30th September 2015

Risk Management and the Internal Audit profession – Two sides of the same coin?



© 2015 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Mike Wilson, Partner
M: 07557564333
E: [email protected]

Sam Arshad, Director
M: +44 7747 532 970
E: [email protected]

Definitions
■ Risk management;
■ Internal Audit; and
■ Two sides of the same coin.

Roles and responsibilities
■ Risk governance: Three lines of defence; and
■ Potential roles of Internal Audit.

Emerging themes
■ Leading Practices in Governance, Risk and Compliance;
■ Risk Management trends; and
■ UK Corporate Governance Code Update.


Definition of Risk Management

Risk Management (taken from the Institute of Risk Management).

Risk is part of life. Avoiding all risk would result in no achievement, no progress and no reward.

Risk is the combination of the probability of an event and its consequence. Consequences can range from … to …

Risks: Strategic, tactical and operational.

Risk management: Includes an assessment of the relative priority of risks and a rigorous approach to monitoring and controlling them.

To be effective, risk management must be proportionate to the size and nature of an organisation.


Definition of Internal Audit

Definition of internal auditing (Institute of Internal Auditors).

Independent, objective assurance.

A systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.


Definition of ‘Two sides of the same coin’

If two things are two sides of the same coin, they are very closely related although they seem different:

Violent behaviour and deep insecurity are often two sides of the same coin.


Risk Governance: Three lines of defence

First line of defence – Business owners of risk management, control and compliance (risk content accountability)
■ Manage risks/implement actions to manage and treat risk;
■ Comply with risk-management process;
■ Implement risk-management processes where applicable; and
■ Execute risk assessments and identify emerging risk.

Second line of defence – Standard setters of first line (risk process accountability)
■ Establish policy and process for risk management;
■ Strategic link for the enterprise in terms of risk;
■ Provide guidance and coordination;
■ Identify enterprise trends, synergies, and opportunities for change;
■ Liaison between third line of defence and first line of defence; and
■ Oversight over certain risk areas (e.g., credit, market) and in terms of certain enterprise objectives (e.g., compliance with regulation).

Third line of defence – Assurance providers (risk process and content monitoring)
■ Liaise with senior management and/or board;
■ Rationalise and systematise risk assessment and governance reporting;
■ Provide oversight; and
■ Provide assurance that risk-management processes are adequate and appropriate.


Potential roles of Internal Audit

The role of Internal Audit sits on a spectrum from core assurance (value preservation) to consultancy (value creation).

Potential roles for Internal Audit:
■ Compliance with policies & procedures;
■ Effectiveness of policies & procedures;
■ Compliance with laws and regulations;
■ Business performance;
■ Adequacy of response to new/emerging risks;
■ Effectiveness and efficiency of controls;
■ Strategic support; and
■ Shaping the future.

Drivers of the role of Internal Audit (ranging from Low to High):
■ Maturity of controls/environment;
■ Maturity of risk management processes;
■ Degree of independence of Internal Audit from the business; and
■ How much is budgeted, and where the priorities lie.

Other considerations:
■ Role/existence of other assurance activities.


Leading Practices in Governance, Risk & Compliance (GRC)

Current State

Effectiveness:
■ Blurring of risk and control responsibilities between 1st Line and risk and compliance functions (2nd Line);
■ Risk and compliance skills pertaining to new regulations are limited/unavailable;
■ Limited risk awareness at 1st Line; low risk/control experience; and
■ Inconsistent quality of control testing and test result documentation limits leverage.

Efficiency:
■ Risk and compliance touch points lack coordination and planning;
■ Lack of leveraging work among risk and compliance functions due to timing;
■ Limited linkage of issues repositories/databases; and
■ Risk and compliance skills and knowledge are not tracked, corroborated (tested) and documented.

Future State

Improving EFFICIENCY of risk and compliance processes via Centers of Excellence, streamlined to help alleviate burden on BUs and allow focus on core responsibilities.

Maintaining EFFECTIVENESS by applying Three Lines of Defense to clarify roles/responsibilities, closing the skills gap, and establishing Centers of Excellence for consistency and quality.

Centers of Excellence:

Control Testing
E.g., development of test scripts, scheduling of testing, conducting tests of controls, exception analysis, documentation of test results, etc.

Skills & Learning Development Center
E.g., skills tracking, skills database maintenance, facilitating development of risk and compliance curriculum, delivery of risk and compliance training, etc.

Knowledge & Data/Issues Management Center
E.g., execution and distribution of knowledge, provision of standards and guidance – framework, methodology, policies taxonomy reference, escalation rules, data repository / warehouse.

Master Calendar Planning Center
E.g., coordination of risk and compliance calendars for risk assessment and controls testing to streamline touch points at 1st Line, establishment of a Master Calendar Plan taking into account critical paths and minimum requirements, etc.


Trends in Risk Management

From                                            Towards
Governance and compliance perspective           Strategy and performance perspective
Focused on risk categories                      Focused on value chains, what is ‘at risk’
Single risks                                    Interconnected view
Within FY impact on liquidity and solvency      Multi-year impact – viability
‘Hard’ controls – policy, process, sanctions    People-based controls – behaviours


Trends in Risk Management: Connecting strategy and risk

Innovating and pursuing opportunity while balancing upside and downside.

Business model components:
■ Financial performance targets;
■ Markets;
■ Propositions and brands;
■ Clients and channels;
■ Core business processes;
■ Operational & technology infrastructure;
■ Organisational structure, governance, risk & controls;
■ People and culture; and
■ Measures and incentives.

Business model: growth, profitability, liquidity, leverage, operating model cost.

Risks to strategy:
■ Acquisitions;
■ Pricing;
■ New markets; and
■ New products.

External risks:
■ Natural hazards;
■ Commodity prices;
■ Geopolitical events; and
■ Cyber attack.

Internal risks:
■ Regulatory violations;
■ Quality issues;
■ Technology and data events; and
■ Product shortages.

The focus of the majority of today’s risk investments and programmes is value preservation, not value creation.


Trends in Risk Management: Understanding systemic risks

[Figure: Traditional risk map compared with an inter-connected view of risks.]


Trends in Risk Management: Risk Culture

KPMG’s ERM framework and KPMG’s Risk Culture Framework:
■ Action & Determination;
■ Competencies & Context;
■ Belief & Commitment; and
■ Knowledge & Understanding.

Cultural drivers

Visibility: Is the behaviour of staff consistent with the intended practices described in the policy and procedure?

Clarity: Are rules, (risk) policies and procedures accurate, concrete and complete, and do employees understand what is expected?

Role Modelling: Does management lead by example and display the behaviours that support risk-based decision-making?

Involvement: Do employees feel accountable for the proper use of risk policies and take ownership for the strategy of the organisation?

Openness: Is it normal to discuss risks, and is there an atmosphere of both challenge and mutual respect?

Practicability: Do the organisation’s targets correspond to the risk appetite and overall risk strategy, and are employees enabled to do what is requested of them in terms of managing risks?

Improvement: Are incidents and ‘near misses’ evaluated to determine potential risks, and do employees feel they learn from their mistakes?

Enforcement: Are employees rewarded for responsible behaviour, and is irresponsible behaviour disciplined?


UK Corporate Governance Code Update

Highlights

Key revisions covering:
■ Risk management and internal control;
■ Directors’ remuneration; and
■ Shareholder engagement.

New Guidance on Risk Management, Internal Control and Related Financial and Business Reporting (what was the ‘Turnbull Guidance’).

Applicable for periods beginning on or after 1 October 2014.


UK Corporate Governance Code Update (cont.)

Risk management and internal control

■ A robust assessment of the principal risks facing the company; and
■ Explicit disclosure of how they are being managed or mitigated.

C.2.1 … The directors should confirm in the annual report that they have carried out a robust assessment of the principal risks facing the company, including those that would threaten its business model, future performance, solvency or liquidity. The directors should describe those risks and explain how they are being managed or mitigated.

■ Expectation that the board monitors and reviews risk management and internal control systems on an ongoing basis.

C.2.3 … The board should monitor the company’s risk management and internal control systems and, at least annually, carry out a review of their effectiveness, and report on that review in the annual report. The monitoring and review should cover all material controls, including financial, operational and compliance controls.

Paragraph 40 … Regular reports to the board should provide a balanced assessment of the risks and the effectiveness of the systems of risk management and internal control in managing those risks. The board should form its own view on effectiveness, based on the evidence it obtains, exercising the standard of care generally applicable to directors in the exercise of their duties.

Key questions:
■ What constitutes a robust assessment, and what evidence will the directors need to support their statement?
■ Does the ‘principal risks’ disclosure need reassessing? Are they the ‘right’ risks?
■ Are the disclosures relating to the management and mitigation of the principal risks meaningful?
■ Does the board need to reassess the scope, frequency of reporting and assurance required?
■ Does the board have visibility over the full universe of risk and all material controls, including financial, operational and compliance?

WHAT IS THE ROLE OF INTERNAL AUDIT? WHAT IS THE ROLE OF RISK?


Risk management and the Internal Audit profession – Two sides of the same coin

AGREE? DISAGREE?


Thank you


The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

© 2015 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.