Effective Assurance Frameworks


Effective Assurance Frameworks
NIGEL IRELAND, HEAD OF BARCUD SHARED SERVICES
@barcudss
www.barcudsharedservices.org.uk

Today
- What an Assurance Framework is
- How an Assurance Framework can add value
- Use of an Assurance Framework in practice
- Understanding key terms like: Assurance; Risk appetite; and 3 lines of defence.

Barcud Shared Services
- Consortium of housing associations in South Wales
- Primarily Internal Audit
- Risk, projects, strategy, business continuity

Barcud Internal Audit
- Best of independence & internal
- Work in housing associations
- See & feel risks
- Boards, audit committees, management and staff
- In-sector information
- Support and advise
- Insight
- Money stays in the sector

Assurance Frameworks - History
Timeline: 2002/3; 2012; 2017. Development of risk management processes.

Assurance Frameworks - Purpose
NHS Audit Committee Handbook: "the pivotal tool underpinning the Audit Committee's remit of monitoring financial, clinical and all operational risks and the key source of evidence that links strategic objectives to risk."
HM Treasury (2012): "Should be structured and provide reliable evidence to underpin the assessment of the risk and control environment for the annual Governance Statement, supported by independent appraisal from the internal audit service."

Assurance Frameworks - Purpose
Main elements:
- Natural development of risk management processes
- Provides an enhanced link between strategy and risks
- Based on reliable evidence
- Brings together risk management and the 3 lines of defence model

What is risk? The threat that an event or action will affect an organisation's ability to achieve its business objectives and execute its strategies.

So, what is risk management? Being able to identify the risk cause at the earliest opportunity, measure the risk effect and apply a proportionate level of resources to mitigate, or take advantage of, the risk; and obtaining assurance that the controls on which the organisation relies for mitigating the risk are effective.

What is assurance? Confidence, based on sufficient evidence, that internal controls are in place, operating effectively and objectives are being achieved (various Public Sector).
Assurance is what gives you comfort that a control is working (and therefore informs whether a risk is being managed as you had envisaged).

What do you want from Risk Management?
- Tool for increasing the likelihood of achieving objectives
- Aid to entrepreneurship: being risk aware, not risk averse
- Greater exploitation of opportunities
- Understand and prevent / reduce risk impacts
- Increase efficiency

Role of the Board
CHC Code of Governance (new):
- 3.2 The Board safeguards and promotes the organisation's reputation and, by extension, promotes public confidence in the wider sector.
- Principle 4 Decision-making, risk and control
- 4.1 The Board is clear that its focus is on strategy, performance and assurance
New WG Governance requirements emphasise Board Assurance.

Role of the Audit Committee
- Reviewing the effectiveness of risk management
- Reviewing, with management, the operation of risk management and responses to identified risks
- Reviewing the adequacy of assurance-providing activities and challenging management's response to these

Example risk register entry (columns: Objective, Risk, Inherent Score, Controls, Residual Risk Score, Assurance, Further Action, Target Risk)
- OBJECTIVE: We will provide 24/7 365 access to customers
- RISK: An incident occurs which stops our organisation providing access for more than 24hrs
- INHERENT SCORE: 25 (5 x 5)
- CONTROLS: 1) Business Continuity Plan 2) Resilient hardware 3) Regular testing, review and updating
- RESIDUAL RISK SCORE: 8 (2 x 4)
- ASSURANCE: How do you know?
- FURTHER ACTION: (blank)
- TARGET RISK: (blank)

Easy review of risks directly against objectives (note cause and effect), which enables more effective assessment & scrutiny of the risk score. A clear understanding of the action being taken and the controls in place to address the risk, which enables effective assessment & scrutiny of the residual risk score.

Same entry, with the assurance column to be completed:
- OBJECTIVE: We will provide 24/7 365 access to customers
- RISK: An incident occurs which stops our organisation providing access for more than 24hrs
- INHERENT SCORE: 25 (5 x 5)
- CONTROLS: 1) Business Continuity Plan 2) Resilient hardware 3) Regular testing, review and updating
- RESIDUAL RISK SCORE: 8 (2 x 4)
- ASSURANCE: Insert assurance here
- FURTHER ACTION: (blank)
- TARGET RISK: (blank)

The assurances give you comfort that the controls are working and therefore assurance that the residual risk score is accurate.

So what's the issue?
Risk Registers over-focus on controls:
- Audit Committee: control v risk / objective
- Time to identify controls & minor / insignificant controls
Assurances are control-driven:
- Number over quality / effectiveness
- Assurances seen as less important
- Quality of assurance unclear
- Assurance under-used: information not used as such

Potential Sources of Assurance
- Internal Audit
- External Audit
- Certifications: IIP / ISO9001 / ISO18001 / ISO32001
- Specialist reviews: HSE / Duty of Care / Penetration Testing
- Regulator feedback
- Customer feedback / complaints, including social media
- Local Authority / Partners
- Key Performance Indicators (KPIs)
- Management reports

3 Lines of Defence
- First Line: Day to Day Management
- Second Line: Corporate Oversight
- Third Line: Independent Assurance
Maximise Benefit? (diagram: 1. Management, 2. Corporate Oversight, 3. Independent Assurance, arranged around RISK)

Adding the 3 lines of defence: HM Treasury Guidance

Assessing Sources of Assurance
- Summarises previous identification stage
- Assessment

A lot to rationalise:
- AC Reporting
- Current Risk Registers
- Identifying sources of assurance
- Assessing sources of assurance
- Programme of Assurance

Proportionality & Adding Value
Risk definition: Being able to identify the risk cause at the earliest opportunity, measure the risk effect and apply a proportionate level of resources to mitigate, or take advantage of, the risk.
Programme of Assurance: shouldn't we also apply this to assurance activities?

(diagram: example assurance sources mapped across the 3 lines of defence, 1. Management, 2. Corporate Oversight, 3. Independent Assurance, around RISK)
- Performance Indicators
- Information from systems
- RAG reports to senior management
- Measured performance against targets and plans
- Specialist review of process
- Independent review of policies and procedures
- ISO Accreditation
- Key Performance Indicators
- RAG reports
- Systems reports / management information
- Customer satisfaction surveys
- Corporate risk management
Did the assurance provide VfM?

Barcud-led Project Aims:
- Upskill clients in risk management
- Programme of Assurance
- Greater understanding of assurance
- Development of a template
- Testing in practice
- Tailored Assurance Framework per client

Programme of Assurance
- Risk-based, like your Internal Audit (IA) Strategy
- Programme of Assurance & IA Strategy coordinated
- Should consider the quality of assurance
- Should reflect the assurance you already have
- Should consider Value for Money & proportionality
- Report progress to the Audit Committee

Example risk register entry with assurances completed:
- OBJECTIVE: We will provide 24/7 365 access to customers
- RISK: An incident occurs which stops our organisation providing access
- INHERENT SCORE: 25 (5 x 5)
- CONTROLS: 1) Business Continuity Plan 2) Resilient hardware 3) Regular testing, review and updating
- RESIDUAL RISK SCORE: 8 (2 x 4)
- ASSURANCE: 1) Internal Audit of BCP 2017/18: Substantial Assurance 2) Incident in 2016/17: lessons learnt document 3) External Penetration testing report 2017/18
- FURTHER ACTION: To address any gaps in control (c) or assurance (a), further action may be required
- TARGET RISK: (blank)

Building into current risk registers: Assurance Map

Building into current risk registers:

Developing a new focus:

Programme of assurance = IA Plan?

How does an AF achieve efficiencies?
- KPIs
- System updates
- Customer Satisfaction Surveys
- Independent Review
- Mgmt Info.
- Compliments & Complaints
- RAG Reports
- Award
- Regulatory Judgement
- Accreditation
- ISO Certification
Do we need an Internal Audit?

Risk Appetite

Risk Appetite (for Risk)
The level of risk (taking into account both impact and likelihood) that the organisation is willing to tolerate. It can be at the organisational, departmental or individual risk level.
Risk Appetite?

Risk Appetite
- "Risk appetite needs to be measurable. Otherwise there is a risk that any statements become empty and vacuous" [1]; and
- "Risk appetite is not a single, fixed concept. There will be a range of appetites for different risks which need to align and these appetites may well vary over time: the temporal aspect of risk appetite is a key attribute to this whole development" [1].
[1] Institute of Risk Management, Risk Appetite & Tolerance Guidance Paper, 2010

Risk Appetite
(diagram, based on the Institute of Risk Management model: current performance direction, with where you might end up if something good happens above and where you might end up if something bad happens below)

Risk Appetite
(diagram: Risk Universe, Risk Tolerance, Risk Appetite)

Appetite for Opportunity?
- Different from risk appetite?
- Used for decision making: new opportunities
- Words like: averse, open, hungry
- Work for decisions; not for risk?

Risk Appetite
- Removes some of the subjectivity about whether a risk is managed to an acceptable level or not.
- Enables more robust challenging by stakeholders on the scoring and mitigation of risks.
- Enables effective allocation of resources when seeking assurance.

Example risk register entry with target risk completed:
- OBJECTIVE: We will provide 24/7 365 access to customers
- RISK: An incident occurs which stops our organisation providing access
- INHERENT SCORE: 25 (5 x 5)
- CONTROLS: 1) Business Continuity Plan 2) Resilient hardware 3) Regular testing, review and updating
- RESIDUAL RISK SCORE: 8 (2 x 4)
- ASSURANCE: 1) Internal Audit of BCP 2017/18: Substantial Assurance 2) Incident in 2016/17: lessons learnt document 3) External Penetration testing report 2017/18
- FURTHER ACTION: (blank)
- TARGET RISK: 4 (2 x 2)

Target Risk: an example risk appetite at the individual risk level. Should be set by the audit committee (or board).

Risk Appetite Challenge?
- Development:
- Finance:
- Health & Safety / Legal Compliance:
- Housing:

Elements of Risk Appetite
- Statement in Risk Management Policy
- Departmental risk appetites (diagrams?)
- Your risk matrices / guidance for scoring
- Risk matrix colour distribution
- Your target risk scores on the risk register

Internal Auditors
A key element of your programme of assurance:
- Do they truly understand your business?
- Do they know you?
- Are they too arm's length?
- Do they give you ongoing support and advice?
- Are they sufficiently knowledgeable of your risks?
- Are they helping/supporting you in pushing your risk/assurance framework forwards?

Why an Assurance Framework
- Greater understanding of risk status
- Promotes continual improvement
- Greater Value for Money
- Makes more use of what you already have
- More efficient and effective use of assurance, including Internal Audit, to fill gaps
- Helps you KNOW!

Thank you
NIGEL IRELAND, HEAD OF BARCUD SHARED SERVICES
@barcudss
www.barcudsharedservices.org.uk

Recommended reading
- ACCA, Risk and the Strategic Role of Leadership (2018) - http://www.accaglobal.com/scotland/en/professional-insights/risk/risk-and-the-strategic-role-of-leadership.html
- HM Treasury, Assurance Frameworks (2012) - https://www.gov.uk/government/publications/assurance-frameworks-guidance
- Institute of Internal Auditors, Coordinating Risk Management and Assurance (2012) - https://global.theiia.org/certification/public%20documents/coordinating%20risk%20Management%20and%20Assurance.pdf
- ICAEW, Assurance Mapping - https://www.icaew.com/en/technical/audit-and-assurance/assurance/assurance-mapping#assurance
Talk to us! www.barcudsharedservices.org.uk