How to Measure the Value of Your Internal Audit Group
Best practices to follow, pitfalls to avoid and success metrics to measure
May 17, 2012
Agenda
Strategic challenges: implications for the enterprise
How to address challenges and add value
How technology can help
Organizational Implications of the New Reality
(Diagram) Operational risk management is the new centerpiece of organizational strategy.
Implications for the organization:
Strategic: increasing pace of regulatory changes; stringent enforcement; new global and local regulations; differing interpretations; convergence in risk management; need for greater assurance
Tactical: generating business value; increasing volume (big data); increasing complexity of information; revealing the opaque; need to rationalize; simplify to improve facilitation
Divergent Path: Operational Losses & Business Performance
(Diagram) Operational losses are increasing across the loss event categories: internal fraud; external fraud; employment practices and workplace safety; clients, products and business practice; damage to physical assets; business disruption and systems failures; execution, delivery and process management.
Business performance moves the other way: return on investment, growth prospects, competitive advantage and market goodwill decrease, while the cost of investment increases.
Strategic Challenges for Internal Audit
New product development: exposure to new risks (mobile banking and payments, multi-family lending, residential lending and refinancing)
Convergence in risk management (operational, IT, vendor, regulatory, credit, market)
Increasing pace of regulatory changes and related risks: stringent enforcement means financial and strategic impact
Information overload and differing interpretations
Need for greater risk assurance (rating agency, board and investor requirements)
The Rising Cost of Operational Risk
(Diagram) Threats: continuing instability, economic volatility, corporate credit, politics, law & regulations, corporate governance, scarcity of resources, adapting technology, changing processes
Risks: credit losses, UDAAP, late projects, fair lending, weak/anemic loan demand, enforcement actions, social media, information asymmetry, concerned customers, suspicious investors, aggressive competitors, information security, National Mortgage Settlement, vendor management, incomplete documentation
Resulting costs: strategic costs, financial costs, compliance costs, operational costs
Implications for the Enterprise
Threats: compliance costs, financial costs
Risks: UDAAP, fair lending, National Mortgage Settlement Act, enforcement action, social media, information asymmetry
Implications for the enterprise: civil money penalties, headline news, stock downgrades, re-classifying loans to nonaccruing, limits on dividend payments, hold on M&A, consumer expectations regarding real-time responses, inconsistent data taxonomy
Implications for the Enterprise (continued)
Threats: strategic costs, operational costs
Risks: credit losses, late projects, weak/anemic loan demand, vendor management, inadequate documentation, information security
Implications for the enterprise: insufficient tier one capital, loss of competitive edge, de-risking the portfolio to re-set the product portfolio, risk assessments and oversight, loan buy-backs and hold for servicing, maintaining trust
Confluence of Operational Risk and Reputational Risk in a Social World
One reflects on the other.
(Diagram) Social media touches the Chief Marketing Officer, Chief Risk Officer and Chief Communications Officer, and the marketing, sales, customer service, HR and risk management functions; the response is convergence, integration and analysis.
Operational Losses: Bigger than Your Calculations
(Diagram) One operational loss incident meets: 5.6 Bn personal communication devices; 2 Bn people connected to the internet; 3 Tr interconnected intelligent devices; 2.9 Mn emails every second; 20 hrs of YouTube video uploaded per minute; 50 Mn tweets per day; 700 Bn minutes on Facebook per month; 375 MB of household data consumption per day.
This implies:
Word will spread: organizations can no longer hide
Losses will spill over: reputational impact on future business
Incidents will be forever: loss incidents will live on forever
How Well Do Organizations Manage These Risks?
(Chart) Source: PWC Survey Report 2012, State of Internal Audit
How to address challenges and add value?
Importance of IA's contribution to monitoring risks
(Chart) Source: PWC Survey Report 2012, State of Internal Audit
Risks that receive less attention from internal audit
(Chart) Source: PWC Survey Report 2012, State of Internal Audit
Risk areas in which stakeholders and CAEs want/plan to add internal audit capabilities
(Chart) Source: PWC Survey Report 2012, State of Internal Audit
Risk-Driven Internal Audit System
Helps align audits with risks and organizational goals
Helps identify critical areas
Integrate Activities with Others
Transcend organizational silos and establish integrated audit management
Help align audits with risks and organizational goals
Help identify all issues, internal as well as external, such as issues related to compliance reporting, regulations, self-assessments, etc.
Enhance collaboration with other assurance functions and senior management
Cross-Organizational GRC Platform
Develop a common risk & business framework for cross-organizational alignment
Leverage cross-organization governance, risk & compliance activities
Identify & mitigate issues across the organization (regulatory, compliance, etc.)
(Diagram) Modules on the platform: internal audits, enterprise risk, operational risk, corporate compliance, issue tracking & resolution, IT audits, SOX, policy management, fraud and others, all sharing a common library of organizations, processes, controls, risks and tests.
Communicate Clearly: Specify & Simplify the Facts
Adopt a highly structured & standardized method of reporting audit results
Reports should highlight critical information across the organization
Reports should provide valuable risk insights and intelligence
Reports should provide top-level visibility for CAEs, highlighting key risk areas
The decision-making process should be streamlined and real-time, based on hard facts and data
How Technology Can Help
Technology Strategy
(Diagram) A maturity path plotted against risk effectiveness: from decentralized point solutions, to workflow-based solutions with a reusable library of risks and controls and a centralized repository, to a unified risk program with centralized visibility and broad communication across the company.
Universal and Consistent Information Model
Comprehensive definition of risk, relating it to business growth and profitability
(Diagram) The model links board directives, corporate governance and organizational structure to business objectives (growth, profitability, market share, reputation, services quality), areas of compliance (FSA, FINRA, PCI, ISO, SOX), functions (IT, treasury, lending, sales, marketing), processes, risks (operational risk, IT risk) and controls. References attach to these elements: policies/documents (regulations, standards, policies, procedures, work instructions), risk assessments (risk-based, requirement-based, business unit-based) and issues (action plan, implement, monitor).
Information Model Supports the Audit Planning Process
(Diagram) Risks from the risk library are mapped to auditable entities (business units, processes, policies, sites) to form the audit universe; key risks drive the annual audit plan, in which each audit project is tied to the risks it covers. A template repository supplies each audit project with a work program template, checklists, questionnaires, control test plans, tasks & milestones, work paper documents, workflows, emails & alerts, and draft & final reports.
Manage the Complete Audit Lifecycle
Perform all types of audit-related activity on a single integrated platform
Project management: active resource management, calendar control, milestone tracking
Enable a targeted, risk-based audit with consistent analysis & assessment of risks
Eliminate errors & inconsistencies through standardized data collection
Powerful reporting and analytics for real-time visibility
Improve overall efficiency and productivity
Things to Look for: Your Audit Infrastructure Must
Align business focus on the right set of business risks
Provide an integrated framework to collate crucial information
Ensure optimal resource utilization and effectiveness
Simplify compliance with embedded regulatory content & standards
Provide real-time business intelligence and risk insights
Increase collaboration across the enterprise
Respond to change quickly
Better justify & manage costs
Succeeding in a Risk-Focused Environment
Common information model leverages business line risk assessments (multiple sites, regulations, functions)
Collaboration driven
Standardized data collection to eliminate errors and inconsistencies
Manage compliance, risk and audits as a central function
Integrated and real-time information flow, leveraging internal and external sources
Decision making and performance management: easy access to analytics with minimal manual work
Tied to closed-loop remediation and corrective-action processes
Seamless integration between compliance, risk and audit processes
Risk Monitoring and Reporting at Sterling Bank*
Committees review their risks and KRIs according to a defined review schedule and report on actions taken to mitigate high residual risks
ECER reviews key residual risks and action plans
Board committee receives business risk reports
(Diagram) Committees: Credit and Risk Committee, Executive Credit & Risk Committee, Audit Committee (monitors legal risk), Governance and Compensation Committee
*Used with permission
About MetricStream
Vision: Integrated Governance, Risk & Compliance (GRC) for better business performance
Solutions: audit management, risk management, corporate and supplier governance, regulatory and operational compliance, quality management
Partners: Big 4 (KPMG, PWC, Deloitte, E&Y); system integration firms such as Tata Consultancy and TBD Networks; associations (SIFMA, IIA, GARP, RMA, NACD) and policy makers
Governance: Kleiner Perkins Caufield & Byers (Google, Amazon, Cisco, Genentech); Integral Capital Partners; 650+ employees with strong growth (60% year-on-year)
Differentiators: technology (Enterprise GRC Platform); breadth of solutions (single vendor for all GRC needs); cross-industry best practices and domain knowledge; ComplianceOnline.com, the largest GRC portal on the web; GRC consulting & advisory services
Thank You
Susan Palm
Vice President, Industry Solutions
MetricStream, Inc.
spalm@metricstream.com