ERM 203 – When Storming the Castle Alone Doesn’t Work: Internal Audit as Ally
Wednesday, April 18, 2012

Agenda
• Speaker introductions
• Discuss key points from RIMS & IIA joint paper
  – Risk Management’s perspective
  – Internal Audit’s perspective
  – Collaborative Practices & Value Realized
• ERM & IA collaboration at Whirlpool Corporation
• Q&A session

Risk Management and Internal Audit: Forging a Collaborative Alliance (white paper)
• RIMS and IIA joint project
• White paper including interviews with:
  – Cisco Systems
  – Hospital Corporation of America
  – TD Ameritrade
  – Whirlpool
• Highlights RIMS’ and The IIA’s recommendation for these functions to work together collaboratively

The Role of IA in ERM
• Core internal audit roles:
  – Giving assurance on the RM program
  – Giving assurance that risks are correctly evaluated
  – Evaluating risk management processes
  – Evaluating the reporting of key risks
  – Reviewing the management of key risks

The Role of IA in ERM
• Legitimate internal audit roles (with safeguards):
  – Facilitating identification and evaluation of risks
  – Coaching management in responding to risks
  – Coordinating ERM activities
  – Consolidated reporting on risks
  – Maintaining and developing the ERM framework
  – Championing establishment of ERM
  – Developing ERM strategy for board approval

The Role of IA in ERM
• Roles IA should not undertake:
  – Setting the risk appetite
  – Imposing risk management processes
  – Management assurance on risks
  – Taking decisions on risk exposures
  – Implementing risk responses on management’s behalf
  – Accountability for risk management

Risk Management and Internal Audit: Forging a Collaborative Alliance – interview questions
1. Who does Internal Audit report to (functionally and administratively)? Who does Risk Management report to?
2. How often does each interact with the Board or a Board committee?
3. How does the risk assessment process work between and among Internal Audit and Risk Management? And how are the results of these risk assessment processes shared with management and/or the Board?
4. What information does each of the functions provide to the other, and how is that information used?
5. Are you satisfied with the level of collaboration? If so, what do you attribute this success to? If not, what is the biggest impediment?
6. How do Internal Audit and Risk Management collaborate in your organization? What are the areas of collaboration? What is working well? What are you working on to improve the relationship? Also, what formal or informal procedures are in place to minimize duplication and overlap with other risk-related functions such as legal, health and safety, and regulatory and Sarbanes-Oxley compliance?
7. What advice do you have for Chief Audit Executives and/or Chief Risk Officers as they seek to achieve greater levels of collaboration between Internal Audit and Risk Management?

Collaborative Practices & Value Realized
• Link the audit plan and the enterprise risk assessment, and share other work products. Provides assurance that critical risks are being identified effectively.
• Share available resources wherever and whenever possible. Allows for efficient use of scarce resources (such as financial, staff, time).
• Cross-leverage each function’s respective competencies, roles and responsibilities. Provides communication depth and consistency, especially at the board and management levels.
• Assess and monitor strategic risks. Allows for deeper understanding and focused action on the most significant risks.

ABOUT WHIRLPOOL CORPORATION
• World’s leading marketer and manufacturer of home appliances
• Approximately $18 billion in revenues
• 70,000+ employees worldwide
• 67 Manufacturing & Technology Centers
• World Headquarters: Southwest Michigan

MAKE PRODUCTS PEOPLE WANT TO OWN IN THEIR HOMES
(Brand platform diagram: Best Consumer Position; Consumer-relevant innovation; Strong cadence to the market; Build strong brands; Consumer-relevant and value-creating innovation)

WHIRLPOOL’S RISK MANAGEMENT FUNCTION
• Whirlpool’s Risk Management
  – Core team of 5
  – Reporting to the Vice President and Treasurer
• Enterprise Risk Management
• Traditional risk management of hazard and financial risks
• Business continuity program
• Loss Prevention and Engineering Risk Management
(Org chart, flattened: Chief Financial Officer; Vice President Treasurer; Director, Risk Management; Risk Engineer; Administrative Assistant; Senior Risk Analyst; Risk Manager; Claim Manager; Associate Risk Analyst)

ENTERPRISE RISK MANAGEMENT PROCESS
Enterprise Risk Management is a strategic activity within Whirlpool. Our ERM process ensures that:
• Risks are appropriately identified.
• Risks are assessed at the senior management, business, and functional unit level.
• Risk mitigation is owned by business unit leaders.
Oversight:
• Ultimate responsibility for managing risks rests with the Chief Executive.
• Board of Directors oversees the overall risk management process through its Audit Committee.
The success of risk management is determined by:
• Identifying the right risks and events driving them.
• Quantifying and ranking risks.
• Developing risk management plans which reduce the impact of and help the company prepare for risk events.

ENTERPRISE RISK PROGRESS TIMELINE
An Ongoing Process Since 2007
(Timeline diagram; milestones in the order shown on the slide)
2007–2009:
• Detailed risk assessments completed for Strategic and Financial Level Risks
• Detailed risk assessments completed for Operational and Compliance Level Risks
• Qualitative and quantitative metrics included where warranted
• Velocity metric introduced
• Critical events and root causes identified
• Benchmark ERM Maturity
• Regions identify top risks, mitigation and controls
• Coordinate with Internal Audit monthly and during annual emerging risk identification
2010–2011:
• Identified unique regional risks and mitigation plans
• Conducted emerging risk survey at the regional level; aggregated results
• Included Duration and Detectability in new risk assessments
• Identified Trade Partner and Competitor risk factors
• ERM presented to S&P
• Coordinate with Internal Audit monthly and during annual emerging risk identification
• Annually: Risk Map Repositioned, Risk Owners’ Mitigation Plans Confirmed
• ERM incorporated into Internal Controls course of WHR University
• WHR University – instructor-led courses developed and taught for Finance Group
• Incorporated ERM into the CAPEX Process
• System shared with Internal Audit hosts and reports ERM
• Interviews with risk owners and direct reports in cooperation with Internal Audit

ENTERPRISE RISK MANAGEMENT AT WHIRLPOOL
• Annual risk assessment process is used by both Internal Audit and Risk Management

ENTERPRISE RISK MANAGEMENT AT WHIRLPOOL
• Risks are rated, ranked and assigned to one of five categories (diagram: control source ranges from Good Decisions to Good Rules across categories 1 through 5)
Risk Category – Level/Representative Risks
1. Enterprise – Board-level concern
2. Strategic – CEO and executive committee-level concern
3. Financial – Business unit and functional-level concern
4. Operational – Business unit and functional-level concern
5. Compliance & Reporting – Business unit and functional-level concern

ENTERPRISE RISK MANAGEMENT AT WHIRLPOOL
• Key Risks are owned by its executive committee, and projects and actions to achieve mitigation goals and objectives are ongoing

WHIRLPOOL’S INTERNAL AUDIT FUNCTION
(Org chart: VP Internal Audit reports administratively to the Chief Financial Officer and functionally to the Audit Committee; co-sourced with KPMG; Administrative Assistant; regional teams led by EMEA Senior Manager, NAR Senior Director, LAR Director, Asia Senior Manager and Information Technology Manager, each with its own auditors; auditor headcounts shown in that order: 6, 23, 7, 11, 4)
• IA reports to the CFO & Audit Committee
• Represented in all regions globally
• Core team of ~60 Auditors
• KPMG FTEs utilized
• Core Competency includes Talent management:
  – Rotation into business
  – Financial Leadership Development Program

AUDIT PLAN AND DEVELOPMENT PROCESS
• Quantitative and qualitative assessment of all Whirlpool functions and locations
• Approach considers internal and external changes in the business environment, Whirlpool’s strategy and key objectives
• VP Internal Audit and IA Management team gathered input from Senior Executives, including regional CFOs and management from various functional areas
• Integrated risk assessment process with Enterprise Risk Management and the Compliance & Ethics Office
• Reviewed risk assessment and IA Plan with Ernst & Young
• Reviewed IA Plan with Executive Committee & Global Finance Leadership Team (GFLT)
• Audit Committee approves annual plan

INCORPORATING TECHNOLOGY
• ERM PROCESS EMBEDDED WITHIN INTERNAL AUDIT SYSTEM

ENTERPRISE RISK MANAGEMENT
Collaboration
• Monthly meetings between IA and RM
• RM receives IA reports
• Annually interview senior leaders
• WHR University ‘Risk and Controls’ course
• RM utilizes IA software system
Benefits
• Collaborative effort
• Identify emerging risks earlier
• Optimize and leverage efforts
• Common language
• Shared IT software

Q&A