Improve Your Risk Assessment Process in 4 Steps

IMPROVE YOUR RISK ASSESSMENT PROCESS, DRIVE TRANSFORMATIVE RESULTS…

…IN 4 EASY STEPS, TRULY

FUTUREPROOF 2014

I’VE HAD THE PRIVILEGE OF LEADING RISK ASSESSMENT

ACTIVITIES WITHIN MANY GREAT ORGANIZATIONS…

…WITNESSING WHAT WORKS AND, SOMETIMES, WHAT DOESN’T

• Lenovo

• Hewlett-Packard

• Verizon

• EDS

• Johnson Controls

• BHP Billiton

• Hong Kong MTR

• Kodak

• Gap

• Caterpillar

• General Motors

• Lear

• China - State-owned Assets Supervision & Administration Commission (SASAC)

• Etc.

RISK ASSESSMENT - EY SURVEY RESULTS

#1 “ADJUSTMENT” – IMPROVE THE RISK ASSESSMENT PROCESS


RISK ASSESSMENT – WITHIN THE BROADER, AND DYNAMIC, CORPORATE GOVERNANCE CONTEXT

KEY DRIVERS & INFLUENCES

• Shareholder Expectations – Institutional; Individual

• Government – Regulation; Monitoring; Support

• Financial – Rating agencies; Listing standards; Bondholders

• Other Stakeholders – Employees; Suppliers; Customers; Trade unions; Special interest groups

• Other factors – Competition; Disruptive technology; Macroeconomic events

BOARD & AUDIT COMMITTEE

EXECUTIVE MANAGEMENT

Business Units – Finance & Accounting; Legal; Human Resources; IT; Supply Chain; Capital Projects

ESTABLISH THE CORPORATE STRATEGY – Key objectives, targets, KPIs, balanced scorecard, risk appetite: define, communicate, monitor & refine

IDENTIFY & ASSESS KEY RISKS – Maximum foreseeable impact, likelihood, control effectiveness: drive appropriate, responsive action; define and monitor KRIs

MONITOR & ENHANCE CONTROLS – Manual, automated, prevent/detect, mitigating controls: document, test, remediate, transform, monitor for exceptions

ENSURE COMPLIANCE – Compliance management program: track regulations, update policies, train & enable

EXAMPLE - Internal Controls over Financial Reporting (SOX)

EXAMPLE - Foreign Corrupt Practices (FCPA)

EXAMPLE - Payment Card Industry (PCI)

ASSURANCE & MONITORING

IT SYSTEMS & DATA

REPORTING & COMMUNICATIONS

RISK ASSESSMENT – AN IIA PERSPECTIVE

• “Practice Advisory 2120-2 - Every organization will experience control breakdowns. Often times when controls fail or frauds occur, someone will ask: “Where were the internal auditors?” The internal audit activity could be a contributing factor due to:

– Lack of an effective risk assessment process to identify key audit areas during the strategic risk assessment, as well as areas of high risk during the planning of individual audits – as a result, failure to do the right audits and/or time wasted on the wrong audits.”

RISK ASSESSMENT – IF ONLY IT WERE SIMPLE

1. Identifying risks to achieving objectives requires – objectives. If a robust strategic planning process is absent, risk assessment may take on the role of surrogate.

2. Risk assessment is often relegated to “off-cycle” periods (after planning, budgeting and forecasting are complete) - wherein management is available but the results are significantly less relevant and/or impactful.

3. Risk assessment output is unreliable due to insufficient information and/or requisite expertise, groupthink, dominant voice in the room, bias, anchoring, CYA behaviours, etc.

4. The process:

– Promotes enterprise list management rather than enterprise risk management

– Evokes unenthusiastic support from executive management: “I have a business to run”… “How long will this workshop last?”

– Produces reports and heat maps that fail to drive appropriate, responsive action(s)

5. Other challenges?

RISK ASSESSMENT – A TIME OF UNPRECEDENTED OPPORTUNITY

1. Boards are getting more progressive, proactive…and nervous

2. Management desires to reduce cost and increase value

3. Internal auditors desire to get more out of life

4. Simple shifts in your risk assessment approach have the potential to transform:

– levels of executive and board engagement

– value and relevance of outputs

– internal audit’s stature in the organization

– your relationship with the AC chair

4 SIMPLE STEPS

1. Get the timing right

2. Ensure that identified risks are truly risks - and not simply the inverse of an objective, i.e. “Failure to…”

3. Review/enhance your risk assessment criteria – to better inform/drive responsive action

4. Produce simple, palatable risk reports - that align and integrate with the organization’s planning and performance management reports

#1 – GET THE TIMING RIGHT

• Align and integrate with:

– Planning, budgeting & forecasting cycles

– Board and executive reporting

– KPIs, key incentives

Typical sequence: Planning, Budgeting, Forecasting, then Risk Assessment

Better practice: Planning, Risk Assessment, Budgeting, Forecasting

#1 – GET THE TIMING RIGHT – COSO 2013 UPDATE: PRINCIPLES OF EFFECTIVE INTERNAL CONTROL

Risk Assessment component:

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.

9. The organization identifies and assesses changes that could significantly impact the system of internal control.

#1 – GET THE TIMING RIGHT – “ANCHOR” YOUR RISK ASSESSMENT

• Benefits

– Risks are more readily identified

– Greater ownership, relevance and value

– Often described by interviewees as the “risks that matter”

Diagram: Key Risks 1 to 6 anchored to Strategic Objectives 1 to 3 and Core Operational Objectives 1 to 3.

#2 - ENSURE THAT IDENTIFIED RISKS ARE TRULY RISKS

“Risk is the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.”

- Institute of Internal Auditors

Note – when most people think risk, they think downside

#2 - ENSURE THAT IDENTIFIED RISKS ARE TRULY RISKS

Rather, encourage respondents to identify the specific events that might trigger a failure

Objective – Reach the moon safely, land on it, and then return to Earth.

Risk – Failure to land on the Moon.

Risk – Oxygen tank explosion

“Failure to…” is not an option.

And neither is, “Inability to…”

#2 - ENSURE THAT IDENTIFIED RISKS ARE TRULY RISKS – THEN, PERHAPS OFFER A DUAL-VIEW HEAT MAP

Dual-view heat map (figure): IMPACT (Low to High) plotted against MANAGEMENT PREPAREDNESS (Low to High). Two views are overlaid: Business Objectives / Initiatives (+) and Risks (-). Quadrant actions: Monitor; Remediate.

Formerly risks beginning with, “Failure to …” / “Inability to …”

#3 – ENHANCE YOUR RISK ASSESSMENT CRITERIA – A TYPICAL HEAT MAP

Heat map (figure): IMPACT (residual), Low to High, plotted against LIKELIHOOD, Low to High; quadrants numbered 1 to 4.

Which risks should comprise the focus of:

• Remediation

• Internal audit

• CSA

• Etc?

#3 – ENHANCE YOUR RISK ASSESSMENT CRITERIACOMMON APPROACHES – AND RELATED CHALLENGES

• Inherent risk - Too abstract - the notion of all controls failing, or not being present, is viewed by management as an irrelevant, academic exercise

• Residual risk - Respondents tend to be overly generous and/or optimistic in their ratings

#3 – ENHANCE YOUR RISK ASSESSMENT CRITERIA – ALTERNATIVE, ACTION-FOCUSED APPROACH

Heat map (figure): MAXIMUM FORESEEABLE IMPACT, Low to High, plotted against CONTROL EFFECTIVENESS (or, MANAGEMENT PREPAREDNESS), Low to High; quadrants numbered 1 to 4, with the actions Monitor and Remediate. Quadrants are marked as Potential CSA-focus and Potential IA-focus.

What is a plausible, worst-case scenario/impact?

#3 – ENHANCE YOUR RISK ASSESSMENT CRITERIA – AND ENSURE A THOROUGH, RELIABLE PROCESS

Identify potential risks for discussion – inputs:

• Interviews

• Surveys

• Data Analytics

• Subject Matter Specialists

• External Research / Sector Risk Reports

Select and profile key risks – risk profile:

• Risk description here

• Causal factors

• Impacts

• Preventative / Detective Controls

• Mitigating Controls

• Improvement Opportunities

Assess within a workshop setting – preparation:

• Procure: voting hardware; AV equipment; room

• Develop: risk rating criteria; communications to workshop participants

#3 – ENHANCE YOUR RISK ASSESSMENT CRITERIA – EMPLOY ANONYMOUS VOTING TECHNOLOGY, AS APPROPRIATE

• Anonymous response reduces fear of reprisal and enhances candour

• Enables areas of varied perception to be identified, explored and addressed

• Highly efficient

• Novelty enhances engagement

• Enables remote participation

Finally, the truth comes out

Can’t believe it - but I’m actually enjoying this!

#3 – ENHANCE YOUR RISK ASSESSMENT CRITERIA – BETTER INFORM YOUR ASSURANCE AND REMEDIATION STRATEGY

Assurance and remediation coverage map (figure). Columns – assurance providers: External audit; Internal audit (in-house); Internal audit (co-source); Internal Control Function; General Counsel’s Office; Compliance; Control Self Assessment. Rows – key risks, with the activity assigned across those providers (the figure marks which cells are in-scope):

• Risk #1 – Monitor / Test

• Risk #2 – Monitor / Test; Monitor / Test; Review / remediate

• Risk #3 – GAP – NO COVERAGE

• Risk #4 – Review / remediate; Monitor / Test

• Risk #6 – Monitor / Test; Monitor / Test

• Risk #7 – Monitor / Test

• Risk #8 – Monitor / Test; Review / remediate

#3 – ENHANCE YOUR RISK ASSESSMENT CRITERIA – ADD VALUE TO ALIGNED PROCESSES

The risk assessment process – An overview

Inputs: Corporate strategy; Shareholder value; Capital projects; Key initiatives; Performance targets

Set Objectives

Identify & Assess Risks – Strategic; Operational; Compliance / Legal; Financial

Drive Appropriate, Responsive Action(s) – Assurance planning; Ongoing monitoring; Remediation planning; Further analyses; Update budgets; Continuous improvement; Etc.

Feedback & report

#3 – Enhance your risk assessment criteria – Shifting sentiments, improving outcomes

Stakeholder sentiment, LOW to HIGH:

• Pessimistic

• Apathetic

• Naysayer

• Optimistic

• Engaged

• Advocate

#4 - PRODUCE SIMPLE, PALATABLE RISK REPORTS

Characteristics of effective documentation

• Simple, palatable & highly relevant

• Common formats, measures

• Providing timely information for decision making

Aligned processes:

Strategic Planning & Objective Setting

Budgeting & Forecasting

Assurance Planning, Execution & Reporting

Remediation

Capital Projects & Key Initiatives

Performance Management Systems & Reporting

Risk Identification, Assessment & Management

IT Strategy & Governance

#4 - PRODUCE SIMPLE, PALATABLE RISK REPORTS

Report columns:

• Objective – from planning documents

• Risk Rating(s) – from risk register

• KPI and/or KRI – from risk register

• Responsive Action – assurance or remediation activity

• Status or Planned Completion Date

• Outcome

IN SUMMARY – ENHANCING THE RISK ASSESSMENT PROCESS & OUTCOMES

1. Thorough preparation

2. Timing the risk assessment to occur between strategic planning and budgeting cycles, as appropriate

3. Linkage to objectives – strategic, capital projects, etc.

4. Risk definitions that focus upon the risk events that could negatively impact achievement of objectives

5. Strong leadership support, e.g. a supportive “tone at the top”

6. Identification and exploration of the areas where perceptions of risk impact, likelihood and/or control effectiveness diverge

7. Input and support of relevant subject matter specialists; reliable data

8. Avoidance or reduction of group think and/or a dominant voice

9. Risk assessment criteria that effectively inform and drive responsive action

10. Simple, palatable risk reports aligned to and integrated with the organization’s planning and performance management reports – especially at the summary level


QUESTIONS

APPENDIX - FOR REFERENCE

SAMPLE RATING CRITERIA – IMPACT

Dimensions: Financial; Operational; Reputation; People

5 Catastrophic

• Financial loss >$X M

• Loss of key systems for 5 days or more

• Sustained, highly negative mentions in press

• Multiple members of the leadership team exit the company; event triggers significant, irrecoverable loss of employee morale

4 Very High

• Financial loss $X to XM

• Loss of key systems for 1 to 5 days

• Highly negative mention(s) in press but largely recoverable within 6 months through proper crisis management

• Loss of a senior leader; high turnover of experienced staff; event triggers significant loss of employee morale but recoverable within 6 months; generally-pervasive low morale

3 High

• Financial loss $Xk to XM

• Loss of key systems for 4 to 8 hours

• Some negative press mentions but readily addressed and recoverable in 1 month or less

• Turnover is generally higher than normal (>15%) across all areas of the company; multiple pockets of low morale

2 Moderate

• Financial loss $X - Xk

• Loss of key systems for 1 to 4 hours

• Generally positive press with a few isolated instances of minor negative mentions

• Elevated turnover in some areas although non-critical; one or two pockets of low morale

1 Low

• Financial loss <$Xk

• Loss of key systems for less than 1 hour

• Positive press with only a few minor recommendations for product improvement

• Very isolated instances of staff dissatisfaction and/or instances of above average turnover

APPENDIX - FOR REFERENCE

SAMPLE RATING CRITERIA – RECOMMENDED RESPONSE

Rating – Recommended Response

• 5 – Urgent: urgently conduct activities

• 4 – Perform Deep Dive Analysis: perform a deep dive analysis to better understand what’s driving the risk

• 3 – Review and Enhance: review & remediate current risk management activities and/or controls, as appropriate

• 2 – Enhance: enhance risk management activities and/or controls

• 1 – Monitor: monitor risk management activities and/or controls

ANY QUESTIONS?


Brian Link

[email protected]

Mobile - 1 647 381 5515

Alternatively, contact me via