Improve Your Risk Assessment Process in 4 Steps
IMPROVE YOUR RISK ASSESSMENT PROCESS, DRIVE TRANSFORMATIVE RESULTS…
…IN 4 EASY STEPS, TRULY
FUTUREPROOF 2014
I’VE HAD THE PRIVILEGE OF LEADING RISK ASSESSMENT
ACTIVITIES WITHIN MANY GREAT ORGANIZATIONS…
…WITNESSING WHAT WORKS AND, SOMETIMES, WHAT DOESN’T
• Lenovo
• Hewlett-Packard
• Verizon
• EDS
• Johnson Controls
• BHP Billiton
• Hong Kong MTR
• Kodak
• Gap
• Caterpillar
• General Motors
• Lear
• China - State-owned Assets Supervision & Administration Commission (SASAC)
• Etc.
RISK ASSESSMENT - WITHIN THE BROADER, AND DYNAMIC, CORPORATE GOVERNANCE CONTEXT
KEY DRIVERS & INFLUENCES
• Shareholder expectations - institutional, individual
• Government - regulation, monitoring, support
• Financial - rating agencies, listing standards, bondholders
• Other stakeholders - employees, suppliers, customers, trade unions, special interest groups
• Other factors - competition, disruptive technology, macroeconomic events
BOARD & AUDIT COMMITTEE
EXECUTIVE MANAGEMENT
Business units - Finance & Accounting, Legal, Human Resources, IT, Supply Chain, Capital Projects
The governance cycle and the activities that support each stage:
• ESTABLISH THE CORPORATE STRATEGY - key objectives, targets, KPIs, balanced scorecard, risk appetite: define, communicate, monitor & refine
• IDENTIFY & ASSESS KEY RISKS - maximum foreseeable impact, likelihood, control effectiveness: drive appropriate, responsive action; define and monitor KRIs
• MONITOR & ENHANCE CONTROLS - manual, automated, prevent/detect, mitigating: document, test, remediate, transform, monitor for exceptions
• ENSURE COMPLIANCE - compliance management program: track regulations, update policies, train & enable
EXAMPLE - Internal Controls over Financial Reporting (SOX)
EXAMPLE - Foreign Corrupt Practices (FCPA)
EXAMPLE - Payment Card Industry (PCI)
Cross-cutting across the cycle: ASSURANCE & MONITORING; IT SYSTEMS & DATA; REPORTING & COMMUNICATIONS
RISK ASSESSMENT - AN IIA PERSPECTIVE
• “Practice Advisory 2120-2 - Every organization will experience control breakdowns. Often times when controls fail or frauds occur, someone will ask: “Where were the internal auditors?” The internal audit activity could be a contributing factor due to:
– Lack of an effective risk assessment process to identify key audit areas during the strategic risk assessment, as well as areas of high risk during the planning of individual audits – as a result, failure to do the right audits and/or time wasted on the wrong audits.”
RISK ASSESSMENT - IF ONLY IT WERE SIMPLE
1. Identifying risks to achieving objectives requires – objectives. If a robust strategic planning process is absent, risk assessment may take on the role of surrogate.
2. Risk assessment is often relegated to “off-cycle” periods (after planning, budgeting and forecasting are complete), when management is available but the results are significantly less relevant and/or impactful.
3. Risk assessment output is unreliable due to insufficient information and/or requisite expertise, groupthink, a dominant voice in the room, bias, anchoring, CYA behaviours, etc.
4. The process:
   1. Promotes enterprise list management rather than enterprise risk management
   2. Evokes unenthusiastic support from executive management: “I have a business to run”… “How long will this workshop last?”
   3. Produces reports and heat maps that fail to drive appropriate, responsive action(s)
5. Other challenges?
RISK ASSESSMENT - A TIME OF UNPRECEDENTED OPPORTUNITY
1. Boards are getting more progressive, proactive…and nervous
2. Management desires to reduce cost and increase value
3. Internal auditors desire to get more out of life
4. Simple shifts in your risk assessment approach have the potential to transform:
– levels of executive and board engagement
– value and relevance of outputs
– internal audit’s stature in the organization
– your relationship with the AC chair
4 SIMPLE STEPS
1. Get the timing right
2. Ensure that identified risks are truly risks - and not simply the inverse of an objective, i.e. “Failure to…”
3. Review/enhance your risk assessment criteria – to better inform/drive responsive action
4. Produce simple, palatable risk reports - that align and integrate with the organization’s planning and performance management reports
#1 – GET THE TIMING RIGHT
• Align and integrate with:
– Planning, budgeting & forecasting cycles
– Board and executive reporting
– KPIs, key incentives
Typical: Planning -> Budgeting -> Forecasting -> Risk Assessment
Better practice: Planning -> Risk Assessment -> Budgeting -> Forecasting
#1 – GET THE TIMING RIGHT - COSO 2013 UPDATE - PRINCIPLES OF EFFECTIVE INTERNAL CONTROL
Risk Assessment component:
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.
#1 – GET THE TIMING RIGHT - “ANCHOR” YOUR RISK ASSESSMENT
• Benefits
– Risks are more readily identified
– Greater ownership, relevance and value
– Often described by interviewees as the “risks that matter”
Anchoring diagram: each key risk (Key Risk 1 to Key Risk 6) is linked to the strategic objective (Strategic Objective 1 to 3) or core operational objective (Core Operational Objective 1 to 3) whose achievement it threatens.
#2 - ENSURE THAT IDENTIFIED RISKS ARE TRULY RISKS
“Risk is the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.”
- Institute of Internal Auditors
Note – when most people think risk, they think downside
#2 - ENSURE THAT IDENTIFIED RISKS ARE TRULY RISKS
Objective – Reach the moon safely, land on it, and then return to Earth.
Risk – Failure to land on the Moon. (Not a risk: this merely restates the inverse of the objective.)
Risk – Oxygen tank explosion. (A risk: a specific event that could trigger the failure.)
Rather, encourage respondents to identify the specific events that might trigger a failure.
“Failure to…” is not an option.
And neither is, “Inability to…”
#2 - ENSURE THAT IDENTIFIED RISKS ARE TRULY RISKS - THEN, PERHAPS OFFER A DUAL-VIEW HEAT MAP
Dual-view heat map: vertical axis IMPACT (low to high); horizontal axis MANAGEMENT PREPAREDNESS (low to high). The low-preparedness side is labelled Remediate (-), the high-preparedness side Monitor (+). Two populations are plotted: Business Objectives / Initiatives (formerly risks beginning with “Failure to …” or “Inability to …”) and Risks.
#3 – ENHANCE YOUR RISK ASSESSMENT CRITERIA - A TYPICAL HEAT MAP
Typical heat map: vertical axis IMPACT (residual), horizontal axis LIKELIHOOD, each from low to high, divided into quadrants 1 to 4.
Which risks should comprise the focus of: • Remediation • Internal audit • CSA • Etc?
#3 – ENHANCE YOUR RISK ASSESSMENT CRITERIA - COMMON APPROACHES – AND RELATED CHALLENGES
• Inherent risk - Too abstract - the notion of all controls failing, or not being present, is viewed by management as an irrelevant, academic exercise
• Residual risk - Respondents tend to be overly generous and/or optimistic in their ratings
#3 – ENHANCE YOUR RISK ASSESSMENT CRITERIA - ALTERNATIVE, ACTION-FOCUSED APPROACH
Action-focused map: vertical axis MAXIMUM FORESEEABLE IMPACT (low to high); horizontal axis CONTROL EFFECTIVENESS (or, MANAGEMENT PREPAREDNESS) (low to high); divided into quadrants 1 to 4. The low-effectiveness side is labelled Remediate and the high-effectiveness side Monitor; quadrants are marked as potential CSA-focus or potential IA-focus.
What is a plausible, worst-case scenario/impact?
#3 – ENHANCE YOUR RISK ASSESSMENT CRITERIA - AND ENSURE A THOROUGH, RELIABLE PROCESS
1. Identify potential risks for discussion - inputs: interviews, surveys, data analytics, subject matter specialists, external research / sector risk reports
2. Select and profile key risks - profile template:
   Risk description here -
   Causal factors •
   Impacts •
   Preventative / Detective Controls •
   Mitigating Controls •
   Improvement Opportunities •
3. Procure (voting hardware, AV equipment, room) and develop (risk rating criteria, communications to workshop participants)
4. Assess within a workshop setting
#3 – ENHANCE YOUR RISK ASSESSMENT CRITERIA - EMPLOY ANONYMOUS VOTING TECHNOLOGY, AS APPROPRIATE
• Anonymous response reduces fear of reprisal and enhances candour
• Enables areas of varied perception to be identified, explored and addressed
• Highly efficient
• Novelty enhances engagement
• Enables remote participation
Participant reactions: “Finally, the truth comes out.” “Can’t believe it - but I’m actually enjoying this!”
#3 – ENHANCE YOUR RISK ASSESSMENT CRITERIA - BETTER INFORM YOUR ASSURANCE AND REMEDIATION STRATEGY
Assurance map: rows are the key risks; columns are the assurance and remediation providers - External audit, Internal audit (in-house), Internal audit (co-source), Internal Control Function, General Counsel’s Office, Compliance, Control Self Assessment. Each cell is marked “Monitor / Test”, “Review / remediate”, or left blank, and a band marks the providers that are in-scope. The marks per row (which provider column each mark sits in is not preserved here):
Risk #1 - Monitor / Test
Risk #2 - Monitor / Test; Monitor / Test; Review / remediate
Risk #3 - GAP – NO COVERAGE
Risk #4 - Review / remediate; Monitor / Test
Risk #6 - Monitor / Test; Monitor / Test
Risk #7 - Monitor / Test
Risk #8 - Monitor / Test; Review / remediate
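As an added worked example (not part of the deck, and not the presenter's own tooling), the checks from steps #2 and #3 expressed as a small Python risk-register script. It rejects "Failure to…" / "Inability to…" entries, places each risk on the maximum-foreseeable-impact versus control-effectiveness grid, maps a rating to the appendix's recommended response, and flags risks with no assurance or remediation provider, the "GAP – NO COVERAGE" row above. The quadrant labels, the 1-5 control-effectiveness scale, the composite rating formula and the sample register are assumptions made for illustration.

```python
"""Risk-register checks: event-based wording, action-focused grid, coverage gaps.
Added example; scales and labels are assumptions, not the deck's definitions."""
from dataclasses import dataclass, field
import re

# Step #2: a "risk" that merely inverts an objective is not a risk event.
INVERTED_OBJECTIVE = re.compile(r"^\s*(failure|inability)\s+to\b", re.IGNORECASE)

def is_risk_event(description: str) -> bool:
    """True when the description names an event rather than 'Failure to ...'."""
    return INVERTED_OBJECTIVE.match(description) is None

# Appendix: recommended response per rating (wording condensed from the table).
RESPONSE_BY_RATING = {
    5: "Urgently conduct activities",
    4: "Perform a deep dive analysis",
    3: "Review and remediate current activities/controls",
    2: "Enhance activities/controls",
    1: "Monitor activities/controls",
}

# Providers from the assurance-map slide.
PROVIDERS = (
    "External audit", "Internal audit (in-house)", "Internal audit (co-source)",
    "Internal Control Function", "General Counsel's Office", "Compliance",
    "Control Self Assessment",
)

@dataclass
class Risk:
    ref: str
    description: str
    max_foreseeable_impact: int   # 1..5 per the appendix impact scale
    control_effectiveness: int    # 1..5; assumption: 5 = controls fully effective
    coverage: dict = field(default_factory=dict)  # provider -> "Monitor / Test" etc.

def validate(risk: Risk) -> list:
    """Return the problems with an entry; an empty list means it is usable."""
    problems = []
    if not is_risk_event(risk.description):
        problems.append(f"{risk.ref}: restate as an event, not '{risk.description}'")
    for name in ("max_foreseeable_impact", "control_effectiveness"):
        value = getattr(risk, name)
        if not (isinstance(value, int) and 1 <= value <= 5):
            problems.append(f"{risk.ref}: {name} must be an integer 1..5, got {value!r}")
    unknown = set(risk.coverage) - set(PROVIDERS)
    if unknown:
        problems.append(f"{risk.ref}: unknown provider(s) {sorted(unknown)}")
    return problems

def quadrant(risk: Risk) -> str:
    """Action-focused view: plausible worst-case impact vs control effectiveness.
    How the slide's four quadrants map to these labels is an assumption."""
    high_impact = risk.max_foreseeable_impact >= 4
    weak_controls = risk.control_effectiveness <= 2
    if high_impact and weak_controls:
        return "Remediate (internal-audit focus)"
    if high_impact:
        return "Monitor (internal-audit focus)"
    if weak_controls:
        return "Remediate (control-self-assessment focus)"
    return "Monitor"

def rating(risk: Risk) -> int:
    """Assumed composite: impact raised one step per point of control
    effectiveness below 3, lowered one step per point above 3, clamped to 1..5."""
    return max(1, min(5, risk.max_foreseeable_impact + (3 - risk.control_effectiveness)))

def recommended_response(risk: Risk) -> str:
    return RESPONSE_BY_RATING[rating(risk)]

def coverage_gaps(register: list) -> list:
    """Refs of risks with no assurance or remediation provider at all."""
    return [r.ref for r in register if not r.coverage]

def summarize(register: list) -> dict:
    """ref -> (quadrant, recommended response) for every entry that validates."""
    return {r.ref: (quadrant(r), recommended_response(r))
            for r in register if not validate(r)}

# Constructed sample register: illustrative values, not the deck's data.
SAMPLE_REGISTER = [
    Risk("R1", "Oxygen tank explosion", 5, 2,
         {"Internal audit (in-house)": "Monitor / Test"}),
    Risk("R2", "Failure to land on the Moon", 4, 3),
    Risk("R3", "Key supplier insolvency", 3, 4,
         {"Control Self Assessment": "Review / remediate"}),
    Risk("R4", "Unpatched payment gateway compromised", 4, 5),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        for problem in validate(r):
            print("PROBLEM:", problem)
    for ref, (quad, resp) in summarize(SAMPLE_REGISTER).items():
        print(f"{ref}: {quad}; response: {resp}")
    print("Coverage gaps:", coverage_gaps(SAMPLE_REGISTER))
```

Running it lists R2 as a wording problem (it inverts the objective, so it is excluded from the summary), puts R1 in the remediate/internal-audit quadrant with the urgent response, and reports R2 and R4 as coverage gaps because no provider is assigned to them.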
#3 – ENHANCE YOUR RISK ASSESSMENT CRITERIA - ADD VALUE TO ALIGNED PROCESSES
The risk assessment process - an overview
Set Objectives - corporate strategy, shareholder value, capital projects, key initiatives, performance targets
Identify & Assess Risks - strategic, operational, compliance / legal, financial
Drive Appropriate, Responsive Action(s) - assurance planning, ongoing monitoring, remediation planning, further analyses, update budgets, continuous improvement, etc.
Feedback & report - back into objective setting
#3 – ENHANCE YOUR RISK ASSESSMENT CRITERIA - SHIFTING SENTIMENTS, IMPROVING OUTCOMES
Stakeholder sentiment, from LOW to HIGH: Pessimistic, Apathetic, Naysayer, Optimistic, Engaged, Advocate
#4 - PRODUCE SIMPLE, PALATABLE RISK REPORTS
Characteristics of effective documentation:
• Simple, palatable & highly relevant
• Common formats, measures
• Providing timely information for decision making
Processes that Risk Identification, Assessment & Management should align with:
• Strategic Planning & Objective Setting
• Budgeting & Forecasting
• Assurance Planning, Execution & Reporting
• Remediation
• Capital Projects & Key Initiatives
• Performance Management Systems & Reporting
• IT Strategy & Governance
#4 - PRODUCE SIMPLE, PALATABLE RISK REPORTS
Report columns and their sources:
• Objective - from planning documents
• Risk Rating(s) - from risk register
• KPI and/or KRI - from risk register
• Responsive Action - assurance or remediation activity
• Status or Planned Completion Date
• Outcome
IN SUMMARY - ENHANCING THE RISK ASSESSMENT PROCESS & OUTCOMES
1. Thorough preparation
2. Timing the risk assessment to occur between strategic planning and budgeting cycles, as appropriate
3. Linkage to objectives – strategic, capital projects, etc.
4. Risk definitions that focus upon the risk events that could negatively impact achievement of objectives
5. Strong leadership support, e.g. a supportive “tone at the top”
6. Identification and exploration of the areas where perceptions of risk impact, likelihood and/or control effectiveness diverge
7. Input and support of relevant subject matter specialists; reliable data
8. Avoidance or reduction of group think and/or a dominant voice
9. Risk assessment criteria that effectively inform and drive responsive action
10. Simple, palatable risk reports aligned to and integrated with the organization’s planning and performance management reports – especially at the summary level
APPENDIX - FOR REFERENCE
SAMPLE RATING CRITERIA – IMPACT
Dimensions: Financial, Operational, Reputation, People
5 - Catastrophic
• Financial: loss >$X M
• Operational: loss of key systems for 5 days or more
• Reputation: sustained, highly negative mentions in press
• People: multiple members of the leadership team exit the company; event triggers significant, irrecoverable loss of employee morale
4 - Very High
• Financial: loss $X to XM
• Operational: loss of key systems for 1 to 5 days
• Reputation: highly negative mention(s) in press but largely recoverable within 6 months through proper crisis management
• People: loss of a senior leader; high turnover of experienced staff; event triggers significant loss of employee morale but recoverable within 6 months; generally-pervasive low morale
3 - High
• Financial: loss $Xk to XM
• Operational: loss of key systems for 4 to 8 hours
• Reputation: some negative press mentions but readily addressed and recoverable in 1 month or less
• People: turnover is generally higher than normal (>15%) across all areas of the company; multiple pockets of low morale
2 - Moderate
• Financial: loss $X - Xk
• Operational: loss of key systems for 1 to 4 hours
• Reputation: generally positive press with a few isolated instances of minor negative mentions
• People: elevated turnover in some areas although non-critical; one or two pockets of low morale
1 - Low
• Financial: loss <$Xk
• Operational: loss of key systems for less than 1 hour
• Reputation: positive press with only a few minor recommendations for product improvement
• People: very isolated instances of staff dissatisfaction and/or instances of above average turnover
APPENDIX - FOR REFERENCE
SAMPLE RATING CRITERIA – RECOMMENDED RESPONSE
Rating 5 - Urgent: urgently conduct activities
Rating 4 - Perform Deep Dive Analysis: perform a deep dive analysis to better understand what’s driving the risk
Rating 3 - Review and Enhance: review & remediate current risk management activities and/or controls, as appropriate
Rating 2 - Enhance: enhance risk management activities and/or controls
Rating 1 - Monitor: monitor risk management activities and/or controls
ANY QUESTIONS?
Brian Link
Mobile - 1 647 381 5515
Alternatively, contact me via