Five Lines of Assurance: A New Paradigm in Internal Audit & ERM

Transcription

1 Five Lines of Assurance: A New Paradigm in Internal Audit & ERM Tim Leech, Managing Director Risk Oversight Solutions Inc. timleech@riskoversightsolutions.com

2 Speaker Professional Profile Tim J. Leech, FCPA CIA CRMA CCSA CFE is Managing Director at Risk Oversight Solutions Inc. based in Oakville, Ontario, Canada and Sarasota, Florida. He has over 30 years of experience in the risk governance, internal audit, IT, and forensic accounting/litigation support fields. His experience base includes setting up a new business unit, a first of its kind, for Coopers & Lybrand, Control & Risk Management Services in 1987; founding in 1991, building, and successfully selling CARD decisions, a global risk and assurance consulting and software firm, to Paisley/Thomson Reuters in 2004; serving as Paisley s Chief Methodology Officer from ; and 30+ years of global experience helping clients around the world with internal audit transformation initiatives and the design, implementation, and maintenance of integrated and more powerful ERM/IA methodology and technology frameworks. He developed and successfully released CARD map, the world s first integrated risk and assurance software, in The web-enabled cloud version of CARD map was released in Tim was the first in 2009 to develop and deliver training on IIA IPPF Standard 2120 to equip internal auditors to assess and report on the effectiveness of risk management processes. He is the author of the Conference Board Director Notes December 2012 publication Board Oversight of Management s Risk Appetite and Tolerance, co-author of the highly acclaimed January 2014 Risk Oversight: Evolving Expectations for Boards, and most recently, Paradigm Paralysis in ERM and Internal Audit in the summer 2016 issue of Ethical Boardroom. His ground breaking article, Reinventing Internal Audit, published in the April 2015 issue of Internal Auditor magazine has attracted global recognition and was awarded a 2016 Outstanding Contribution Award from IIA global. In 2013 he launched a second generation of disruptive innovation with a breakthrough approach to risk and assurance management Five Lines of Assurance: Board & C-Suite Driven/Objective-centric ERM and Internal Audit. The goal respond to the rapid escalation in board risk oversight expectations and deliver substantially more bang for the buck from formal assurance spending. Leech was the recipient of IIA Canada s first Outstanding Contributions to the Profession award at the first IIA Canada national conference in Quebec City in 2009, and is currently working with IIA Global in Florida to roll-out training on Five Lines of Assurance/Board & C-Suite Driven/Objective Centric ERM and internal audit to CAEs, IIA National Institutes, and in-house IIA training clients around the world. 2

3 Presentation Agenda Part 1: Escalating Expectations Escalating Expectations: Regulators Escalating Expectations: Credit Agencies Escalating Expectations: Institutional Investors Escalating Expectations: Director Associations Escalating Expectations: Internal Audit & ERM Customers IIA Response to date The Way Forward: Five Lines of Assurance-A New Paradigm in ERM & Internal Audit 3

4 Presentation Agenda Part 2 Five Lines of Assurance- A New Paradigm in ERM and IA 5LoA Design Objectives 5LoA Core Elements 5LoA Key Benefits 5LoA Examples 5LoA Tools 5LoA Implementation Overview 4

5 Escalating Expectations: Regulators 5

6 Escalating Expectations: Regulators CSA Expectations: Canadian Public Companies Material risks are required to be disclosed in regulatory filings such as an AIF or a prospectus. The way in which an issuer manages those risks may vary between industries and even between issuers within an industry according to their particular circumstances. It is important for investors to understand how issuers manage those risks. Disclosure regarding oversight and management of risks should indicate: the board s responsibility for oversight and management of risks, and any board and management-level committee to which responsibility for oversight and management of risks has been delegated. The disclosure should provide insight into: the development and periodic review of the issuer s risk profile the integration of risk oversight and management into the issuer s strategic plan the identification of significant elements of risk management, including policies and procedures to manage risk, and the board s assessment of the effectiveness of risk management policies and procedures, where applicable. Source: CSA STAFF NOTICE CORPORATE GOVERNANCE DISCLOSURE COMPLIANCE REVIEW December 2, 2010, page24 6

7 Escalating Expectations: Regulators Financial Stability Board ( FSB ) November 2013: 7

8 Escalating Expectations: Regulators Financial Stability Board ( FSB ) November 2013: 8

9 Escalating Expectations: Regulators Board responsibilities per FRC UK Sept 2014 Code Boards are responsible for: determining the extent to which the company is willing to take on risk (its risk appetite ); ensuring that an appropriate risk culture has been instilled throughout the organization; identifying and evaluating the principal risks to the company s business model and the achievement of its strategic objectives, including risks that could threaten its solvency or liquidity; agreeing how these risks should be controlled, managed, or mitigated; 9

10 Escalating Expectations: Regulators 10

11 Escalating Expectations: Regulators Integrated Risk Management Risk management cannot be practiced effectively in silos. As a result, integrated risk management promotes a continuous, proactive and systematic process to understand, manage and communicate risk from an organization-wide perspective in a cohesive and consistent manner. It is about supporting strategic decision-making that contributes to the achievement of an organization's overall objectives. It requires an ongoing assessment of risks at every level and in every sector of the organization, aggregating these results at the corporate level, communicating them and ensuring adequate monitoring and review. Integrated risk management involves the use of these aggregated results to inform decision-making and business practices within the organization. Source: TBS Guide to Integrated Risk Management May

12 Escalating Expectations: Regulators Deputy Heads Deputy Heads are responsible for managing their organization's risks by leading the implementation of effective risk management practices, both formal and informal. This includes establishing the organization's overall risk management approach and ensuring that supporting processes are in place. In doing so, Deputy Heads are encouraged to apply the principles outlined in section 2.3. A key role of the Deputy Head is to ensure that risk management principles and practices are understood and integrated into the various activities of his/her organization. Deputy Heads are also responsible for monitoring risk management practices in their organizations, as well as considering risks that arise when partnering with organizations within and external to the federal public service. This includes ensuring that issues affecting the organization's risk management approach, whether identified through assessments or internal and external monitoring, are examined, reviewed and addressed effectively. In addition, Deputy Heads play an important role in creating a learning environment that promotes continuous improvement in risk management competencies and capacity within their organization. Through their leadership, Deputy Heads foster a risk-informed organizational culture that supports riskinformed decision-making, enables dialogue on risk tolerance, focuses on results and enables the consideration of both opportunity and innovation. Source: TBS Guide to Integrated Risk Management May

13 Escalating Expectations: Regulators Generally, there are numerous tools and techniques for analyzing (e.g. workshops, surveys) and prioritizing (e.g. risk maps) risks. Organizations are encouraged to design a process that is appropriate for their own operating environment. In defining risk assessment activities within the risk management process, organizations may wish to provide direction regarding: who should be involved in the assessment of risks; how much rigour is required for a particular risk assessment exercise; what type of information needs to the collected and what level of detail is required; and how assessed risks should be documented for response purposes. Source: TBS Guide to Integrated Risk Management May

14 Escalating Expectations: Credit Agencies 14

15 Escalating Expectations: Credit Agencies S&P: We believe that successful risk culture begins with fostering open dialogue where every employee in the organization has some level of ownership of the organization's risks, can readily identify the broader impacts of local decisions, and is rewarded for identifying outsize risks to senior levels. In such cultures, strategic decision-making routinely includes a review of relevant risks and alternative strategies rather than a simple returnon-investment analysis. (page 4) 15

16 Escalating Expectations: Institutional Investors 16

17 Escalating Expectations: Institutional Investors 17

18 Escalating Expectations: Director Associations 18

19 Escalating Expectations: IA Customers 19

20 Escalating Expectations: IA Customers 20

21 IIA Response to Date 2120 Risk Management The internal audit activity must evaluate the effectiveness and contribute to the improvement of the risk management process 21

22 IIA Response to Date 22

23 IIA Response to Date 23

24 The Way Forward: Reinvent Internal Audit 24

25 The Way Forward: Five Lines of Assurance 25

26 The Way Forward: Paradigm Shift Required 26

27 5LoA Design Objectives Redefine risk management from being seen primarily as hazard avoidance/management to a tool to increase certainty key objectives are achieved while still operating with a tolerable level of retained risk Provide management and boards with a practical solution to meet escalating board risk oversight and risk governance expectations Generate higher levels of management and board participation in ERM and internal audit Put the focus and resources on top value creation and potential value erosion end result objectives 27

28 5LoA Design Objectives Transition organizations from supply driven to board/demand driven assurance Provide a platform to optimize risk treatment design (i.e. lowest possible cost combination of risk treatments capable of producing an acceptable residual risk status) Integrate the work of all assurance functions including IA, risk, safety, compliance, insurance, legal, and others 28

29 5LoA Design Objectives Elevate the stature of and value added by Internal Audit and ERM support staff Integrate strategic planning and ERM Engage boards and senior management defining the amount of risk assessment rigor and independent assurance. This is a key risk decision in its own right that hasn t been sufficiently recognized Clarify accountabilities and role of all key assurance players including the board, senior management, work units, ERM staff and internal audit Meet emerging risk oversight expectations 29

30 5LoA Core Elements Use an OBJECTIVES REGISTER with top value creation/strategic objectives and top potential value erosion objectives as the foundation for all ERM and internal audit work, not a risk register or audit universe 30

31 5LoA Core Elements Top potential value erosion objectives are also called foundation objectives and include compliance with laws, reliable external disclosures, safety and other social responsibility objectives. 31

32 5LoA Core Elements Engage senior management and the board in the process used to decide which objectives to include in the OBJECTIVES REGISTER 32

33 5LoA Core Elements Engage senior management and the board in the process used to decide Risk Assessment Rigor and Independent Assurance Level 33

34 5LoA Core Elements Conscious and transparent decisions on Risk Assessment Rigor/Rigour 34

35 5LoA Core Elements Conscious and transparent decisions on Independent Assurance Level NIA No independent assurance LOW A high level assurance review has been completed and a feedback report provided to the OWNER/SPONSOR and RISK OVERSIGHT COMMITTEE MEDIUM An independent review has been completed to assess the completeness of risks identified, risk treatments and residual risk status information provided and a report provided to the OWNER/SPONSOR and RISK OVERSIGHT COMMITTEE HIGH In addition to the steps defined for MEDIUM, steps have been taken to confirm the existence and effectiveness of the risk treatments identified. 35

36 5LoA Core Elements Assign primary responsibility to report upwards on the residual risk status linked to each objective to a OWNER/SPONSOR 36

37 5LoA Core Elements Consider the full range of Risk Treatments when completing Risk Treatment Strategy section 37

38 5LoA Core Elements Focus on the acceptability of Residual Risk Status, specifically whether it is, or is not, within the entity s risk appetite and tolerance 38

39 5LoA Core Elements Conscious and transparent decisions on Composite Residual Risk Rating 39

40 5LoA Core Elements After the decision on acceptability of residual risk status has been made, assess whether the Risk Treatment strategy is Optimized 40

41 5LoA Core Elements Provide consolidated reports on residual risk status to the board 41

42 5LoA Key Benefits Boards are provided with a concise enterprise level report on the state of residual risk for the company s top value creation and potential value erosion objectives The work of the assurance silos including IA, risk, safety, environment, compliance, legal, insurance and others is integrated Key information is provided to senior management and the board to assess if the current residual risk status linked to top objectives is, or is not, within the company s risk appetite/tolerance 42

43 5LoA Key Benefits Boards are provided with a tangible vehicle to demonstrate they are actively overseeing the company s risk appetite framework ( RAF ) The process is designed to fully integrate with strategic planning, new product/service initiatives, and M&A activities. The process provides a clear response to emerging expectations like the UK Governance Code, Canadian Securities Administrators, SEC, FSB, credit agencies, institutional investors and TSB. The main role of internal audit is to report on the effectiveness of the risk management processes and the consolidated report on residual risk status the board receives from the CEO or his/her designate and to help the company build and maintain robust risk management processes 43

44 5LoA Key Benefits Boards are provided with a tangible vehicle to demonstrate they are actively overseeing the company s risk appetite framework ( RAF ) The process is designed to fully integrate with strategic planning, new product/service initiatives, and M&A activities. The process provides a clear response to emerging expectations like the UK Governance Code, Canadian Securities Administrators, SEC, FSB, credit agencies, institutional investors and TSB. The main role of internal audit is to report on the effectiveness of the risk management processes and the consolidated report on residual risk status the board receives from the CEO or his/her designate and to help the company build and maintain robust risk management processes 44

45 5LoA Key Benefit to Federal Departments: Meets TSB Expectations Generally, there are numerous tools and techniques for analyzing (e.g. workshops, surveys) and prioritizing (e.g. risk maps) risks. Organizations are encouraged to design a process that is appropriate for their own operating environment. In defining risk assessment activities within the risk management process, organizations may wish to provide direction regarding: who should be involved in the assessment of risks; how much rigour is required for a particular risk assessment exercise; what type of information needs to the collected and what level of detail is required; and how assessed risks should be documented for response purposes. Source: TBS Guide to Integrated Risk Management May

46 5LoA Examples SVG Capital plc London Stock Exchange Jan 2015 Annual Report Page 29 46

47 5LoA Examples Ottawa Humane Society: The first charity in the world to implement BDO/OC 47

48 5LoA Examples Western University is a licensed user of Risk Oversight Solutions training tools and materials 48

49 5LoA Tools 49

50 5LoA Implementation Overview 50

51 QUESTIONS??? Thank you 51