Providing Assurance on Risk Management: It Can Be Done!

Paul J. Sobel, CIA, QIAL, CRMA
Vice President/Chief Audit Executive
Georgia-Pacific LLC

“I keep six honest serving men
(They taught me all I knew);
Their names are What and Why and When
And How and Where and Who.”
– Rudyard Kipling, “The Elephant’s Child”

Questions for this Presentation
• Why provide assurance over risk management?
• What types of assurance can be provided?
• How can we provide assurance?
• Where do we get support for our assessment?
• When should assurance be provided?
• Who provides assurance?

Risk Management Assurance
• It is not providing reasonable assurance that:
  – All risks are managed to an acceptable level.
  – A specific risk is managed to an acceptable level.
• It is providing reasonable assurance that risk management, as a whole, is achieving its objectives.
• Unfortunately, there’s not much good guidance on how to provide assurance.

Why Provide Assurance?
Standard 2120 – Risk Management
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.
Interpretation
• Organizational objectives support and align with the organization’s mission;
• Significant risks are identified and assessed;
• Appropriate risk responses are selected that align with the organization’s risk appetite; and
• Relevant risk information is captured and communicated.

Why Provide Assurance?
• Risk management effectiveness was one of the top five risk areas for audit committees (2014 Pulse of the Profession survey).
• Only 7% of audit plan coverage relates to risk management (2015 Pulse of the Profession survey).
• Only 35% of respondents are Extremely or Very Confident in their organization’s ability to identify and respond to emerging risks (2015 Pulse of the Profession survey).
• CAEs (64%) and audit committees (58%) expect an increase in focus on risk management (Grant Thornton’s 2015 Competing Priorities survey).
• Audit functions assessing some aspect of the ERM process/framework will increase from 47% to 60% in the next five years (PwC’s 2015 State of the Internal Audit Profession survey).

Why Provide Assurance?
• To be successful, organizations must find ways to:
  – Create new value
  – Protect existing value
• This requires good strategic planning and managing the risks to the strategic plan.
  – Intelligently take on risks that create value and enable success
  – Mitigate risks that can destroy value and inhibit success
• Effective risk management helps an organization achieve and sustain success.
• Therefore, assurance helps enable sustained success!

What Types of Assurance?
• Designed Adequately
  – Aligned with the organization’s objectives
  – Consistent with Risk Management objectives
  – Aligned with risk criteria (i.e., capacity, attitude, appetite and tolerance levels)
  – Relevant to the organization’s external and internal context
• Operating Effectively
  – Operating as designed
  – Sustainable

What Types of Assurance?
• Risk Management system as a whole
  – Shortly after implementation
  – As the system matures
• Components of the Risk Management system
• Risk Management within a discrete business area
• Reaction to a risk event

How to Provide Assurance?
Standard 2120 Interpretation
The internal audit activity may gather the information to support this assessment during multiple engagements. The results of these engagements, when viewed together, provide an understanding of the organization’s risk management processes and their effectiveness.
1. Principles Alignment Approach
2. Comprehensive Assessment Approach
3. Maturity Assessment Approach

ISO 31000:2009(E)
[Diagram: the three parts of ISO 31000 and their clauses]
Principles (Clause 3)
• Creates value
• Integral part of organizational processes
• Part of decision making
• Explicitly addresses uncertainty
• Systematic, structured and timely
• Based on the best available information
• Tailored
• Takes human and cultural factors into account
• Transparent and inclusive
• Dynamic, iterative and responsive to change
• Facilitates continual improvement and enhancement of the organization
Framework (Clause 4)
• Mandate and commitment (4.2)
• Design of framework for managing risk (4.3)
• Implementing risk management (4.4)
• Monitoring and review of the framework (4.5)
• Continual improvement of the framework (4.6)
Process (Clause 5)
• Communication and consultation (5.2)
• Establishing the context (5.3)
• Risk assessment (5.4)
  – Risk identification (5.4.2)
  – Risk analysis (5.4.3)
  – Risk evaluation (5.4.4)
• Risk treatment (5.5)
• Monitoring and review (5.6)

Principles Alignment
• How well does risk management (RM) support value creation?
• How integrated is RM within organizational processes?
• How effectively does RM support decision making throughout the organization?
• How comprehensively does RM identify and address uncertainty?
• Is RM systematic, structured and timely enough to be effective and sustainable?
• Does RM ensure decisions are based on the best available information?

Principles Alignment
• Is RM sufficiently tailored to align with the organization’s culture and operating style?
• Does RM effectively take human and cultural factors into account?
• Is RM transparent and inclusive?
• Is RM dynamic, iterative and responsive to an ever-changing environment?
• Does RM facilitate continual improvement and organizational enhancement?

Comprehensive Assessment
• Evaluates all aspects of the RM system.
• Assesses whether sound (not leading) practices are operating in all key areas.
• Involves answering a series of questions related to all key areas.
• Questions taken from ISO 31000:2009(E), COSO ERM and other resources.

Clause 5.3.5 – Defining Risk Criteria
• Has the organization’s risk capacity been determined?
  – Does the capacity reflect all survivability considerations?
  – Has it been appropriately vetted with the board?
• Has the organization’s risk attitude been defined?
  – Does the risk attitude reflect the organization’s culture and approach to risk taking?
  – Has it been communicated throughout the organization?
  – Does it appear to be understood throughout the organization, or at least by those responsible for making risk-related decisions?
• Have risk appetite statements been developed?
  – Are these statements aligned with the organization’s overall risk capacity?
  – Are the statements consistent with the organization’s risk attitude?
  – Do the statements provide clarity around how the organization will take on or avoid certain risk events or outcomes in pursuit of its business objectives?
  – Are the statements adequately communicated to those who make risk-related decisions?
  – Are the statements measurable as appropriate?

Clause 5.3.5 – Defining Risk Criteria
• Have risk tolerance levels been established?
  – Are the tolerance levels consistent with the risk appetite statements?
  – Do they align with the related business objectives?
  – Do they consider both individual and aggregated risk outcomes?
  – Do they set both upper and lower boundaries as appropriate?
  – Do they help management make resource-deployment decisions?
  – Are they periodically reevaluated based on changing business conditions?
• Have risk assessment criteria, other than impact and likelihood, been considered?
  – Are such criteria appropriately defined to avoid confusion as to their meaning?
  – Is it clear how such criteria will be used in the risk assessment process?
• Are different points of view appropriately considered when defining risk criteria?

Where Do We Get Support?
• Internal auditors may already have much of the support they need:
  – Results of past audits
  – Participation in board, committee and management meetings
  – Direct involvement in certain RM activities (such as risk assessment)
  – Ongoing discussions or meetings with those involved with RM

Where Do We Get Support?
• Additional evidence may be gained from:
  – Interviews with board members, management, risk owners and others involved with RM.
  – Reviewing minutes and other documentation from meetings of key board and management committees.
  – Reviewing RM policies and procedures.
  – Conducting surveys regarding RM awareness.
  – Examining models, spreadsheets, etc.
  – Testing the accuracy and reliability of reports.
  – Conducting or reviewing post-mortem results.
  – Reviewing documentation supporting monitoring activities.

When to Provide Assurance?
• Shortly after RM implementation.
• A year or two after implementation.
• After key implementation phases are complete.
• After a significant risk event.
• If audit results indicate the RM system isn’t achieving its objectives.
• For a specific component of RM that is of particularly high risk.

Documenting a Comprehensive Assessment
[Template: one row per question]
Question | Answer | Support for Answer | Gaps & Recommendations

Maturity Assessment
• Effectiveness is not necessarily binary – you don’t magically go from ineffective to effective.
• Not all areas need to be mature – it’s a cost/benefit decision.
• Focus should be on closing the largest gaps between current and desired state.
  – Management determines the desired state, with board input.

ERM Maturity Stages
[Diagram: stages shown from lowest to highest]
Implementation Stage
Maturity Stages
  – Foundational Level
  – Proficient Level
  – Innovative Level
Value Creation Stage

ERM Maturity Stages
• Implementation Stage – The period during which the organization is implementing RM.
• Maturity Stages –
  – Foundational Level – The organization has established a sound foundation for ERM but does not yet have the experience to ensure RM effectiveness.
  – Proficient Level – With experience, the organization becomes proficient at operating the RM system. The system has been tested and appears to be meeting the objectives of RM (typically the minimum level that is targeted).
  – Innovative Level – Increasing innovation helps to find more precise, creative and cost-effective ways of operating the RM system, which gives the board and senior management greater confidence that the organization can effectively manage significant risk events.
• Value Creation Stage – Focus shifts to optimizing the organization’s success, using RM to create a competitive advantage and maximize value creation.

Maturity Criteria
• ERM Mandate and Commitment
• Framework Design
• Risk Criteria
• Risk Assessment
• Risk Treatment
• Risk Monitoring and Reporting

Risk Assessment Example
Foundational Level
• A risk universe has been developed that captures all known risk events and uses terms understandable by people in the organization.
• Causes, sources, and interdependencies among risks are generally understood.
• The risk universe has been assessed and prioritized, based on appropriate risk assessment criteria.
Proficient Level
• The risk universe is updated periodically to reflect new, emerging, or changing risks, as well as increased knowledge about existing risks.
• The results of risk events are used to enhance the organization’s risk analysis.
• The prioritized risk portfolio is updated periodically, reflecting both changes in the organization’s context and its success in managing certain risks to a tolerable level.

Risk Assessment Example
Innovative Level
• The organization is more effective at identifying, analyzing, and evaluating unusual, black swan-type events, particularly those with multiple interdependencies.
Value Creation Stage
• The organization becomes adept at developing strategies for exploiting certain risk events to create new value, giving it a competitive advantage.

Where Do We Get Support? Current Stage
• Past audit activities (e.g., projects, meetings, risk assessment involvement, other discussions, etc.).
• Additional evidence:
  – Interviews
  – Minutes and other documentation from meetings
  – RM policies and procedures
  – Surveys
  – Models, spreadsheets, etc.
  – Risk reports and other communications
  – Documentation supporting monitoring activities

Where Do We Get Support? Desired Stage
• Facilitated discussions with:
  – Senior management
  – The board
  – Risk owners
• Don’t aim too high – the target may not be achievable, or its costs may exceed the benefits.
• Don’t aim too low – must ensure RM goals are achieved and the RM system enables success!

When to Provide Assurance?
• Typically, a comprehensive assessment should be conducted first because it’s more in-depth.
• A maturity assessment is most meaningful when:
  – One or more comprehensive assessments have been done and the results are becoming less valuable.
  – A comprehensive assessment indicates sound practices are in place but the board or management believes more is needed.
  – The RM system is effective at mitigating downside risk, but is not enabling pursuit of upside risk.

Documenting a Maturity Assessment
[Template: one row per maturity criterion]
Current Stage | Desired Stage | Primary Gaps | Actions to Close Gaps

Who Provides Assurance?
• Internal Audit!
• Other internal assurance activities (partnering with Internal Audit)
• External assurance activities:
  – If Internal Audit’s objectivity is impaired
  – If Internal Audit and other internal assurance activities lack the knowledge and skills
  – Could partner with Internal Audit

Assurance Project Steps
1. Determine objectives
  – Expectations of stakeholders
  – Who’s the audience?
  – Design adequacy and/or operating effectiveness
  – Scope of assessment
2. Determine approach
  – Principles alignment, comprehensive assessment or maturity approach

Assurance Project Steps
3. Gather the evidence
  – Past vs. new evidence
  – Document the results
4. Assess the results
  – Where are there gaps and opportunities?
5. Report on results
  – Will depend on the type of assessment and customer expectations

Summary
• Internal auditors should assess the ERM system to provide assurance the organization can:
  – Intelligently take on risks that create value and enable success.
  – Mitigate risks that can destroy value and inhibit success.
• There are three viable assessment approaches:
  – Principles alignment approach
  – Comprehensive assessment approach
  – Maturity assessment approach
• When in doubt, remember “The Elephant’s Child” and ask the what, why, when, how, where and who questions.

Questions?
paul.sobel@gapac.com