Mazaars Internal Audit & Risk Management presentation

advertisement
Risk Management Workshop
University of Exeter
Summer 2008
Presenter:
Jamie Paddon IPFA
Audit Manager,
Mazars LLP, Bristol.
0117 317 1568
077390 31141
jamie.paddon@mazars.co.uk
Agenda
•
Background to Mazars LLP / Internal Audit at the University
•
Session 1 – Introduction to risk management
•
Session 2 – The benefits of good risk management
•
Session 3 – Risk management and internal audit
•
Session 4 – Risk management at the University of Exeter
•
Session 5 – Changes to the existing arrangements
•
Session 6 – Risk linkage and escalation
•
Session 7 – New risk register template and scoring system
•
Comfort break
•
Session 8 – Monitoring of EWMs and controls
•
Session 9 – What to expect from an internal audit
•
Session 10 – Questions and Answers
Background to Mazars LLP
& Internal Audit at the University
University of Exeter
Summer 2008
Background to Mazars
• Founded over 100 years ago –
formally called Neville Russell
• Ranked 10th in size in UK by fee
income
• 18 offices, 104 partners, 1100 staff
. .
• IIP accreditation
• National practice
• International Partnership
• 5th largest firm in most European
countries
..
.
.
.. .
...
. ..
.. .
Examples of Bristol Office Internal Audit
clients
Examples of the Firm’s clients
Internal Audit at the University of Exeter
• Mazars were awarded a contract to supply internal
audit services to the University for three years from 1st
August 2006.
• Our work is required to conform to the standards
stipulated by HEFCE in its Accountability and Audit
Code of Practice (HEFCE 2004/27).
• We are required to produce an annual and strategic
Internal Audit plan for agreement by the Audit
Committee.
• We are also required to give an annual opinion to the
Audit Committee on the adequacy and effectiveness of
the arrangements for risk management, control and
governance, and economy, efficiency and
effectiveness.
Your Core Internal Audit Team
Partner
Richard Bott
richard.bott@mazars.co.uk
0117 973 4481
Manager
Jamie Paddon
jamie.paddon@mazars.co.uk
0117 317 1568 or 077940 31141
Supervisor
Iain Rolland
iain.rolland@mazars.co.uk
0117 317 1544 or 077400 84771
Senior Auditors
Rachael Lovett / Victor Rudebeck / Ian Cook
Junior Auditors
Jemma Allan / Laura Baxter / Sarah Brent
Internal Audit Specialists
Risk
Management
Consultant
Rebecca Scott
rebecca.scott@mazars.co.uk
01582 700 729
IT Director
Steve Temple
stephen.temple@mazars.co.uk
01582 506 016
IT Manager
Neil Belton
neil.belton@mazars.co.uk
01582 506 011
Senior Tax
Manager
Cath Brown
catharine.brown@mazars.co.uk
0117 9734481
Session 1
Introduction to Risk Management
University of Exeter
Summer 2008
Introduction to Risk Management
IIA definition of Risk Management……
• ‘Risk management covers all the processes
involved in identifying, assessing and judging
risks, assigning ownership, taking actions to
mitigate or anticipate them, and monitoring
and reviewing progress. Good risk
management helps reduce hazard, and builds
confidence to innovate.’
Introduction to Risk Management
IIA definition of risk …….
• ‘Risk is most commonly held to mean
"hazard" and something to be avoided. But it
has another face - that of opportunity.
Improving public services requires innovation
- seizing new opportunities and managing the
risks involved. In this context risk is defined as
uncertainty of outcome, whether positive
opportunity or negative threat, of actions and
events. It is the combination of likelihood and
impact, including perceived importance.’
Introduction to Risk Management
IIA definition of risk appetite…….
• ‘the level of risk you are happy to live with
before you do something about it; the amount
of risk you are prepared to take in order to
achieve objectives.’
Introduction to Risk Management
Treasury definition of risk register (or risk map)……
• ‘A risk register lists all the identified risks and
the results of their analysis and evaluation.
Information on the status of the risk is also
included. The risk register should be
continuously updated and reviewed
throughout the course of a project.’
Introduction to Risk Management
Definitions of internal control……
• ‘An organisation's procedures that are designed to
increase its efficiency, ensure its policies are
implemented, and its assets are safeguarded.’
• Internal controls are processes, effected by
management and other personnel, designed to provide
reasonable assurance to ensure:
– Reliable financial and operational information,
– Compliance with policies and procedures, plans, laws,
rules, and regulations,
– Assets are safeguarded, and
– Operational efficiency.
Introduction to Risk Management
Definitions of early warning mechanism…..
• ‘An output, event or measure that gives you
prior notice that a risk is about to crystallise.’
• ‘When an indicator exceeds (or falls below) a
threshold, then it is said to issue a signal that
a crisis may occur within a given period.’
Introduction to Risk Management
Risk Management the old fashioned way….
•
•
•
•
•
Risk map prepared by senior management team
Either hundreds of risks or very few;
Risk map updated annually by Finance Director;
Risks scored H, M or L;
Often no details of the control strategies relied upon or
required, in order to manage the risks identified;
• Audit Committee reviews entire risk map annually;
• No wider management review; and
• No process of feedback as to how well each risk is
managed and controlled.
Introduction to Risk Management
Good practice….
• Risk Management policy in place, clearly defining roles
and responsibilities;
• Joined up process: Board, senior management team
(SMT), risk owners and line managers;
• Two-tier risk registers: Strategic and operational;
• Up to 50 risks grouped according to strategic
objectives;
• Current controls identified;
• Likelihood and severity scored both pre and post
mitigation (gross/inherent and net/residual risk);
• Risk tolerance set (the amount of risk the organisation
is prepared to accept);
Introduction to Risk Management
Good practice continued….
• Early warning mechanisms (EWMs) identified;
• Sources, and frequency, of assurance that each risk is
being properly controlled, are clearly identified;
• Action plans setting out what needs to be done to
reduce risk to the agreed tolerance level;
• Risk register and action plans kept up to date by
appropriate individuals / teams, and frequently
reviewed by SMT in terms of changes in organisational
risks and their scores, risk tolerance, current state of
EWMs, and assurances received; and
• Report to Board / Audit Committee outlining changes to
the risk register and progress against risk action plan.
Session 2
The benefits of good risk management
University of Exeter
Summer 2008
Risk Management – Why bother?
• Generally, successful organisations have a clear
understanding of their strategic aims and objectives –
they know where they want to go and how they want to
get there.
• However, this is often not enough. To guarantee
success, organisations need to also determine,
understand and monitor their exposure to business
risks (those events that could prevent or threaten the
achievement of their strategic objectives).
• These events could be things that happen outside the
organisation’s control, such as changes in government
policy, or internal events such as loss of key staff
members.
Risk Management – Why bother? (cont.)
• If an organisation can pre-empt all the pitfalls or risks
and do something positive to prevent or reduce the
likelihood of these occurring, or reduce the impact
should they do occur, then the organisation is far more
likely to achieve its strategic aims.
• It is only when organisations gain a full understanding
of the possible business risks that could trip them up
that they can begin thinking about how best to manage
these and make informed judgements as to what
resources, control processes and assurance
mechanisms are needed.
• Good risk management breeds confidence and allows
an organisation to take informed risks in the future.
• However, the hard work does not stop there……
Good Risk Management – What is needed?
• Successful risk management depends on how ‘live’ and
‘embedded’ the process is.
• Keeping risk management ‘live’ is determined by how
often risks are re-assessed, how often assurance as to
whether the controls relied upon are in place and
operating as intended, and how close EWMs are to
being breeched.
• Risk management is said to be ‘embedded’ when all
tiers of the organisation have regard to the
management of risk as part of their day to day
activities. It is a process that happens naturally rather
than as a separate ‘cottage industry’.
Embedded risk management – what does it
look like?
• ‘Sign-up’ from the top;
• Training and guidance;
• Risk management should comprise of clear processes
that are easy to understand and operate – it should not
be seen as something in addition to what staff already
do;
• All staff should have an involvement in the process –
ownership – and be clear as to the part they play in the
organisation’s success;
• Reference to risk management in job descriptions
• Review of performance with regard to management of
risk within staff appraisal process; and
• Good two-way communication channels – staff need to
feel valued and listened to.
Session 3
Risk Management and Internal Audit
University of Exeter
Summer 2008
Risk Management and Internal Audit – What
is the link?
•
•
•
•
To fully understand this, we need to understand
how Internal Audit has evolved…..
For many years, Internal Audit functions undertook
what was known as Systems Based Internal Audit.
This was a process whereby the Internal Audit plan
sought to review all major systems within the
organisation within a defined time period - Systems and
functions were simply reviewed because they were
there!
Inevitably, this led to a high degree of focus on financial
systems and therefore a lot of time spent in Finance.
A typical audit programme would probably be 60%
focused on finance systems, 15% on other systems,
15% on departments/faculties, and 10% on IT / project
risks.
Risk Management and Internal Audit – What
is the link? (cont.)
•
•
•
•
Modern Internal Audit teams now conduct their
work using a ‘risk-based’ or ‘risk-led’ approach
This approach focuses internal audit resources toward
areas of strategic importance for the business.
Where good risk management processes are in place
and a sound risk register exists, Internal Audit will often
us this as a starting point for the generation of their
annual plan.
Using ‘risk’ alone as a factor for setting the Internal
Audit plan will usually mean that individual finance
systems would not be covered, either much or at all!
However, as External Audit usually wish to rely on
Internal Audit work on finance systems, basic coverage
is usually built into the plan.
Risk Based Internal Audit
The implications of ‘risk-based’ internal audit….
• Higher strategic focus of our work.
• More senior audit staff input and fresh-thinking.
• Less reliance on ‘Accountants’ – more reliance on
‘Auditors’.
• Auditors now need greater sector knowledge and
experience.
• More ‘added value’ for the organisation.
• Work given greater importance within the organisation.
• Less burden on Finance staff.
• We need to ‘win over’ an entirely different audience!
Risk Based Internal Audit (cont.)
Does this mean that good control within finance
systems is no longer important?
No!
• Good financial controls are as important now as they
have always been.
• Management and internal and external audit all place a
great deal of reliance on good financial controls
operating.
• Ultimately, it is management’s responsibility to ensure
good financial controls are maintained.
• We will still have regard to financial controls as part of
our work.
Risk Management and Internal Audit – the
future
• Risk management practices will become more honed;
• Internal Audit will have a key role to play providing
organisations with assurance that risks are
appropriately managed;
• Control Risk Self Assessment (CRSA) will become an
important tool for management and auditors alike,
particularly within Finance; and
• Internal Audit will no longer be seen as a Finance
function.
Session 4
Risk Management at the University
University of Exeter
Summer 2008
Risk Management at the University of Exeter
The University has a strong risk management system
in place that concords with best practice;
• Roles and responsibilities clear;
• Strategic and operational risks;
• Strategic risks linked to strategic objectives;
• Risk tolerance level and current tolerance gap
identified for each risk;
• Register kept ‘live’ in terms of controls, gross and net
scores, EWMs and required action;
• Regular review by Performance & Risk Steering Group,
and;
• VCEG / Audit Committee review.
Risk Management and the University of Exeter
However, there is still room for improvement….
• Risk management at the operational level could be
better;
• Risk management not truly ‘embedded’ in the
organisation;
• Risk scoring could be better defined;
• Processes for monitoring EWMs could be better; and
• Assurance needs could be clarified and better met.
We will help the University to improve these
areas over the next few years
Current risk management arrangements –
Strategic level
• Strategy is set ultimately by Council in consultation with
others.
• Strategic risks are determined by senior management.
• These are scored and grouped into ‘primary’ and
‘secondary’ strategic risks.
• Risk Owners and Risk Facilitators are assigned to
‘flesh out’ risks and manage these risks on a day to day
basis.
• PRSG monitors progress to reduce risk exposure and
to ensure consistency of scoring across all risks.
• Promotion and relegation occurs between the primary
and secondary strategic risk registers.
• Internal audit periodically independently review the
management of risks and quality of risk register entries.
Current risk management arrangements –
operational level
• Schools complete risk registers as part of annual
planning cycle.
• Review by School Planning Groups / Corporate
Planning Services.
• Services manage risk through risk registers / project
management process.
• There are no formal processes in place to escalate
School / Service risks to the strategic risk registers.
• The management of these risks is generally not
formally and periodically assessed by internal audit.
Session 5
Changes to the existing risk
management arrangements
University of Exeter
Summer 2008
What’s new?
•
•
•
•
New risk register template;
New risk scoring system;
Focus on the development of SMART EWMs;
Greater emphasis on controls and the provision of
assurance that these are in place and operating
correctly; and
• An escalation / relegation process between School /
Service risk registers and the strategic risk registers.
Why change?
• Clearer process of risk management at School level is
required with a proper process of escalation of risks to the
corporate risk registers. This will further embed risk
management within the University.
• Clearer scoring - New scoring mechanism for both pre and
post mitigation based on tangible 1-6 matrixes rather than
an undefined 1-10 scale.
• Clearer articulation of risks and associated controls and
EWMs – The new risk register template is designed to
align possible risk exposures and the EWMs and controls
being relied upon to manage these, as well helping
managers to regularly monitor EWMs and assure
themselves of the presence and effectiveness of controls.
Session 6
Risk linkage and escalation
University of Exeter
Summer 2008
Risk linkage
• Fewer and larger Schools / Services makes linkage
crucial.
• Top down approach – all University fundamental risks
should be considered for a School / Service register,
but some may not be necessary for a School / Service
register.
• Schools / Services may have risks unique to them.
Risk escalation
• Annual mapping exercise during the Summer term.
• Feedback to PRSG and Schools / Services in October.
• Look at emerging risks (movements) as well as current
high scoring risks.
• Mix of objective analysis and judgement.
• Regular review by DVCs / Registrar and Secretary to
PRSG, and back to Schools / Services.
Session 7
New risk register template
and scoring system
University of Exeter
Summer 2008
Risk register templates
Risk register for Schools / Services
• Registers draw on University register plus local risks.
• Registers prioritise risks.
New corporate risk register format
• Landscape format and clearer layout.
• Links the EWMs and controls to the relevant potential
exposure.
• Enables EWMs and control status to be formally
monitored and recorded, keeping them both ‘live’.
See example template documents supplied.
New scoring system
• Probability - 1 to 6 scale of narrative descriptions and
likelihood percentages.
• Severity – 1 to 6 scale of narrative descriptions ranging
from ‘insignificant’ to ‘catastrophic’.
• Some helpful (hopefully) definitions for different risk
types have been compiled as a guide.
• See separate probability and impact definitions sheet
supplied.
Advantages of new scoring system
• Linked to clear definitions, so subjectivity should reduce
and consistency of scoring should improve.
• This should make the deployment of resources more
effective in dealing with risk.
• Can be applied to gross and net risks as well as to risk
appetite.
• Therefore, the difference between the gross and net
scores will tell you the value or worth of the controls in
place that determine both severity and probability.
• Also, risk tolerance can be quantified in terms of the
same scoring mechanism making it easy to understand
where existing controls need to be improved – to
reduce likelihood of occurrence or to reduce severity if
risk does occur.
Risk Scoring Exercise – 15 minutes
Think about one of the risks you are responsible for and
using the new scoring process….
• Score your gross risk in terms of severity and
probability;
• Score your risk tolerance in terms of severity and
probability;
• Document why you have scored each of the elements
this way (i.e. four separate comments)
Comfort Break
10 minutes
Session 8
Monitoring of EWMs and controls
University of Exeter
Summer 2008
How to set Early Warning Mechanisms
• EWMs need to be capable of alerting you to the fact
that a particular risk, or part of a risk, is about to occur,
in sufficient time for you to take action to either stop or
reduce it from occurring or to reduce the impact if it
does.
• In order for this to be the case, each EWM should be
selected with care to ensure that it is the right early
warning tool.
• Care is also need to ensure that the ‘trigger point’ is set
appropriately, at a level that should not be hit under
normal circumstances, but when it is reached, there is
still time to take evasive action.
• Consideration should be given to the monitoring
arrangements of each EWM - how the status should be
monitored and how frequently this should occur.
Early Warning Mechanism Exercise – 20
minutes
Think about one of your potential exposures (sub risks)
within the risk you have just scored and…..
• Identify a relevant EWM that would be capable of
alerting you in sufficient time that the risk is about to
crystallise;
• Identify a trigger point and;
• Describe what action you would take if the trigger point
were to be reached and how much this would affect the
likelihood of the risk now occurring and how much it
would affect the impact.
What constitutes an effective control?
• Controls must be directly relevant to the risk - you
might need more than one per risk;
• They should be capable of reducing or eliminating the
likelihood and / or impact of the risk concerned;
• They must be simple to operate;
• They must be proportionate and cost effective to the
risk concerned – not a “sledgehammer to crack” a nut
scenario! (and vice versa!)
• An individual should own or have responsibility for the
effective operation of individual controls; and
• Managers should be able to assure themselves that the
controls they rely on are in place and operating
effectively.
Controls and assurance exercise – 20
minutes
For your chosen sub-risk / potential exposure…..
• Detail the key controls you rely upon to prevent or limit
BOTH the likelihood of the risk occurring and the
impact if it does occur;
• Document how you (or your manager) can be assured
that each control is both in place and operating
correctly, and therefore can be relied upon to manage
the risk concerned. Think about the frequency of such
assurance; and
• Score the net risk.
Session 9
What to expect from an Internal Audit
University of Exeter
Summer 2008
What will the audit seek to do?
• Review the adequacy of the risk register entry in terms
of;
– how the risk is articulated and scored;
– whether all potential exposures have been considered;
– whether suitable EWMs have been identified and trigger
points have been established;
– whether each EWM is being monitored appropriately and
the whether current status of each is known;
– whether appropriate controls have been established; and
– whether appropriate monitoring arrangements are in
place to tell managers if controls can be relied upon.
• Make recommendations to further improve the risk
management arrangements in place; and
• Provide PRSG / Audit Committee with ongoing
assurance as to how well University risks are being
managed.
What you will get from us
• Advance warning of our impending visit and prior
consultation over specific dates;
• An Audit Planning Memorandum for information,
consultation and comment that sets out…..
– the people from our team who will be involved in the audit
and those from the University we anticipate being
involved;
– the dates we will be on site;
– the target date for the preparation of the draft report;
– the target date for receipt of your comments on this;
– the target date of the final report; and
– the specific scope / objectives of the audit.
• A draft report for your comments; and
• A final report
What will we want from you?
• Your co-operation throughout the audit process, but
particularly over the scheduling and planning of our
work;
• Copies of all relevant documents, policies and
procedures – in advance if possible;
• Initial meetings with each risk owner and risk facilitator
to go through all aspects of the risk register. Ideally
these should be on the first or second day of our time
on site;
• Subsequent meetings with all staff involved with the
monitoring of each EWM and the operation of each
control;
• Evidence of the status of each EWM (if possible); and
• Prompt comments on our draft report and
recommendations.
Session 10
Questions and Answers
University of Exeter
Summer 2008
Thank-you for listening
If you have any other questions, queries
or concerns, please contact us…..
jamie.paddon@mazars.co.uk 077940 31141
Iain.rolland@mazars.co.uk 077940 31321
Download