Five Lines of Assurance: A New Paradigm in …...recently, “Paradigm Paralysis in ERM and Internal...
Transcript of Five Lines of Assurance: A New Paradigm in …...recently, “Paradigm Paralysis in ERM and Internal...
© Risk Oversight Solutions Inc.
Five Lines of Assurance: A New
Paradigm in Internal Audit & ERM
Tim Leech, Managing Director
Risk Oversight Solutions Inc. [email protected]
www.riskoversightsolutions.com
© Risk Oversight Solutions Inc.
2
Speaker Professional Profile
Tim J. Leech, FCPA CIA CRMA CCSA CFE is Managing Director at Risk Oversight Solutions Inc. based in Oakville, Ontario,
Canada and Sarasota, Florida. He has over 30 years of experience in the risk governance, internal audit, IT, and forensic
accounting/litigation support fields. His experience base includes setting up a new business unit, a “first of its kind”, for Coopers &
Lybrand, “Control & Risk Management Services” in 1987; founding in 1991, building, and successfully selling CARD®decisions, a
global risk and assurance consulting and software firm, to Paisley/Thomson Reuters in 2004; serving as Paisley’s Chief
Methodology Officer from 2004 -2007; and 30+ years of global experience helping clients around the world with internal audit
transformation initiatives and the design, implementation, and maintenance of integrated and more powerful ERM/IA methodology
and technology frameworks.
He developed and successfully released CARD®map, the world’s first integrated risk and assurance software, in 1997. The
web-enabled “cloud” version of CARD®map was released in 2000. Tim was the first in 2009 to develop and deliver training on IIA
IPPF Standard 2120 to equip internal auditors to assess and report on the effectiveness of risk management processes. He is the
author of the Conference Board Director Notes December 2012 publication “Board Oversight of Management’s Risk Appetite and
Tolerance”, co-author of the highly acclaimed January 2014 “Risk Oversight: Evolving Expectations for Boards”, and most
recently, “Paradigm Paralysis in ERM and Internal Audit” in the summer 2016 issue of Ethical Boardroom. His ground breaking
article, “Reinventing Internal Audit”, published in the April 2015 issue of Internal Auditor magazine has attracted global recognition
and was awarded a 2016 Outstanding Contribution Award from IIA global.
In 2013 he launched a second generation of disruptive innovation with a breakthrough approach to risk and assurance
management – “Five Lines of Assurance: Board & C-Suite Driven/Objective-centric ERM and Internal Audit”. The goal – respond
to the rapid escalation in board risk oversight expectations and deliver substantially more “bang for the buck” from formal
assurance spending.
Leech was the recipient of IIA Canada’s first Outstanding Contributions to the Profession award at the first IIA Canada national
conference in Quebec City in 2009, and is currently working with IIA Global in Florida to roll-out training on “Five Lines of
Assurance/Board & C-Suite Driven/Objective Centric ERM and internal audit to CAEs, IIA National Institutes, and in-house IIA
training clients around the world.
© Risk Oversight Solutions Inc.
3
Presentation Agenda
Part 1: Escalating Expectations
• Escalating Expectations: Regulators
• Escalating Expectations: Credit Agencies
• Escalating Expectations: Institutional Investors
• Escalating Expectations: Director Associations
• Escalating Expectations: Internal Audit & ERM Customers
• IIA Response to date
• The Way Forward: Five Lines of Assurance-A New Paradigm in ERM & Internal Audit
© Risk Oversight Solutions Inc.
4
Part 2 Five Lines of Assurance- A New
Paradigm in ERM and IA
• 5LoA Design Objectives
• 5LoA Core Elements
• 5LoA Key Benefits
• 5LoA Examples
• 5LoA Tools
• 5LoA Implementation Overview
Presentation Agenda
© Risk Oversight Solutions Inc.
5
Escalating Expectations: Regulators
© Risk Oversight Solutions Inc.
6
Escalating Expectations: Regulators
CSA Expectations: Canadian Public Companies
Material risks are required to be disclosed in regulatory filings such as an AIF or a prospectus. The way in which an issuer manages those risks may vary between industries and even between issuers within an industry according to their particular circumstances. It is important for investors to understand how issuers manage those risks.
Disclosure regarding oversight and management of risks should indicate:
• the board’s responsibility for oversight and management of risks, and
• any board and management-level committee to which responsibility for oversight and management of risks has been delegated.
The disclosure should provide insight into:
• the development and periodic review of the issuer’s risk profile
• the integration of risk oversight and management into the issuer’s strategic plan
• the identification of significant elements of risk management, including policies and procedures to manage risk, and
• the board’s assessment of the effectiveness of risk management policies and procedures, where applicable.
Source: CSA STAFF NOTICE 58-306 2010 CORPORATE GOVERNANCE DISCLOSURE COMPLIANCE REVIEW
December 2, 2010, page24 http://bit.ly/ezvf3O
© Risk Oversight Solutions Inc.
7
Escalating Expectations: Regulators
Financial Stability Board (“FSB”) November 2013:
© Risk Oversight Solutions Inc.
8
Escalating Expectations: Regulators
Financial Stability Board (“FSB”) November 2013:
© Risk Oversight Solutions Inc.
9
Escalating Expectations: Regulators
Board responsibilities per FRC UK Sept 2014 Code
Boards are responsible for:
• determining the extent to which the company is willing to take on risk (its “risk appetite”);
• ensuring that an appropriate “risk culture” has been instilled throughout the organization;
• identifying and evaluating the principal risks to the company’s business model and the achievement of its strategic objectives, including risks that could threaten its solvency or liquidity;
• agreeing how these risks should be controlled, managed, or mitigated;
© Risk Oversight Solutions Inc.
10
Escalating Expectations: Regulators
© Risk Oversight Solutions Inc.
11
Escalating Expectations: Regulators
Integrated Risk Management
Risk management cannot be practiced effectively in silos. As a result, integrated risk management promotes a continuous, proactive and systematic process to understand, manage and communicate risk from an organization-wide perspective in a cohesive and consistent manner. It is about supporting strategic decision-making that contributes to the achievement of an organization's overall objectives. It requires an ongoing assessment of risks at every level and in every sector of the organization, aggregating these results at the corporate level, communicating them and ensuring adequate monitoring and review. Integrated risk management involves the use of these aggregated results to inform decision-making and business practices within the organization.
Source: TBS Guide to Integrated Risk Management May 2016
© Risk Oversight Solutions Inc.
12
Escalating Expectations: Regulators
Deputy Heads Deputy Heads are responsible for managing their organization's risks by leading the implementation of effective risk management practices, both formal and informal. This includes establishing the organization's overall risk management approach and ensuring that supporting processes are in place. In doing so, Deputy Heads are encouraged to apply the principles outlined in section 2.3. A key role of the Deputy Head is to ensure that risk management principles and practices are understood and integrated into the various activities of his/her organization. Deputy Heads are also responsible for monitoring risk management practices in their organizations, as well as considering risks that arise when partnering with organizations within and external to the federal public service. This includes ensuring that issues affecting the organization's risk management approach, whether identified through assessments or internal and external monitoring, are examined, reviewed and addressed effectively. In addition, Deputy Heads play an important role in creating a learning environment that promotes continuous improvement in risk management competencies and capacity within their organization. Through their leadership, Deputy Heads foster a risk-informed organizational culture that supports risk-informed decision-making, enables dialogue on risk tolerance, focuses on results and enables the consideration of both opportunity and innovation.
Source: TBS Guide to Integrated Risk Management May 2016
© Risk Oversight Solutions Inc.
13
Escalating Expectations: Regulators
Generally, there are numerous tools and techniques for analyzing (e.g. workshops, surveys) and prioritizing (e.g. risk maps) risks. Organizations are encouraged to design a process that is appropriate for their own operating environment. In defining risk assessment activities within the risk management process, organizations may wish to provide direction regarding:
• who should be involved in the assessment of risks;
• how much rigour is required for a particular risk assessment exercise;
• what type of information needs to the collected and what level of detail is required; and
• how assessed risks should be documented for response purposes.
Source: TBS Guide to Integrated Risk Management May 2016
© Risk Oversight Solutions Inc.
14
Escalating Expectations: Credit Agencies
© Risk Oversight Solutions Inc.
15
Escalating Expectations: Credit Agencies
S&P: “We believe that successful risk culture
begins with fostering open dialogue where every
employee in the organization has some level of
ownership of the organization's risks, can readily
identify the broader impacts of local decisions, and
is rewarded for identifying outsize risks to senior
levels. In such cultures, strategic decision-making
routinely includes a review of relevant risks and
alternative strategies rather than a simple return-on-investment analysis.” (page 4)
© Risk Oversight Solutions Inc.
16
Escalating Expectations: Institutional Investors
© Risk Oversight Solutions Inc.
17
Escalating Expectations: Institutional Investors
© Risk Oversight Solutions Inc.
18
Escalating Expectations: Director Associations
© Risk Oversight Solutions Inc.
19
Escalating Expectations: IA Customers
© Risk Oversight Solutions Inc.
20
Escalating Expectations: IA Customers
© Risk Oversight Solutions Inc.
21
IIA Response to Date
2120 – Risk Management
“The internal audit activity must evaluate the
effectiveness and contribute to the
improvement of the risk management process”
© Risk Oversight Solutions Inc.
22
IIA Response to Date
© Risk Oversight Solutions Inc.
23
IIA Response to Date
© Risk Oversight Solutions Inc.
24
The Way Forward: Reinvent Internal Audit
© Risk Oversight Solutions Inc.
25
The Way Forward: Five Lines of Assurance
© Risk Oversight Solutions Inc.
26
The Way Forward: Paradigm Shift Required
© Risk Oversight Solutions Inc.
27
5LoA Design Objectives
• Redefine risk management from being seen primarily as hazard avoidance/management to a tool to increase certainty key objectives are achieved while still operating with a tolerable level of retained risk
• Provide management and boards with a practical solution to meet escalating board risk oversight and risk governance expectations
• Generate higher levels of management and board participation in ERM and internal audit
• Put the focus and resources on top value creation and potential value erosion end result objectives
© Risk Oversight Solutions Inc.
28
5LoA Design Objectives
• Transition organizations from “supply driven” to
“board/demand driven” assurance
• Provide a platform to “optimize” risk treatment
design (i.e. lowest possible cost combination of
risk treatments capable of producing an
acceptable residual risk status)
• Integrate the work of all assurance functions
including IA, risk, safety, compliance, insurance,
legal, and others
© Risk Oversight Solutions Inc.
29
5LoA Design Objectives
• Elevate the stature of and value added by Internal Audit and ERM support staff
• Integrate strategic planning and ERM
• Engage boards and senior management defining the amount of risk assessment rigor and independent assurance. This is a key risk decision in its own right that hasn’t been sufficiently recognized
• Clarify accountabilities and role of all key assurance players including the board, senior management, work units, ERM staff and internal audit
• Meet emerging risk oversight expectations
© Risk Oversight Solutions Inc.
30
5LoA Core Elements
Use an “OBJECTIVES REGISTER” with top value creation/strategic
objectives and top potential value erosion objectives as the
foundation for all ERM and internal audit work, not a “risk register” or
“audit universe”
© Risk Oversight Solutions Inc.
31
5LoA Core Elements
“Top potential value erosion objectives” are also called
“foundation objectives” and include compliance with laws,
reliable external disclosures, safety and other social responsibility
objectives.
© Risk Oversight Solutions Inc.
32
5LoA Core Elements
Engage senior management and the board in the
process used to decide which objectives to include
in the “OBJECTIVES REGISTER
© Risk Oversight Solutions Inc.
33
5LoA Core Elements
Engage senior management and the board in the
process used to decide “Risk Assessment Rigor”
and “Independent Assurance Level”
© Risk Oversight Solutions Inc.
34
5LoA Core Elements
Conscious and transparent decisions on “Risk Assessment
Rigor/Rigour”
© Risk Oversight Solutions Inc.
35
5LoA Core Elements
Conscious and transparent decisions on “Independent
Assurance Level”
NIA – No independent assurance LOW – A high level assurance review has been completed and a feedback report provided to the OWNER/SPONSOR and RISK OVERSIGHT COMMITTEE MEDIUM – An independent review has been completed to assess the completeness of risks identified, risk treatments and residual risk status information provided and a report provided to the OWNER/SPONSOR and RISK OVERSIGHT COMMITTEE HIGH – In addition to the steps defined for MEDIUM, steps have been taken to confirm the existence and effectiveness of the risk treatments identified.
© Risk Oversight Solutions Inc.
36
5LoA Core Elements
Assign primary responsibility to report upwards on
the residual risk status linked to each objective to a
“OWNER/SPONSOR”
© Risk Oversight Solutions Inc.
37
5LoA Core Elements
Consider the full range of “Risk Treatments” when
completing Risk Treatment Strategy section
© Risk Oversight Solutions Inc.
38
5LoA Core Elements
Focus on the acceptability of “Residual Risk Status”,
specifically whether it is, or is not, within the entity’s risk
appetite and tolerance
© Risk Oversight Solutions Inc.
39
5LoA Core Elements
Conscious and transparent decisions on “Composite
Residual Risk Rating”
© Risk Oversight Solutions Inc.
40
5LoA Core Elements
After the decision on acceptability of residual risk status has been
made, assess whether the Risk Treatment strategy is Optimized
© Risk Oversight Solutions Inc.
41
5LoA Core Elements
Provide consolidated reports on residual risk status to the
board
© Risk Oversight Solutions Inc.
42
5LoA Key Benefits
• Boards are provided with a concise enterprise level report on the state of residual risk for the company’s top value creation and potential value erosion objectives
• The work of the “assurance silos” including IA, risk, safety, environment, compliance, legal, insurance and others is integrated
• Key information is provided to senior management and the board to assess if the current residual risk status linked to top objectives is, or is not, within the company’s risk appetite/tolerance
© Risk Oversight Solutions Inc.
43
5LoA Key Benefits
• Boards are provided with a tangible vehicle to demonstrate they are actively overseeing the company’s “risk appetite framework” (“RAF”)
• The process is designed to fully integrate with strategic planning, new product/service initiatives, and M&A activities.
• The process provides a clear response to emerging expectations like the UK Governance Code, Canadian Securities Administrators, SEC, FSB, credit agencies, institutional investors and TSB.
• The main role of internal audit is to report on the effectiveness of the risk management processes and the consolidated report on residual risk status the board receives from the CEO or his/her designate and to help the company build and maintain robust risk management processes
© Risk Oversight Solutions Inc.
44
5LoA Key Benefits
• Boards are provided with a tangible vehicle to demonstrate they are actively overseeing the company’s “risk appetite framework” (“RAF”)
• The process is designed to fully integrate with strategic planning, new product/service initiatives, and M&A activities.
• The process provides a clear response to emerging expectations like the UK Governance Code, Canadian Securities Administrators, SEC, FSB, credit agencies, institutional investors and TSB.
• The main role of internal audit is to report on the effectiveness of the risk management processes and the consolidated report on residual risk status the board receives from the CEO or his/her designate and to help the company build and maintain robust risk management processes
© Risk Oversight Solutions Inc.
45
5LoA Key Benefit to Federal Departments:
Meets TSB Expectations
Generally, there are numerous tools and techniques for analyzing (e.g. workshops, surveys) and prioritizing (e.g. risk maps) risks. Organizations are encouraged to design a process that is appropriate for their own operating environment. In defining risk assessment activities within the risk management process, organizations may wish to provide direction regarding:
• who should be involved in the assessment of risks;
• how much rigour is required for a particular risk assessment exercise;
• what type of information needs to the collected and what level of detail is required; and
• how assessed risks should be documented for response purposes.
Source: TBS Guide to Integrated Risk Management May 2016
© Risk Oversight Solutions Inc.
46
5LoA Examples
SVG Capital plc
London Stock Exchange
Jan 2015 Annual Report
Page 29
© Risk Oversight Solutions Inc.
47
5LoA Examples
Ottawa Humane
Society:
The first charity
in the world to
implement BDO/OC
© Risk Oversight Solutions Inc.
48
5LoA Examples
Western University is
a licensed user of
Risk Oversight Solutions
training tools and materials
© Risk Oversight Solutions Inc.
49
5LoA Tools
© Risk Oversight Solutions Inc.
50
5LoA Implementation Overview