Inherent risk register


Inherent risk register Guidelines 21 February 2017 Market Performance

Contents

1 Introduction
  The purpose of the participant audit regime
  The key goals of the participant audit regime
  A risk-based approach is used for planning audits
  Two types of risk are assessed
2 Inherent risk
  The Authority assesses inherent risks, in consultation with participants
  Identify the risk
  Assess the likelihood of the risk
  Assess the consequence of the risk
  Inherent risk rating
3 Approach followed in preparing the inherent risk register
  Step 1: List the key goals of the participant audit regime
  Step 2: Define the inherent risk
  Step 3: List the participant audit for which inherent risk is assessed
  Step 4: Identify risks to achieving the key goals
  Step 5: Identify other risks
  Step 6: Assess likelihood and consequence

Tables
  Table 1: Likelihood of risk
  Table 2: Consequences of risk manifestation
  Table 3: Inherent risk rating matrix
  Table 4: Inherent risk score

1 Introduction

1.1 The participant audit regime is the participant audit, approval, and certification process contained in Parts 1, 10, 11, 15, and 16A of the Electricity Industry Participation Code (Code).

The purpose of the participant audit regime

1.2 The purpose of the participant audit regime has three limbs:
- to evaluate participants' compliance with the Code provisions that are audited under the regime
- to enable the Authority to make informed decisions regarding the certification, approval and audit frequency of participants
- to support the efficient operation of the electricity industry.

The key goals of the participant audit regime

1.3 Consistent with its purpose, the participant audit regime is intended to achieve the following three key goals:
- the timely and accurate settlement of the wholesale electricity market
- timely and error-free consumer switching
- for participants to provide accurate and complete information to others in a timely manner.

A risk-based approach is used for planning audits

1.4 The participant audit regime uses a risk-based approach to planning audits. The following three documents are integral to this approach:

1. Risk and materiality guidelines: These set out how to assess risk, the process for applying risk to focus audit effort and how to assess the materiality and likelihood of a risk.
2. Auditor protocol: This sets out audit standards and the Authority's expectations of auditors when performing audits.
3. Inherent risk register: This sets out the risks inherent in a participant's functions and processes that are audited. The auditor uses these inherent risks as a starting point for determining an audited participant's residual risk.

Two types of risk are assessed

1.5 Two types of risk are assessed under the participant audit regime:

1. Inherent risk: Inherent risk represents risk in the absence of any controls. Inherent risks are assessed by the Authority, in consultation with industry, and are used as the starting point for determining residual risk. Inherent risks apply to a class of participant, not to individual participants.

2. Residual risk: Residual risk represents the risk once the auditor has assessed the effectiveness of controls in place for managing the risk. Residual risk is used by the auditors to determine audit priority and effort. Residual risks apply to each participant.

2 Inherent risk

The Authority assesses inherent risks, in consultation with participants

2.1 Under the participant audit regime, the Authority is responsible for assessing inherent risks. The Inherent risk register summarises the Authority's assessment of inherent risks. The Authority intends to consult regularly with participants on the Inherent risk register.

2.2 Inherent risk is assessed using a four step process:

1. identify the risk
2. assess the likelihood of the risk (in the absence of any controls to manage the risk)
3. assess the consequence should the risk eventuate
4. combine the likelihood and consequence of the risk, to determine the inherent risk rating.

Identify the risk

2.3 Risks are identified through industry consultation and the following process:

(a) for each class of participant audited, identify the key risks that the participant audit regime is concerned with [1]
(b) for each key risk, identify the undesirable outcome(s) that would arise if the risk occurred [2]
(c) for each clause of the Code that is subject to audit, list the applicable key risk(s).

[1] Examples of key risks may include inaccurate submission information or inaccurate registry records.
[2] For example, inaccurate submission information may lead to inaccurate invoices for reconciliation participants.

Assess the likelihood of the risk

2.4 The likelihood of each identified risk is classified as follows:

Table 1: Likelihood of risk

| Likelihood |
|---|
| Highly likely |
| Likely |
| Probably |
| Possibly |
| Unlikely |

Source: Electricity Authority

2.5 Likelihood needs to take into account, but is not limited to, the following factors:

(a) Opportunities for errors/failures/non-compliance to occur: the greater the volume and frequency of process events that contribute to the risk, the greater the opportunity for an error to arise.
(b) Complexity of the business processes that contribute to the risk: for example, a complex multi-step process involving multiple staff may be subject to more errors than a simple one-step process undertaken by a single staff member.
(c) Level of manual intervention in the process: a high level of manual intervention within a business process increases both the scope for errors to occur and the likelihood of them occurring.
(d) Incentives surrounding the process: where adverse incentives exist, there may be a greater likelihood that the process is completed with errors (eg, if performance is measured based on the number of transactions completed, there is more likely to be an incentive to complete tasks at greater speed, thereby potentially compromising accuracy).
(e) History of past performance of business processes that contribute to the risk: eg, past instances of non-compliance.

Assess the consequence of the risk

2.6 The consequence of each identified risk manifesting itself is classified as follows:

Table 2: Consequences of risk manifestation

| Consequence | Examples |
|---|---|
| Major | The risk has the potential to: lead to major settlement errors in the wholesale electricity market that adversely affect other participants; and/or cause a significant and adverse effect on multiple market participants and consumers; and it might not be possible to reverse these, or if it was, there would be difficulty or material costs to other participants in doing so. |
| Moderate | The risk has the potential to: adversely affect the settlement in the wholesale electricity market; and/or adversely affect one or more market participants, with the potential to cause minor adverse effects on consumers; and these could be reversed easily. |
| Minor | The manifestation of the risk is not severe enough to adversely affect market participants or consumers, but is significant enough for the Authority and/or the electricity industry to consider remediating (ie, the benefit of remediation outweighs the cost). The consequence of the risk if the risk is manifested by multiple participants would be Moderate or Major. |
| Immaterial | The manifestation of the risk is not severe enough to adversely affect market participants or consumers, and could be remediated using normal business procedures (eg, workarounds), and/or the cost of remediation outweighs the benefit. The consequence of the risk if the risk is manifested by multiple participants would be Minor, Moderate or Major. |

Source: Electricity Authority

2.7 Assessment of consequence needs to take into account, but is not limited to, the following factors:

(a) Impact on settlement of the wholesale market: the greater adverse effect on settlement or other participants the greater the impact of the risk.
(b) Impact on market participants and/or consumers: the bigger the impact on a single participant or consumer or the more participants and/or consumers affected, the higher the consequence.
(c) Ability to reverse or correct the impact of the risk: for example correction of submission information through the wash-up process.

Inherent risk rating

2.8 Inherent risk represents the risk in the absence of any controls.

2.9 The likelihood (Table 1) and consequence (Table 2) ratings are combined using the matrix (Table 3) to determine the inherent risk.

Table 3: Inherent risk rating matrix

| Likelihood \ Consequence | Immaterial | Minor | Moderate | Major |
|---|---|---|---|---|
| Highly likely | Medium | Medium | High | High |
| Likely | Low | Medium | High | High |
| Probably | Low | Medium | High | High |
| Possibly | Low | Medium | Medium | Medium |
| Unlikely | Low | Low | Medium | Medium |

Source: Electricity Authority

Table 4: Inherent risk score

| Inherent Risk Score | Description |
|---|---|
| High | High risk area with reasonable likelihood of manifestation and potentially severe/major adverse outcomes on the electricity industry and consumers. |
| Medium | Medium risk area with low to reasonable likelihood of manifestation and moderate adverse outcomes on the electricity industry and consumers. |
| Low | Low risk area with low likelihood of manifestation and low/negligible adverse outcomes on the electricity industry and consumers. |

Source: Electricity Authority

3 Approach followed in preparing the inherent risk register

3.1 Set out below is the Authority's approach to preparing the Inherent risk register.

Step 1: List the key goals of the participant audit regime

3.2 The first step in developing the Inherent risk register is to state what the participant audit regime is trying to achieve, that is, to list the key goals of the regime.

3.3 Each risk in the inherent risk register should be a risk to successfully achieving one or more of the key goals of the participant audit regime.

Step 2: Define the inherent risk

3.4 Inherent risk means risk in the absence of any controls/mitigation measures in place to manage, or even eliminate, the risk.

3.5 Inherent risk applies to a class of industry participant. Inherent risks are not specific to individual participants.

Step 3: List the participant audit for which inherent risk is assessed

3.6 Included in the Inherent risk register are key risks considered as part of the following participant audits:
- dispatchable load purchaser audit
- distributor audit
- metering equipment provider (MEP) audit
- reconciliation participant audit
- retailer audit in respect of distributed unmetered load
- approved test house (ATH) audit.

The key risks considered part of the following audits are not included in the Inherent risk register:
- load profile audit
- market operation service provider audit.

Step 4: Identify risks to achieving the key goals

3.7 List the main functions/processes that are audited under each participant audit.

3.8 These functions/processes are listed in the audit guidelines prepared by the Authority for the following participant audits:
- dispatchable load purchaser audit
- distributor audit
- MEP audit
- reconciliation participant audit.

3.9 For each of the main functions/processes, identify the key risks to one or more of the key goals:
- the timely and accurate settlement of the wholesale electricity market
- timely and error-free consumer switching
- for participants to provide accurate and complete information to others in a timely manner.

3.10 When identifying risks, systematically consider what might happen that puts at risk achieving the key goals of the participant audit regime. Also consider how it might happen, when, and why.

3.11 As a final check, consider risks to one or more of the key goals by looking first at the consequence rather than the cause. There may be risks with a significant consequence, but for which there is no readily identifiable source or cause. Any such risks should also be included in the Inherent risk register.

Step 5: Identify other risks

3.12 For each of the main functions/processes listed in step 4, identify any other key risks that are not related to the three key goals, but which are risks to furthering the Authority's statutory objective, ie, they are risks to:
- the promotion of competition in the electricity industry
- the reliable supply of electricity by the electricity industry
- the efficient operation of the electricity industry, for the long-term benefit of consumers.

3.13 When identifying such risks, systematically consider what might happen that puts at risk furthering the Authority's objective. Also consider how it might happen, when, and why.

3.14 As a final check, consider any risks to furthering the Authority's objective, and which are not related to the three key goals, by looking first at the consequence rather than the cause. There may be risks with a significant consequence, but for which there is no readily identifiable source or cause. Any such risks should also be included in the Inherent risk register.

Step 6: Assess likelihood and consequence

3.15 For each identified risk, assess the likelihood and consequence of the risk manifesting itself.

3.16 When assessing the significant consequence(s) of a risk manifesting itself, consider different scenarios. Be aware of initial consequences escalating through flow-on effects (e.g., via a number of outcomes happening quickly one after the other; via a number of outcomes building in magnitude over time). Also be aware of small and varied risks that have the potential to form a large risk at any point in time.

3.17 Other considerations may include regulatory risk caused by a lack of alignment across legislation, and disaster risk related to the functioning of common systems.