Risk management and the role of the audit committee


Published in: Business, Economy & Finance

  1. Ian Gross, Head of Internal Audit & Projects. Risk Management and the role of the Audit Committee. Higher Education Funding Council for England
  2. What is risk?
      • A risk is:
      • ‘the threat or possibility that an action or event will adversely or beneficially affect an organisation’s ability to achieve its objectives’.
      • All HEIs have (or should have) objectives
  3. What is risk management?
      • Risk management is defined as
      • ‘the systematic application of management policies, practices and procedures to the task of analysing, assessing, treating, monitoring and reporting on risks’.
  4. Is risk management really new?
      • Yes and no
      • Understanding risks is not new at all - most of us have an inherent understanding of risk; e.g. health and safety risk assessments are well established; audit and others use it
      • However, risk management in a corporate governance sense is new. It promotes ownership of the RM process at a high level
  5. Why manage risks?
      • It supports the achievement of objectives
      • It allows higher risks to be taken
      • It reduces the chance of serious errors
      • Risks exist at all levels: corporate/strategic, faculty, departmental, functional, personal, project . . . . So we all need to be risk managers in a way appropriate to our own responsibilities
  6. Benefits of risk management
  7. Why now?
      • Implementing the latest development in corporate governance (Turnbull report)
      • All sectors in the economy are now doing it
      • Ongoing process of promoting good practice
      • Accountability burden - promotes ownership of internal control and helps to provide assurance to stakeholders
  8. Why use in HE?
      • Improve management within HE sector
      • Help maintain/enhance the reputation of HE
      • It is good practice
      • Helps encourage innovation (= risk taking)
      • Contributes to the management of change
      • It’s not just about financial risks, but all kinds including academic reputation
  9. What are the types of risk in HE?
  10. What have we done about it?
      • Accounts direction - three year transition
      • Briefing for senior managers/governors
      • Hands-on guide
      • Web-based material
          - case studies
          - model policy
          - illustrative list of risks
  11. What do we expect HEIs to do?
      • Obtain senior manager & governor commitment and agreement to policy
      • Establish approach, plan and commence implementation
      • Start to embed process at all levels
      • Manage, monitor and report on main risks
      • Achieve balanced risk portfolio
  12. Audit Committees & Risk Management - 1
      • Ensure the Committee has an independent appreciation of what constitutes good practice in risk management, e.g. by considering:
          - the Turnbull report & HEFCE guidance
          - the use of independent training for members
          - advice from other sources e.g. CUC
          - how risk management works in your own organisations.
  13. Audit Committees & Risk Management - 2
      • Ensure the Committee is well informed about the University’s approach to risk management, e.g. by:
          - ensuring the internal auditors conduct reviews of the risk management arrangements (see HEFCE advice)
          - asking the Vice Chancellor, senior managers and/or the risk co-ordinator to explain aspects of it periodically . . . .
  14. Audit Committees & Risk Management - 2
          - considering the comments made by HEFCE at its periodic institutional review
          - ensuring the external auditors plan to satisfy themselves on the adequacy of risk management
          - asking for high-level risk owners to make presentations to the Committee about “their” risks . . . .
  15. Audit Committees & Risk Management - 2
          - asking for departmental and functional heads to make presentations to the Committee
          - making risk management a standing item on the Committee’s agenda
          - ensuring the Clerk to the Committee is well informed about risk management issues
          - asking to see the corporate level risk register periodically (say, annually)
  16. Audit Committees & Risk Management - 2
          - asking to see subsidiary risk registers and/or risk assessments periodically (e.g. for a large capital project or a re-organisation or a new IT/estates/research strategy)
          - ensuring that management uses risk management in a positive way, e.g. to help assess opportunities arising.
  17. Audit Committees & Risk Management - 3
      • Test the effectiveness of the risk management arrangements in place where appropriate, e.g. by:
          - enquiring how a risk assessment was actually carried out
          - questioning the effectiveness of the mitigating controls
          - directing the internal auditor’s work towards risks of concern to the Committee . . . .
  18. Audit Committees & Risk Management - 3
          - asking to see the results of the Vice Chancellor’s annual review of the effectiveness of internal control
          - asking for periodic monitoring reports on the high-level (and other significant) risks
          - ensuring that ‘early warning indicators’ are in place where appropriate
          - seeking management assurances on mitigating controls, further actions and residual risks . . . .
  19. Audit Committees & Risk Management - 3
          - ensuring that all corporate objectives are adequately mapped against risks
          - ensuring that there is a process in place to identify new or emerging risks
          - challenging the treatment of residual risks
          - ensuring that ‘further actions’ identified in the risk management process are actually undertaken . . . .
  20. Audit Committees & Risk Management - 3
          - enquiring how well risk management is embedded throughout the University and identifying areas where risk management is weak.
  21. Audit Committees & Risk Management - 4
      • At the year end (November/December meeting) the Committee should:
          - review the Vice Chancellor’s statement of internal control and the process behind it
          - review the internal auditor’s annual report
          - review the external auditor’s management letter
          - report to the University Council on the effectiveness of the risk management arrangements
  22. Audit Committees & Risk Management - 5
      • In summary, the Committee should:
          - familiarise itself with risk management
          - catalyse risk management
          - ensure appropriate audit work is undertaken
          - review information on risks and risk management
          - review internal and external audit reports
          - review corporate governance statements
          - report to the governing body.