Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

The link between risk management critical controls and auditing

Nimonik partner and owner of Management Horizons will be speaking on the linkage between operational risk management, critical controls and governance; which should include periodic audits and assessments. Once companies have covered off base line regulatory compliance, they must embark on a journey to reach operational excellence. Mr. Wolfe will explain how leading companies utilize their risk management business process to identify their biggest risks and associated critical controls, and then utilize various assurance processes such as audits and assessments to assure the efficacy of these controls.

  • Login to see the comments

The link between risk management critical controls and auditing

  2. 2. John Wolfe Partner Kim Chanel Vallée-Séguin Communications Manager
  3. 3. Webinar Objectives ✓ To share knowledge and perspectives about operationally excellent management systems and the essential role that risk management and auditing critical controls play in operational excellence ✓ To share the Nimonik passion for developing a compliance plus culture
  4. 4. 60% of all operational losses result from preventable causes 80%of incidences are repeat issues 25-30%of an organization’s costs this year will be wasted fixing the same issues *Source: Peter Merrill – Do it Right the Second Time Operational Risk Management and Audit – A Safety Moment
  5. 5. 5 “Those who don't know history are destined to repeat it.”
 - Edmund Burke “You cannot find what you do not seek” - St. Paul A Few Wise Words
  6. 6. In my experience the organizations with robust integrated ISO 9001, ISO 14001 – OHSAS 18000 HSEQ management programs that also employ Six Sigma Lean management programs 
 are the most successful. Why? They go beyond simple regulatory compliance ✓ They understand their risks and opportunities ✓ They understand their processes ✓ They have simple up-to-date procedures that they follow, 
 they have competent staff and contractors, the right metrics ✓ They empower their people ✓ They focus initially on HSE bad actors, waste, first time quality,
 energy efficiency – building a base for continual learning and
 improvement ✓ They audit – a lot
  7. 7. Management System Framework 1. Leadership, Integrity & Accountability 2. Risk Identification, Assessment & Management 3. Legal Requirements & Commitments 4. Objectives, Targets and Planning 5. Management of Change 6. Structure, Responsibility & Resources 7. Training & Competence 8. Facilities Design & Construction 9. Operations & Maintenance Controls 10.Contractor Management & Third Party Services 11.Data & Document Management 12.Emergency Preparedness & Response 13.Information & Communication Management 14. Quality Assurance 15. Incident Reporting, Investigation & Learning 16. Operations Integrity Monitoring, Audit & Assessment 17. Corrective & Preventative Action 18. Stewardship &
 Management Review PLAN ACT CHECK DO
  8. 8. Regulatory Compliance • Create a Legal Registry that identifies all your legal and other requirements • Create processes (including audits) to verify compliance status • At a minimum - operate within compliance requirements • Have a compliance plus philosophy where it adds value and a robust risk management process
  9. 9. Sample – Legal Registry Tracking Location Permit Description Dates Documents & Filing Compliance Turnover Approval
 Number Approval Type Priori ty / Tier Project Area Plant Sub- Plant System / Tag Number Legal Land Description Approval Issuer Approval 
 Name / Title Description Person Responsible to Obtain Approval Activity for which Approval is Required Forecast / Actual Date to Submit Appl'n Appova l Turn Around Time (days) Forecast Date Approval Required Actual Date Approval Received Permanent / Temporary (expiry date) Renewa l Require d (Y/N) Operating Controls (reference documents) Oil Sands Legal Registry
 (hyperlink) Approval Application (hyperlink to Livelink) Approval Number and Hyperlink to Livelink Compliance Document (descriptor, or hyperlink to Livelink) MPG Compliance Status Ultimate Approval Owner Notes At a minimum: ✓ What is the requirement? ✓ How, why and where is it applicable in your operations? ✓ Who is responsible for demonstrating compliance? ✓ What evidence do you have? ✓ If monitoring and reporting are required - who looks after it and at what frequency Lots of good examples – Suncor had 30 plus data fields
  10. 10. The Risk Management Framework Communicate & Train Communication Reporting Training Communicate & Train Communication Reporting Training Risk Structure & Accountability Risk Roles & Responsibilities: Executive Leadership Team Chief Risk Officer Business & Function Leaders & Management Risk Structure & Accountability Risk Roles & Responsibilities: Executive Leadership Team Chief Risk Officer Business & Function Leaders & Management Mandate & Commitment Policy Standards Procedures/Guidelines Mandate & Commitment Policy Standards Procedures/Guidelines Measure, Review & Improve Control Assurance Policy Standards & Guidelines KPI’s KRI’s Measure, Review & Improve Control Assurance Policy Standards & Guidelines KPI’s KRI’s CommunicateandconsultCommunicateandconsult Establish the contextEstablish the context Identify risksIdentify risks Analyze risksAnalyze risks Evaluate risksEvaluate risks Treat risksTreat risks Risk management information to action - Risk Assurance - Risk Registers - Treatment Plan - Reporting Templates MonitorandreviewMonitorandreviewStrategic Process (Framework continuous improvement cycle) Strategic Process (Framework Implementation) Strategic Process (Framework Implementation) Strategic Process (Framework continuous improvement cycle) Tactical Process Risk assessment Process for Managing Risk 1. 2. 2a. 2b. 2c. 3. 4. 5. Figure 1. Risk Management Framework IV. I. II. V. III. Risk Management Framework --Adapted from CAN/CSA –ISO 31000–Q31001-11
  11. 11. Risk and Decision Making The concept of risk includes five components: 1. Hazard inherent in an activity otherwise deemed beneficial 2. An undesirable event, which brings out the hazard 3. Adverse consequence of the undesirable event 4. Uncertainty of whether the undesirable event will happen or not (likelihood/ probability/ frequency) 5. Perception about the combination of the above
  12. 12. Definition of Risk Issues/ “Hazards” Undesirable event Consequences Risk Likelihood of Consequences Layers of Protection - Prevention Layers of Protection - Mitigation Causes
  13. 13. 13 L ik e lih o o d C a te g o ry - F re q u e nc y G u id e lin e s (B u sin e ss U n it B a sis) D e sc rip tio n f > = 1 /y r O c c u rs o n c e o r m o re p e r y e a r in B U / fa c ility / p ro je c t, a n d is lik e ly to re c c u r w ith in o n e y e a r 6 III II I I I I 0 .1 = < f < 1 /y r (b e tw e e n 1 /y r a n d 1 /1 0 y e a rs ) E x p e c te d to o c c u r s e ve ra l tim e s in th e B U /fa c ility /p ro je c t life tim e 5 III III II I I I 0 .0 1 = < f < 0 .1 /y e a r (b e tw e e n 1 /1 0 a n d 1 /1 0 0 y e a rs ) E x p e c te d to o c c u r in th e B U /fa c ility /p ro je c t life tim e 4 IV III III II I I 0 .0 0 1 = < f < 0 .0 1 /y e a r (b e tw e e n 1 /1 0 0 a n d 1 /1 ,0 0 0 y e a rs ) M a y h a p p e n le s s th a n o n c e d u rin g th e B U /fa c ility /p ro je c t life tim e 3 IV IV III III II I 0 .0 0 0 1 = < f < 0 .0 0 1 /y e a r (b e tw e e n 1 /1 ,0 0 0 a n d 1 /1 0 ,0 0 0 y e ars ) *R e m o te c h a n c e o f h a p p e n in g *2 IV IV IV III III II f < 0 .0 0 0 1 /y e a r (le s s th a n 1 /1 0 ,0 0 0 y e a rs ) *E x tre m e ly re m o te c h a n c e o f h a p p e n in g *1 IV IV IV IV III III *N o te : L ik e lih o o d c a te g o rie s 1 & 2 a re ty p ic a lly fo r fa c ility d e s ig n p u rp o s e s C 1 C 2 C 3 C 4 C 5 C 6 Social In c id e n t - n o Tre a tm e n t F irs t a id / m in o r illn e s s M e d ic a l a id , in ju ry o r illn e s s / re s tric te d w o rk / N u is a n c e p u b lic im p a c t T e m p o ra ry d is ab ility/ lo s t tim e / P e rm a n e n t d is a b ility/ fa ta lity/ M u ltip le o n - s ite fa ta litie s / Environmental R e le a s e to o n -s ite e n viro n m e n t, c o n ta in e d im m e d ia te ly S m a ll u n c o n ta in e d re le a s e b e lo w le g a l lim it o r w ith m in o r im p a c ts / p o s s ib le c u m u la tive im p a c t o n -s ite M in o r e n viro n m e n ta l im p a c t, b u t re s u lt in p e rm it vio la tio n o r a d m in is tra tive p e n a ltie s S ig nific a n t a d ve rs e im p ac t, s ig n ific a n t lo n g-te rm lia b ility, e n forc e m e n t a c tio n C a ta s tro p h ic im p a c t, m a te ria l (c o rp o ra te ) lo n g - te rm lia b ility Economic C < $ 1 0 k $ 1 0 k = < C < $ 1 0 0 k $ 1 0 0 k = < C < $ 1 M $ 1 M = < C < $ 1 0 M $ 1 0 M = < C < $ 1 0 0 M C > $ 1 0 0 M Social In d ivid u a l c o n c e rn / lo c a l m e d ia a tte n tio n / n o im p a c t o n S u n c o r's re p u ta tio n C o m m u n ity c o n c e rn / re g io n a l n e w s / a d ve rs e im p a c t o n S u n c o r's re p u ta tio n a t re g io n a l le ve l P ro vin c ia l n e w s / a d ve rs e im p a c t o n S u n c o r's re p u ta tio n a t p ro vin c ia l/ s ta te le ve l N a tion a l n e w s / p u b lic o u tra g e / s h o rt-te rm d ro p in m a rke t s h a re a n d s h a re p ric e R e c u rrin g n a tio n a l a tte n tio n / p u n itive a c tio n b y g o ve rn m e n t a g a in s t c o m p a n y/ lo n g -te rm m a jo r im p a c t o n m a rk e t s h a re a n d s h a re p ric e F in a n c ia l / D a m a g e (E q u ip m e n t + B u sin e ss In te rru p tio n ) (B u sin e ss U n it/ C lie n ts) H e a lth & S a fe ty (P u b lic a n d E m p lo y e e s) In c r e a s in g C o n s e q ue n c e LikelihoodCategory R e p u ta tio n (P o litic a l/ R e g u la to ry ) IncreasingLikelihood C o n s e q u e n c e C ate g o ry E n v iro n m e n ta l Action Priorities Residual Risk Level Action Priority I II III IV Employees and contractors are aware of the risk, and follow established procedures Responsible EVP & CEO to be made aware of risk, along with mitigation and risk reduction plans Business Unit EVP is responsible to obtain approval from CEO for continued operation Responsible VP ensures preventive controls and mitigation plans are established and maintained, and risks are re-assessed at appropriate intervals Operations management monitors the risk, ensures preventive controls and mitigation plans are functioning and procedures are followed Suncor Risk Matrix
  14. 14. • A Risk Map thus provides a means of ranking the risk of events relative to each other and also providing guidance for action levels III II I I I I III III II I I I IV III III II I I IV IV III III II I IV IV IV III III II IV IV IV IV III III Consequence C LikelihoodL Individual Event Types • For different events that we identify through a risk analysis, once 
 we also know their consequence C and likelihood L, we can 
 plot them on a graph Presentation of Risk - Risk Maps
  15. 15. Integrated Risk Analysis Methods Hazard Identification Methods • Brainstorming • Field Level Risk Assessment • Job Safety Analysis/ Task Analysis • What-if • HAZOP • FMEA
  16. 16. Bow-Tie Risk Analysis RISK EVENT Preventive
 controls Reactive
 controls Causes Causes Causes Consequence Helping to ensure that risks are managed rather than just analyzed Consequence Consequence Preventive
 controls Reactive
  17. 17. THREATS PREVENTIVE CONTROLS Governance and Oversight •Policies and procedures •Delegation of authorities •Functional segregation of duties •Continuous Improvement mindset Approval of Vessels •Marine technical expertise and experience •Marine Risk Management System (IT tool) •Consistent vetting process and rules •Vessel Acceptance Report issuance •Document administration Tools and Processes •AQUARIUS IT tool data management •Cargo handling instructions •Loss Control •IT general controls (disaster recovery, backup of AQUARIUS, internally hosted) •vessel tracking -Capturing of contract terms Compliance and Benchmarking •Meet applicable legal requirements •Consistent with best industry practice •Compliance with company X Vessel Selection Criteria Information Technology Management •Marine Risk Management System (MRMS) IT tool •MRMS data and documentation retention Financial Management •Volume actualization •Logistic settlement •Counter-party / broker settlement •Exchange settlement •Invoice management (include netting) •A/R and A/P management •Demurrage and cargo claims •Loss control •Tariff validation CONSEQUENCES RECOVERY CONTROLS MARINE TRANSPORTATION Reputational • Public outcry from Oil Spill • Investor confidence/Share price (shareholders) Operational • Crude supply to refineries affected Financial • Cost of Cleanup • Insurance Deficiency • Impact from Refinery shut- down Legal and Regulatory • Fines and sanctions • Lawsuits • Prosecution of Executives Strategic • SEMI Growth Objectives • Impact on other major initiatives due to residual reputational damage Strategic -Misalignment with current and future company strategy and risk tolerance People •Skills/experience of staff •Workforce demographics Roles & Responsibilities •Marine accountability for transportation vs. contractual agreement made by operating groups Environmental and Reputational •Operating business units non- compliance •Employment of sub-standard vessels •Engagement of unapproved vendors •Geographic operating environment •Inadequate insurance coverage •Public Perception – •Readiness to respond to a major event •Increasing Environmental consciousness Assets •Use of Aging Fleets/infrastructure Commercial •Commercial needs are not aligned with company’s risk tolerance •Inadequate insurance coverage •Structured deals •High cargo volumes •High dollar values •Freight market volatility •Cargo quality and Loss Control Unsafe (release of Petroleum Product in Waterway) or non-compliant transportation activity Core Business Objectives: 1.Safe, efficient, regulatory compliant movement of crude and products transportation on water) Who is the Client: Marine Transportation, other stakeholders involved in or supporting marine transportation activities.Risk Analysis Financial •Commercial and market expertise • competitive commercial advantage •Centralized market knowledge •Cost controls (GOA/CA limits) Risk Management •Major Emergency Team process •Marine Dept people and processes •Corporate Public Relations process •Internal and External Legal support •Corporate Charterers Liability Insurance ▲No material findingsGrayed out: excluded from scope based on planning meetings ◄ Process improvement or increased formalization ▼ Gap or control failure warranting attention Key: II II II III III III III III I I I Current State Future State Current State Future State Governance and Oversight •Marine policy should be a company X PG&S •Identify all stakeholders •Marine policy improved by appropriate level of company X executive management •Appropriate individual responsible for updating and maintenance of policy •Formalized process for communicating Marine policy Marine Department Procedures •Formalized procedures should be documented Tools and Processes •AQUARIUS / MRMS systems should be documented •Formal documented guidance provided to users East Coast •Formalized communication channels with Marine department •Update East Coast Marine procedures •Compliance to policy •SCM Logistics group interaction with marine group BC Terminal •Formalized communication channels with Marine department •Use of TSW RR RL= Risk Level RR= Residual Risk RL I I II I I II II II I II II Emergency Response Procedures •EH&S and Terminal spill procedures •Spill reporting/control procedures
  18. 18. SIGNIFICANTRISK RECOVERY MEASURES Unplanned Event Emergency Condition CONSEQUENCES RiskAssessmentElement2ProcessHazardAnalysis Managementof Changes CompetencyProgram EngineeringControlsStandard,Procedure, Guideline ContractorSelectionContractorPerformance StakeholderConcerns ComplianceTasks LessonsLearned EmergencyResponse IncidentInvestigationRootCauseAnalysis GoalsandTargets ManagementofChange RiskAssessment DecisionMakingAuthority PMPrograms HazardReportingNearMisses Trending&Analysis Element3 Element4 BusinessPlans Element5 Element6 Element7 Element9 Element10 Element12 Element13 EmergencyPlans Element15 Element12 Element15 Element17 Element5 Element12 PREVENTIVE BARRIERS OEMS Risk and Control based audits will audit both preventative and recovery control adequacy and effectiveness using OEMS criteria
  19. 19. End Result of a Risk Assessment • “Risk Inventory” or “Risk Registry” • Risk assessments are “integrated” risk assessment • Risk assessment worksheet to record the results in summary form.
  20. 20. HAZOP worksheet in Stature
  21. 21. 21
  22. 22. Hazard Controls Last resort Personal Protective Equipment (PPE): the least effective way to protect workers. If the PPE fails, the workers are exposed to the hazard. Engineering Controls: Separate: Isolate the hazard by guarding or enclosing Redesign: Change a process or reconfigure equipment Substitute: Replace materials or processes Administrative: changing the way workers do their jobs, changing policies and procedures for safe work practices, training, etc. M osteffective to leasteffective The Hierarchy of Hazard Controls Control of hazards starts at the top and works down with PPE being the last line of defense. Figure 1: The Hierarchy of Controls: a method for determining appropriate Operational Controls. Eliminate the hazard: Completely remove the hazard
  23. 23. Cost/Benefit Analysis
  24. 24. Dynamics of an Incident System 1 System 2 System 3 System 4 System 5 System 6 System 7 “Hardware” Defenses - Process design - Plant layout - Protection systems “Software” Defenses - Procedures - Audits - Management systems “Liveware” Defenses - Safety culture - Motivation - Alertness Unusual conditions Latent failures in systems Incident
  25. 25. Deepwater Horizon
  26. 26. Incident and KPI Analysis Major Operational Risks and Control Review Strategy and Values - Emerging EHS and PS Risks OEMS Self Assessments & Audits Coverage - Prior Audits & Assessments Audit and Assessment Planning Audit Scope Value Proposition
  27. 27. Management Consultations Principal Risks Suncor Strategy & Value Drivers Audit Plan Idea Generation & Project Scoping Coverage Over Time Resourcing Risk, Value, OEMS Alignment Prioritization
 & Selection Prior Audit Insights External Risks • 5 Year Audit Plan Established • Process Audit Approach OEMS Audits – Non Hazardous Operations / Functions • Embedded into OEMS Process Audits • Process Hazard Analysis • Mechanical Integrity • Quality Assurance OEMS Audits – Hazardous Operations • Annual Determination of Targets • Significant Risks / Key Controls • Environmental • Safety (Personnel and Process) • Emerging Risks • Business Process Effectiveness • Compliance Risk- Based Audits Planning Process In-Year High Risk Requests Process Improvement Project GRC implementation Continuous Improvement
  28. 28. Audit Area Description Proposed Timing ENTERPRISE ASSESSMENTS (Potential impact based on Scope of Audit) Facility Siting Organizational assessment of conformance to the company X 2110 Standard on Facility Siting requirements. Review of status of studies, API and SU 2110 requirements, reporting, risk management, mitigative actions and budgeting TBD Risk Transparency Risk Transparency / Efficacy of Ranking & Reporting RRI and RRII identification, assessment, monitoring and reporting requirements. company X Standards and Process support effective risk transparency and governance of high risk exposures identified by the organization. (Including and internal review of past incidents and risk ranking/reporting) TBD Pipeline Integrity Non-Regulated Lines Process Pipelines Compliance, Conformance to Standards and Risk Management Assessment of compliance against regulatory requirements and conformance against related corporate standards. TBD (Western Canada) Decommissioned Equipment Operational excellence; policies, standards, procedure review of decommissioned equipment processes utilized throughout the organization. TBD Contaminated Sites Liability Compliance, Conformance and Risk Management Assessment of compliance against regulatory requirements and conformance against related corporate standards. TBD Capital Allocation Process (Joint with IA) Capital Allocation and Risk Management Assessment of current capital allocation process and risk management/mitigation of projects identified by the business to mitigate RRI and RRII items. TBD Critical Equipment Back- up Critical Equipment and Exposure to Significant Operational Outages Targeting of assets that if taken offline (e.g. external threat / incident) could lead to a significant operational outage. How exposed are we on certain systems and what security exists to protect identified critical assets. TBD Contractor Management TBD Risk Management Process design effectiveness review to mitigate company X Contractor Management risks. Scope to be determine with IA. TBD Audit Plan - Summary
  29. 29. Auditing of Critical Controls • Minimize impact on operations because of limited resources • Focus on efficacy • Start with Level 1 inherent risk
  30. 30. Auditing of Critical Controls • All audit programs have limited resources, and need to minimize their impact on operations • It is therefore important to focus efforts on providing assurance that the controls used to prevent incidents with the highest consequences are operating with efficacy • I suggest you start with your level I inherent risk controls and work your way down the food chain – recognizing that the front line risk and control owner have the ultimate responsibility and in an ideal world should already have said data and you are simply confirming it 31