Providing Assurance on Risk Management

Providing Assurance on Risk Management: It Can be Done!
Paul J. Sobel, CIA, QIAL, CRMA
Vice President/Chief Audit Executive
Georgia-Pacific LLC
“I keep six honest serving men
(They taught me all I knew);
Their names are What and Why and When
And How and Where and Who.”
Rudyard Kipling, “The Elephant’s Child”
Questions for this Presentation
• Why provide assurance over risk management?
• What types of assurance can be provided?
• How can we provide assurance?
• Where do we get support for our assessment?
• When should assurance be provided?
• Who provides assurance?
Risk Management Assurance
• It is not providing reasonable assurance that:
– All risks are managed to an acceptable level.
– A specific risk is managed to an acceptable level.
• It is providing reasonable assurance that risk
management, as a whole, is achieving its
objectives.
• Unfortunately, there’s not much good guidance on
how to provide assurance.
Why Provide Assurance?
Standard 2120 – Risk Management
The internal audit activity must evaluate the effectiveness and
contribute to the improvement of risk management processes.
Interpretation
• Organizational objectives support and align
with the organization’s mission;
• Significant risks are identified and assessed;
• Appropriate risk responses are selected that
align with the organization’s risk appetite; and
• Relevant risk information is captured and
communicated.
Why Provide Assurance?
• Risk management effectiveness was one of the top five risk areas
for audit committees (2014 Pulse of the Profession survey).
• Only 7% of audit plan coverage relates to risk management (2015
Pulse of the Profession survey).
• Only 35% of respondents are Extremely or Very Confident in their
organization’s ability to identify and respond to emerging risks (2015
Pulse of the Profession survey).
• CAEs (64%) and audit committees (58%) expect an increase in
focus on risk management (Grant Thornton’s 2015 Competing
Priorities survey).
• Audit functions assessing some aspect of the ERM process/
framework will increase from 47% to 60% in the next five years
(PwC’s 2015 State of the Internal Audit Profession survey).
Why Provide Assurance?
• To be successful, organizations must find ways to:
– Create new value
– Protect existing value
• This requires good strategic planning and managing
the risks to the strategic plan.
– Intelligently take on risks that create value and enable success
– Mitigate risks that can destroy value and inhibit success
• Effective risk management helps an organization
achieve and sustain success.
• Therefore, assurance helps enable sustained success!
What Types of Assurance?
• Designed Adequately
– Aligned with organization’s objectives
– Consistent with Risk Management objectives
– Aligned with risk criteria (i.e., capacity,
attitude, appetite and tolerance levels)
– Relevant to the organization’s external and
internal context
• Operating Effectively
– Operating as designed
– Sustainable
What Types of Assurance?
• Risk Management system as a whole
– Shortly after implementation
– As the system matures
• Components of the Risk Management
system
• Risk Management within a discrete
business area
• Reaction to a risk event
How to Provide Assurance?
Standard 2120 Interpretation
The internal audit activity may gather the information to support this
assessment during multiple engagements. The results of these
engagements, when viewed together, provide an understanding of
the organization’s risk management processes and their
effectiveness.
1. Principles Alignment Approach
2. Comprehensive Assessment Approach
3. Maturity Assessment Approach
ISO 31000: 2009(E)
Principles (Clause 3)
• Creates value
• Integral part of organizational processes
• Part of decision making
• Explicitly addresses uncertainty
• Systematic, structured and timely
• Based on the best available information
• Tailored
• Takes human and cultural factors into account
• Transparent and inclusive
• Dynamic, iterative and responsive to change
• Facilitates continual improvement and enhancement of the organization
Framework (Clause 4)
• Mandate and commitment (4.2)
• Design of framework for managing risk (4.3)
• Implementing risk management (4.4)
• Monitoring and review of the framework (4.5)
• Continual improvement of the framework (4.6)
Process (Clause 5)
• Communication and consultation (5.2)
• Establishing the context (5.3)
• Risk assessment (5.4)
– Risk identification (5.4.2)
– Risk analysis (5.4.3)
– Risk evaluation (5.4.4)
• Risk treatment (5.5)
• Monitoring and review (5.6)
Principles Alignment
• How well does risk management (RM) support value
creation?
• How integrated is RM within organizational processes?
• How effectively does RM support decision making
throughout the organization?
• How comprehensively does RM identify and address
uncertainty?
• Is RM systematic, structured and timely enough to be
effective and sustainable?
• Does RM ensure decisions are based on the best
available information?
Principles Alignment
• Is RM sufficiently tailored to align with the organization’s
culture and operating style?
• Does RM effectively take human and cultural factors
into account?
• Is RM transparent and inclusive?
• Is RM dynamic, iterative and responsive to an ever-changing environment?
• Does RM facilitate continual improvement and
organizational enhancement?
Comprehensive Assessment
• Evaluates all aspects of the RM system.
• Assesses whether sound (not leading)
practices are operating in all key areas.
• Involves answering a series of questions
related to all key areas.
• Questions taken from ISO 31000:2009(E),
COSO ERM and other resources.
Clause 5.3.5 – Defining Risk Criteria
• Has the organization’s risk capacity been determined?
– Does the capacity reflect all survivability considerations?
– Has it been appropriately vetted with the board?
• Has the organization’s risk attitude been defined?
– Does the risk attitude reflect the organization’s culture & approach to risk
taking?
– Has it been communicated throughout the organization?
– Does it appear to be understood throughout the organization, or at least by
those responsible for making risk-related decisions?
• Have risk appetite statements been developed?
– Are these statements aligned with the organization’s overall risk capacity?
– Are the statements consistent with the organization’s risk attitude?
– Do the statements provide clarity around how the organization will take on or
avoid certain risk events or outcomes in pursuit of its business objectives?
– Are the statements adequately communicated to those who make risk-related decisions?
– Are the statements measurable as appropriate?
Clause 5.3.5 – Defining Risk Criteria
• Have risk tolerance levels been established?
– Are the tolerance levels consistent with the risk appetite statements?
– Do they align with the related business objectives?
– Do they consider both individual and aggregated risk outcomes?
– Do they set both upper and lower boundaries as appropriate?
– Do they help management make resource-deployment decisions?
– Are they periodically reevaluated based on changing business conditions?
• Have risk assessment criteria, other than impact and likelihood, been
considered?
– Are such criteria appropriately defined to avoid confusion as to their
meaning?
– Is it clear how such criteria will be used in the risk assessment process?
• Are different points of view appropriately considered when defining
risk criteria?
Where Do We Get Support?
• Internal auditors may already have much of
the support they need:
– Results of past audits
– Participation in board, committee and management
meetings
– Direct involvement in certain RM activities (such as
risk assessment)
– Ongoing discussions or meetings with those involved
with RM
Where Do We Get Support?
• Additional evidence may be gained from:
– Interviews with board members, management, risk owners and
others involved with RM.
– Reviewing minutes and other documentation from meetings of key
board and management committees.
– Reviewing RM policies and procedures.
– Conducting surveys re: RM awareness.
– Examining models, spreadsheets, etc.
– Testing accuracy and reliability of reports.
– Conducting or reviewing post-mortem results.
– Reviewing documentation supporting monitoring activities.
When to Provide Assurance?
• Shortly after RM implementation.
• A year or two after implementation.
• After key implementation phases are complete.
• After a significant risk event.
• If audit results indicate the RM system isn’t
achieving its objectives.
• For a specific component of RM that is of
particularly high risk.
Documenting a Comprehensive Assessment
A table with the following columns:
• Question
• Answer
• Support for Answer
• Gaps & Recommendations
Maturity Assessment
• Effectiveness is not necessarily binary – you
don’t magically go from ineffective to
effective.
• Not all areas need to be mature – it’s a cost/
benefit decision.
• Focus should be on closing largest gaps
between current and desired state.
– Management determines desired state, with
board input.
ERM Maturity Stages
From lowest to highest:
• Implementation Stage
• Maturity Stages
– Foundational Level
– Proficient Level
– Innovative Level
• Value Creation Stage
ERM Maturity Stages
• Implementation Stage – The period during which the organization is
implementing RM.
• Maturity Stages –
– Foundational Level – The organization has established a sound foundation
for ERM but does not yet have the experience to ensure RM effectiveness.
– Proficient Level – With experience, the organization becomes proficient at
operating the RM system. The system has been tested and appears to be
meeting the objectives of RM (typically the minimum level that is targeted).
– Innovative Level – Increasing innovation helps to find more precise,
creative and cost-effective ways of operating the RM system, which gives
the board and senior management greater confidence that the organization
can effectively manage significant risk events.
• Value Creation Stage – Focus shifts to optimizing the organization’s success,
using RM to create a competitive advantage and maximize value creation.
Maturity Criteria
• ERM Mandate and Commitment
• Framework Design
• Risk Criteria
• Risk Assessment
• Risk Treatment
• Risk Monitoring and Reporting
Risk Assessment Example
Foundational Level
• A risk universe has been developed that captures all known risk events and
uses terms understandable by people in the organization.
• Causes, sources, and interdependencies among risks are generally
understood.
• The risk universe has been assessed and prioritized, based on appropriate
risk assessment criteria.
Proficient Level
• The risk universe is updated periodically to reflect new, emerging, or
changing risks, as well as increased knowledge about existing risks.
• The results of risk events are used to enhance the organization’s risk
analysis.
• The prioritized risk portfolio is updated periodically, reflecting both changes
in the organization’s context and its success in managing certain risks to a
tolerable level.
Risk Assessment Example
Innovative Level
• The organization is more effective at identifying, analyzing, and
evaluating unusual, black swan-type events, particularly those with
multiple interdependencies.
Value Creation Stage
• The organization becomes adept at developing strategies for
exploiting certain risk events to create new value, giving it a
competitive advantage.
Where Do We Get Support?
Current Stage
• Past audit activities (e.g., projects, meetings, risk assessment
involvement, other discussions, etc.).
• Additional evidence:
– Interviews
– Minutes and other documentation from meetings
– RM policies and procedures
– Surveys
– Models, spreadsheets, etc.
– Risk reports and other communications
– Documentation supporting monitoring activities
Where Do We Get Support?
Desired Stage
• Facilitated discussions with:
– Senior management
– The board
– Risk owners
• Don’t aim too high – may not be achievable or
costs exceed the benefits.
• Don’t aim too low – must ensure RM goals are
achieved and the RM system enables success!
When to Provide Assurance?
• Typically, a comprehensive assessment should
be conducted first because it’s more in-depth.
• Maturity assessment most meaningful when:
– One or more comprehensive assessments have
been done and results are becoming less valuable.
– Comprehensive assessment indicates sound
practices are in place but board or management
believes more is needed.
– RM system is effective at mitigating downside risk,
but is not enabling pursuit of upside risk.
Documenting a Maturity Assessment
A table with the following columns:
• Current Stage
• Desired Stage
• Primary Gaps
• Actions to Close Gaps
Who Provides Assurance?
• Internal Audit!
• Other internal assurance activities
(partnering with Internal Audit)
• External assurance activities:
– If Internal Audit’s objectivity is impaired
– If Internal Audit and other internal assurance
activities lack the knowledge and skills
– Could partner with Internal Audit
Assurance Project Steps
1. Determine objectives
– Expectations of stakeholders
– Who’s the audience?
– Design adequacy and/or operating
effectiveness
– Scope of assessment
2. Determine Approach
– Principles alignment, comprehensive
assessment or maturity approach
Assurance Project Steps
3. Gather the Evidence
– Past vs. new evidence
– Document the results
4. Assess the Results
– Where are there gaps and opportunities?
5. Report on Results
– Will depend on type of assessment and
customer expectations
Summary
• Internal Auditors should assess the ERM system to
provide assurance the organization can:
– Intelligently take on risks that create value and enable success.
– Mitigate risks that can destroy value and inhibit success.
• There are three viable assessment approaches:
– Principles alignment approach
– Comprehensive assessment approach
– Maturity assessment approach
• When in doubt, remember “The Elephant’s Child” and ask the
what, why, when, how, where and who questions.
Questions?
paul.sobel@gapac.com