INTERNAL AUDIT AND OPERATIONAL RISK TACKLING TODAY’S EMERGING RISKS TOGETHER


Page 1: INTERNAL AUDIT AND OPERATIONAL RISK · Risk Inventory & Top-Down Assessment Key Indicator Management Bottom-Up Risk Assessment Project Risk Assessments Audit Entity and Risk Universe

INTERNAL AUDIT AND OPERATIONAL RISK

Tackling Today’s Emerging Risks Together

Page 2

Operational Risk Management Today

Companies are struggling to obtain a holistic view of risk and show ROI on risk management activities.

Risk Complexity · Risk Volatility · Volume of Risks · Resource Demands

© Copyright 2016 EMC Corporation. All rights reserved.

Page 3

Internal Audit Today

Are internal audit departments positioned to keep up with the audit requirements imposed by complex, increasing risks and drive strategic value?

Frequency · Complexity · Variety

Page 4

Emerging Risks

• IT risks, such as cyber, cloud, IoT
• Reputation and social media
• Third-party relationships
• Accountability to ensure effective oversight of risks
• Convergence of risk management activities for a holistic view
• Increased regulations, e.g., compliance with the EU General Data Protection Regulation
• The risk culture of the organization
• Strategic change management
• Talent recruitment and retention
• Complex financial and operating models
• Resiliency risks

Page 5

Risk noise…

We believe organizations need to embrace risk to remain competitive but are not positioned to optimally manage risk.

• Who is responsible for this loss?
• Is this really a high risk?
• Why aren’t we using the same language to talk about risks across the company?
• Why is the same risk being assessed in different ways?
• This metric shows the risk profile changing; how is it being addressed?
• Are the auditors aware of this? Where were the auditors?

Page 6

A siloed, static approach will not survive

We believe organizations today face more risks and changes than their audit groups are positioned to keep up with.

In order to enhance Internal Audit’s value within the organization, it must take a coordinated, risk-based approach.

Page 7

Auditor Independence

• Free from conditions that restrict unbiased activity
• CAE has direct access to senior management and the board
• Objective, unbiased mental attitude and judgment

1100 - Independence and Objectivity: The internal audit activity must be independent, and internal auditors must be objective in performing their work.

Page 8

Auditor Risk Management

2010.6 Internal audit planning needs to make use of the organizational risk management process, where one has been developed.

2120 The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.

2200-2.6 Internal auditors need to assess whether management’s identification and assessment of the key controls is adequate.

2210.A1 Internal auditors consider management’s assessment of risks relevant to the activity under review.

Page 9

Similarities between Audit and ORM

Audit Universe
• Organizational units, such as a department or process
• Standards and regulatory topics
• Regular frequency of audits

Risk Universe
• Business Context
• Risk register
• Standards and regulatory topics
• Regular frequency of evaluation

Page 10

Similarities between Audit and ORM

Audit Risk Assessments
• Audit universe risk assessment
• Tier Two risk assessment (i.e., scoping the audit engagement)
• Events

ORM Risk Assessments
• Risk register assessments
• Risk Projects
• Top-down or bottom-up assessments
• Risk Events

Page 11

Similarities between Audit and ORM

Audit Risk and Control Matrix
• Risks and their potential impact
• Controls that mitigate the risks
• Audit procedures to test the controls
• Findings Remediation

ORM Risks and Key Controls
• Risks and their potential impact
• Key Mitigating Controls
• Other 2nd and 3rd LOD test the controls
• Findings Remediation

Page 12

Key ORM Program Components: Risk Events

• Any circumstance where, through lack or failure of a control, a loss was sustained or could have been sustained
• Includes situations where a loss could have been incurred, but in fact a gain was realized (positive risks)
• Risk Events inform improvements to processes or controls to reduce the recurrence and/or magnitude of risk events
• Lessons learned are also gathered from external risk event information to support and inform risk identification, assessment and measurement

Page 13

Key ORM Program Components: Key Risk Indicators

• Key Risk Indicators (KRIs) are metrics which allow organizations to monitor their risk profile
• KRIs include measurable thresholds that reflect the risk tolerances of the business
• KRIs are monitored to alert management when risk levels exceed, or may exceed, acceptable ranges, individually or collectively (usually aspirational)
• KRI monitoring drives timely, proactive decision-making and actions

Page 14

Key ORM Program Components: Risk Scenario Analysis

• Considers an array of abnormal, extraordinary, maximum-severity events for key risks throughout the organization
• Assesses potential frequency and impact of such events
• Includes analysis of internal and external loss experience, KRIs, and RCSAs
• Considers circumstances and contributing factors that could lead to an extreme event, and controls that would limit its likelihood and impact
• Management concludes whether the potential risk is acceptable or whether changes in control or business strategy are required

Page 15

Key ORM Program Components: Issue Management

• Central repository of all internal, external and regulatory audit issues
• Specifies management accountability for the issue and its due date
• Captures and tracks remediation plans
• Escalation of past-due issues and remediation plans
• Provides assurance that all issues are captured and addressed in accordance with severity

Page 16

Key ORM Program Components: Change Management

Ensure the identification and assessment of risk inherent in all material changes to products, activities, processes and systems, to make sure the inherent risks and incentives are well understood.

• Process for all new products, partners, activities, processes and systems that fully assesses operational risk
• 1st Line: responsibility to identify, assess and implement
• 2nd Line: must be aware, challenge, and verify alignment to the risk management framework and risk appetite

Page 17

A New Risk World

We must build business context, consistently understand significant risks regardless of their source, streamline processes, and engage the first line of defense.

Page 18

A New World for Audit

Audit must drive consistency with, and leverage, ORM to drive greater efficiency in the execution of the audit plan.

We need to change our approach from compliance-driven to risk-driven to ensure a focus on the right priorities as they change.

Page 19

Risk Management Framework (diagram)

Diagram labels: Board / Executive Team · Business Strategy · Risk Strategy · Risk Appetite · Risk Profile · Governance & Oversight · Tolerances & Authorities · Culture, Communications & Training

Lines of Defense

First Line: Business Lines & Support Functions
• Product, process, risk, & control ownership & management
• Business strategy execution
• Revenue generation & support

Second Line: Independent Risk Oversight Functions
• ERM, ORM, Compliance, Credit Review, etc.
• Risk Management Framework; alignment monitoring; challenging 1st Line; facilitation

Third Line
• Internal & External Audit
• Independent validation and reporting of program design & effectiveness; leverage information

Risk Management Activities

Identify
• Where is risk?
• Internal & external threat sources
• How risk arises
• Business context
• Scenarios / what-if

Assess
• Inherent/Residual
• Likelihood/Impact
• Volatility/Speed
• Rating scales
• Top-Down/Bottom-Up
• Qualitative/Quantitative
• RCSAs & Modeling

Decision
• Accept, Reject, Reduce
• Manual/Automated
• Decision escalation based on risk tolerances & delegated authorities

Treat
• “Right” people
• Policies, procedures, controls, incentives
• Risk transfer (insurance & hedging)
• Risk reserves & risk-based pricing

Monitor
• Risk profile
• Business changes
• KRIs, KCIs, KPIs
• Losses, near misses, external events
• Outstanding issues
• Model output

Page 20

ORM and ERM

Responsibility matrix. Columns (responsible function): CAE; CEO, CRO, ERM; Chief Credit Officer; ORM; CFO, Treasurer; CHRO; CLO; CCO; CISO; BCM; Vendor RM. ORM and ERM appear as group labels spanning the columns. Rows (risk area, one X per responsible function):

AUDIT X
STRATEGY, FINANCIAL HEALTH X X
CREDIT X X
LIQUIDITY, MARKET, FX X X
PEOPLE, TALENT MGMT X X X
ALL ERRORS & FRAUD X X
FINANCIAL REPORTING, SOX X X X
LITIGATION MGMT X X X
INFORMATION SECURITY X X X
BUSINESS CONTINUITY, DR X X X
3RD PARTY RISK & PERF X X X X X X X X X X
REGULATORY COMPLIANCE X X X X X X X X X X
REPUTATION X X X X X X X X X X

Page 21

Operational Risk Management Foundation (diagram)

Maturity stages: Siloed → Managed → Advantaged

Siloed end of the scale: Static Risk Evaluation · Regulatory Driven Universe · Static Controls Testing · Separate Risk Assessments

Advantaged end of the scale: Continuous Controls Monitoring · Dynamic Risk Evaluation

Operational Risk Use Cases | Adjacent GRC Use Cases | Audit Use Cases
• Loss Event Management
• Risk Inventory & Top-Down Assessment
• Key Indicator Management
• Bottom-Up Risk Assessment
• Project Risk Assessments
• Audit Entity and Risk Universe

Key Adjacencies: Policy Program Management · Controls Assurance Program Management · Issues Management · IT Risk Management

Page 22

Does Risk Management Really Drive Growth?

References: Journal of Accountancy, EY and PwC

Page 23

ORM and Audit

Must enable organizations to:

► Establish common business context for risk
► Consistently assess risk
► Evaluate loss events and perform root cause analysis
► Monitor changes in risk using key risk and control indicators
► Obtain a holistic view of risk

Page 24

Inspire Everyone to Own Risk

• Engage business units to more easily identify and manage the increasing volume and complexity of risk
• Address risk consistently across your organization
• Tie strategy to execution

Page 25

Thank You

[email protected]
@pnpotter1017
Patrick Potter on LinkedIn

Page 26

EMC, RSA, Archer, the EMC logo and the RSA logo are registered trademarks of EMC Corporation in the U.S. and other countries.