The Role of Internal Audit & Audit Committee in ERM Dr Howard Haughton Holistic Risk Solutions Limited
Rough TOC • What is ERM • ERM Cliff • Role of Internal Audit in ERM • Ultimate responsibility for ERM • Audit failures? • Common audit mistakes • Threats/opportunities for IA • Priorities for IA • Role of Audit Committee (AC) in ERM
What is ERM • CAS –Casualty Actuarial Society defines ERM as: • “ERM is the discipline by which an organization in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organization’s short and long-term value to its stakeholders”.
COSO view of ERM • COSO – Committee of Sponsoring Organizations of the Treadway Commission: • “Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
ISO 31000 • This is a standard from the ISO regarding principles for the management of risk • There is no precise definition of ERM given but in a sister document “ISO Guide 73” risk is defined as: • “effect of uncertainty on objectives”
Could this be closer to a better definition? ERM is the framework by which companies identify, measure, manage, and disclose all key risks to increase value to primary stakeholders while satisfying other stakeholders.
What can we learn from definitions • Definitions largely emerge to suit the interests of the organizations issuing them and, often, result in a sub-optimal understanding of the inherent issues underlying ERM
ERM Cliff You have probably heard of the “Fiscal Cliff” as it relates to the US economy; well, the notion of an “ERM Cliff” exists until a commonly accepted standard prevails for the definition of ERM
Role of Internal Audit in ERM • Based on a position paper of the Institute of Internal Auditors (IIA) to its members (in 2004), the IIA has identified various roles for Internal Audit in ERM. • I classify these roles as the Good, the Bad and the Ugly!
The Good: core internal auditing roles in regard to ERM • Giving assurance on risk management processes. • Giving assurance that risks are correctly evaluated. • Evaluating risk management processes. • Evaluating the reporting of key risks. • Reviewing the management of key risks.
The Bad: legitimate internal auditing roles with safeguards • Facilitating identification and evaluation of risks. • Coaching management in responding to risks. • Coordinating ERM activities. • Consolidating the reporting on risks. • Maintaining and developing the ERM framework. • Championing establishment of ERM. • Developing risk management strategy for board approval.
The Ugly: roles internal auditing should NOT undertake • Setting the risk appetite. • Imposing risk management processes. • Management assurance on risks. • Taking decisions on risk responses. • Implementing risk responses on management's behalf. • Accountability for risk management.
Overarching considerations • The considerations the Chief Audit Executive (CAE) should factor in when deciding which role to play include: • Whether the activity raises any threats to the internal auditors’ independence and objectivity • Whether it is likely to improve the organization’s risk management, control and governance processes.
Ultimate responsibility for ERM • The Board is ultimately responsible for the effective implementation and management of ERM within an institution. • The act of implementing and managing can be delegated but the responsibility cannot. • There are numerous examples where failures in risk management have, however, resulted in “delegated accountability”
Back to basics • What is the role of internal audit in general? • The provision of independent advice by an entity that can challenge management, recommend improvements, provide quality assurance with a view towards ensuring an organization can achieve its strategic and other objectives.
Well known failures • Barclays • Barclays bank has agreed to pay $453 million USD in penalties to settle charges by U.S. and UK regulators that its employees manipulated LIBOR. • It appears that Internal Audit failed to assure that the Compliance department was actively monitoring for such a situation. • Barclays has said the LIBOR incident was due to rogue traders.
Well known failures continued • Societe Generale • In January 2008 a “rogue” trader, Jerome Kerviel, was accused of fraud which resulted in the firm losing around $6.7 billion USD. • In May 2008 Internal Audit published a report stating that controls had been defective for the last 2 years and acknowledging that the bank had failed to follow up on 74 internal trading alerts since mid-2006.
Some common audit mistakes • Not carefully planning the amount of time required for the audit…hey, we do this every year. It took around x weeks last year so this year should be the same. • Trying to cram too much into one audit…you know we can’t afford to go back to the business and tell them that we will be doing another review two weeks after this one, so we should just cram that other one into this review.
Common mistakes continued • Failing to ensure competency of staff…you know the Audit Committee agreed with the CEO on a freeze on recruitment of specialist staff for our team…I guess we’ll have to wing it again. • Failing to ensure that recommendations add value…it’s them versus us, guys…we have to justify our existence…let’s hit them where it hurts with these recommendations.
Final common mistake • Failing to provide risk-based audits…you know what? It’s that time of the year again for that XYZ review…let’s just pull out last year’s report and focus on those issues.
A few words on risk-based audit • This will be a culture shock to some internal auditors…we have always done it this way…why change? • Organizations benefit more from event-based than timing-based review…look to the KPIs, not the calendar, when planning reviews
Threat from ERM for IA • IA could be held much more accountable if control weaknesses persist • Since the use of technology and dashboard views provides a more real-time and informed view of risk, there might be less reliance on IA to update management on issues. • Danger of becoming part of the control (rather than reviewing the controls) if ERM is “championed” by IA • If the third of these occurs then an additional threat could come from the Risk Management function regarding “ownership” of risk management.
Opportunities for IA from ERM • A real-time or near-real-time view of risk provided via “ERM systems” gives IA the opportunity to update their review plans and audits more regularly. • Facilitates risk-based audit reviews, focusing on areas not just of stated importance but of emergent importance based on the control environment. • Reduces the time to complete audits, as much of the “information discovery process” could be provided by ERM systems prior to reviews • More assurance that risk reviews will be objective and/or fair.
Priorities for IA • Based on an Ernst & Young report (conducted by Forbes Insight as part of a global survey) (January 2012), the top 5 improvement priorities for IA include: • Improving the risk assessment process • Enhancing the ability to monitor emerging risks • Becoming more relevant to achieving the organization’s business objectives • Reducing overall internal audit function costs without compromising risk coverage • Identifying opportunities for cost savings in the business
ERM Cliff? Are the issues posed by ERM an “ERM Cliff” or an opportunity for IA professionals to take advantage of and jump in feet first?
Role of the Audit Committee in ERM • The audit committee’s responsibility for ERM should be reflected in its charter. • Most audit committee members are aware of their responsibilities as they relate to ensuring the adequacy of controls for financial risks but may be less clear as to what to do for non-financial risks. • Be trained in ERM: audit committee members should receive training in non-financial risks, the interrelationships between risk silos and hence how effective ERM should be managed.
Role of Audit Committee cont’d. • Ensuring alignment between business strategy and ERM • The AC should review strategic plans to ascertain whether ERM risks have been factored into plans and that both the board and senior management are aware of risks and have adequate controls in place • Contributing towards establishment/refinement of risk tolerance • The AC should ensure that a company’s tolerance limits for risk are documented and implemented. Note that tolerance implies an interval (not a single point estimate); • The AC should have some assurance that management have a well articulated policy relating to ERM and its objectives for the firm.
Structure & accountability • The AC must be assured that management has sufficiently defined levels of accountability for the identification, assessment and management of risk. • The AC must ensure that all relevant silos of risk are being analysed by each responsible staff/management level in the firm, and not just those that people are familiar with. • The AC must comment on the adequacy of the form and substance of board and senior management risk committees and whether they are effective in managing risk.
Risk identification & Assessment • The AC should closely monitor the risk register, which logs details as to the types and nature of risks that have occurred in the firm. • The AC should ensure that the process for identifying risks to be logged in the risk register is based on a structured method providing a holistic view of the risks faced by the firm.
What is a risk register? • The register is a tool for managing and monitoring risk on a continuing basis. The register can be thought of as a database where the entries correspond to the risks inherent in a particular business activity. One can think of inherent risk here as being any failure (of an internal or external nature) of systems, people and/or processes that directly affects the outcomes of the business activity • Once the inherent risks are identified, risk assessment is used as a means of determining (given the set of current controls) any residual risks
Inherent risk details • An identifying number; • A brief description of the risk event; • An outline of the controls in place; • An analysis of the likelihood and potential severity of the risk, given the controls; • An evaluation of the importance (of the risk) to the organization, expressed as an agreed priority; • The level of the risk if the controls do not work as intended (i.e. probability and severity). This can be likened to the risk without controls; • Mapping of the risk to one of the seven event types listed by the Basel II standards;
Inherent risk details cont’d. • The designated individual with overall responsibility for the risk. In fact, at each level of an organization staff should be assigned to maintain the risk register relevant to the area for which they are responsible; • A summary of the actions to be taken to control the risk; • The current status of the actions; • Date of entry of the risk; • Latest revision date; • Reasons for the revision; • Name of revision editor
Effectiveness of controls • The AC should ensure that controls are “tested” for effectiveness. • Here the AC should focus on what-if type of scenarios to determine the robustness of controls. That is, do controls need to change for slight (or major) modifications of risk? • Testing effectiveness might be easier to perform for finance & operational than for strategic/reputational risks as these latter tend to have wide and more vague outcomes.
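The register fields listed above and the “what-if” testing of controls can be put together in a small model. The following is an added example written for this page, not code from the presentation or from Holistic Risk Solutions; the 1–5 likelihood/severity scale, the priority thresholds, the per-control reductions and the two sample entries are assumptions constructed for illustration. The seven event types are the Basel II operational-risk categories the slides refer to.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class BaselEventType(Enum):
    """The seven Basel II operational-risk event types each register entry maps to."""
    INTERNAL_FRAUD = "Internal fraud"
    EXTERNAL_FRAUD = "External fraud"
    EMPLOYMENT_PRACTICES = "Employment practices and workplace safety"
    CLIENTS_PRODUCTS = "Clients, products and business practices"
    PHYSICAL_ASSETS = "Damage to physical assets"
    BUSINESS_DISRUPTION = "Business disruption and system failures"
    EXECUTION_DELIVERY = "Execution, delivery and process management"


@dataclass
class Control:
    name: str
    likelihood_reduction: int  # scale points removed when the control works as intended (assumed model)
    severity_reduction: int


@dataclass
class Revision:
    on: date
    editor: str
    reason: str


def _clamp(x: int) -> int:
    """Keep a rating on the assumed 1..5 scale."""
    return max(1, min(5, x))


@dataclass
class RiskEntry:
    risk_id: str
    description: str
    event_type: BaselEventType
    owner: str                 # designated individual with overall responsibility
    inherent_likelihood: int   # 1..5, the level of risk if no control works
    inherent_severity: int     # 1..5
    entered: date
    controls: list[Control] = field(default_factory=list)
    actions: list[str] = field(default_factory=list)
    action_status: str = "open"
    revisions: list[Revision] = field(default_factory=list)

    def inherent_score(self) -> int:
        return self.inherent_likelihood * self.inherent_severity

    def residual_rating(self, failed: frozenset = frozenset()) -> tuple:
        """Likelihood and severity given the controls, excluding any named in `failed`."""
        working = [c for c in self.controls if c.name not in failed]
        lik = _clamp(self.inherent_likelihood - sum(c.likelihood_reduction for c in working))
        sev = _clamp(self.inherent_severity - sum(c.severity_reduction for c in working))
        return lik, sev

    def residual_score(self, failed: frozenset = frozenset()) -> int:
        lik, sev = self.residual_rating(failed)
        return lik * sev

    def priority(self, failed: frozenset = frozenset()) -> str:
        """Agreed priority; thresholds are an assumption for this example."""
        score = self.residual_score(failed)
        return "high" if score >= 15 else "medium" if score >= 8 else "low"

    def latest_revision(self) -> date:
        return max((r.on for r in self.revisions), default=self.entered)


def what_if_control_fails(entry: RiskEntry) -> dict:
    """Residual score if each control, taken alone, does not work as intended."""
    return {c.name: entry.residual_score(frozenset({c.name})) for c in entry.controls}


def revise(entry: RiskEntry, on: date, editor: str, reason: str, **changes) -> None:
    """Apply field changes and record who revised the entry, when and why."""
    for name, value in changes.items():
        if not hasattr(entry, name):
            raise AttributeError(f"unknown register field: {name}")
        setattr(entry, name, value)
    entry.revisions.append(Revision(on, editor, reason))


def rank_register(register: list) -> list:
    """Order entries so the audit plan starts with the largest residual risk."""
    return sorted(register, key=lambda e: e.residual_score(), reverse=True)


# Constructed sample entries, not real register data.
SAMPLE_REGISTER = [
    RiskEntry("OR-017", "Trader builds positions beyond approved limits",
              BaselEventType.INTERNAL_FRAUD, "Head of Trading", 4, 5, date(2012, 1, 9),
              controls=[Control("Daily position reconciliation", 2, 1),
                        Control("Independent limit monitoring", 1, 2)],
              actions=["Follow up every limit-breach alert within one business day"]),
    RiskEntry("OR-042", "Core settlement system outage during batch window",
              BaselEventType.BUSINESS_DISRUPTION, "Head of Operations", 3, 4, date(2012, 1, 9),
              controls=[Control("Warm standby site", 0, 2)]),
]

if __name__ == "__main__":
    for e in rank_register(SAMPLE_REGISTER):
        print(e.risk_id, e.residual_score(), e.priority(), what_if_control_fails(e))
```

The point for the audit committee is the `what_if_control_fails` view: OR-017 looks “low” with both controls working, but if reconciliation alone stops working it moves to “medium”, so the register should surface control fragility, not just the current residual figure.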
Measuring and monitoring • The AC should not only ensure that management has appropriate key performance indicators for measuring the quality of controls (or risk impacts) but should develop its own. • Internal audits should be driven by risk measures (state of KPIs, risk database etc.); • The AC should be able to suggest to management (based on IA’s assessment of the adequacy of “management KPIs”) that such management KPIs be replaced with those devised by IA.
Risk reporting & optimization • The AC should provide input into determining the types of reports the board should view as they relate to risk reporting. • Such reports (dashboards) should provide summary information on key risk characteristics; • Present the results of what-if type analysis along with an assessment of the adequacy of controls. • The AC should ensure that management is able to use the outputs of ERM reports to drive the process of “portfolio optimization”. Here the term portfolio is taken to mean the diverse business activities of a firm, and optimization serves to determine the optimal risk/reward payoff.
General AC ERM checklist • Ensure ERM is always on the board agenda at meetings • Ensure all board members are trained in ERM, not just those who are part of specialist groups like the board risk committee • Ensure that IA has the staffing required to provide effective risk control for ERM • Ensure that management has a proper governance and accountability structure for the process of risk management • Ensure that a common language, culture and approach towards ERM is being adopted by all business silos • Ensure that ERM is intertwined with all business decisions