INTERNAL AUDIT AND OPERATIONAL RISK
TACKLING TODAY'S EMERGING RISKS TOGETHER


Operational Risk Management Today
Companies are struggling to obtain a holistic view of risk and to show ROI on risk management activities.
Drivers: volume of risks; risk complexity; risk volatility; resource demands.

Internal Audit Today
Are internal audit departments positioned to keep up with the audit requirements imposed by complex, increasing risks, and to drive strategic value?
Drivers: variety; frequency; complexity.

Emerging Risks
IT risks such as cyber, cloud, IoT
Reputation and social media
Third-party relationships
Accountability to ensure effective oversight of risks
Convergence of risk management activities for a holistic view
Increased regulation, e.g. compliance with the EU General Data Protection Regulation
The risk culture of the organization
Strategic change management
Talent recruitment and retention
Complex financial and operating models
Resiliency risks

Risk Noise
Who is responsible for this loss?
Is this really a high risk?
Why aren't we using the same language to talk about risks across the company?
Why is the same risk being assessed in different ways?
This metric shows the risk profile changing; how is it being addressed?
Are the auditors aware of this? Where were the auditors?
We believe organizations need to embrace risk to remain competitive but are not positioned to optimally manage risk.

A Siloed, Static Approach Will Not Survive
We believe organizations today face more risks and changes than their audit groups are positioned to keep up with. To enhance Internal Audit's value within the organization, audit must take a coordinated, risk-based approach.

Auditor Independence
IIA Standard 1100, Independence and Objectivity: "The internal audit activity must be independent, and internal auditors must be objective in performing their work."
Free from conditions that restrict unbiased activity
The CAE has direct access to senior management and the board
Objective, unbiased mental attitude and judgment

Auditor Risk Management
2010.6: Internal audit planning needs to make use of the organizational risk management process, where one has been developed.
2120: The internal audit activity must evaluate the effectiveness of, and contribute to the improvement of, risk management processes.
2200-2.6: Internal auditors need to assess whether management's identification and assessment of the key controls is adequate.
2210.A1: Internal auditors consider management's assessment of risks relevant to the activity under review.

Similarities between Audit and ORM: Universe
Audit universe: organizational units, such as a department or process; standards and regulatory topics; regular frequency of audits.
Risk universe: business context; risk register; standards and regulatory topics; regular frequency of evaluation.

Similarities between Audit and ORM: Risk Assessments
Audit: audit universe risk assessment; tier-two risk assessment (i.e., scoping the audit engagement); events.
ORM: risk register assessments; risk projects; top-down or bottom-up assessments; risk events.

Similarities between Audit and ORM: Risks and Controls
Audit (risk and control matrix): risks and their potential impact; controls that mitigate the risks; audit procedures to test the controls; findings; remediation.
ORM (risks and key controls): risks and their potential impact; key mitigating controls; other second- and third-line-of-defense functions test the controls; findings; remediation.

Key ORM Program Components: Risk Events
A risk event is any circumstance where, through lack or failure of a control, a loss was sustained or could have been sustained.
Includes situations where a loss could have been incurred but in fact a gain was realized (positive risks).
Risk events inform improvements to processes or controls to reduce the recurrence and/or magnitude of risk events.
Lessons learned are also gathered from external risk event information to support and inform risk identification, assessment and measurement.

Key ORM Program Components: Key Risk Indicators
Key Risk Indicators (KRIs) are metrics that allow organizations to monitor their risk profile.
KRIs include measurable thresholds that reflect the risk tolerances of the business.
KRIs are monitored to alert management when risk levels exceed, or may soon exceed, acceptable ranges, individually or collectively (collective monitoring is usually aspirational).
KRI monitoring drives timely, proactive decision-making and action.
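As an added example (not part of the original deck), the following Python sketch implements the monitoring pattern this slide describes: each KRI carries amber and red thresholds that express the business's tolerance, the latest observation is rated against them, a least-squares trend is extrapolated one period ahead so an indicator that may exceed tolerance is flagged before it does, and the individual ratings are rolled up into a collective rating. The three security KRIs, their histories, the thresholds and the roll-up rule are constructed, illustrative assumptions, not figures from the deck.

```python
"""Minimal KRI monitor: threshold rating, trend projection, collective roll-up.

Added example; the KRIs, histories and rules below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class KRI:
    name: str
    amber: float          # warning threshold (approaching tolerance)
    red: float            # tolerance breached
    history: List[float]  # observations, oldest first, one per reporting period


def rate(value: float, amber: float, red: float) -> str:
    """Map a value onto the GREEN / AMBER / RED scale (higher is worse)."""
    if value >= red:
        return "RED"
    if value >= amber:
        return "AMBER"
    return "GREEN"


def projected_next(history: List[float]) -> float:
    """Fit a least-squares line to the series and evaluate it one period ahead.

    This is how the monitor answers 'may exceed': a KRI that is still amber
    today but trending into red gets an alert now rather than next quarter.
    """
    n = len(history)
    if n < 2:
        return history[-1]
    mean_x = (n - 1) / 2
    mean_y = sum(history) / n
    num = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(history))
    den = sum((x - mean_x) ** 2 for x in range(n))
    slope = num / den
    intercept = mean_y - slope * mean_x
    return intercept + slope * n


def evaluate(kris: List[KRI]) -> Dict:
    """Rate each KRI now and one period ahead, then roll them up collectively."""
    rows = []
    for k in kris:
        now = k.history[-1]
        nxt = projected_next(k.history)
        rows.append({
            "name": k.name,
            "current": now,
            "rating": rate(now, k.amber, k.red),
            "projected": nxt,
            "projected_rating": rate(nxt, k.amber, k.red),
            # fraction of the red tolerance already consumed; used for the roll-up
            "utilisation": now / k.red,
        })
    ratings = [r["rating"] for r in rows]
    mean_util = sum(r["utilisation"] for r in rows) / len(rows)
    # Collective rule (assumption): any red breaches the portfolio; two or more
    # ambers, or the portfolio running at >= 75% of tolerance on average, is amber.
    if "RED" in ratings:
        overall = "RED"
    elif ratings.count("AMBER") >= 2 or mean_util >= 0.75:
        overall = "AMBER"
    else:
        overall = "GREEN"
    # Alert on a breach now or a projected breach next period.
    alerts = [r["name"] for r in rows
              if r["rating"] == "RED" or r["projected_rating"] == "RED"]
    return {"kris": rows, "overall": overall, "alerts": alerts}


# Constructed sample KRIs (hypothetical names, thresholds and histories).
SAMPLE_KRIS = [
    KRI("critical_vulns_past_sla", amber=10, red=20, history=[4, 6, 9, 12]),
    KRI("privileged_accounts_without_mfa", amber=5, red=10, history=[2.0, 2.5, 2.0, 3.0]),
    KRI("phishing_click_rate", amber=8, red=15, history=[4, 7, 10, 13]),
]

if __name__ == "__main__":
    report = evaluate(SAMPLE_KRIS)
    for r in report["kris"]:
        print(f"{r['name']:<34} now={r['current']:>5} [{r['rating']}] "
              f"next={r['projected']:>5.1f} [{r['projected_rating']}]")
    print("overall:", report["overall"], "| alerts:", report["alerts"])
```

With the sample data, two indicators are amber today, so the collective rating is amber even though no single KRI has breached; the phishing click rate is the one that gets an alert, because its trend line crosses the red threshold next period. Swapping the least-squares projection for a simple last-two-point delta is a reasonable simplification when histories are short or noisy.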

Key ORM Program Components: Risk Scenario Analysis
Considers an array of abnormal, extraordinary, maximum-severity events for key risks throughout the organization.
Assesses the potential frequency and impact of such events.
Includes analysis of internal and external loss experience, KRIs, and RCSAs (risk and control self-assessments).
Considers the circumstances and contributing factors that could lead to an extreme event, and the controls that would limit its likelihood and impact.
Management concludes whether the potential risk is acceptable or whether changes in control or business strategy are required.

Key ORM Program Components: Issue Management
Central repository of all internal, external and regulatory audit issues.
Specifies management accountability for each issue and its due date.
Captures and tracks remediation plans.
Escalation of past-due issues and remediation plans.
Provides assurance that all issues are captured and addressed in accordance with their severity.

Key ORM Program Components: Change Management
Ensure the identification and assessment of the risk inherent in all material changes to products, activities, processes and systems, so that the inherent risks and incentives are well understood.
A process for all new products, partners, activities, processes and systems that fully assesses operational risk.
First line: responsible for identifying and assessing the risk and implementing the change.
Second line: must be aware, challenge, and verify alignment to the risk management framework and risk appetite.

A New Risk World
We must build business context, consistently understand significant risks regardless of their source, streamline processes, and engage the first line of defense.

A New World for Audit
Audit must drive consistency with, and leverage, ORM to gain greater efficiency in executing the audit plan. We need to change our approach from compliance-driven to risk-driven, to keep the focus on the right priorities as they change.

Risk Management Framework (slide 19, a diagram; reconstructed as text)
Governance & Oversight: Board / Executive Team; Business Strategy; Risk Strategy; Risk Appetite.
Lines of Defense
First Line, Business Lines & Support Functions: product, process, risk and control ownership and management; business strategy execution; revenue generation and support.
Second Line, Independent Risk Oversight Functions (ERM, ORM, Compliance, Credit Review, etc.): risk management framework; alignment monitoring; challenging the first line; facilitation.
Third Line, Internal & External Audit: independent validation and reporting of program design and effectiveness; leverage information.
Risk Management Activities
Identify: Where is risk? Internal and external threat sources; how risk arises; business context; scenarios / what-if.
Assess: inherent / residual; likelihood / impact; volatility / speed; rating scales; top-down / bottom-up; qualitative / quantitative; RCSAs and modeling.
Decision: accept, reject, reduce; manual / automated decision; escalation based on risk tolerances and delegated authorities.
Treat: right people; policies, procedures, controls, incentives; risk transfer (insurance and hedging); risk reserves and risk-based pricing; culture, communications and training.
Monitor (risk profile): business changes; KRIs, KCIs, KPIs; losses, near misses, external events; outstanding issues; model output; tolerances and authorities.

ORM and ERM Responsibility (slide 20, a responsibility matrix; the X marks did not survive extraction, so only the axes are given)
Columns (accountable functions): Audit / CAE; CEO, CRO, ERM; Chief Credit Officer; CFO / Treasurer; CHRO; CLO; CCO; CISO; BCM.
Rows (risk areas): strategy and financial health; credit; liquidity, market, FX; people and talent management; all errors and fraud; financial reporting and SOX; litigation management; information security; business continuity and DR; vendor risk management, third-party risk and performance; regulatory compliance; reputation.
The slide also brackets the rows into ERM and ORM groups; the group boundaries are not recoverable from the extraction.

Key Adjacencies (slide 21, a maturity matrix with columns Siloed, Managed, Advantaged and rows Operational Risk Use Cases, Adjacent GRC Use Cases, Audit Use Cases; cell placement is not recoverable from the extraction)
Capabilities named on the slide: Foundation; Issues Management; Risk Inventory & Top-Down Assessment; Loss Event Management; Bottom-Up Risk Assessment; Key Indicator Management; Static Risk Evaluation; Regulatory Driven Universe; Static Controls Testing; Operational Risk Management; Dynamic Risk Evaluation; Policy Program Management; Audit Entity and Risk Universe; Controls Assurance Program Management; Continuous Controls Monitoring; IT Risk Management; Separate Risk Assessments; Project Risk Assessments.

Does Risk Management Really Drive Growth?
References: Journal of Accountancy, EY and PwC.

ORM and Audit must enable organizations to:
Establish a common business context for risk
Consistently assess risk
Evaluate loss events and perform root cause analysis
Monitor changes in risk using key risk and control indicators
Obtain a holistic view of risk

Inspire Everyone to Own Risk
Engage business units to more easily identify and manage the increasing volume and complexity of risk
Address risk consistently across your organization
Tie strategy to execution

Thank You
patrick.potter@rsa.com
Patrick Potter on LinkedIn
@pnpotter1017

EMC, RSA, Archer, the EMC logo and the RSA logo are registered trademarks of EMC Corporation in the U.S. and other countries.