Risk Management Workshop
University of Exeter, Summer 2008
Presenter: Jamie Paddon IPFA, Audit Manager, Mazars LLP, Bristol
0117 317 1568 / 077390 31141
jamie.paddon@mazars.co.uk

Agenda
• Background to Mazars LLP / Internal Audit at the University
• Session 1 – Introduction to risk management
• Session 2 – The benefits of good risk management
• Session 3 – Risk management and internal audit
• Session 4 – Risk management at the University of Exeter
• Session 5 – Changes to the existing arrangements
• Session 6 – Risk linkage and escalation
• Session 7 – New risk register template and scoring system
• Comfort break
• Session 8 – Monitoring of EWMs and controls
• Session 9 – What to expect from an internal audit
• Session 10 – Questions and Answers

Background to Mazars LLP & Internal Audit at the University

Background to Mazars
• Founded over 100 years ago – formerly called Neville Russell
• Ranked 10th in size in UK by fee income
• 18 offices, 104 partners, 1100 staff
• IIP accreditation
• National practice
• International Partnership
• 5th largest firm in most European countries

Examples of Bristol Office Internal Audit clients

Examples of the Firm’s clients

Internal Audit at the University of Exeter
• Mazars were awarded a contract to supply internal audit services to the University for three years from 1st August 2006.
• Our work is required to conform to the standards stipulated by HEFCE in its Accountability and Audit Code of Practice (HEFCE 2004/27).
• We are required to produce an annual and strategic Internal Audit plan for agreement by the Audit Committee.
• We are also required to give an annual opinion to the Audit Committee on the adequacy and effectiveness of the arrangements for risk management, control and governance, and economy, efficiency and effectiveness.
Your Core Internal Audit Team
Partner: Richard Bott, richard.bott@mazars.co.uk, 0117 973 4481
Manager: Jamie Paddon, jamie.paddon@mazars.co.uk, 0117 317 1568 or 077940 31141
Supervisor: Iain Rolland, iain.rolland@mazars.co.uk, 0117 317 1544 or 077400 84771
Senior Auditors: Rachael Lovett / Victor Rudebeck / Ian Cook
Junior Auditors: Jemma Allan / Laura Baxter / Sarah Brent

Internal Audit Specialists
Risk Management Consultant: Rebecca Scott, rebecca.scott@mazars.co.uk, 01582 700 729
IT Director: Steve Temple, stephen.temple@mazars.co.uk, 01582 506 016
IT Manager: Neil Belton, neil.belton@mazars.co.uk, 01582 506 011
Senior Tax Manager: Cath Brown, catharine.brown@mazars.co.uk, 0117 9734481

Session 1 – Introduction to Risk Management

Introduction to Risk Management
IIA definition of risk management:
• ‘Risk management covers all the processes involved in identifying, assessing and judging risks, assigning ownership, taking actions to mitigate or anticipate them, and monitoring and reviewing progress. Good risk management helps reduce hazard, and builds confidence to innovate.’

Introduction to Risk Management
IIA definition of risk:
• ‘Risk is most commonly held to mean "hazard" and something to be avoided. But it has another face - that of opportunity. Improving public services requires innovation - seizing new opportunities and managing the risks involved. In this context risk is defined as uncertainty of outcome, whether positive opportunity or negative threat, of actions and events. It is the combination of likelihood and impact, including perceived importance.’

Introduction to Risk Management
IIA definition of risk appetite:
• ‘the level of risk you are happy to live with before you do something about it; the amount of risk you are prepared to take in order to achieve objectives.’

Introduction to Risk Management
Treasury definition of risk register (or risk map):
• ‘A risk register lists all the identified risks and the results of their analysis and evaluation. Information on the status of the risk is also included. The risk register should be continuously updated and reviewed throughout the course of a project.’

Introduction to Risk Management
Definitions of internal control:
• ‘An organisation's procedures that are designed to increase its efficiency, ensure its policies are implemented, and its assets are safeguarded.’
• Internal controls are processes, effected by management and other personnel, designed to provide reasonable assurance to ensure:
  – Reliable financial and operational information,
  – Compliance with policies and procedures, plans, laws, rules, and regulations,
  – Assets are safeguarded, and
  – Operational efficiency.

Introduction to Risk Management
Definitions of early warning mechanism:
• ‘An output, event or measure that gives you prior notice that a risk is about to crystallise.’
• ‘When an indicator exceeds (or falls below) a threshold, then it is said to issue a signal that a crisis may occur within a given period.’

Introduction to Risk Management
Risk management the old fashioned way:
• Risk map prepared by senior management team;
• Either hundreds of risks or very few;
• Risk map updated annually by Finance Director;
• Risks scored H, M or L;
• Often no details of the control strategies relied upon or required, in order to manage the risks identified;
• Audit Committee reviews entire risk map annually;
• No wider management review; and
• No process of feedback as to how well each risk is managed and controlled.

Introduction to Risk Management
Good practice:
• Risk management policy in place, clearly defining roles and responsibilities;
• Joined-up process: Board, senior management team (SMT), risk owners and line managers;
• Two-tier risk registers: strategic and operational;
• Up to 50 risks grouped according to strategic objectives;
• Current controls identified;
• Likelihood and severity scored both pre and post mitigation (gross/inherent and net/residual risk);
• Risk tolerance set (the amount of risk the organisation is prepared to accept);

Introduction to Risk Management
Good practice continued:
• Early warning mechanisms (EWMs) identified;
• Sources, and frequency, of assurance that each risk is being properly controlled are clearly identified;
• Action plans setting out what needs to be done to reduce risk to the agreed tolerance level;
• Risk register and action plans kept up to date by appropriate individuals / teams, and frequently reviewed by SMT in terms of changes in organisational risks and their scores, risk tolerance, current state of EWMs, and assurances received; and
• Report to Board / Audit Committee outlining changes to the risk register and progress against risk action plan.

Session 2 – The benefits of good risk management

Risk Management – Why bother?
• Generally, successful organisations have a clear understanding of their strategic aims and objectives – they know where they want to go and how they want to get there.
• However, this is often not enough. To guarantee success, organisations need to also determine, understand and monitor their exposure to business risks (those events that could prevent or threaten the achievement of their strategic objectives).
• These events could be things that happen outside the organisation’s control, such as changes in government policy, or internal events such as loss of key staff members.

Risk Management – Why bother? (cont.)
• If an organisation can pre-empt all the pitfalls or risks and do something positive to prevent or reduce the likelihood of these occurring, or reduce the impact should they occur, then the organisation is far more likely to achieve its strategic aims.
• It is only when organisations gain a full understanding of the possible business risks that could trip them up that they can begin thinking about how best to manage these and make informed judgements as to what resources, control processes and assurance mechanisms are needed.
• Good risk management breeds confidence and allows an organisation to take informed risks in the future.
• However, the hard work does not stop there…

Good Risk Management – What is needed?
• Successful risk management depends on how ‘live’ and ‘embedded’ the process is.
• Keeping risk management ‘live’ is determined by how often risks are re-assessed, how often assurance is obtained as to whether the controls relied upon are in place and operating as intended, and how close EWMs are to being breached.
• Risk management is said to be ‘embedded’ when all tiers of the organisation have regard to the management of risk as part of their day to day activities. It is a process that happens naturally rather than as a separate ‘cottage industry’.

Embedded risk management – what does it look like?
• ‘Sign-up’ from the top;
• Training and guidance;
• Risk management should comprise clear processes that are easy to understand and operate – it should not be seen as something in addition to what staff already do;
• All staff should have an involvement in the process – ownership – and be clear as to the part they play in the organisation’s success;
• Reference to risk management in job descriptions;
• Review of performance with regard to management of risk within the staff appraisal process; and
• Good two-way communication channels – staff need to feel valued and listened to.
Session 3 – Risk Management and Internal Audit

Risk Management and Internal Audit – What is the link?
• To fully understand this, we need to understand how Internal Audit has evolved…
• For many years, Internal Audit functions undertook what was known as Systems Based Internal Audit. This was a process whereby the Internal Audit plan sought to review all major systems within the organisation within a defined time period - systems and functions were simply reviewed because they were there!
• Inevitably, this led to a high degree of focus on financial systems and therefore a lot of time spent in Finance.
• A typical audit programme would probably be 60% focused on finance systems, 15% on other systems, 15% on departments/faculties, and 10% on IT / project risks.

Risk Management and Internal Audit – What is the link? (cont.)
• Modern Internal Audit teams now conduct their work using a ‘risk-based’ or ‘risk-led’ approach.
• This approach focuses internal audit resources toward areas of strategic importance for the business.
• Where good risk management processes are in place and a sound risk register exists, Internal Audit will often use this as a starting point for the generation of their annual plan.
• Using ‘risk’ alone as a factor for setting the Internal Audit plan will usually mean that individual finance systems would not be covered, either much or at all! However, as External Audit usually wish to rely on Internal Audit work on finance systems, basic coverage is usually built into the plan.

Risk Based Internal Audit
The implications of ‘risk-based’ internal audit:
• Higher strategic focus of our work.
• More senior audit staff input and fresh thinking.
• Less reliance on ‘Accountants’ – more reliance on ‘Auditors’.
• Auditors now need greater sector knowledge and experience.
• More ‘added value’ for the organisation.
• Work given greater importance within the organisation.
• Less burden on Finance staff.
• We need to ‘win over’ an entirely different audience!

Risk Based Internal Audit (cont.)
Does this mean that good control within finance systems is no longer important? No!
• Good financial controls are as important now as they have always been.
• Management and internal and external audit all place a great deal of reliance on good financial controls operating.
• Ultimately, it is management’s responsibility to ensure good financial controls are maintained.
• We will still have regard to financial controls as part of our work.

Risk Management and Internal Audit – the future
• Risk management practices will become more honed;
• Internal Audit will have a key role to play in providing organisations with assurance that risks are appropriately managed;
• Control Risk Self Assessment (CRSA) will become an important tool for management and auditors alike, particularly within Finance; and
• Internal Audit will no longer be seen as a Finance function.

Session 4 – Risk Management at the University

Risk Management at the University of Exeter
The University has a strong risk management system in place that concords with best practice:
• Roles and responsibilities clear;
• Strategic and operational risks;
• Strategic risks linked to strategic objectives;
• Risk tolerance level and current tolerance gap identified for each risk;
• Register kept ‘live’ in terms of controls, gross and net scores, EWMs and required action;
• Regular review by Performance & Risk Steering Group; and
• VCEG / Audit Committee review.

Risk Management and the University of Exeter
However, there is still room for improvement:
• Risk management at the operational level could be better;
• Risk management not truly ‘embedded’ in the organisation;
• Risk scoring could be better defined;
• Processes for monitoring EWMs could be better; and
• Assurance needs could be clarified and better met.
We will help the University to improve these areas over the next few years.

Current risk management arrangements – Strategic level
• Strategy is set ultimately by Council in consultation with others.
• Strategic risks are determined by senior management.
• These are scored and grouped into ‘primary’ and ‘secondary’ strategic risks.
• Risk Owners and Risk Facilitators are assigned to ‘flesh out’ risks and manage these risks on a day to day basis.
• PRSG monitors progress to reduce risk exposure and to ensure consistency of scoring across all risks.
• Promotion and relegation occurs between the primary and secondary strategic risk registers.
• Internal audit periodically and independently review the management of risks and the quality of risk register entries.

Current risk management arrangements – Operational level
• Schools complete risk registers as part of the annual planning cycle.
• Review by School Planning Groups / Corporate Planning Services.
• Services manage risk through risk registers / the project management process.
• There are no formal processes in place to escalate School / Service risks to the strategic risk registers.
• The management of these risks is generally not formally and periodically assessed by internal audit.

Session 5 – Changes to the existing risk management arrangements

What’s new?
• New risk register template;
• New risk scoring system;
• Focus on the development of SMART EWMs;
• Greater emphasis on controls and the provision of assurance that these are in place and operating correctly; and
• An escalation / relegation process between School / Service risk registers and the strategic risk registers.

Why change?
• Clearer process of risk management at School level is required with a proper process of escalation of risks to the corporate risk registers. This will further embed risk management within the University.
• Clearer scoring - new scoring mechanism for both pre and post mitigation based on tangible 1-6 matrices rather than an undefined 1-10 scale.
• Clearer articulation of risks and associated controls and EWMs – the new risk register template is designed to align possible risk exposures with the EWMs and controls being relied upon to manage these, as well as helping managers to regularly monitor EWMs and assure themselves of the presence and effectiveness of controls.

Session 6 – Risk linkage and escalation

Risk linkage
• Fewer and larger Schools / Services makes linkage crucial.
• Top down approach – all University fundamental risks should be considered for a School / Service register, but some may not be necessary for a School / Service register.
• Schools / Services may have risks unique to them.

Risk escalation
• Annual mapping exercise during the Summer term.
• Feedback to PRSG and Schools / Services in October.
• Look at emerging risks (movements) as well as current high scoring risks.
• Mix of objective analysis and judgement.
• Regular review by DVCs / Registrar and Secretary to PRSG, and back to Schools / Services.

Session 7 – New risk register template and scoring system

Risk register templates
Risk register for Schools / Services
• Registers draw on University register plus local risks.
• Registers prioritise risks.
New corporate risk register format
• Landscape format and clearer layout.
• Links the EWMs and controls to the relevant potential exposure.
• Enables EWMs and control status to be formally monitored and recorded, keeping them both ‘live’.
See example template documents supplied.

New scoring system
• Probability – 1 to 6 scale of narrative descriptions and likelihood percentages.
• Severity – 1 to 6 scale of narrative descriptions ranging from ‘insignificant’ to ‘catastrophic’.
• Some helpful (hopefully) definitions for different risk types have been compiled as a guide.
• See separate probability and impact definitions sheet supplied.

Advantages of new scoring system
• Linked to clear definitions, so subjectivity should reduce and consistency of scoring should improve.
• This should make the deployment of resources more effective in dealing with risk.
• Can be applied to gross and net risks as well as to risk appetite.
• Therefore, the difference between the gross and net scores will tell you the value or worth of the controls in place that determine both severity and probability.
• Also, risk tolerance can be quantified in terms of the same scoring mechanism, making it easy to understand where existing controls need to be improved – to reduce the likelihood of occurrence or to reduce the severity if the risk does occur.

Risk Scoring Exercise – 15 minutes
Think about one of the risks you are responsible for and, using the new scoring process:
• Score your gross risk in terms of severity and probability;
• Score your risk tolerance in terms of severity and probability;
• Document why you have scored each of the elements this way (i.e. four separate comments).

Comfort Break – 10 minutes

Session 8 – Monitoring of EWMs and controls

How to set Early Warning Mechanisms
• EWMs need to be capable of alerting you to the fact that a particular risk, or part of a risk, is about to occur, in sufficient time for you to take action to either stop or reduce it from occurring or to reduce the impact if it does.
• In order for this to be the case, each EWM should be selected with care to ensure that it is the right early warning tool.
• Care is also needed to ensure that the ‘trigger point’ is set appropriately, at a level that should not be hit under normal circumstances, but when it is reached, there is still time to take evasive action.
• Consideration should be given to the monitoring arrangements of each EWM - how the status should be monitored and how frequently this should occur.
Early Warning Mechanism Exercise – 20 minutes
Think about one of your potential exposures (sub-risks) within the risk you have just scored and:
• Identify a relevant EWM that would be capable of alerting you in sufficient time that the risk is about to crystallise;
• Identify a trigger point; and
• Describe what action you would take if the trigger point were to be reached, how much this would affect the likelihood of the risk now occurring, and how much it would affect the impact.

What constitutes an effective control?
• Controls must be directly relevant to the risk - you might need more than one per risk;
• They should be capable of reducing or eliminating the likelihood and / or impact of the risk concerned;
• They must be simple to operate;
• They must be proportionate and cost effective to the risk concerned – not a “sledgehammer to crack a nut” scenario! (and vice versa!)
• An individual should own or have responsibility for the effective operation of individual controls; and
• Managers should be able to assure themselves that the controls they rely on are in place and operating effectively.

Controls and assurance exercise – 20 minutes
For your chosen sub-risk / potential exposure:
• Detail the key controls you rely upon to prevent or limit BOTH the likelihood of the risk occurring and the impact if it does occur;
• Document how you (or your manager) can be assured that each control is both in place and operating correctly, and therefore can be relied upon to manage the risk concerned. Think about the frequency of such assurance; and
• Score the net risk.

Session 9 – What to expect from an Internal Audit

What will the audit seek to do?
• Review the adequacy of the risk register entry in terms of:
  – how the risk is articulated and scored;
  – whether all potential exposures have been considered;
  – whether suitable EWMs have been identified and trigger points have been established;
  – whether each EWM is being monitored appropriately and whether the current status of each is known;
  – whether appropriate controls have been established; and
  – whether appropriate monitoring arrangements are in place to tell managers if controls can be relied upon.
• Make recommendations to further improve the risk management arrangements in place; and
• Provide PRSG / Audit Committee with ongoing assurance as to how well University risks are being managed.

What you will get from us
• Advance warning of our impending visit and prior consultation over specific dates;
• An Audit Planning Memorandum for information, consultation and comment that sets out:
  – the people from our team who will be involved in the audit and those from the University we anticipate being involved;
  – the dates we will be on site;
  – the target date for the preparation of the draft report;
  – the target date for receipt of your comments on this;
  – the target date of the final report; and
  – the specific scope / objectives of the audit.
• A draft report for your comments; and
• A final report.

What will we want from you?
• Your co-operation throughout the audit process, but particularly over the scheduling and planning of our work;
• Copies of all relevant documents, policies and procedures – in advance if possible;
• Initial meetings with each risk owner and risk facilitator to go through all aspects of the risk register. Ideally these should be on the first or second day of our time on site;
• Subsequent meetings with all staff involved with the monitoring of each EWM and the operation of each control;
• Evidence of the status of each EWM (if possible); and
• Prompt comments on our draft report and recommendations.
Session 10 – Questions and Answers

Thank you for listening
If you have any other questions, queries or concerns, please contact us:
jamie.paddon@mazars.co.uk, 077940 31141
Iain.rolland@mazars.co.uk, 077940 31321