ENTERPRISE RISK SERVICES Managing Risk, Driving Results

Transcription

1 ENTERPRISE RISK SERVICES Managing Risk, Driving Results

2 Risk Management Solutions At MNP, our Enterprise Risk Services team assists organizations as they navigate through uncertainty by helping them effectively manage the risks, threats and vulnerabilities that could derail their success. MNP offers an integrated suite of corporate governance, risk management, regulatory compliance and Performance Improvement services. We provide innovative, pragmatic risk solutions that balance risks and rewards. Whatever your specific needs, MNP will work with you to implement a tailored, cost-effective risk solution. Forensics & Enterprise Security Governance & Risk Management Anti-Fraud Program Whistleblower Hotline Forensic Investigation Governance Effectiveness Risk Oversight Enterprise Security Management ERM Framework & Threat Vulnerability Risk Assessment Program Implementation ERM Maturity Assessment Risk Assessment & Mitigation IT Governance Cyber Security & Privacy Technology Controls Assurance IT Project Risk Management Third Party Reporting Data Analytics Payment Card Industry (PCI) Compliance Managed Services Access the experience of more than 3,500 MNP team members across Canada and valuable resources in more than 80 countries. Technology Risk 3

3 Performance Improvement Organizational Structure & Governance Business Process & Control Improvement People & Technology Effectiveness Lean Six Sigma Data Analytics Business Continuity Planning Crisis Management & Communications IT Disaster Recovery Emergency Preparedness & Response Scenario & Simulation Testing Establishment of an Internal Audit Function Internal Auditing CEO / CFO Certification Compliance Auditing Value for Money Auditing Quality Assurance Reviews Critical Infrastructure Protection Supply Chain Risk Business Resilience Internal Audit & Controls How MNP Can Add Value Our Enterprise Risk Services team possesses unrivalled expertise and thought leadership in risk management. MNP s enterprise risk professionals have extensive experience assisting organizations of all sizes and operating in major industries. This expertise ranges from implementing tailored Enterprise Risk Management solutions to leading the global Sarbanes-Oxley 404 compliance efforts for some of the largest organizations in the world. At MNP, we differentiate ourselves from our competitors by committing more senior personnel to help you achieve your goals. As we firmly believe an integrated partner-led approach is the key to add true enterprise value, our thought leaders work closely with you throughout each step of your engagement. MNP is an independent member of Praxity, AISBL, a global alliance of independent accounting firms. Praxity Global Alliance Limited strives to be the most advanced alliance of strong, like-minded, independent and committed accounting firms that deliver unmatched client service and quality solutions globally. With access to a network of more than 65 member firms in 80 countries across the globe, MNP is able to draw upon the expertise and international experience of these firms to deliver value-added solutions to our clients. 4

4 Governance & Risk Management In today s highly competitive, global and complex business environment, it s more important than ever for organizations to adopt prudent corporate governance practices and an enterprise-wide approach to risk management. MNP helps you develop these interdependent but distinct areas with a comprehensive, pragmatic approach based on sound governance and risk management principles that apply to organizations of all sizes and industries. Sound corporate governance is paramount to your organization s long-term success and resilience. How MNP Adds Value By understanding the different objectives and sophistication levels of the organizations we serve, MNP customizes our proven governance and risk management solutions to help you achieve your entity goals and objectives, mission and vision. Our governance and risk management professionals have provided solutions on an international scale to a wide range of industries and organizations of varying sizes and complexity. We leverage our deep expertise and experience to assist you in designing and implementing an effective governance and risk management framework and practices that are tailored to your organization s needs and aligned with your culture. Corporate Governance The financial crisis exposed widespread flaws in corporate governance practices. Since then, boards and executives have been under intense scrutiny, with stakeholders demanding greater vigilance, transparency and accountability and authorities introducing more rigorous governance standards and regulations. Sound corporate governance is paramount to your organization s long-term success and resilience. Our thought leaders have extensive experience providing governance solutions that are aligned with leading good governance principles and practices and evolving corporate governance regulatory requirements. We focus on establishing effective governance principles, policies, guidelines and processes to optimize value to the organization and its stakeholders. We can help you design and implement a tailored governance model right-sized for your organization that also complies with regulatory requirements and meets stakeholder expectations. 5

5 Achieve an optimal risk and reward balance to maximize your enterprise value. Our governance professionals deliver comprehensive solutions, including: Evaluating the effectiveness of current governance frameworks and practices Developing and implementing tailored corporate governance models Designing governance structures, committees and charters Providing board and committee education, training and coaching on all aspects of effective stewardship and oversight responsibilities Developing organization-wide policies and procedures Facilitating strategic and operational planning workshops Creating customized reporting and communication processes Evaluating board and committee effectiveness Providing special board assistance such as developing a skills matrix and resolving conflict at the board table Risk Management Enterprise Risk Management (ERM) presents a fundamental shift in the way organizations identify, evaluate, prioritize, manage and monitor risks moving away from silos to a holistic, integrated approach. In implementing formal risk management frameworks, we help organizations proactively manage threats that could derail the achievement of entity objectives while maximizing opportunities. Our ERM specialists have a proven track record for providing practical risk management solutions that are comprehensive and results-based, aimed at helping organizations make better decisions, reduce uncertainty, minimize costs and improve performance. We understand every organization is unique and therefore our focus is to customize risk management solutions to help you achieve your strategic, operational and financial goals and objectives. Our professionally certified risk professionals bring diverse expertise and in-depth knowledge in all aspects of leading ERM principles and practices, allowing us to offer a broad range of services, including: Performing a maturity assessment of your existing ERM program Developing and implementing an ERM framework and program that is integrated with existing processes and aligned with your unique culture Developing a risk appetite that defines the amount of risk your organization is prepared to accept in pursuit of entity objectives Working with you to identify, evaluate and prioritize your enterprise-wide, operational or project-related risks and delivering effective treatment plans to reduce threats to an acceptable level Providing board and management training on the fundamentals of ERM Establishing a monitoring process for new and emerging risks Developing ERM communication and reporting processes Our ultimate goal is to help your organization achieve an optimal risk and reward balance to maximize your enterprise value. 6

6 Internal Audit & Controls Performance Improvement We focus on improving the efficiency and effectiveness of your business processes by driving opportunities to automate, strengthen, streamline, standardize and centralize existing processes. Now more than ever, organizations must do more with less while continuing to effectively manage risks that may prevent them from reaching their goals and objectives. Business leaders across all industries and sectors are facing growing pressure to increase revenue, reduce costs, improve customer satisfaction, pursue new markets, increase shareholder value and comply with new regulations in an increasingly competitive environment. How do you plan on staying ahead of your competition? Organizations often respond by simply focusing on deep cost reductions to increase profitability. At MNP, we believe organizations must drive Performance Improvement to achieve sustained productivity gains and promote innovation to create a competitive advantage. But many organizations that undertake such initiatives to optimize performance typically fall short of expectations, mainly because processes are often improved on an ad-hoc basis or the improvement project is isolated to a certain area of the organization. MNP helps public and private organizations in a diverse range of industries optimize operational performance, fully leverage resources and manage risks ultimately to develop a strategic and competitive advantage. We believe that Performance Improvement must be achieved in a sustained, strategic manner. As a result, our methodology helps you to instill a culture of continuous improvement in the day-to-day fabric of your business and to implement an organization-wide approach to operational excellence whereby performance improvement initiatives are prioritized based on your strategic objectives. Our systematic methodology begins with strategically aligning your business processes by designing the appropriate operational structure and business processes with the right governance and controls required to achieve your organizational objectives. We then focus on improving the efficiency and effectiveness of your business processes by driving opportunities to automate, strengthen, streamline, standardize and centralize existing processes, as well as to develop new processes where necessary. It is critical we do not sacrifice proper internal controls for efficiency. As part of our process improvement solution, we will design and implement an optimal system of internal controls to address the priority risks that could derail the achievement of your goals and objectives. 7

7 Lean Six Sigma is a powerful tool to reduce waste, lead time, defects and errors. Our Performance Improvement experts have deep experience applying various process improvement methodologies and will employ the most appropriate methodology for the nature, size and complexity of your organization and the specific issue at hand. Lean Six Sigma is one methodology we may leverage. It is a powerful tool to reduce waste, lead time, defects and errors. Our Master Black Belts can help your organization translate process improvement initiatives into concrete financial results. To extract the most out of big data, you need to know what you want from it. Our analytic capabilities ensure you maximize your data s potential, from enhancing client experience to optimizing your business security capabilities. Operational excellence can only be achieved if processes are supported with the right people and technology. We work with you to define and develop programs to improve people effectiveness activities that lead, motivate, develop and support your human capital. We ll also evaluate your current and planned technologies, infrastructure and support systems to ensure your organization has the appropriate technological capabilities to support your operational processes and help determine if current systems are being used to their capacity. 8

8 Internal Audit & Controls Strategic co-sourcing is a cost-effective solution to ensure you have the right resources. Heightened focus on governance and the need for transparency with stakeholders has highlighted the growing importance of establishing and maintaining an effective system of internal controls. They will help to adequately safeguard assets, improve reliability of financial reporting and assess compliance with applicable laws and regulations. This includes having a mechanism in place that provides independent assurance your internal control systems are mitigating risk and highlights opportunities to improve operations and optimize performance through an effective internal audit function. Our risk professionals will work with you to develop an appropriate system of internal controls to address your top business risks. We can create a tailored, cost-effective internal audit solution to help you achieve effective corporate governance and provide senior management with timely and reliable business intelligence. Internal Audit We can assist your organization by establishing an internal audit function or extending the scope of your existing assurance program to both significantly contribute to shareholder value and assist management in fulfilling their operational responsibilities. Having an effective internal audit function is essential for managing risks and strengthening your ability to conduct business through a controlled environment. By applying our proven, risk-based internal audit methodology, we can provide your organization with a cost-effective, value-added internal audit solution. Our team can facilitate the development or execution of your internal audit plan through a range of sourcing options that enable you to expand scope and improve operations. Outsourcing part or all of this responsibility enables you to look after the overall strategy and operational priorities of your organization, while we handle the day-to-day function of internal audit. Strategic co-sourcing is a cost-effective solution to ensure you have the right resources. We can provide a resourcing solution if your internal audit department is challenged with issues related to operational priorities, specialized expertise, geography or capacity. Our specialists will partner with your existing internal audit team to provide assistance when and where it is needed most. We can also help ensure the effectiveness of your internal audit function by conducting a quality assessment review to benchmark your audit function against leading professional practices and industry standards. CEO / CFO Certification Complying with CEO / CFO certification requirements such as Sarbanes-Oxley 404 or National Instrument can be a complex process. Companies must adopt a practical, streamlined approach to avoid the excessive costs of a one-size-fits-all strategy. We employ a top-down, risk-based approach designed specifically to help organizations achieve sustained compliance in a cost-effective manner. Our methodology is firmly based on doing it right the first time and eliminates the need to rationalize or optimize key controls in future years. We will also leverage the benefits of the compliance process to create enterprise value by identifying operational improvement opportunities and benchmarking against leading industry practices. 9

9 While some organizations may choose a do-it-yourself approach, working with a qualified, independent party offers a number of significant benefits. Our team has extensive CEO / CFO certification experience and our third-party, independent reviews provide additional credibility to support management certifications when subject to external scrutiny. Engaging an independent team also enables internal staff to focus on other value-added priorities, while reducing the need for additional hiring costs during times of higher resource demands to meet certification requirements. Compliance Regardless of the sector, every organization is subject to some form of compliance requirement, whether it is regulatory, contractual, statutory or public sector mandates. We have a dedicated team that can help you understand your universe of compliance requirements, establish formal policies and procedures, implement a system of internal controls to address your priority risks and develop a program to evaluate and monitor compliance. Our team has deep experience in performing compliance audits both in the private and the public sectors. Through our proven methodology, we deliver reliable audit programs and reports to satisfy any of your compliance requirements. Our methodology is firmly based on doing it right the first time and eliminates the need to rationalize or optimize key controls in future years. 10

10 Business Resilience Our world has changed. We live and work amid new and emerging threats fiscal crises, extreme weather and environmental change, terrorism, fraud, workplace violence, pandemics and a host of natural and man-made threats that have wreaked havoc on our business and operating environments. To further complicate matters, globalization and fierce competition have created even greater risks and being prepared is critical to your organization s future success. Two out of five companies that experience a crisis do not survive. A disruption or crisis can have long-term effects on the financial, operational and overall health of your organization. Industry studies report that two out of five companies that experience a crisis do not survive. Many organizations do not have adequate programs in place to ensure continuity of operations that will protect the enterprise in the event of a crisis and satisfy the expectations of board members and key stakeholders. Today, organizations must be able to do more than just recover business processes and technology after a disruption. Organizations are expected to identify and mitigate: Major disruptions of key operations Loss of key vendors / partners Loss of key people Breaches to buildings, critical infrastructure, information and technology Threats and potential damage to revenue, customer service, reputation and brand Developing effective strategies to proactively identify and manage these threats is your best defense in an ever-changing world. Individual plans and programs are critical, but true resilience is achieved by integrating effective programs and linking them to your organization s overall risk based strategic planning process. MNP can help you develop plans and programs that integrate and mutually support one another to achieve the synergies for effective resilience. MNP s Integrated Methodology 11

11 MNP s business resilience solutions are customized to your needs and designed to ensure continuity of operations helping you maintain a competitive advantage. Risk & Vulnerability Assessments Enhance your organization s ability to effectively conduct operations by understanding your threats, risks and vulnerabilities. At MNP, we help you identify and evaluate countermeasures for risks and other issues that could affect your organization. Emergency Response Planning Develop clear, concise corporate directives to protect and safeguard customers and employees before decision makers are informed. MNP will work with you to develop a comprehensive plan that includes floor warden programs, evacuation plans, disability evacuation, notification protocols and assembly points. Anticipate, mitigate and respond to a wide range of threats transforming a potential crisis into a competitive advantage. Business Impact Analysis & Strategy Development Determine which business processes are critical to the ongoing viability of your business. We also measure the impact of loss to determine which resources are required to achieve continuity. Crisis & Communication Planning Determine the internal and external communications for your organization and a clear chain of command with a comprehensive crisis management plan. Protect your brand and effectively communicate to the media and your customers, before, during and after a crisis in order to maintain consumer confidence, market share and continuity of operations. Supply Chain Risk Develop a comprehensive supply chain strategy to identify critical risks and build contingency plans into each of your supply chain management processes. IT Disaster Recovery Planning Develop a comprehensive plan through a series of facilitated workshops and assessments to effectively recover your IT systems and infrastructure. Business Recovery Planning Develop instructive recovery plans for critical processes through the use of existing documentation and information sources. We will work with your employees to create a tailored action plan that best serves your needs. Testing & Maintenance Programs Ensure your programs will work when you need them to. Through comprehensive testing, we document gaps and errors and deliver solutions to maximize the real world effectiveness of your contingency plans. With help from MNP, you will gain the confidence of knowing your organization is better prepared to anticipate, mitigate and respond to a wide range of threats transforming a potential crisis into a competitive advantage. 12

12 Technology Risk Our security and privacy professionals assist organizations to identify and mitigate the critical security threats and risks pertaining to your environment. The protection of your information and communication technology assets is more critical than ever. From operational performance improvements to process efficiencies, today s technologies not only support global operations but are critical to enable key business opportunities and drive growth. You need to manage the risks of emerging technology today, while planning for tomorrow. At MNP, we understand the value technology can bring to your organization as well as the risks that it can present to your environment. Our specialists have successfully assisted organizations identify key risks, prioritize efforts and align the appropriate governance and controls to cost-effectively mitigate the risks of system interruption and failure. Our Technology Risk Services team delivers real business value by identifying and addressing complex enterprise issues and improving business performance. IT Governance Effective IT governance is essential to support the delivery of your strategic objectives and optimize the value of technology investment. Our experienced teams can help your organization align IT business operations and strategic objectives, evaluate IT risks and system performance and strengthen IT security management programs and controls. Our pragmatic and tailored methodology and tools provide a strong and efficient approach toward the implementation and maintenance of IT strategy and governance that provide value for the organization. Cyber Security and Privacy Our security and privacy professionals assist organizations to identify and mitigate the critical security threats and risks pertaining to your environment. Our Technology Risk Services team can assist you to safeguard information assets and manage the risk of unauthorized disclosure, modification or loss of critical information, including the challenges with emerging technologies such as cloud computing, social media and mobile devices. Our methodology begins with evaluating your risk profile and implementing an effective and practical security strategy to achieve your strategic, compliance and risk management objectives. Our tailored solutions address various security needs including: Offensive Security (Red Team) Penetration Testing Vulnerability Assessment (VA) Information Security Program Assessment Information Security Audits Compliance with Payment Card Industry Data Security Standard (PCI DSS), Privacy, Freedom of Information and Protection of Privacy (FOIP) ISO 27001/2:2005 Programs Threat and Risk Assessment (TRA) Security and Privacy Risk Assessment Defensive Security (Blue Team) Maturity and Threat Analysis (MTA) Cyber Secuity Managed Services Network and System Component Configuration Review Implementation of Security Controls Privacy Risk Assessment (PRA) and Compliance Audits Privacy requires a shift in perimeter centric security to data centric security. Even if Personal Information (PI) does not leave the organization s control, a breach or violation of rights may have occurred. You can have security without privacy, but you cannot have privacy without adequate security. 13

13 Our privacy professionals utilize a combination of relevant legislation, generally accepted privacy principles and client-specific criteria to guide the assessment of legislative compliance, security and privacy risks and controls, and develop prioritized recommendations. Technology Controls Assurance A robust IT control environment is critical to ensure the reliability and integrity of information processing. From strategic needs to compliance and processing requirements, organizations have varied exposure to IT system dependencies, data breaches, information security threats, system changes and business interruption. Our experienced team can assist you to implement an industry accepted IT risk and control framework for your specific environment that is aligned to your IT risk appetite and tolerance. Our proven controls assurance methodology provides an independent and objective assessment of your IT risks and control effectiveness, as well as highlights enhancement opportunities to strengthen your control environment. Implement an industry accepted IT risk and control framework for your specific environment that is aligned to your IT risk appetite and tolerance. IT Project Risk Management Large IT projects are notoriously complex transformations that each have their own unique challenges and factors that must be managed over the project life cycle to achieve success. But reaching the goals of being on time, on budget and on scope can be overwhelming and difficult to accomplish, resulting in additional costs, frustrations and compromised performance. MNP has a successful track record in delivering Project Risk Advisor services for complex implementation projects. Throughout the project s life cycle, we provide independent, timely, transparent and easy-to-understand updates for stakeholders in three key areas: Business readiness and benefits realization Project management effectiveness and controls Internal controls Third-Party Reporting With affordable and improved delivery of outsourced IT services, there is increased expectation for third-party service providers to provide independent assurance on the effective operation of their IT controls in accordance with industry standards. MNP technology risk professionals can provide third-party assurance services in accordance with U.S. standard SSAE 16, Canadian standard CSAE 3416 and International standard ISAE

14 Forensics & Enterprise Security Fraud and security issues are becoming more common and more complex. As the rate of fraud and security incidents continue to escalate, it is important organizations respond aggressively to these challenges. Working closely with you, our Forensic and Enterprise Security professionals deliver innovative strategies that help you proactively identify, assess and respond to these threats. Forensics Fraud can strike your organization at any time. Regardless of the known direct financial impact, anything less than a full and proper response will have a significant impact on your most important asset: your reputation. In a crisis, you must respond quickly and send a clear message that unethical conduct will not be tolerated. MNP s forensics team will help you meet those needs. In a crisis, you must respond quickly and send a clear message that unethical conduct will not be tolerated. Investigation In a recent economic crime survey, 55 percent of Canadian businesses reported being victims of economic crime. North American estimates put corporate losses due to fraud at six percent of revenues. Our forensics specialists have investigated complex financial crimes on a national and international scale in diverse industries. Using proven investigative and forensic accounting techniques in tandem with computer forensics and data mining tools, we will develop and deliver an independent, professional response to any issue, enabling you to focus on your core business. The MNP team will qualify and quantify the impact of ethical breaches and help you manage the administrative, regulatory or judicial process. We will also develop a remediation plan to minimize your losses and manage the risk of reoccurrence. Prevention Our risk professionals can show you the hidden exposures you didn t know existed to prevent losses and reputational damage. MNP s fraud risk assessment is designed to pinpoint gaps in your internal controls. Once the risks are identified, we will work with you to manage them in a way consistent with your corporate culture. Through our comprehensive fraud awareness training sessions, your staff will be able to recognize suspicious or fraudulent activity and come forward to report these activities to prevent losses or further damage. Detection Early fraud detection is a key step to cutting fraud losses, generating a return on your investment. MNP will provide proactive fraud audits of high-risk areas. By combining our team s expertise with your team s in-depth knowledge of your organization, we will customize our approach by focusing on key accounts and transactions and apply a broad range of investigative and forensic accounting techniques. This enables us to analyze large volumes of data for suspicious activity using computer-assisted audit techniques and special purpose software that quietly monitors the potential exposures that keep you awake at night. 15

15 Whistleblower Hotline Program According to the Association of Certified Fraud Examiners, the most common way to detect fraud is through a tip from an employee and others associated with your organization. Research indicates that establishing a whistleblower hotline can reduce fraud losses by 50 percent. Active 24 hours a day, 365 days a year, MNP s Whistleblower Hotline is bilingual and completely confidential. Callers identities are protected and any information gathered is presented to your organization s audit committee or compliance office. In addition, we will provide you with a comprehensive threat assessment and response plan. Enterprise Security In today s complex and competitive business environment, protecting your people, assets and reputation is more challenging than ever. Success depends on being proactive and focusing on identifying, assessing and responding to threats. Our experienced professionals follow comprehensive methodologies that link your security requirements to your overall risk management program and business needs. This will facilitate: safety of employees and customers, security of your logical and physical assets, mitigation of business risk, protection of your brand and reputation and overall enterprise resiliency and business sustainability. We harden your environment, thereby limiting exposure and reducing risks a key business continuity step in the protection of your employees, customers, assets and proprietary information. MNP s cost-effective enterprise security solutions are customized to meet your needs and enhance consumer confidence, customer/employee safety and continuity of operations enabling your organization to achieve their operational and strategic objectives. Threat Vulnerability & Risk Assessments Enhance your organization s ability to effectively conduct operations by understanding your threats, vulnerabilities and risks. MNP can help you identify and assess the risks and exposures that could affect your organization, as well as provide recommendations and countermeasures. Security Strategy & Planning Assess, design and implement efficient and effective control processes and security solutions. Our experienced security specialists use proven methodologies to engineer security solutions that protect your infrastructure, people, customers, assets and systems by integrating resiliency into your critical business functions. Security Crisis & Incident Response Services Plan for events such as logical or physical security incidents, key employee termination or man-made disasters so you can respond to an unexpected crisis. Our experienced teams are prepared to help you manage the response process which includes stabilization, preparation, investigation and business recovery support services. MNP will help with everything from coordinating your staff to assisting in the implementation of crisis management and crisis communication protocols. Counterterrorism We work closely with your existing security staff to reduce your risk of attack, kidnapping or harassment by implementing effective yet unobtrusive methods to enhance the safety and security of your people and assets, anywhere in the world. Operations Security Develop and implement an overall corporate resource protection program based on proven processes. We work with your staff to create a tailored solution that results in reduced risk to your employees, proprietary information and physical assets. Critical Infrastructure Protection Protect your assets with our experience in the secure design, construction and management of robust and sustainable critical infrastructure facilities. Through multiple security layers, we harden your environment, thereby limiting exposure and reducing risks a key business continuity step in the protection of your employees, customers, assets and proprietary information. 16

16 For more information on MNP s suite of Enterprise Risk Services, contact Mariesa Carbone, National Enterprise Risk Services Leader at or mariesa.carbone@mnp.ca. Praxity, AISBL, is a global alliance of independent firms. Organized as an international not-for-profit entity under Belgium law, Praxity has its administrative office in Epsom, England. Praxity Global Alliance Limited is a not-for-profit company registered in England and Wales, limited by guarantee, and has its registered office in England. As an Alliance, Praxity does not practice the profession of public accountancy or provide audit, tax, consulting or other professional services of any type to third parties. The Alliance does not constitute a joint venture, partnership or network between participating firms. Because the Alliance firms are independent, Praxity does not guarantee the services or the quality of services provided by participating firms.