THE AUDIT COMMITTEE’S ROLE IN ANTICIPATING AND MANAGING EMERGING RISKS Black swans like the Covid-19 health crisis and the resulting fallout provide salutary lessons on how boards must be prepared for a panoply of risks. This session guides audit comittee members on how to provide an effective oversight on risk management practices in the organisation, without duplicating the efforts from the Risk Management Department and leveraging on internal audit as an effective third line of defence EL PAPEL DEL COMITÉ DE AUDITORÍA EN ANTICIPACIÓN Y GESTIÓN DE RIESGOS EMERGENTES Los cisnes negros como la crisis de salud de Covid-19 y las consecuencias resultantes brindan lecciones saludables sobre cómo las juntas deben estar preparadas para una panoplia de riesgos. Esta sesión guía a los miembros del comité de auditoría sobre cómo proporcionar una visión general eficaz de las prácticas de gestión de riesgos en la organización, sin duplicar los esfuerzos del Departamento de Gestión de Riesgos y aprovechando la auditoría interna como una tercera línea de defensa eficaz.

4. PANELLISTS
MODERATO
R
THE AUDIT COMMITTEE’S ROLE IN ANTICIPATING
AND MANAGING EMERGING RISKS
PROF HERNAN HUWYLER
Compliance Programme Director
IE Business School
Denmark
SPEAKER

5. Board overview trends
after COVID19
Scenario
planning
Resilience risks Risks for move-
to-cloud and
digitalization
strategies
Quantified
cyber risks
Client and
supplier
solvency risks
Decision trees
Transformation
and cost
reduction risks
Testing
assumptions
[5]

6. Immature risk techniques
Assessing risks
in red, yellow
and green is
malpractice
and negligence
Flawed techniques
• Heat maps
• Risk matrices
• Scoring and rating
systems
Useless
Incorrect decision-
making
Accountability
principle
Liabilities for
• Organizations
• Board
members
• Auditors
[6]

7. What does the board needs
to know about risks?
You cannot
reply to
them talking
about colors
• Is this price covering the liabilities?
• How much should we invest?
• Should we set a reserve for incidents?
• Are we paying for the right insurance
coverage?
• Should we outsource?
• Are the costs of these controls being
recovered?
[7]

8. What risks should the audit
committee cover?
You cannot
focus the
audit plan
using colors
• Better cash-flow forecasting for
impairments and covenants > COVID
crisis, COVID risk reporting
• Higher fraud risks > work-from-
anywhere, segregation when reducing
staff
• Skill gaps in cyber controls
• Reassess the inventory values and costs
[8]

9. Science proving that red,
yellow and green…
…
DON’T
work
What is wrong about risk matrices, Tony Cox, 2008 > worse than useless
Further thoughts on the utility of risk matrices, David Ball, 2013 >
untrustworthy picture
Risk matrix input data biases, Erik Smith, 2009 > not objective number grids
Some extensions on risk matrix approach, Huihui Ni, 2010 > defects still left
unresolved
On the origin of probability consequence diagrams, Ben Ale, 2015 > single
factor impacts
Problems with scoring methods and ordinal scales, Doug Hubbard, 2010 >
arbitrary features of the scoring
Recommendations on the use and design of risk matrices, Niels Duijm, 2015
> aggregation is problematical
Back to Basics: Risk Matrices and ALARP, Glen Wilkinson, 2010 > unable to
compare risks
… a long list
[9]

10. Science proving that red,
yellow and green…
…
work
[10]

11. Monte Carlo Simulations
Extract key
assumptions
used on
• Business plans
• Budgets
• Bids
Improve the
used planning
models to
analyze the
volatility on the
assumptions
Run +10,000
random
simulations
Analyze results
• Histograms
• Loss exceedance
curves
• Tornado charts
[11]

12. Monte Carlo Simulations
Planning assumptions Volatility
Sales 1,000 90% sure between 800 to 1,100
- Variable costs (600) 80% sure between 450 to 800
- Fixed costs (300) 95% sure between 280 to 320
Profit 100
[12]

13. Monte Carlo Simulations
800 1,100
#
cases
90% cases
450 800
#
cases
80% cases
Sales Variable costs Fixed costs
280 320
#
cases
95% cases
Plan
1,000
[13]
Plan
600
Plan
300

14. Monte Carlo Simulations
Sales
800 1,100
#
cases
90% cases
Ln (Max) + Ln (Min)
2 Standard Error
P(A), μ = , σ =
Single
Loss
[14]
=
Ln
Ln (Max) - Ln (Min)
Confidence Interval
Standard
Error
80% 2.56
90% 3.29
95% 3.92
99% 5.15

15. 1400
1200
1000
800
600 1
346
691
1036
1381
1726
2071
2416
2761
3106
3451
3796
4141
4486
4831
5176
5521
5866
6211
6556
6901
7246
7591
7936
8281
8626
8971
9316
9661
Monte Carlo Simulations
Sales
800 1,100
#
cases
90% cases
+LOGNORM.INV(RAND(),(LN(800)+LN(1
100))/2,(LN(1100)-LN(800))/3.29)
Plan 1000, 75.1%
[15]

16. Monte Carlo Simulations
1200
1000
800
600
400
200
1
335
669
1003
1337
1671
2005
2339
2673
3007
3341
3675
4009
4343
4677
5011
5345
5679
6013
6347
6681
7015
7349
7683
8017
8351
8685
9019
9353
9687
450 800
#
cases
80% cases
Variable costs
+LOGNORM.INV(RAND(),(LN(450)+LN(8
00))/2,(LN(800)-LN(450))/2.56)
Plan 600, 2%
[16]

17. Monte Carlo Simulations
280 320
250
290
270
310
350
330
1
324
647
970
1293
1616
1939
2262
2585
2908
3231
3554
3877
4200
4523
4846
5169
5492
5815
6138
6461
6784
7107
7430
7753
8076
8399
8722
9045
9368
9691
#
cases
95% cases
Variable costs
+LOGNORM.INV(RAND(),(LN(280)+LN(3
20))/2,(LN(320)-LN(280))/3. 92)
Plan 300, 57.8%
[17]

18. Loss Exceedance Curve
-1000
-800
0
-200
-400
-600
200
600
400
1
224
447
670
893
1116
1339
1562
1785
2008
2231
2454
2677
2900
3123
3346
3569
3792
4015
4238
4461
4684
4907
5130
5353
5576
5799
6022
6245
6468
6691
6914
7137
7360
7583
7806
8029
8252
8475
8698
8921
9144
9367
9590
9813
Plan 100, 98%
Plan has 98% chances to fail
[18]

19. Tornado Chart
Sales
Variable costs
Fixed costs
[19]
+600 -800
Key: ensure the efficiency of controls reducing variables costs

20. How to audit assumptions?
[20]
• Was the trend data traceable to internal and external
objective sources?
• Was the trend data approved by an independent expert?
• Were risk data and formulas manipulated?
• Were expert estimates calibrated and more than 6?
• Was any change in the methodology affecting consistency
with previous analysis?
• Were the lessons learnt incorporated to improve the
assumptions?
• Was the performance measured and compared to goals?

21. How to assess emerging
risks?
[21]
• Weak signals of a newly
or rapidly increasing high
risk
• Predict new threats
scanning the horizon
• Assessed by performing a
business case
• Potential disputes with
external auditors
• Misreporting non-
financial information
• Failure in digitalization
• Tax increases
• Restart postponed
projects

22. OnRisk
A Guide to Understanding,
Aligning, and Optimizing Risk
Institute of Internal Auditors
[22]

23. Let’s connect
Prof. Hernan
Huwyler
hernanwyler
@hewyler
[23]

24. Share your success
Institute of Internal Auditors
https://global.theiia.org https://iiam.com.my/
@TheIIA @IIAMalaysia
[24]

25. JOINTLY ORGANISED BY: