GRC Examples

Advisory

[Date] This report contains 15 pages


© [year] [legal member firm name], a [jurisdiction] [legal structure] and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Printed in [country in which the publication has been printed].

Table of Contents

I. Example Guiding Principles

II. Three Lines of Defense

III. Example Taxonomy

IV. Example Attribute Matrix for Risk Assessment

V. Example Flowchart Process Documentation

VI. Example Process Hierarchy

VII. Enterprise Risk Management (ERM) Reporting

VIII. PMO – Example Project Financials Dashboard Used for a Project at [CLIENT NAME]


Example Guiding Principles

Shown below is an example of guiding principles, which have been used as a foundation and applied to a risk and control project.

1. Theme: Common Language
   One view of risk: a common language drives effective risk management actions and decisions.

2. Theme: Risk Content
   Risk information takes into consideration constituencies (e.g., board, management, customers, regulators, rating agencies), aligns strategic objectives and drives business value.


Three Lines of Defense

Shown below are the Three Lines of Defense, which will provide a structure by which to organize the risk management roles and responsibilities of the company.

The first line of defense (risk content ownership) includes the risk owners, who are accountable for managing risk content. The second line of defense (risk process ownership / certain monitoring) includes the standard-setters and manages and provides guidance around the risk management program. The third line of defense (risk process and content monitoring) helps provide assurance over the effectiveness of the risk management process.

First Line of Defense: Business Owners (Risk Content Ownership)
• Manage risks / implement actions to manage and treat risk
• Comply with risk management process
• Implement risk management processes where applicable
• Execute risk assessments and identify emerging risk

Second Line of Defense: Standard Setters (Risk Process Ownership / Certain Monitoring)
• Establish policy and process for risk management
• Strategic link for the enterprise in terms of risk
• Provide guidance and coordination among constituencies
• Identify enterprise trends, synergies, and opportunities for change
• Initiate change, integration, operationalization of new events
• Liaison between third line of defense and first line of defense
• Oversight over certain risk areas (e.g., credit, market) and in terms of certain enterprise objectives (e.g., compliance with regulation)

Third Line of Defense: Assurance Providers (Risk Process and Content Monitoring)
• Liaise with senior management and/or board
• Rationalize and systematize risk assessment and governance reporting
• Provide oversight on risk management content/processes, followed by second line of defense (as practical)
• Provide assurance that risk management processes are adequate and appropriate

Risk Governance


Example Taxonomy

Shown below is an example of a risk taxonomy developed to provide a common language and set of guidelines to help identify and assess risks to the overall risk program.

Example Risk Category: Example Risk Sub-Categories

Operational Risks*: People, process, systems, external events such as privacy, data protection, change management (mgt), document mgt, 3rd party mgt, model risk, and new product risk

Market Risks*: Working capital, liquidity, interest rate

Credit Risks*: Wholesale/Commercial, Retail, Securitization, Trading and Equity

Strategic Risks: Innovation; expansion of business segments; build new business – infrastructure, real estate, globalization and emerging markets

External Environment Risks**: Changes in the business environment/market, competitor activity, international

Governance**: Succession planning, strategic focus, board and/or committee oversight

People Risks**: Talent acquisition and retention, skills, competence, compliance with firm policies/procedures

Legal & Compliance Risks**: SEC (Sarbanes-Oxley, broker-dealer & investment advisor requirements), NYSE, federal and state tax authorities, lobby registration, and consumer compliance

* Basel II Risk Categories
** Operational Risk Sub-Categories


Example Attribute Matrix for Risk Assessment

Shown below is an example attribute matrix used to help rationalize the risk assessments and identify areas for convergence (Pages 1-5).

Columns: No.; Topic; Concept; Function (Internal Audit, SOX, Compliance, Business Continuity); Difference Spectrum.

Objective / Content

1. What is the objective of the risk assessment?
   Internal Audit: To prepare the risk-based internal audit plan that is validated by executive management. The risk-based plan evolves as risks in the organization evolve.
   SOX: The Financial Statements are reviewed to determine which lines should be in scope for the annual SOX Assessment.
   Compliance: Allocate resources appropriately. The risk assessment must address issues that come up in the regulatory environment and reassess the risk level of the overall process in cases where the risks carry over from the prior year. Determine the best cost/benefit approach.
   Business Continuity: Validate recovery priority and dependencies for each business function in the firm.

Audience

2. Primary Audience
   Concept: End deliverable target audience (Board and Management; Audit Committee, etc.)
   Internal Audit: Audit Committee
   SOX: The risk assessment is used by the SOX Group, verified by the Controller and discussed with the external auditor.
   Compliance: Business entities that are exposed to compliance risks; Compliance function and team; Audit Committee.
   Business Continuity: Business Area Continuity Plans; Business Area planners and coordinators; Business Area leadership / EMT; IT Continuity Services (e.g., drives technical recovery priorities)

3. Distribution (secondary audience)
   Concept: Reporting of risk information: (i) Is the RA shared with others? (ii) If so, name the department
   Internal Audit: Management Risk Committee; business owners
   SOX: The RA is primarily used by the Internal Audit Department, but it is shared with the controllers and external auditor for input.
   Compliance: Regulators; business entities that are exposed to compliance risks, usually at the business / process owner level; Management Risk Committee.
   Business Continuity: See above; including Corporate Business Continuity

4. Approver of End Deliverable
   Internal Audit: Audit Committee. Senior management does NOT approve the assessment; they provide input and support only.
   SOX: Validated with Controller and external auditor.
   Compliance: Chief Compliance Officer (CCO)
   Business Continuity: Manager of business function; formal signoff process.

Inputs

5. Parties providing input
   Concept: Parties providing input: (i) Department name / self (ii) Position / level (iii) 3rd party (pls specify)
   Internal Audit: EMT and direct reports. Audit staff talks to middle management to get input on areas that may need to be looked at or to get a better understanding of the business process. Internal audit has their own view on the risks before talking to business leaders.
   SOX: Controllers, external auditors
   Compliance: CCO will provide certain risks that are required objectives for that year; Compliance publications; SEC mandates; results from exams.
   Business Continuity: All business functions in the Firm
   Difference Spectrum: Macro versus Micro. Audit: top-down. Others: ?? (Three lines of defense)

6. Type of Information Collected
   Internal Audit: 1. Company's business plan is presented for the upcoming year. 2. Discussions / interviews on how to achieve business objectives. 3. Concerns on compliance are brought into the discussion. 4. Things that audit is aware of because of experience ("hot spots") are also brought to the discussion.
   SOX: See Risk Assessment previously submitted; lines evaluated on various attributes
   Compliance: Compliance standards may dictate the format and content of deliverables. Information that is needed includes management review, sign-off, and segregation of duties evidence.
   Business Continuity: For each business function: recovery time objective; recovery point objective; dependencies (applications, vendors, locations, number of staff, vital records)

7. Other roles involved in risk assessment process
   Compliance: Outside consultants' work product; audit reports; SOX information
   Business Continuity: See item 3; including Corporate Business Continuity

Process

8. Team / Function / Area being assessed
   Internal Audit: Management Risk Committee and direct reports of business support areas
   SOX: All areas
   Compliance: Depends on the content and the regulatory requirements of the current year. The assessment may cross several business units and levels.
   Business Continuity: All business functions in the Firm
   Difference Spectrum: Macro RA: Audit -- level 2 / 3; Compliance -- level 3 / 4; SOX -- N/A; BCP -- ??. Micro RA: process / function-specific for all. (Three lines of defense)

9. Parties performing risk assessment
   Concept: Parties performing RA: (i) How many members (ii) Their positions / levels (iii) Their roles in RA
   Internal Audit: Each focuses on different business support areas and then they are split by business entities
   SOX: 2 members of Internal Controls perform the Risk Assessment
   Compliance: CCO generally performs the RA
   Business Continuity: Corporate Business Continuity in partnership with Business Continuity Coordinators and planners.
   Difference Spectrum: Range varies from assessment done "internally" (e.g. SOX) to mostly in the business (e.g. Business Continuity). Audit and Compliance are in the middle, with Audit closer to the business than Compliance. (Three lines of defense)

10. Risk Assessment Process
   Concept: How RA is performed: (i) Steps taken (ii) Interviews (iii) Work sessions
   Internal Audit: Largely interviews; who is chosen and the type of content depend on prior years' risk assessments, the internal audit plan, and input from audit staff
   SOX: Review of Financial Statement lines and evaluation of each line. Primarily done by ICU with validation by Controllers and AUDITOR.
   Compliance: CCOs set initial risk focus based on industry knowledge, trends, and parties providing input. Conduct interviews, review documentation, and perform a walkthrough of day-to-day processes. Discussions usually take place with level 2 or 3 personnel.
   Business Continuity: Formal project plan, training, assessment criteria (EIC); data collection (Paragon); signoff; reporting
   Difference Spectrum: Macro versus Micro level risk assessments. Audit: interview-based; SOX: internal with external validation; BCP: business; Compliance: ???

11. Method of Risk Categorization
   Concept: Risk ranking criteria (probability vs. impact) (risk directions) (High / Med / Low)
   Internal Audit: High / Med / Low. 3 types: control risk, inherent risk, total risk. Team effort / discussion; the team concludes on 10-12 key risk areas (themes) for the organization.
   SOX: See Risk Assessment previously submitted.
   Compliance: High / Med / Low. 3 types: inherent risk, control risk, total risk (based on COSO model). Combined criteria to rank risks based on likelihood and probability.
   Business Continuity: Recovery times are tiered based on an area's overall impact (EIC) to the Firm.
   Difference Spectrum: All high / medium / low except BCP (recovery times?). Criteria differ (see #13 below). (Common language)

12. Risk Assessment Criteria
   Concept: Assessment measures used (timeliness, quality, materiality)
   Internal Audit: RA (excluding IT audits): materiality is based on the legal entity and has a huge bearing on determining priority; complexity; external compliance; reputation; fraud. Business owners provide input on scale.
   SOX: Size and composition; loss; routine / non-routine; transactions; account type; complexities; loss exposure; contingent liability; related party; changes.
   Compliance: Standards (sources of information?) with Compliance are used in developing priority risks. Materiality is based on the business entity, mostly subjective and open to discussion within the group. Determine impact and likelihood for both inherent and control risk.
   Business Continuity: Quantified based on an Enterprise Impact Chart. Criticality based on financial statement loss, customer service, regulatory / legal / compliance, reputational, and workforce.
   Difference Spectrum: Little consistency. A few terms overlap: materiality / loss; complexity; compliance / regulatory. (Common language)

13. Risk Assessment Techniques
   Concept: Quantitative / Qualitative
   Internal Audit: Mostly qualitative. Quantitative risk assessments give a "false sense of security". Financial risk areas have some quantitative analysis.
   SOX: Both
   Compliance: Qualitative; risks are largely reputational and regulatory. Annual training on techniques.
   Business Continuity: Quantitative
   Difference Spectrum: Ranges from qualitative to quantitative in the following order: Compliance --> Audit --> SOX --> BCP

14. Risk Aggregation Basis
   Concept: Risk aggregation technique used (are detailed risks rolled into summary risks?)
   Internal Audit: Yes, themes (confirm?)
   SOX: Yes
   Compliance: There are sublevels of risk related to the summary risks defined in the risk assessment
   Business Continuity: Yes
   Difference Spectrum: Risks are aggregated, but are they at the same level?

15. Analysis Conducted
   Concept: Analysis conducted (e.g. controllable vs. uncontrollable, discrete vs. ongoing, risk inter-relationships, gross vs. residual, etc.)
   Internal Audit: [Year] focus was on inherent risk. Controls are not well understood within the organization. Timing is key to determining what will go into the audit plan, and Internal Audit tries not to focus on one specific area.
   Compliance: Assessment is based on how the current controls are performing (gross vs. residual)
   Business Continuity: Yes; inter-relationships such as one critical application or vendor supporting many business functions, etc.
   Difference Spectrum: Analysis is kept at gross (inherent) versus residual. (Common language)

16. Actions to Manage Risk
   Concept: Actions to manage risk: (i) Are they documented? Where? (ii) Are they assessed?
   Internal Audit: Controls are not well understood and there are not many efficient control areas in the organization. Build a risk-based audit plan that will help business owners monitor and mitigate their risks.
   SOX: From here, each line is broken down into the inputs to that line. The activities within each line are reviewed for risks and related controls. Controls are documented in FCM by business areas and signed off quarterly.
   Compliance: Business owners are assigned once the risk assessment is complete
   Business Continuity: RTOs and RPOs are incorporated into BC plans; assist in prioritizing recovery resources during an event; critical vendors drive vendor recovery reviews (NASD); RTOs and RPOs set technical recovery priorities and planning.
   Difference Spectrum: Macro: ownership is at level 2. Micro: ownership is assigned.

17. Quantification of Results (KPI, KRI)
   Concept: Are any risk quantification methods used? (e.g. KRI, KPI, etc.)
   Internal Audit: The only KPI may be the number of resources allocated to managing risk
   Compliance: Actions have been initiated to develop KPIs / KRIs; for example, an inventory of key rules and regulations, the frequency of review, etc.
   Business Continuity: EIC
   Difference Spectrum: In process

Output

18. End Deliverable (sample)
   Concept: End deliverable from RA (e.g. risk profile, Internal Audit plan, etc.)
   Internal Audit: Risk-based Internal Audit Plan
   SOX: Financial Statement Risk Analysis
   Compliance: The risk assessment with action plans, which are agreed to by the business owners
   Business Continuity: Enterprise summaries; updated BC plan RTOs; critical application listing; critical vendor listing; gap summaries

19. Documentation of Risk Assessment Process (sample)
   Provided; see other document

Other

20. Frequency of Risk Assessment
   Concept: Frequency RA is performed
   Internal Audit: Annual
   SOX: Annual
   Compliance: Annual
   Business Continuity: Annual from time of completion
   Difference Spectrum: Annual

21. Duration
   Concept: Duration (time taken) to perform RA (weeks, months)
   Internal Audit: Begins in Q1
   SOX: 3-4 weeks
   Compliance: Starts in 1st quarter, to the end of January / early February
   Business Continuity: BIA update was the first re-validation of data; a four-month window was provided to the business to complete.
   Difference Spectrum: Macro: Audit / Compliance 2 months, in time for the April audit committee. SOX / BCP ???

22. Dates when Risk Assessment is performed
   Concept: Date/s when RA is performed (month)
   Internal Audit: Q1, to speak with key business owners
   SOX: Commences when Financials for the current year are completed
   Compliance: 1st quarter; CCO has done initial discussions with business and research in regulations in mid-January
   Business Continuity: Annual from time of completion
   Difference Spectrum: Audit / Compliance similar timeframes (April - March calendar); SOX later in the year due to year-end; BCP every two years due to year-end


Example Process Flow Documentation

Shown below is an example of process flow documentation, which was used to document the testing process and identify areas for convergence.

Level 1: Highest level of the flow, articulating key phases of work (such as planning, assessment, testing, and reporting) and key steps in the phases for each of the functions. Steps where convergence opportunities exist would be called out for reference purposes.

Level 2: Each key phase is broken down to introduce the positions involved in executing steps in the phase. Steps will include key decisions taken by staff in these positions.

Internal Audit – 1.1 Level 1 Overview

Swimlanes: Planning; Testing; Issue Management

1. Set Up And Maintenance Of Audit Universe
2. Conduct Risk Assessment
3. Develop Annual Risk Based Audit Plan
4. Set Up Audit
5. Develop Audit Program
6. Conduct Testing
7. Identify Issues
8. Obtain Management Action Plan
9. Develop Audit Report
10. Close Audit
11. Review Action Plan Remediation
12. Close Issue
13. Develop And Issue Consolidated Reporting

Internal Audit – 1.2 Level 2 Planning

Swimlanes: General Auditor And Audit Planning; Board; Audit Plan Owners; Internal Audit GRC Committee

1. Are Changes To Auditable Entity (AE) Item Required? (decision)
2. Set Up AE In GRC
3. Associate Process To Auditable Entity
4. Conduct Auditable Entity Assessment
5. Is This A Legal Entity Or International Entity? (decision)
6. Conduct Universe Item Legal Entity Risk Assessment
7. Conduct Universe Item Country Significance Risk Assessment
8. Develop Annual Risk Based Audit Plan
9. Review Plan
10. Approve Plan (decision)
11. Set Up Shell Audit
12. Schedule Audits
13. Plan Resources

Decision branches shown on the chart: Y / N; LE / Int / N. Legend: C = Convergence Opportunity. Flow levels: Level 1, Level 2, Level 3.


Example Process Flow Documentation

Level 3: Each phase is broken down to its lowest step as performed. The narrative to the process documentation will go into further detail but not down to a “point and click” level; that is covered under the technical user guidance. GRC screens used by staff at each step can be documented.


Example Process Hierarchy

Shown below is a sample process hierarchy which details the multi-level decomposition from mega process to process, sub-process and product.

[Figure: Process Hierarchy; Risk Library]


ERM Reporting

Risk Assessment Reporting Process Chart

Shown below is an example of a risk assessment process once the areas of convergence have been identified and the direct lines and frequency of reporting are established.

1) Top Tier / Watch List Risks (Quarterly)
• Board receives quarterly dashboard report
• Management Risk Committee reviews and approves quarterly dashboard
• Risk Sponsor and Management Risk Committee review and approve detailed risk report and dashboard
• ERM group updates dashboard report for Management Risk Committee based on activity noted in detailed risk reports
• ERM group updates detailed risk reports with Risk Owner / Sponsor review and input for risks to which they are assigned

2) Tier 2 / Tier 3 Risks (Annually)
• Board receives operating committees’ review calendars
• Firm Committee Chairs affirm to Management Risk Committee that all other risks have been reviewed/refreshed
• ERM group updates Firm Committee Review Calendar for risk review dates of their committees
• ERM group updates detailed risk reports with Risk Owner review and input for risks to which they are assigned

3) All Risk Refresh / Emerging Risks (Quarterly)
• Board receives report on new risks and adverse changes to other Tier 2 & 3 risks
• Management Committee reviews and approves proposed changes to the risk profile
• ERM Risk Executive proposes revisions/emerging risks to Management Committee for review and approval
• ERM group meets with ERM Risk Executive to discuss emerging risks and changes to risks based on Management Risk Committee meeting discussions


ERM Reporting

Dashboard Report

Shown below is an example of an enterprise risk management dashboard report presented to senior management and / or the Board. The dashboard annotations are as follows:

• Provides insight on changes in risk direction since the prior quarter.
• The assessment uses five levels from ‘0’ (risk mitigating activities exceed requirement) to ‘5’ (risk management activities are unestablished). It assesses the combined appropriateness and effectiveness of the current risk management processes.
• Provides insight on the progress of the enhancements to current risk management processes required, and uses three levels from ‘G’ (action is sufficient or no actions in progress) to ‘R’ (action has not substantially progressed or is substantially behind).
• Internal Audit findings provide assessment on related risk management processes.
• Provides high level and notable commentary/insight to the Risk Assessment Score and the Action Plan Status (e.g. implementation dates for actions in progress, reasons for delays in implementation, acceptance with current risk assessment score, additional actions required to improve the risk assessment score).
• Provides additional insight into the notable positive or negative findings and/or emerging trends of the risk.
• Provides insight on status of the risk grids from ‘A’ (risk grid is operational) to ‘C’ (risk grid is less than substantially complete).
• ‘T’ (Top Tier Risk); ‘W’ (Watch List Risk).