THE AUDIT COMMITTEE’S ROLE IN ANTICIPATING AND MANAGING EMERGING RISKS
Black swans like the Covid-19 health crisis and the resulting fallout provide salutary lessons on how boards must be prepared for a panoply of risks. This session guides audit committee members on how to provide effective oversight of risk management practices in the organisation, without duplicating the efforts of the Risk Management Department and while leveraging internal audit as an effective third line of defence.
4. PANELLISTS
MODERATOR
THE AUDIT COMMITTEE’S ROLE IN ANTICIPATING AND MANAGING EMERGING RISKS
PROF HERNAN HUWYLER
Compliance Programme Director, IE Business School, Denmark
SPEAKER
5. Board overview trends after COVID19
• Scenario planning
• Resilience risks
• Risks for move-to-cloud and digitalization strategies
• Quantified cyber risks
• Client and supplier solvency risks
• Decision trees
• Transformation and cost reduction risks
• Testing assumptions
6. Immature risk techniques
Assessing risks in red, yellow and green is malpractice and negligence
Flawed techniques
• Heat maps
• Risk matrices
• Scoring and rating systems
Useless
Incorrect decision-making
Accountability principle
Liabilities for
• Organizations
• Board members
• Auditors
7. What does the board need to know about risks?
You cannot reply to them talking about colors
• Is this price covering the liabilities?
• How much should we invest?
• Should we set a reserve for incidents?
• Are we paying for the right insurance coverage?
• Should we outsource?
• Are the costs of these controls being recovered?
8. What risks should the audit committee cover?
You cannot focus the audit plan using colors
• Better cash-flow forecasting for impairments and covenants > COVID crisis, COVID risk reporting
• Higher fraud risks > work-from-anywhere, segregation when reducing staff
• Skill gaps in cyber controls
• Reassess the inventory values and costs
9. Science proving that red, yellow and green… DON’T work
• What is wrong about risk matrices, Tony Cox, 2008 > worse than useless
• Further thoughts on the utility of risk matrices, David Ball, 2013 > untrustworthy picture
• Risk matrix input data biases, Erik Smith, 2009 > not objective number grids
• Some extensions on risk matrix approach, Huihui Ni, 2010 > defects still left unresolved
• On the origin of probability consequence diagrams, Ben Ale, 2015 > single factor impacts
• Problems with scoring methods and ordinal scales, Doug Hubbard, 2010 > arbitrary features of the scoring
• Recommendations on the use and design of risk matrices, Niels Duijm, 2015 > aggregation is problematical
• Back to Basics: Risk Matrices and ALARP, Glen Wilkinson, 2010 > unable to compare risks
… a long list
11. Monte Carlo Simulations
Extract key assumptions used on
• Business plans
• Budgets
• Bids
Improve the used planning models to analyze the volatility on the assumptions
Run +10,000 random simulations
Analyze results
• Histograms
• Loss exceedance curves
• Tornado charts
12. Monte Carlo Simulations

| Planning assumptions | Plan | Volatility |
|---|---|---|
| Sales | 1,000 | 90% sure between 800 to 1,100 |
| - Variable costs | (600) | 80% sure between 450 to 800 |
| - Fixed costs | (300) | 95% sure between 280 to 320 |
| Profit | 100 | |
13. Monte Carlo Simulations
[Figure: three distributions, vertical axis "# cases". Sales: 90% of cases between 800 and 1,100, plan 1,000. Variable costs: 80% of cases between 450 and 800, plan 600. Fixed costs: 95% of cases between 280 and 320, plan 300.]
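14. Monte Carlo Simulations
[Figure: distribution of Sales, vertical axis "# cases", with 90% of cases between 800 and 1,100]

$$\text{Single Loss} = \mathrm{Ln}\left(P(A),\ \mu = \frac{\mathrm{Ln}(\text{Max}) + \mathrm{Ln}(\text{Min})}{2},\ \sigma = \frac{\mathrm{Ln}(\text{Max}) - \mathrm{Ln}(\text{Min})}{\text{Standard Error}}\right)$$

| Confidence Interval | Standard Error |
|---|---|
| 80% | 2.56 |
| 90% | 3.29 |
| 95% | 3.92 |
| 99% | 5.15 |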
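The procedure on slides 11 to 14, run end to end on the slide-12 figures, as an added example that is not part of the original deck. It assumes all three inputs are lognormal (the deck shows the fit for Sales only) and that they vary independently; the function names are hypothetical.

```python
import math
import random
from statistics import NormalDist

# Slide-12 planning assumptions: (low, high, confidence that the value lies between them)
ASSUMPTIONS = {
    "sales": (800, 1100, 0.90),
    "variable_costs": (450, 800, 0.80),
    "fixed_costs": (280, 320, 0.95),
}

def lognormal_params(low, high, confidence):
    """Slide-14 fit: mu is the midpoint of the log bounds; sigma is the log range
    divided by the interval width in standard errors (3.29 for 90%)."""
    width = 2 * NormalDist().inv_cdf(0.5 + confidence / 2)
    mu = (math.log(high) + math.log(low)) / 2
    sigma = (math.log(high) - math.log(low)) / width
    return mu, sigma

def simulate(runs=10_000, seed=1):
    """Draw every assumption independently (an assumption of this example) per run."""
    rng = random.Random(seed)
    params = {name: lognormal_params(*a) for name, a in ASSUMPTIONS.items()}
    results = []
    for _ in range(runs):
        run = {n: rng.lognormvariate(mu, sigma) for n, (mu, sigma) in params.items()}
        run["profit"] = run["sales"] - run["variable_costs"] - run["fixed_costs"]
        results.append(run)
    return results

def share_below(results, threshold):
    """Fraction of runs with profit under the threshold: one point on a loss exceedance curve."""
    return sum(r["profit"] < threshold for r in results) / len(results)

if __name__ == "__main__":
    results = simulate()
    for threshold in (-200, -100, 0, 100):
        print(f"P(profit < {threshold:>4}) = {share_below(results, threshold):.1%}")
```

The fitted median for sales is the geometric midpoint of the bounds (about 938), not the plan figure of 1,000, so the simulated profit sits below the single-point plan of 100 in most runs.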
20. How to audit assumptions?
• Was the trend data traceable to internal and external objective sources?
• Was the trend data approved by an independent expert?
• Were risk data and formulas manipulated?
• Were expert estimates calibrated and more than 6?
• Was any change in the methodology affecting consistency with previous analysis?
• Were the lessons learnt incorporated to improve the assumptions?
• Was the performance measured and compared to goals?
21. How to assess emerging risks?
• Weak signals of a newly or rapidly increasing high risk
• Predict new threats scanning the horizon
• Assessed by performing a business case

• Potential disputes with external auditors
• Misreporting non-financial information
• Failure in digitalization
• Tax increases
• Restart postponed projects
22. OnRisk
A Guide to Understanding, Aligning, and Optimizing Risk
Institute of Internal Auditors