INTERNAL AUDIT AND OPERATIONAL RISK: Tackling Today's Emerging Risks Together
Operational Risk Management Today
Companies are struggling to obtain a holistic view of risk and to show ROI on risk management activities. Four pressures drive this:
- Volume of risks
- Risk complexity
- Risk volatility
- Resource demands
Internal Audit Today
Are internal audit departments positioned to keep up with the audit requirements imposed by complex, increasing risks and to drive strategic value? Three dimensions are growing at once:
- Variety
- Frequency
- Complexity
Emerging Risks
- IT risks such as cyber, cloud and IoT
- Reputation and social media
- Third-party relationships
- Accountability to ensure effective oversight of risks
- Convergence of risk management activities for a holistic view
- Increased regulation, e.g., compliance with the EU General Data Protection Regulation
- The risk culture of the organization
- Strategic change management
- Talent recruitment and retention
- Complex financial and operating models
- Resiliency risks
Risk Noise
Typical questions heard across an organization:
- Who is responsible for this loss?
- Is this really a high risk?
- Why aren't we using the same language to talk about risks across the company?
- Why is the same risk being assessed in different ways?
- This metric shows the risk profile changing; how is it being addressed?
- Are the auditors aware of this? Where were the auditors?
We believe organizations need to embrace risk to remain competitive, but most are not positioned to manage risk optimally.
A Siloed, Static Approach Will Not Survive
We believe organizations today face more risks and changes than their audit groups are positioned to keep up with. To enhance Internal Audit's value within the organization, it must take a coordinated, risk-based approach.
Auditor Independence
Standard 1100, Independence and Objectivity: The internal audit activity must be independent, and internal auditors must be objective in performing their work.
- Free from conditions that restrict unbiased activity
- The CAE has direct access to senior management and the board
- Objective, unbiased mental attitude and judgment
Auditor Risk Management
- 2010.6: Internal audit planning needs to make use of the organizational risk management process, where one has been developed.
- 2120: The internal audit activity must evaluate the effectiveness of, and contribute to the improvement of, risk management processes.
- 2200-2.6: Internal auditors need to assess whether management's identification and assessment of the key controls is adequate.
- 2210.A1: Internal auditors consider management's assessment of risks relevant to the activity under review.
Similarities Between Audit and ORM: Universe
Audit Universe:
- Organizational units, such as a department or process
- Standards and regulatory topics
- Regular frequency of audits
Risk Universe:
- Business context
- Risk register
- Standards and regulatory topics
- Regular frequency of evaluation
Similarities Between Audit and ORM: Risk Assessments
Audit Risk Assessments:
- Audit universe risk assessment
- Tier-two risk assessment (i.e., scoping the audit engagement)
- Events
ORM Risk Assessments:
- Risk register assessments
- Risk projects (top-down or bottom-up assessments)
- Risk events
Similarities Between Audit and ORM: Risks and Controls
Audit Risk and Control Matrix:
- Risks and their potential impact
- Controls that mitigate the risks
- Audit procedures to test the controls
- Findings
- Remediation
ORM Risks and Key Controls:
- Risks and their potential impact
- Key mitigating controls
- Other 2nd and 3rd LOD test the controls
- Findings
- Remediation
Key ORM Program Components: Risk Events
- Any circumstance where, through lack or failure of a control, a loss was sustained or could have been sustained
- Includes situations where a loss could have been incurred but in fact a gain was realized (positive risks)
- Risk events inform improvements to processes or controls to reduce the recurrence and/or magnitude of future events
- Lessons learned are also gathered from external risk event information to support and inform risk identification, assessment and measurement
Key ORM Program Components: Key Risk Indicators
- Key Risk Indicators (KRIs) are metrics that allow organizations to monitor their risk profile
- KRIs include measurable thresholds that reflect the risk tolerances of the business
- KRIs are monitored to alert management when risk levels exceed, or may soon exceed, acceptable ranges, individually or collectively (collective monitoring is usually aspirational)
- KRI monitoring drives timely, proactive decision-making and action
Key ORM Program Components: Risk Scenario Analysis
- Considers an array of abnormal, extraordinary, maximum-severity events for key risks throughout the organization
- Assesses the potential frequency and impact of such events
- Includes analysis of internal and external loss experience, KRIs and RCSAs
- Considers the circumstances and contributing factors that could lead to an extreme event, and the controls that would limit its likelihood and impact
- Management concludes whether the potential risk is acceptable or whether changes in controls or business strategy are required
Key ORM Program Components: Issue Management
- Central repository of all internal, external and regulatory audit issues
- Specifies management accountability for each issue and its due date
- Captures and tracks remediation plans
- Escalation of past-due issues and remediation plans
- Provides assurance that all issues are captured and addressed in accordance with their severity
Key ORM Program Components: Change Management
- Ensure the identification and assessment of the risk inherent in all material changes to products, activities, processes and systems, so that the inherent risks and incentives are well understood
- A process for all new products, partners, activities, processes and systems that fully assesses operational risk
- 1st line: responsible for identifying, assessing and implementing
- 2nd line: must be aware, challenge, and verify alignment to the risk management framework and risk appetite
A New Risk World
We must build business context, consistently understand significant risks regardless of their source, streamline processes, and engage the first line of defense.
A New World for Audit
Audit must drive consistency with, and leverage, ORM to achieve greater efficiency in executing the audit plan. We need to change our approach from compliance-driven to risk-driven, to ensure a focus on the right priorities as they change.
Risk Management Framework (diagram)
Governance & Oversight: Board / Executive Team; Business Strategy; Risk Strategy; Risk Appetite
Lines of Defense:
- First Line (Business Lines & Support Functions): product, process, risk and control ownership and management; business strategy execution; revenue generation and support
- Second Line (Independent Risk Oversight Functions: ERM, ORM, Compliance, Credit Review, etc.): risk management framework; alignment monitoring; challenging the 1st line; facilitation
- Third Line (Internal & External Audit): independent validation and reporting of program design and effectiveness; leverage information
Risk Management Activities:
- Identify: Where is risk? Internal and external threat sources; how risk arises; business context; scenarios / what-if
- Assess: inherent / residual; likelihood / impact; volatility / speed; rating scales; top-down / bottom-up; qualitative / quantitative; RCSAs and modeling
- Decision: accept, reject, reduce; manual / automated decision; escalation based on risk tolerances and delegated authorities
- Treat: right people; policies, procedures, controls, incentives; risk transfer (insurance and hedging); risk reserves and risk-based pricing; culture, communications and training
- Monitor (Risk Profile): business changes; KRIs, KCIs, KPIs; losses, near misses, external events; outstanding issues; model output; tolerances and authorities
ORM and ERM Responsibility (matrix; the X marks did not survive extraction and are not reproduced here)
Columns (responsible functions): Audit (CAE); ERM (CEO, CRO, ERM); Chief Credit Officer; ORM; CFO / Treasurer; CHRO; CLO; CCO; CISO; BCM; Vendor RM
Rows (risk areas): Strategy, financial health; Credit; Liquidity, market, FX; People, talent management; All errors and fraud; Financial reporting, SOX; Litigation management; Information security; Business continuity, DR; 3rd-party risk and performance; Regulatory compliance; Reputation
Key Adjacencies (diagram; maturity stages: Siloed, Managed, Advantaged; legend: Operational Risk Use Cases, Adjacent GRC Use Cases, Audit Use Cases)
Use cases shown: Foundation; Issues Management; Risk Inventory & Top-Down Assessment; Loss Event Management; Bottom-Up Risk Assessment; Key Indicator Management; Static Risk Evaluation; Regulatory Driven Universe; Static Controls Testing; Operational Risk Management; Dynamic Risk Evaluation; Policy Program Management; Audit Entity and Risk Universe; Controls Assurance Program Management; Continuous Controls Monitoring; IT Risk Management; Separate Risk Assessments; Project Risk Assessments
Does Risk Management Really Drive Growth?
References: Journal of Accountancy, EY and PwC
ORM and Audit must enable organizations to:
- Establish a common business context for risk
- Consistently assess risk
- Evaluate loss events and perform root cause analysis
- Monitor changes in risk using key risk and control indicators
- Obtain a holistic view of risk
Inspire Everyone to Own Risk
- Engage business units to more easily identify and manage the increasing volume and complexity of risk
- Address risk consistently across your organization
- Tie strategy to execution
Thank You
patrick.potter@rsa.com
Patrick Potter on LinkedIn
@pnpotter1017
EMC, RSA, Archer, the EMC logo and the RSA logo are registered trademarks of EMC Corporation in the U.S. and other countries.