factors: (a) (b) (c) (d) (e) Opportunities for errors/failures/non-compliance to occur the greater the volume and frequency of process events that contribute to the risk, the greater the opportunity for an error to arise. Complexity of the business processes that contribute to the risk for example, a complex multi-step process involving multiple staff may be subject to more errors than a simple one-step process undertaken by a single staff member. Level of manual intervention in the process a high level of manual intervention within a business process increases both the scope for errors to occur and the likelihood of them occurring. Incentives surrounding the process where adverse incentives exist, there may be a greater likelihood that the process is completed with errors (eg, if performance is measured based on the number of transactions completed, there is more likely to be an incentive to complete tasks at greater speed, thereby potentially compromising accuracy). History of past performance of business processes that contribute to the risk eg, past instances of non-compliance. 3 For inherent risk this is the probability in the absence of controls. 3

6 Assess the consequence of the risk 2.6 The consequence of each identified risk manifesting itself is classified as follows: Table 2: Consequences of risk manifestation Consequence Major Moderate Minor Immaterial Examples The risk has the potential to: lead to major settlement errors in the wholesale electricity market that adversely affect other participants; and/or cause a significant and adverse effect on multiple market participants and consumers; and it might not be possible to reverse these, or if it was, there would be difficulty or material costs to other participants in doing so. The risk has the potential to: adversely affect the settlement in the wholesale electricity market; and/or adversely affect one or more market participants, with the potential to cause minor adverse effects on consumers; and these could be reversed easily. The manifestation of the risk is not severe enough to adversely affect market participants or consumers, but is significant enough for the Authority and/or the electricity industry to consider remediating (ie, the benefit of remediation outweighs the cost). The manifestation of the risk is not severe enough to adversely affect market participants or consumers, and could be remediated using normal business procedures (eg, workarounds), and/or the cost of remediation outweighs the benefit. Source: Electricity Authority 2.7 Assessment of consequence needs to take into account, but is not limited to, the following factors: (a) (b) (c) Impact on settlement of the wholesale market the greater adverse effect on settlement or other participants the greater the impact of the risk. Impact on market participants and/or consumers the bigger the impact on a single participant or consumer or the more participants and/or consumers affected, the higher the consequence Ability to reverse or correct the impact of the risk for example correction of submission information through the wash-up process. Inherent risk rating 2.8 Inherent risk represents the risk in the absence of any controls. 2.9 The likelihood (Table 1) and consequence (Table 2) ratings are combined using the matrix (Table 3) to determine the inherent risk. 4

7 Likelihood Table 3: Inherent risk rating matrix Consequence Immaterial Minor Moderate Major Almost certain Medium Medium High High Likely Low Medium High High Possibly Low Medium Medium High Unlikely Low Medium Medium Medium Rare Low Low Medium Medium Source: Electricity Authority Table 4: Inherent risk score Inherent Risk Score High Medium Low Description High risk area with reasonable likelihood of manifestation and potentially severe/major adverse outcomes on the electricity industry and consumers. Medium risk area with low to reasonable likelihood of manifestation and moderate adverse outcomes on the electricity industry and consumers. Low risk area with low likelihood of manifestation and low/negligible adverse outcomes on the electricity industry and consumers. Source: Electricity Authority 3 Approach followed in preparing the inherent risk register 3.1 Set out below is the Authority s approach to preparing the Inherent risk register. Step 1 List the key goals of the participant audit regime 3.2 The first step in developing the Inherent risk register is to state what the participant audit regime is trying to achieve that is, to list the key goals of the regime. 3.3 Each risk in the inherent risk register should be a risk to successfully achieving one or more of the key goals of the participant audit regime. 5

8 Step 2 Define the inherent risk 3.4 Inherent risk means risk in the absence of any controls/mitigation measures in place to manage, or even eliminate, the risk. 3.5 Inherent risk applies to a class of industry participant. Inherent risks are not specific to individual participants. Step 3 List the participant audit for which inherent risk is assessed 3.6 Included in the Inherent risk register are key risks considered as part of the following participant audits: dispatchable load purchaser audit distributor audit metering equipment provider (MEP) audit reconciliation participant audit retailer audit in respect of distributed unmetered load approved test house (ATH) audit. The key risks considered part of the following audits are not included in the Inherent risk register: load profile audit market operation service provider audit. Step 4 Identify risks to achieving the key goals 3.7 List the main functions/processes that are audited under each participant audit. 3.8 These functions/processes are listed in the audit guidelines prepared by the Authority for the following participant audits: dispatchable load purchaser audit distributor audit MEP audit reconciliation participant audit. 3.9 For each of the main functions/processes, identify the key risks to one or more of the key goals: the timely and accurate settlement of the wholesale electricity market timely and error-free consumer switching for participants to provide accurate and complete information to others in a timely manner When identifying risks, systematically consider what might happen that puts at risk achieving the key goals of the participant audit regime. Also consider how it might happen, when, and why As a final check, consider risks to one or more of the key goals by looking first at the consequence rather than the cause. There may be risks with a significant consequence, 6

9 but for which there is no readily identifiable source or cause. Any such risks should also be included in the Inherent risk register. Step 5 Identify other risks 3.12 For each of the main functions/processes listed in step 4, identify any other key risks that are not related to the three key goals, but which are risks to furthering the Authority s statutory objective ie, they are risks to: the promotion of competition in the electricity industry the reliable supply of electricity by the electricity industry the efficient operation of the electricity industry, for the long-term benefit of consumers When identifying such risks, systematically consider what might happen that puts at risk furthering the Authority s objective. Also consider how it might happen, when, and why As a final check, consider any risks to furthering the Authority s objective, and which are not related to the three key goals, by looking first at the consequence rather than the cause. There may be risks with a significant consequence, but for which there is no readily identifiable source or cause. Any such risks should also be included in the Inherent risk register. Step 6 Assess likelihood and consequence 3.15 For each identified risk, assess the likelihood and consequence of the risk manifesting itself When assessing the significant consequence(s) of a risk manifesting itself, consider different scenarios. Be aware of initial consequences escalating through flow-on effects (e.g., via a number of outcomes happening quickly one after the other; via a number of outcomes building in magnitude over time). Also be aware of small and varied risks that have the potential to form a large risk at any point in time Other considerations may include regulatory risk caused by a lack of alignment across legislation, and disaster risk related to the functioning of common systems. 7