30th September 2015
Risk Management and the Internal Audit profession – Two sides of the same coin?
© 2015 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
Risk Management and the Internal Audit profession – Two sides of the same coin?
Mike Wilson, Partner, M: 07557564333
Sam Arshad, Director, M: +44 7747 532 970

Definitions
■ Risk management;
■ Internal Audit; and
■ Two sides of the same coin.

Roles and responsibilities
■ Risk governance: Three lines of defence; and
■ Potential roles of Internal Audit.

Emerging themes
■ Leading Practices in Governance, Risk and Compliance;
■ Risk Management trends; and
■ UK Corporate Governance Code Update.
Definition of Risk Management
Risk Management (taken from the Institute of Risk Management).
Risk is part of life. Avoiding all risk would result in no achievement, no progress and no reward.
It is the combination of the probability of an event and its consequence. Consequences can range from to
Risks: Strategic, tactical and operational.
Risk management: Includes an assessment of the relative priority of risks and a rigorous approach to monitoring and controlling them.
To be effective, risk management must be proportionate to the size and nature of an organisation.
Definition of Internal Audit
Definition of internal auditing (Institute of Internal Audit).
Independent objective assurance.
Systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Definition of ‘Two sides of the same coin’
If two things are two sides of the same coin, they are very closely related although they seem different:
Violent behaviour and deep insecurity are often two sides of the same coin.
Risk Governance: Three lines of defence
Third line of defence: Assurance providers (risk process and content monitoring)
■ Liaise with senior management and/or board;
■ Rationalise and systematise risk assessment and governance reporting;
■ Provide oversight; and
■ Provide assurance that risk-management processes are adequate and appropriate.
Second line of defence: Standard setters of first line (risk process accountability)
■ Establish policy and process for risk management;
■ Strategic link for the enterprise in terms of risk;
■ Provide guidance and coordination;
■ Identify enterprise trends, synergies, and opportunities for change;
■ Liaison between third line of defence and first line of defence; and
■ Oversight over certain risk areas (e.g., credit, market) and in terms of certain enterprise objectives (e.g., compliance with regulation).
First line of defence: Business owners of risk management, control and compliance (risk content accountability)
■ Manage risks/implement actions to manage and treat risk;
■ Comply with risk-management process;
■ Implement risk-management processes where applicable; and
■ Execute risk assessments and identify emerging risk.
Potential roles of Internal Audit
Spectrum of roles: Core assurance (value preservation) through to Consultancy (value creation).
Drivers of the role of Internal Audit (scale: Low to High):
■ Maturity of controls/environment
■ Maturity of risk management processes
■ Degree of independence of Internal Audit from the business
■ How much is budgeted, and where the priorities lie
Other considerations:
■ Role/existence of other assurance activities
Potential roles for Internal Audit (from core assurance towards consultancy):
■ Compliance with policies & procedures
■ Effectiveness of policies & procedures
■ Compliance with laws and regulations
■ Business performance
■ Adequacy of response to new/emerging risks
■ Effectiveness and efficiency of controls
■ Strategic support
■ Shaping the future
Leading Practices in Governance, Risk & Compliance (GRC)
Current State
Effectiveness:
■ Blurring of risk and control responsibilities between 1st Line and risk and compliance functions (2nd Line)
■ Risk and compliance skills pertaining to new regulations are limited/unavailable
■ Limited risk awareness at 1st Line; low risk/control experience
■ Inconsistent quality of control testing and test result documentation limits leverage
Efficiency:
■ Risk and compliance touch points lack coordination and planning
■ Lack of leveraging work among risk and compliance functions due to timing
■ Limited linkage of issues repositories/databases
■ Risk and compliance skills and knowledge are not tracked, corroborated (tested) and documented
Future State
Improving EFFICIENCY of risk and compliance processes via Centers of Excellence, streamlined to help alleviate burden on BUs and allow focus on core responsibilities.
Maintaining EFFECTIVENESS by applying Three Lines of Defense to clarify roles/responsibilities, closing skills gap, and establishing Centers of Excellence for consistency and quality.
Three Lines of Defense
Control Testing: E.g., development of test scripts, scheduling of testing, conducting tests of controls, exception analysis, documentation of test results, etc.
Skills & Learning Development Center: E.g., skills tracking, skills database maintenance, facilitate development of risk and compliance curriculum, delivery of risk and compliance training, etc.
Knowledge & Data/Issues Management Center: E.g., execution and distribution of knowledge, provision of standards and guidance – framework, methodology, policies taxonomy reference, escalation rules, data repository / warehouse.
Master Calendar Planning Center: E.g., coordination of risk and compliance calendars for risk assessment and controls testing to streamline touch points at 1st Line, establishment of a Master Calendar Plan taking into account critical paths and minimum requirements, etc.
Trends in Risk Management
From → Towards
■ Governance and compliance perspective → Strategy and performance perspective
■ Focused on risk categories → Focused on value chains, what is ‘at risk’
■ Single risks → Interconnected view
■ Within FY impact on liquidity and solvency → Multi-year impact – viability
■ ‘Hard’ controls – policy, process, sanctions → People-based controls – behaviours
Trends in Risk Management: Connecting strategy and risk
Innovating and pursuing opportunity while balancing upside and downside
Diagram elements (business model): Financial Performance Targets; Markets; Propositions and Brands; Clients and Channels; Core Business Processes; Operational & Technology Infrastructure; Organisational Structure, Governance, Risk & Controls; People and Culture; Measures and Incentives; Growth, profitability, liquidity; Leverage; Operating model cost.
Risks to Strategy:
■ Acquisitions
■ Pricing
■ New markets
■ New products
External Risks:
■ Natural hazards
■ Commodity prices
■ Geopolitical events
■ Cyber attack
Internal Risks:
■ Regulatory violations
■ Quality issues
■ Technology and data events
■ Product shortages
Focus of the majority of today’s risk investments and programmes is value preservation, not value creation.
Trends in Risk Management: Understanding systemic risks
Diagram: Traditional risk map versus Inter-connected view.
Trends in Risk Management: Risk Culture
KPMG’s ERM framework / KPMG’s Risk Culture Framework
Framework elements: Action & Determination; Competencies & Context; Belief & Commitment; Knowledge & Understanding.
Cultural drivers
Visibility: Is the behaviour of staff consistent with the intended practices described in the policy and procedure?
Clarity: Are rules, (risk) policies and procedures accurate, concrete and complete, and do employees understand what is expected?
Role Modelling: Does management lead by example and display the behaviours that support risk-based decision-making?
Involvement: Do employees feel accountable for the proper use of risk policies and take ownership for the strategy of the organisation?
Openness: Is it normal to discuss risks, and is there an atmosphere of both challenge and mutual respect?
Practicability: Do the organisation’s targets correspond to the risk appetite and overall risk strategy, and are employees enabled to do what is requested of them in terms of managing risks?
Improvement: Are incidents and ‘near misses’ evaluated to determine potential risks, and do employees feel they learn from their mistakes?
Enforcement: Are employees rewarded for responsible behaviour, and is irresponsible behaviour disciplined?
UK Corporate Governance Code Update
Highlights
Key revisions covering:
■ Risk management and internal control;
■ Directors’ remuneration; and
■ Shareholder engagement.
New Guidance on Risk Management, Internal Control and Related Financial and Business Reporting (what was the ‘Turnbull Guidance’).
Applicable for periods beginning on or after 1 October 2014.
UK Corporate Governance Code Update (cont.)
Risk management and internal control
Key questions:
■ What constitutes a robust assessment and what evidence will the directors need to support their statement?
■ Does the ‘principal risks’ disclosure need reassessing? Are they the ‘right’ risks?
■ Are the disclosures relating to the management and mitigation of the principal risks meaningful?
■ Does the board need to reassess the scope, frequency of reporting and assurance required?
■ Does the board have visibility over the full universe of risk and all material controls – including financial, operational and compliance?
WHAT IS THE ROLE OF INTERNAL AUDIT? WHAT IS THE ROLE OF RISK?
■ A robust assessment of the principal risks facing the company; and
■ Explicit disclosure of how they are being managed or mitigated.
C.2.1 … The directors should confirm in the annual report that they have carried out a robust assessment of the principal risks facing the company, including those that would threaten its business model, future performance, solvency or liquidity. The directors should describe those risks and explain how they are being managed or mitigated.
■ Expectation that the board monitors and reviews risk management and internal control systems on an ongoing basis.
C.2.3 … The board should monitor the company’s risk management and internal control systems and, at least annually, carry out a review of their effectiveness, and report on that review in the annual report. The monitoring and review should cover all material controls, including financial, operational and compliance controls.
Paragraph 40 … Regular reports to the board should provide a balanced assessment of the risks and the effectiveness of the systems of risk management and internal control in managing those risks. The board should form its own view on effectiveness, based on the evidence it obtains, exercising the standard of care generally applicable to directors in the exercise of their duties.
Risk management and the Internal Audit profession – Two sides of the same coin: AGREE? DISAGREE?
Thank you
The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.