Risk Management and the Internal Audit profession: Two sides of the same coin?
30th September 2015
Presenters
Mike Wilson, Partner. M: 07557564333. E: Michael.wilson2@kpmg.co.uk
Sam Arshad, Director. M: +44 7747 532 970. E: sameena.arshad@kpmg.co.uk

Agenda
Definitions
- Risk management;
- Internal Audit; and
- Two sides of the same coin.
Roles and responsibilities
- Risk governance: three lines of defence; and
- Potential roles of Internal Audit.
Emerging themes
- Leading practices in Governance, Risk and Compliance;
- Risk management trends; and
- UK Corporate Governance Code update.
Definition of Risk Management
Risk management (definition taken from the Institute of Risk Management):
- Risk is part of life. Avoiding all risk would result in no achievement, no progress and no reward.
- Risk is the combination of the probability of an event and its consequence. Consequences can range from to
- Risks: strategic, tactical and operational.
- Risk management includes an assessment of the relative priority of risks and a rigorous approach to monitoring and controlling them.
- To be effective, risk management must be proportionate to the size and nature of an organisation.
Definition of Internal Audit
Definition of internal auditing (Institute of Internal Audit):
- Independent, objective assurance.
- A systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
Definition of "Two sides of the same coin"
If two things are two sides of the same coin, they are very closely related although they seem different: "Violent behaviour and deep insecurity are often two sides of the same coin."
Risk Governance: Three lines of defence

First line of defence: business owners of risk management, control and compliance (risk content accountability)
- Manage risks and implement actions to manage and treat risk;
- Comply with the risk-management process;
- Implement risk-management processes where applicable; and
- Execute risk assessments and identify emerging risk.

Second line of defence: standard setters for the first line (risk process accountability)
- Establish policy and process for risk management;
- Strategic link for the enterprise in terms of risk;
- Provide guidance and coordination;
- Identify enterprise trends, synergies and opportunities for change;
- Liaison between the third line of defence and the first line of defence; and
- Oversight over certain risk areas (e.g. credit, market) and over certain enterprise objectives (e.g. compliance with regulation).

Third line of defence: assurance providers (risk process and content monitoring)
- Liaise with senior management and/or the board;
- Rationalise and systematise risk assessment and governance reporting;
- Provide oversight; and
- Provide assurance that risk-management processes are adequate and appropriate.
Potential roles of Internal Audit
Potential roles for Internal Audit, on a spectrum from core assurance (value preservation) to consultancy (value creation):
- Effectiveness and efficiency of controls
- Adequacy of response to new/emerging risks
- Effectiveness of policies & procedures
- Business performance
- Compliance with laws and regulations
- Shaping the future
- Compliance with policies & procedures
- Strategic support

Drivers of the role of Internal Audit (rated low to high):
- Maturity of controls/environment
- Maturity of risk management processes
- Role/existence of other assurance activities

Other considerations:
- Degree of independence of Internal Audit from the business
- How much is budgeted, and where the priorities lie
Leading Practices in Governance, Risk & Compliance (GRC)

Effectiveness
Current state:
- Blurring of risk and control responsibilities between the 1st Line and the risk and compliance functions (2nd Line)
- Limited risk awareness at the 1st Line; low risk/control experience
- Risk and compliance skills pertaining to new regulations are limited/unavailable
- Inconsistent quality of control testing and test result documentation limits leverage
Future state: maintaining EFFECTIVENESS by applying Three Lines of Defense to clarify roles/responsibilities, closing the skills gap, and establishing Centers of Excellence for consistency and quality:
- Three Lines of Defense
- Control Testing, e.g. development of test scripts, scheduling of testing, conducting tests of controls, exception analysis, documentation of test results, etc.
- Skills & Learning Development Center, e.g. skills tracking, skills database maintenance, facilitating development of a risk and compliance curriculum, delivery of risk and compliance training, etc.

Efficiency
Current state:
- Risk and compliance touch points lack coordination and planning
- Limited linkage of issues repositories/databases
- Lack of leveraging of work among risk and compliance functions due to timing
- Risk and compliance skills and knowledge are not tracked, corroborated (tested) and documented
Future state: improving EFFICIENCY of risk and compliance processes via Centers of Excellence, streamlined to help alleviate the burden on BUs and allow focus on core responsibilities:
- Knowledge & Data/Issues Management Center, e.g. execution and distribution of knowledge, provision of a standards and guidance framework, methodology, policies taxonomy reference, escalation rules, data repository/warehouse
- Master Calendar Planning Center, e.g. coordination of risk and compliance calendars for risk assessment and controls testing to streamline touch points at the 1st Line, establishment of a Master Calendar Plan taking into account critical paths and minimum requirements, etc.
Trends in Risk Management
From (governance and compliance perspective) -> Towards (strategy and performance perspective):
- Focused on risk categories -> Focused on value chains: what is at risk
- Single risks -> Interconnected view
- Within-FY impact on liquidity and solvency -> Multi-year impact on viability
- Hard controls (policy, process, sanctions) -> People-based controls (behaviours)
Trends in Risk Management: Connecting strategy and risk
Innovating and pursuing opportunity while balancing upside and downside.
- Financial performance targets: growth, profitability, liquidity, leverage.
- Risks to strategy: markets, acquisitions, pricing, new markets, new products, business model.
- Business areas: propositions and brands; clients and channels; operating model cost; core business processes; operational & technology infrastructure; organisational structure, governance, risk & controls; people and culture; measures and incentives.
- External and internal risks: natural hazards, commodity prices, geopolitical events, cyber attack, regulatory violations, quality issues, technology and data events, product shortages.
The focus of the majority of today's risk investments and programmes is value preservation, not value creation.
Trends in Risk Management: Understanding systemic risks
[Figure: traditional risk map versus inter-connected view]
Trends in Risk Management: Risk Culture
KPMG's ERM framework and KPMG's Risk Culture Framework. Cultural drivers:

Knowledge & Understanding
- Clarity: Are rules, (risk) policies and procedures accurate, concrete and complete, and do employees understand what is expected?
- Visibility: Is the behaviour of staff consistent with the intended practices described in the policy and procedure?

Belief & Commitment
- Involvement: Do employees feel accountable for the proper use of risk policies and take ownership of the strategy of the organisation?
- Role modelling: Does management lead by example and display the behaviours that support risk-based decision-making?

Competencies & Context
- Practicability: Do the organisation's targets correspond to the risk appetite and overall risk strategy, and are employees enabled to do what is requested of them in terms of managing risks?
- Openness: Is it normal to discuss risks, and is there an atmosphere of both challenge and mutual respect?

Action & Determination
- Enforcement: Are employees rewarded for responsible behaviour, and is irresponsible behaviour disciplined?
- Improvement: Are incidents and near misses evaluated to determine potential risks, and do employees feel they learn from their mistakes?
UK Corporate Governance Code Update: Highlights
Key revisions covering:
- Risk management and internal control;
- Directors' remuneration; and
- Shareholder engagement.
New Guidance on Risk Management, Internal Control and Related Financial and Business Reporting (formerly the Turnbull Guidance). Applicable for periods beginning on or after 1 October 2014.
UK Corporate Governance Code Update (cont.)
Risk management and internal control
- A robust assessment of the principal risks facing the company; and
- Explicit disclosure of how they are being managed or mitigated.

C.2.1: "The directors should confirm in the annual report that they have carried out a robust assessment of the principal risks facing the company, including those that would threaten its business model, future performance, solvency or liquidity. The directors should describe those risks and explain how they are being managed or mitigated."

Expectation that the board monitors and reviews risk management and internal control systems on an ongoing basis.

C.2.3: "The board should monitor the company's risk management and internal control systems and, at least annually, carry out a review of their effectiveness, and report on that review in the annual report. The monitoring and review should cover all material controls, including financial, operational and compliance controls."

Paragraph 40: "Regular reports to the board should provide a balanced assessment of the risks and the effectiveness of the systems of risk management and internal control in managing those risks. The board should form its own view on effectiveness, based on the evidence it obtains, exercising the standard of care generally applicable to directors in the exercise of their duties."

Key questions:
- What constitutes a robust assessment, and what evidence will the directors need to support their statement?
- Does the principal risks disclosure need reassessing? Are they the right risks?
- Are the disclosures relating to the management and mitigation of the principal risks meaningful?
- Does the board need to reassess the scope, frequency of reporting and assurance required?
- Does the board have visibility over the full universe of risk and all material controls, including financial, operational and compliance?

WHAT IS THE ROLE OF INTERNAL AUDIT? WHAT IS THE ROLE OF RISK?
Risk management and the Internal Audit profession: two sides of the same coin.
AGREE? DISAGREE?
Thank you
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
2015 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International.