Risk Management and the Internal Audit profession Two sides of the same coin? 30 th September 2015


Risk Management and the Internal Audit profession: Two sides of the same coin?

Mike Wilson, Partner. M: 07557564333. E: Michael.wilson2@kpmg.co.uk
Sam Arshad, Director. M: +44 7747 532 970. E: sameena.arshad@kpmg.co.uk

Agenda

Definitions:
- Risk management;
- Internal Audit; and
- "Two sides of the same coin".

Roles and responsibilities:
- Risk governance: three lines of defence; and
- Potential roles of Internal Audit.

Emerging themes:
- Leading practices in Governance, Risk and Compliance;
- Risk management trends; and
- UK Corporate Governance Code update.

Definition of Risk Management

Risk management (taken from the Institute of Risk Management):
- Risk is part of life. Avoiding all risk would result in no achievement, no progress and no reward.
- Risk is the combination of the probability of an event and its consequence. Consequences can range from to
- Risks: strategic, tactical and operational.
- Risk management includes an assessment of the relative priority of risks and a rigorous approach to monitoring and controlling them.
- To be effective, risk management must be proportionate to the size and nature of the organisation.

Definition of Internal Audit

Definition of internal auditing (Institute of Internal Auditors):
- Independent, objective assurance.
- A systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

Definition of "Two sides of the same coin"

If two things are two sides of the same coin, they are very closely related although they seem different: "Violent behaviour and deep insecurity are often two sides of the same coin."

Risk Governance: Three lines of defence

Third line of defence: assurance providers (risk process and content monitoring)
- Liaise with senior management and/or the board;
- Rationalise and systematise risk assessment and governance reporting;
- Provide oversight; and
- Provide assurance that risk-management processes are adequate and appropriate.

Second line of defence: standard setters for the first line (risk process accountability)
- Establish policy and process for risk management;
- Act as the strategic link for the enterprise in terms of risk;
- Provide guidance and coordination;
- Identify enterprise trends, synergies and opportunities for change;
- Liaise between the third line of defence and the first line of defence; and
- Provide oversight over certain risk areas (e.g. credit, market) and certain enterprise objectives (e.g. compliance with regulation).

First line of defence: business owners of risk management, control and compliance (risk content accountability)
- Manage risks and implement actions to manage and treat risk;
- Comply with the risk-management process;
- Implement risk-management processes where applicable; and
- Execute risk assessments and identify emerging risk.

Potential roles of Internal Audit

Potential roles for Internal Audit, spanning core assurance (value preservation) through to consultancy (value creation):
- Effectiveness and efficiency of controls;
- Compliance with laws and regulations;
- Compliance with policies and procedures;
- Effectiveness of policies and procedures;
- Adequacy of response to new and emerging risks;
- Business performance;
- Strategic support; and
- Shaping the future.

Drivers of the role of Internal Audit (rated low to high):
- Maturity of controls and of the control environment;
- Maturity of risk management processes; and
- Role and existence of other assurance activities.

Other considerations:
- Degree of independence of Internal Audit from the business; and
- How much is budgeted, and where the priorities lie.

Leading Practices in Governance, Risk & Compliance (GRC)

Effectiveness

Current state:
- Blurring of risk and control responsibilities between the 1st Line and the risk and compliance functions (2nd Line);
- Limited risk awareness at the 1st Line; low risk and control experience;
- Risk and compliance skills pertaining to new regulations are limited or unavailable; and
- Inconsistent quality of control testing and test result documentation limits leverage.

Future state: maintaining EFFECTIVENESS by applying the Three Lines of Defense to clarify roles and responsibilities, closing the skills gap, and establishing Centers of Excellence for consistency and quality:
- Three Lines of Defense;
- Control Testing, e.g. development of test scripts, scheduling of testing, conducting tests of controls, exception analysis, documentation of test results, etc.; and
- Skills & Learning Development Center, e.g. skills tracking, skills database maintenance, facilitating development of the risk and compliance curriculum, delivery of risk and compliance training, etc.

Efficiency

Current state:
- Risk and compliance touch points lack coordination and planning;
- Limited linkage of issues repositories and databases;
- Lack of leveraging of work among risk and compliance functions due to timing; and
- Risk and compliance skills and knowledge are not tracked, corroborated (tested) and documented.

Future state: improving EFFICIENCY of risk and compliance processes via Centers of Excellence, streamlined to help alleviate the burden on BUs and allow focus on core responsibilities:
- Knowledge & Data/Issues Management Center, e.g. execution and distribution of knowledge, provision of a standards and guidance framework, methodology, policies, taxonomy reference, escalation rules, data repository/warehouse; and
- Master Calendar Planning Center, e.g. coordination of risk and compliance calendars for risk assessment and controls testing to streamline touch points at the 1st Line, establishment of a Master Calendar Plan taking into account critical paths and minimum requirements, etc.

Trends in Risk Management

From ... towards ...:
- From a governance and compliance perspective towards a strategy and performance perspective;
- From a focus on risk categories towards a focus on value chains (what is at risk);
- From single risks towards an interconnected view;
- From within-financial-year impact on liquidity and solvency towards multi-year impact on viability; and
- From hard controls (policy, process, sanctions) towards people-based controls (behaviours).

Trends in Risk Management: Connecting strategy and risk

Innovating and pursuing opportunity while balancing upside and downside.

[Diagram linking strategy to risk. Financial performance targets: growth, profitability, liquidity, leverage. Risks to strategy: markets, acquisitions, pricing, new markets, new products, business model. Value-chain layers: propositions and brands; clients and channels; operating model (cost); core business processes; operational and technology infrastructure; organisational structure, governance, risk and controls; people and culture; measures and incentives. External and internal risks: natural hazards, commodity prices, geopolitical events, cyber attack, regulatory violations, quality issues, technology and data events, product shortages.]

The focus of the majority of today's risk investments and programmes is value preservation, not value creation.

Trends in Risk Management: Understanding systemic risks

[Figure: a traditional risk map contrasted with an inter-connected view of the same risks.]

Trends in Risk Management: Risk Culture

KPMG's ERM framework and KPMG's Risk Culture Framework. Cultural drivers and the questions each raises:

Knowledge & Understanding
- Clarity: Are rules, (risk) policies and procedures accurate, concrete and complete, and do employees understand what is expected?
- Visibility: Is the behaviour of staff consistent with the intended practices described in the policies and procedures?

Belief & Commitment
- Involvement: Do employees feel accountable for the proper use of risk policies and take ownership of the strategy of the organisation?
- Role modelling: Does management lead by example and display the behaviours that support risk-based decision-making?

Competencies & Context
- Practicability: Do the organisation's targets correspond to the risk appetite and overall risk strategy, and are employees enabled to do what is requested of them in terms of managing risks?
- Openness: Is it normal to discuss risks, and is there an atmosphere of both challenge and mutual respect?

Action & Determination
- Enforcement: Are employees rewarded for responsible behaviour, and is irresponsible behaviour disciplined?
- Improvement: Are incidents and near misses evaluated to determine potential risks, and do employees feel they learn from their mistakes?

UK Corporate Governance Code Update

Highlights. Key revisions covering:
- Risk management and internal control;
- Directors' remuneration; and
- Shareholder engagement.

New Guidance on Risk Management, Internal Control and Related Financial and Business Reporting (formerly the Turnbull Guidance). Applicable for periods beginning on or after 1 October 2014.

UK Corporate Governance Code Update (cont.)

Risk management and internal control. The Code requires:
- A robust assessment of the principal risks facing the company; and
- Explicit disclosure of how they are being managed or mitigated.

C.2.1: "The directors should confirm in the annual report that they have carried out a robust assessment of the principal risks facing the company, including those that would threaten its business model, future performance, solvency or liquidity. The directors should describe those risks and explain how they are being managed or mitigated."

There is an expectation that the board monitors and reviews risk management and internal control systems on an ongoing basis.

C.2.3: "The board should monitor the company's risk management and internal control systems and, at least annually, carry out a review of their effectiveness, and report on that review in the annual report. The monitoring and review should cover all material controls, including financial, operational and compliance controls."

Paragraph 40: "Regular reports to the board should provide a balanced assessment of the risks and the effectiveness of the systems of risk management and internal control in managing those risks. The board should form its own view on effectiveness, based on the evidence it obtains, exercising the standard of care generally applicable to directors in the exercise of their duties."

Key questions:
- What constitutes a robust assessment, and what evidence will the directors need to support their statement?
- Does the principal risks disclosure need reassessing? Are they the right risks?
- Are the disclosures relating to the management and mitigation of the principal risks meaningful?
- Does the board need to reassess the scope, frequency of reporting and assurance required?
- Does the board have visibility over the full universe of risk and all material controls, including financial, operational and compliance?

WHAT IS THE ROLE OF INTERNAL AUDIT? WHAT IS THE ROLE OF RISK?

Risk management and the Internal Audit profession: Two sides of the same coin? AGREE? DISAGREE?

Thank you

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. 2015 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International.