Five Lines of Assurance: A New Paradigm in …...recently, “Paradigm Paralysis in ERM and Internal...

© Risk Oversight Solutions Inc.

Five Lines of Assurance: A New

Paradigm in Internal Audit & ERM

Tim Leech, Managing Director

Risk Oversight Solutions Inc. [email protected]

www.riskoversightsolutions.com


2

Speaker Professional Profile

Tim J. Leech, FCPA CIA CRMA CCSA CFE is Managing Director at Risk Oversight Solutions Inc. based in Oakville, Ontario,

Canada and Sarasota, Florida. He has over 30 years of experience in the risk governance, internal audit, IT, and forensic

accounting/litigation support fields. His experience base includes setting up a new business unit, a “first of its kind”, for Coopers &

Lybrand, “Control & Risk Management Services” in 1987; founding in 1991, building, and successfully selling CARD®decisions, a

global risk and assurance consulting and software firm, to Paisley/Thomson Reuters in 2004; serving as Paisley’s Chief

Methodology Officer from 2004 -2007; and 30+ years of global experience helping clients around the world with internal audit

transformation initiatives and the design, implementation, and maintenance of integrated and more powerful ERM/IA methodology

and technology frameworks.

He developed and successfully released CARD®map, the world’s first integrated risk and assurance software, in 1997. The

web-enabled “cloud” version of CARD®map was released in 2000. Tim was the first in 2009 to develop and deliver training on IIA

IPPF Standard 2120 to equip internal auditors to assess and report on the effectiveness of risk management processes. He is the

author of the Conference Board Director Notes December 2012 publication “Board Oversight of Management’s Risk Appetite and

Tolerance”, co-author of the highly acclaimed January 2014 “Risk Oversight: Evolving Expectations for Boards”, and most

recently, “Paradigm Paralysis in ERM and Internal Audit” in the summer 2016 issue of Ethical Boardroom. His ground breaking

article, “Reinventing Internal Audit”, published in the April 2015 issue of Internal Auditor magazine has attracted global recognition

and was awarded a 2016 Outstanding Contribution Award from IIA global.

In 2013 he launched a second generation of disruptive innovation with a breakthrough approach to risk and assurance

management – “Five Lines of Assurance: Board & C-Suite Driven/Objective-centric ERM and Internal Audit”. The goal – respond

to the rapid escalation in board risk oversight expectations and deliver substantially more “bang for the buck” from formal

assurance spending.

Leech was the recipient of IIA Canada’s first Outstanding Contributions to the Profession award at the first IIA Canada national

conference in Quebec City in 2009, and is currently working with IIA Global in Florida to roll-out training on “Five Lines of

Assurance/Board & C-Suite Driven/Objective Centric ERM and internal audit to CAEs, IIA National Institutes, and in-house IIA

training clients around the world.


3

Presentation Agenda

Part 1: Escalating Expectations

• Escalating Expectations: Regulators

• Escalating Expectations: Credit Agencies

• Escalating Expectations: Institutional Investors

• Escalating Expectations: Director Associations

• Escalating Expectations: Internal Audit & ERM Customers

• IIA Response to date

• The Way Forward: Five Lines of Assurance-A New Paradigm in ERM & Internal Audit


4

Part 2 Five Lines of Assurance- A New

Paradigm in ERM and IA

• 5LoA Design Objectives

• 5LoA Core Elements

• 5LoA Key Benefits

• 5LoA Examples

• 5LoA Tools

• 5LoA Implementation Overview

Presentation Agenda


5

Escalating Expectations: Regulators


6


CSA Expectations: Canadian Public Companies

Material risks are required to be disclosed in regulatory filings such as an AIF or a prospectus. The way in which an issuer manages those risks may vary between industries and even between issuers within an industry according to their particular circumstances. It is important for investors to understand how issuers manage those risks.

Disclosure regarding oversight and management of risks should indicate:

• the board’s responsibility for oversight and management of risks, and

• any board and management-level committee to which responsibility for oversight and management of risks has been delegated.

The disclosure should provide insight into:

• the development and periodic review of the issuer’s risk profile

• the integration of risk oversight and management into the issuer’s strategic plan

• the identification of significant elements of risk management, including policies and procedures to manage risk, and

• the board’s assessment of the effectiveness of risk management policies and procedures, where applicable.

Source: CSA STAFF NOTICE 58-306 2010 CORPORATE GOVERNANCE DISCLOSURE COMPLIANCE REVIEW

December 2, 2010, page24 http://bit.ly/ezvf3O

http://bit.ly/ezvf3O

http://bit.ly/ezvf3O


7


Financial Stability Board (“FSB”) November 2013:


8


Financial Stability Board (“FSB”) November 2013:


9


Board responsibilities per FRC UK Sept 2014 Code

Boards are responsible for:

• determining the extent to which the company is willing to take on risk (its “risk appetite”);

• ensuring that an appropriate “risk culture” has been instilled throughout the organization;

• identifying and evaluating the principal risks to the company’s business model and the achievement of its strategic objectives, including risks that could threaten its solvency or liquidity;

• agreeing how these risks should be controlled, managed, or mitigated;


10



11


Integrated Risk Management

Risk management cannot be practiced effectively in silos. As a result, integrated risk management promotes a continuous, proactive and systematic process to understand, manage and communicate risk from an organization-wide perspective in a cohesive and consistent manner. It is about supporting strategic decision-making that contributes to the achievement of an organization's overall objectives. It requires an ongoing assessment of risks at every level and in every sector of the organization, aggregating these results at the corporate level, communicating them and ensuring adequate monitoring and review. Integrated risk management involves the use of these aggregated results to inform decision-making and business practices within the organization.

Source: TBS Guide to Integrated Risk Management May 2016


12


Deputy Heads Deputy Heads are responsible for managing their organization's risks by leading the implementation of effective risk management practices, both formal and informal. This includes establishing the organization's overall risk management approach and ensuring that supporting processes are in place. In doing so, Deputy Heads are encouraged to apply the principles outlined in section 2.3. A key role of the Deputy Head is to ensure that risk management principles and practices are understood and integrated into the various activities of his/her organization. Deputy Heads are also responsible for monitoring risk management practices in their organizations, as well as considering risks that arise when partnering with organizations within and external to the federal public service. This includes ensuring that issues affecting the organization's risk management approach, whether identified through assessments or internal and external monitoring, are examined, reviewed and addressed effectively. In addition, Deputy Heads play an important role in creating a learning environment that promotes continuous improvement in risk management competencies and capacity within their organization. Through their leadership, Deputy Heads foster a risk-informed organizational culture that supports risk-informed decision-making, enables dialogue on risk tolerance, focuses on results and enables the consideration of both opportunity and innovation.



13


Generally, there are numerous tools and techniques for analyzing (e.g. workshops, surveys) and prioritizing (e.g. risk maps) risks. Organizations are encouraged to design a process that is appropriate for their own operating environment. In defining risk assessment activities within the risk management process, organizations may wish to provide direction regarding:

• who should be involved in the assessment of risks;

• how much rigour is required for a particular risk assessment exercise;

• what type of information needs to the collected and what level of detail is required; and

• how assessed risks should be documented for response purposes.



14

Escalating Expectations: Credit Agencies


15

Escalating Expectations: Credit Agencies

S&P: “We believe that successful risk culture

begins with fostering open dialogue where every

employee in the organization has some level of

ownership of the organization's risks, can readily

identify the broader impacts of local decisions, and

is rewarded for identifying outsize risks to senior

levels. In such cultures, strategic decision-making

routinely includes a review of relevant risks and

alternative strategies rather than a simple return-on-investment analysis.” (page 4)


16

Escalating Expectations: Institutional Investors


17

Escalating Expectations: Institutional Investors


18

Escalating Expectations: Director Associations


19

Escalating Expectations: IA Customers


20

Escalating Expectations: IA Customers


21

IIA Response to Date

2120 – Risk Management

“The internal audit activity must evaluate the

effectiveness and contribute to the

improvement of the risk management process”


22



23



24

The Way Forward: Reinvent Internal Audit


25

The Way Forward: Five Lines of Assurance


26

The Way Forward: Paradigm Shift Required


27

5LoA Design Objectives

• Redefine risk management from being seen primarily as hazard avoidance/management to a tool to increase certainty key objectives are achieved while still operating with a tolerable level of retained risk

• Provide management and boards with a practical solution to meet escalating board risk oversight and risk governance expectations

• Generate higher levels of management and board participation in ERM and internal audit

• Put the focus and resources on top value creation and potential value erosion end result objectives


28


• Transition organizations from “supply driven” to

“board/demand driven” assurance

• Provide a platform to “optimize” risk treatment

design (i.e. lowest possible cost combination of

risk treatments capable of producing an

acceptable residual risk status)

• Integrate the work of all assurance functions

including IA, risk, safety, compliance, insurance,

legal, and others


29


• Elevate the stature of and value added by Internal Audit and ERM support staff

• Integrate strategic planning and ERM

• Engage boards and senior management defining the amount of risk assessment rigor and independent assurance. This is a key risk decision in its own right that hasn’t been sufficiently recognized

• Clarify accountabilities and role of all key assurance players including the board, senior management, work units, ERM staff and internal audit

• Meet emerging risk oversight expectations


30

5LoA Core Elements

Use an “OBJECTIVES REGISTER” with top value creation/strategic

objectives and top potential value erosion objectives as the

foundation for all ERM and internal audit work, not a “risk register” or

“audit universe”


31

5LoA Core Elements

“Top potential value erosion objectives” are also called

“foundation objectives” and include compliance with laws,

reliable external disclosures, safety and other social responsibility

objectives.


32

5LoA Core Elements

Engage senior management and the board in the

process used to decide which objectives to include

in the “OBJECTIVES REGISTER


33

5LoA Core Elements

Engage senior management and the board in the

process used to decide “Risk Assessment Rigor”

and “Independent Assurance Level”


34

5LoA Core Elements

Conscious and transparent decisions on “Risk Assessment

Rigor/Rigour”


35

5LoA Core Elements

Conscious and transparent decisions on “Independent

Assurance Level”

NIA – No independent assurance LOW – A high level assurance review has been completed and a feedback report provided to the OWNER/SPONSOR and RISK OVERSIGHT COMMITTEE MEDIUM – An independent review has been completed to assess the completeness of risks identified, risk treatments and residual risk status information provided and a report provided to the OWNER/SPONSOR and RISK OVERSIGHT COMMITTEE HIGH – In addition to the steps defined for MEDIUM, steps have been taken to confirm the existence and effectiveness of the risk treatments identified.


36

5LoA Core Elements

Assign primary responsibility to report upwards on

the residual risk status linked to each objective to a

“OWNER/SPONSOR”


37

5LoA Core Elements

Consider the full range of “Risk Treatments” when

completing Risk Treatment Strategy section


38

5LoA Core Elements

Focus on the acceptability of “Residual Risk Status”,

specifically whether it is, or is not, within the entity’s risk

appetite and tolerance


39

5LoA Core Elements

Conscious and transparent decisions on “Composite

Residual Risk Rating”


40

5LoA Core Elements

After the decision on acceptability of residual risk status has been

made, assess whether the Risk Treatment strategy is Optimized


41

5LoA Core Elements

Provide consolidated reports on residual risk status to the

board


42

5LoA Key Benefits

• Boards are provided with a concise enterprise level report on the state of residual risk for the company’s top value creation and potential value erosion objectives

• The work of the “assurance silos” including IA, risk, safety, environment, compliance, legal, insurance and others is integrated

• Key information is provided to senior management and the board to assess if the current residual risk status linked to top objectives is, or is not, within the company’s risk appetite/tolerance


43

5LoA Key Benefits

• Boards are provided with a tangible vehicle to demonstrate they are actively overseeing the company’s “risk appetite framework” (“RAF”)

• The process is designed to fully integrate with strategic planning, new product/service initiatives, and M&A activities.

• The process provides a clear response to emerging expectations like the UK Governance Code, Canadian Securities Administrators, SEC, FSB, credit agencies, institutional investors and TSB.

• The main role of internal audit is to report on the effectiveness of the risk management processes and the consolidated report on residual risk status the board receives from the CEO or his/her designate and to help the company build and maintain robust risk management processes


44

5LoA Key Benefits

• Boards are provided with a tangible vehicle to demonstrate they are actively overseeing the company’s “risk appetite framework” (“RAF”)

• The process is designed to fully integrate with strategic planning, new product/service initiatives, and M&A activities.

• The process provides a clear response to emerging expectations like the UK Governance Code, Canadian Securities Administrators, SEC, FSB, credit agencies, institutional investors and TSB.

• The main role of internal audit is to report on the effectiveness of the risk management processes and the consolidated report on residual risk status the board receives from the CEO or his/her designate and to help the company build and maintain robust risk management processes


45

5LoA Key Benefit to Federal Departments:

Meets TSB Expectations

Generally, there are numerous tools and techniques for analyzing (e.g. workshops, surveys) and prioritizing (e.g. risk maps) risks. Organizations are encouraged to design a process that is appropriate for their own operating environment. In defining risk assessment activities within the risk management process, organizations may wish to provide direction regarding:

• who should be involved in the assessment of risks;

• how much rigour is required for a particular risk assessment exercise;

• what type of information needs to the collected and what level of detail is required; and

• how assessed risks should be documented for response purposes.



46

5LoA Examples

SVG Capital plc

London Stock Exchange

Jan 2015 Annual Report

Page 29


47

5LoA Examples

Ottawa Humane

Society:

The first charity

in the world to

implement BDO/OC


48

5LoA Examples

Western University is

a licensed user of

Risk Oversight Solutions

training tools and materials


49

5LoA Tools


50

5LoA Implementation Overview


51

QUESTIONS???

Thank you

[email protected]

Five Lines of Assurance: A New Paradigm in …...recently, “Paradigm Paralysis in ERM and Internal...

Documents

Transcript of Five Lines of Assurance: A New Paradigm in …...recently, “Paradigm Paralysis in ERM and Internal...