INTERNAL AUDIT AND OPERATIONAL RISK
TACKLING TODAY’S EMERGING RISKS TOGETHER
© Copyright 2016 EMC Corporation. All rights reserved.
Operational Risk Management Today
Companies are struggling to obtain a holistic view of risk and show ROI on risk management activities.
• Risk Complexity
• Risk Volatility
• Volume of Risks
• Resource Demands
Internal Audit Today
Are internal audit departments positioned to keep up with the audit requirements imposed by complex, increasing risks and drive strategic value?
• Frequency
• Complexity
• Variety
Emerging Risks
• IT risks, such as cyber, cloud, IoT
• Reputation and social media
• Third-party relationships
• Accountability to ensure effective oversight of risks
• Convergence of risk management activities for a holistic view
• Increased regulations, e.g., compliance with the EU General Data Protection Regulation
• The risk culture of the organization
• Strategic change management
• Talent recruitment and retention
• Complex financial and operating models
• Resiliency risks
Risk noise…
We believe organizations need to embrace risk to remain competitive but are not positioned to optimally manage risk.
• Who is responsible for this loss?
• Is this really a high risk?
• Why aren’t we using the same language to talk about risks across the company?
• Why is the same risk being assessed in different ways?
• This metric shows the risk profile changing; how is it being addressed?
• Are the auditors aware of this / where were the auditors?
A siloed, static approach will not survive
We believe organizations today face more risks and changes than their audit groups are positioned to keep up with.
In order to enhance Internal Audit’s value within the organization, they must take a coordinated, risk-based approach.
Auditor Independence
• Free from conditions that restrict unbiased activity
• CAE has direct access to senior management and the board
• Objective, unbiased mental attitude and judgment
1100 - Independence and Objectivity: The internal audit activity must be independent, and internal auditors must be objective in performing their work.
Auditor Risk Management
• 2010.6 Internal audit planning needs to make use of the organizational risk management process, where one has been developed.
• 2120 The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.
• 2200-2.6 Internal auditors need to assess whether management’s identification and assessment of the key controls is adequate.
• 2210.A1 Internal auditors consider management’s assessment of risks relevant to the activity under review.
Similarities between Audit and ORM
Audit Universe:
• Organizational units, such as a department or process
• Standards and regulatory topics
• Regular frequency of audits
Risk Universe:
• Business context
• Risk register
• Standards and regulatory topics
• Regular frequency of evaluation
Similarities between Audit and ORM
Audit Risk Assessments:
• Audit universe risk assessment
• Tier Two risk assessment (i.e., scoping the audit engagement)
• Events
ORM Risk Assessments:
• Risk register assessments
• Risk projects
• Top-down or bottom-up assessments
• Risk events
Similarities between Audit and ORM
Audit Risk and Control Matrix:
• Risks and their potential impact
• Controls that mitigate the risks
• Audit procedures to test the controls
• Findings remediation
ORM Risks and Key Controls:
• Risks and their potential impact
• Key mitigating controls
• Other 2nd and 3rd LOD test the controls
• Findings remediation
Key ORM Program Components: Risk Events
• Any circumstance where, through lack or failure of a control, a loss was sustained or could have been sustained
• Includes situations where a loss could have been incurred, but in fact a gain was realized (positive risks)
• Risk events inform improvements to processes or controls to reduce the recurrence and/or magnitude of risk events
• Lessons learned are also gathered from external risk event information to support and inform risk identification, assessment and measurement
Key ORM Program Components: Key Risk Indicators
• Key Risk Indicators (KRIs) are metrics which allow organizations to monitor their risk profile
• KRIs include measurable thresholds that reflect the risk tolerances of the business
• KRIs are monitored to alert management when risk levels are or may exceed acceptable ranges, individually or collectively (usually aspirational)
• KRI monitoring drives timely, proactive decision-making and actions
Key ORM Program Components: Risk Scenario Analysis
• Considers an array of abnormal, extraordinary, maximum-severity events for key risks throughout the organization
• Assesses potential frequency and impact of such events
• Includes analysis of internal and external loss experience, KRIs, and RCSAs
• Considers circumstances and contributing factors that could lead to an extreme event and controls that would limit its likelihood and impact
• Management concludes whether the potential risk is acceptable or whether changes in control or business strategy are required
Key ORM Program Components: Issue Management
• Central repository of all internal, external and regulatory audit issues
• Specifies management accountability for the issue and its due date
• Captures and tracks remediation plans
• Escalation of past-due issues and remediation plans
• Provides assurance that all issues are captured and addressed in accordance with severity
Key ORM Program Components: Change Management
• Ensure the identification and assessment of risk inherent in all material changes to products, activities, processes and systems, to make sure the inherent risks and incentives are well understood
• Process for all new products, partners, activities, processes & systems that fully assesses operational risk
• 1st Line: responsibility to identify, assess and implement
• 2nd Line: must be aware, challenge, and verify alignment to the risk management framework and risk appetite
A New Risk World
We must build business context, consistently understand significant risks regardless of their source, streamline processes, and engage the first line of defense.
A New World for Audit
Audit must drive consistency with, and leverage, ORM to achieve greater efficiency in the execution of the audit plan.
We need to change our approach from compliance-driven to risk-driven, to ensure a focus on the right priorities as they change.
Risk Management Framework
Governance & Oversight | Tolerances & Authorities
Board / Executive Team
Business Strategy | Risk Strategy | Risk Appetite
Lines of Defense
First Line: Business Lines & Support Functions
• Product, process, risk, & control ownership & management
• Business strategy execution
• Revenue generation & support
Second Line: Independent Risk Oversight Functions
• ERM, ORM, Compliance, Credit Review, etc.
• Risk Management Framework; Alignment Monitoring; Challenging 1st Line; Facilitation
Third Line: Internal & External Audit
• Independent validation and reporting of program design & effectiveness; Leverage information
Risk Management Activities
Identify
• Where is Risk?
• Internal & External threat-sources
• How Risk Arises
• Business Context
• Scenarios/What-if
Assess
• Inherent/Residual
• Likelihood/Impact
• Volatility/Speed
• Rating scales
• Top-Down/Bottom-Up
• Qualitative/Quantitative
• RCSAs & Modeling
Decision
• Accept, Reject, Reduce
• Manual/Automated
• Decision Escalation based on Risk Tolerances & Delegated Authorities
Treat
• “Right” People
• Policies, Procedures, Controls, Incentives
• Risk Transfer (Insurance & Hedging)
• Risk Reserves & Risk Based Pricing
Monitor
• Risk Profile
• Biz Changes
• KRIs, KCIs, KPIs
• Losses, near miss, external events
• Outstanding Issues
• Model output
Risk Profile
Culture, Communications & Training
ORM and ERM
Responsibility by role (columns): CAE | CEO, CRO, ERM | Chief Credit Officer | ORM | CFO, Treasurer | CHRO | CLO | CCO | CISO | BCM | Vendor RM (column groups: ORM, ERM)
AUDIT: X
STRATEGY, FINANCIAL HEALTH: X X
CREDIT: X X
LIQUIDITY, MARKET, FX: X X
PEOPLE, TALENT MGMT: X X X
ALL ERRORS & FRAUD: X X
FINANCIAL REPORTING, SOX: X X X
LITIGATION MGMT: X X X
INFORMATION SECURITY: X X X
BUSINESS CONTINUITY, DR: X X X
3RD PARTY RISK & PERF: X X X X X X X X X X
REGULATORY COMPLIANCE: X X X X X X X X X X
REPUTATION: X X X X X X X X X X
Operational Risk Management Foundation
Maturity stages: Siloed | Managed | Advantaged
Operational Risk Use Cases | Adjacent GRC Use Cases | Audit Use Cases
• Continuous Controls Monitoring
• Dynamic Risk Evaluation
• Key Adjacencies
• Policy Program Management
• Controls Assurance Program Management
• Issues Management
• IT Risk Management
• Loss Event Management
• Risk Inventory & Top-Down Assessment
• Key Indicator Management
• Bottom-Up Risk Assessment
• Project Risk Assessments
• Audit Entity and Risk Universe
• Static Risk Evaluation
• Regulatory Driven Universe
• Static Controls Testing
• Separate Risk Assessments
Does Risk Management Really Drive Growth?
References: Journal of Accountancy, EY and PwC
ORM and Audit
Must enable organizations to:
► Establish common business context for risk
► Consistently assess risk
► Evaluate loss events and perform root cause analysis
► Monitor changes in risk using key risk and control indicators
► Obtain a holistic view of risk
Inspire Everyone to Own Risk
• Engage business units to more easily identify and manage the increasing volume and complexity of risk
• Address risk consistently across your organization
• Tie strategy to execution
Thank You
@pnpotter1017
Patrick Potter on LinkedIn
EMC, RSA, Archer, the EMC logo and the RSA logo are registered trademarks of EMC Corporation in the U.S. and other countries.