This document provides an overview of combined assurance and how to develop an effective combined assurance model. It discusses obtaining a multi-dimensional view of risk, identifying key role players in assurance, determining the appropriate number of lines of defense, and mapping assurance providers to risks, controls and objectives. The goal of combined assurance is to maximize governance and risk oversight through an integrated and aligned approach to assurance.
1. Demystifying Combined Assurance
Creating a Well-rounded Risk Profile to Assess the Adequacy of your Assurance Coverage
Grant Fisher
General Manager: Group Audit and Risk Management, Bridgestone South Africa
5 March 2015
2. Outline
1 Introduction
2 Obtaining a Multi-dimensional View of Risk
3 Your Key Role Players in Combined Assurance
4 How Many Lines of Defense are Enough?
5 Mapping Assurance Providers to Risks, Controls, and Objectives
6 Gap Analysis: Strengthening the Risk Net
7 Discussion Time and Case Study
3. 1 Introduction
"If you can't explain it simply, you don't understand it well enough."
Albert Einstein
Source: http://www.brainyquote.com/quotes/quotes/a/alberteins383803.html
4. 1 Introduction (cont.)
"I am convinced that a simple profit-seeking business will never thrive, but a business that contributes to its society and country will be forever profitable."
Shojiro Ishibashi, Founder
The essence of sustainability: 60 years before the first King report, Bridgestone was promoting principles of good governance (even though the term did not yet exist).
5. 1 Introduction (cont.)
The World of Assurance and Good Governance
In the past 20 years, we have seen a fundamental change in the role of business in society. This is particularly meaningful in the context of a new South Africa.
King I (1994)
• Introduced the concept of good governance
• Focused on the role of the Board
• Recommended Affirmative Action
King II (2002)
• Promoted the roles of Internal Audit and Risk Management
• Stressed the importance of sound financial reporting
• Recommended "non-financial reporting"
King III (2009)
• Promoted the roles of Internal Audit and Risk Management further
• Recommended Integrated Sustainability Reporting
• Introduced the concept of Combined Assurance
King IV (20??)
• Will take the concept of Combined Assurance further...
6. 1 Introduction (cont.)
The World of Assurance and Good Governance (cont.)
What has changed?
Aspect | Western Capitalism | A New Compassionate Capitalism
Time horizon | Short-term focus | Considers short, medium and long-term
Value Creation | Returns to Shareholders | Value for Stakeholders
Mission | Profit motive above all else | Concern for people, planet, and profit
Annual Reporting | Financial Reporting | Integrated Sustainability Reporting
Who's involved?
Internal Audit, Risk, Forensics, Transformation, Governance, Secretarial, Legal, Insurance, Compliance, CSR, SQE, Security
7. 1 Introduction (cont.)
Why Combined Assurance?
It started with the King Report on Governance (King III):
"The audit committee should ensure that a combined assurance model is applied to provide a co-ordinated approach to all assurance activities."
Potential Benefits
• Focus on key risks
• Identify gaps
• Reduce operational disruptions
• Track remedial actions
• Improve reporting to the Board
• Support Integrated Report
8. 1 Introduction (cont.)
Combined Assurance means better Risk Management and better Governance*
* but only if we want it to...
9. 2 Obtaining a Multi-dimensional View of Risk
Ask yourself the following:
• Do we know what our risks are?
• Do we really know what our risks are?
• What are our biggest risks, and how do we measure them?
• How do we get our assurance?
• Who are we really relying on?
• If we know our risks, why do bad things still happen?
• Do we just tick the boxes?
(Think about Enron. ABIL. Are they that different to us?)
10. 2 Obtaining a Multi-dimensional View of Risk (cont.)
How we do it at Bridgestone South Africa
Inputs to the Risk Profile: Risk Forum & Internal Audit; Incident Reports; Global Risks
• Incorporate global risks and classification systems
• Learn from local and global incidents, accidents and disasters
• Lead risk forum and conduct interviews (cross-functional team)
• Incorporate internal audit experience
• Consider other methods (PESTEL, SWOT, etc.)
• Leverage data analytics (planned)
11. 2 Obtaining a Multi-dimensional View of Risk (cont.)
Elements of our Risk Framework
Policies and Standards
• Appetite
• Tolerance
• Capacity
• Risk Criteria
• Classification
Risk Management (Normal Conditions)
• All Risk Categories
• COSO ERM
• Risk Register
Business Continuity Management
• Emergency Planning
Incident Reporting
• Incidents
• Accidents
• Emergencies
Crisis Management
• Task Force Establishment
12. 2 Obtaining a Multi-dimensional View of Risk (cont.)
Categories of our Top 10 Risks
Category | Qty
Regulatory Compliance | 2
Emergency Planning | 1
Transformation | 2
Operations | 1
Quality | 3
Ethics | 1
Our first financial risk is at #17 (Bad Debt), so then:
• Is Internal Audit really risk-based?
• Who is giving us the real assurance?
It cannot be the traditional world of financial audit.
(And it doesn't help to get assurance on the wrong risks!)
13. 2 Obtaining a Multi-dimensional View of Risk (cont.)
Establishing your Strategic Position (where do you fit in?)
Supply Chain [CORE]: Planning, Purchasing, Production, Logistics, Sales, Marketing
Administrative [SUPPORT]: Finance, HR, IT, SQE, Internal Audit, Compliance
Across both: Corporate Social Responsibility (CSR) and Enterprise Risk Management (ERM)
14. 2 Obtaining a Multi-dimensional View of Risk (cont.)
What are we trying to achieve?
22 CSR Focus Points
Fundamental CSR Activities
• Stable Profits
• Compliance
• Business Continuity
• Stakeholder Communication
CSR through Business Activities
• Quality Products and Services
• Technological Innovation
• Customer Research
• Fair Business Practice
• Fair and CSR Procurement
• Timely Disclosure
CSR through Environmental Activities
• Conservation through Products
• Conservation through Supply Chain
• Social Activities
CSR from a Social Standpoint
• Job Satisfaction
• Workplace Safety
• Diversity
• Human Rights
• Social Activities and Volunteering
Global Reporting Initiative (GRI) Requirements
Economic Impact
• Financial Results (for shareholders)
• Impact on other Stakeholders
  - Staff compensation
  - Employee benefits
  - Community investments
  - Donations
  - Returns to providers of capital
  - Tax paid
  - Local procurement
  - Local recruitment
  - Infrastructure development
Environmental Impact (materials, energy, water, etc.)
Social Impact
• Labour Practices
• Human Rights
• Society
• Product Responsibility
15. 2 Obtaining a Multi-dimensional View of Risk (cont.)
What do we care about?
The way we look at value has changed. And new accounting standards reflect this.
[For accounting value to reflect economic value, goodwill must be stated at Fair Market Value (IFRS)]
Value Perspective | Definition | Time Frame
Economic | NPV (Expected Future Income Flows) | Future
Accounting | Assets – Liabilities | Past
Now accountants have to look to the future to establish value, and internal auditors have to look to the future to establish risk. Yet neither has a crystal ball...
16. 2 Obtaining a Multi-dimensional View of Risk (cont.)
Value theory of Risk
Risk: anything that can destroy Value (or potential value)
Assurance: activities undertaken to protect Value
Combined Assurance: co-ordinating the activities that protect Value
Or
"Integrating and aligning assurance processes in a company to maximise risk and governance oversight and control efficiencies, and optimise overall assurance to the audit and risk committee, considering the company's risk appetite." (King III)
Or
"Internal due diligence on an ongoing basis" (IRMSA)
17. 2 Obtaining a Multi-dimensional View of Risk (cont.)
It takes a King to Govern
One of the best Governance Codes in the World. And yet...
18. 2 Obtaining a Multi-dimensional View of Risk (cont.)
Corruption Perceptions Index 2013
South Africa’s biggest risk! [IRMSA Risk Report 2015]
P.S. What’s Botswana got that we haven’t?
19. 2 Obtaining a Multi-dimensional View of Risk (cont.)
Another definition of Risk
Any obstacle to getting what we want
If you're not thinking CSR, you're not thinking risk
20. 2 Obtaining a Multi-dimensional View of Risk (cont.)
Know your Universe
HR: IR, Pay, Morale, Skills
Legal: Compliance, Ethics, Contracts
Security: Assets, Visitors, Crime, Staff
Finance: Reporting, Fraud, Liquidity, Treasury, Tax
IT: DRP, Data, Systems, Software
Wellness: Hygiene, Disease
Disaster: Nature, Fatality, Safety
Quality: Product, Service, Environment
Business: Economy, Supplier, Production, Planning, Market
21. 2 Obtaining a Multi-dimensional View of Risk (cont.)
Develop some detail (but don't get lost in it)
# | Broad Risk Category | Sub-category | Risk # | Risk Name | Key Person
1 | Human Capital | Skills Maintenance | 30 | Skills Shortage | Jane
  |               | Industrial Relations | - | Unfair Dismissal |
  |               | Labour Market Activity | 23 | Labour Unrest |
  |               | Compensation Framework | 29 | Staff Compensation |
  |               | Employee Relations | - | Employee Scandal |
  |               | Employee Relations | 47 | Family Relationships |
  |               | Recruitment | 45 | Fraudulent Applications |
  |               | Staff Morale | 14 | Restructuring |
  |               | Staff Morale | - | Division of Labour |
22. 2 Obtaining a Multi-dimensional View of Risk (cont.)
Document thoroughly [extract from risk register]
P.S. What's missing? Causes or contributing factors (there should be a control for every cause)
Register columns: 2014 Rank | Risk # | Date | Risk Name | Risk Description | Map to CSR Objective | BSJ Risk Category | COSO Risk Category | Likelihood (Pre-control) | Impact (Pre-control) | Inherent Risk | Existing Controls and/or Mitigation Measures | Likelihood (Post-control) | Impact (Post-control) | Residual Risk | Risk Response | Action Plan | Action by date | Person Responsible | Risk Owner | BCP Indicator | Progress to Plan / Follow-up Status

Risk 001 (2014 Rank 1), dated 26-Nov-13
Risk Name: Non-compliance with Competition Act
Risk Description: A violation of the Competition Act results in severe penalties (i.r.o. price fixing, market allocation, resale price maintenance, market power, collusion, etc.)
Map to CSR Objective: 1, 2, 8
BSJ Risk Category: 03 Legal
COSO Risk Category: Compliance
Likelihood / Impact (Pre-control): 4 / 5; Inherent Risk: IV
Existing Controls and/or Mitigation Measures: Competition Compliance Training Manual (on Intranet)
Likelihood / Impact (Post-control): 3 / 5; Residual Risk: IV
Risk Response: Reduce
Action Plan: Policy on anti-cartel activity (in-progress per BSJ instruction); On-line compliance training
Action by date: 31-12-2013
Person Responsible: RS
Risk Owner: Legal
BCP Indicator: No
Progress to Plan / Follow-up Status: Policy approved by the Board (Dec 2013); Compliance Training rolled out to sales and marketing staff (Sep 2014)

Risk 002 (2014 Rank 2), dated 26-Nov-13
Risk Name: Terrorism or related catastrophe
Risk Description: An unforeseen act of terrorism or sabotage has a profound effect on the business
Map to CSR Objective: 1, 3, 17
BSJ Risk Category: 07 Disaster
COSO Risk Category: Strategic
Likelihood / Impact (Pre-control): 1 / 5; Inherent Risk: IV
Existing Controls and/or Mitigation Measures: Security on site; Risk Control Policy; Emergency Planning and Procedures (BSAF Plants); SASRIA cover is in place for Max T against terrorism provided it is politically motivated (NASRIA in Namibia)
Likelihood / Impact (Post-control): 1 / 5; Residual Risk: IV
Risk Response: TBD
Action Plan: Enhance and/or standardise contingency planning systems and procedures (at group level), giving special consideration to second-round effects (beyond initial financial impacts); Consider outsourcing the management of catastrophes
Action by date: TBD
Person Responsible: CT
Risk Owner: CSR/SQE
BCP Indicator: Yes
Progress to Plan / Follow-up Status: Note: Terrorist threat exists in Mozambique, but no SASRIA cover equivalent there
23. 3 Your Key Role Players in Combined Assurance
Who are we relying on?
From the point of view of a multi-national...
Internal (Local): Operating Management; Group Audit and Risk; Legal / Secretarial; CSR / SQE; Human Resources; Finance; Information Technology; Technical
Group-Global: J-SOX Auditors; TQM Auditors; Internal Auditing; Business Continuity
External: External Audit; Corporate Lawyers; Consulting Engineers; Insurers; B-BBEE Verification Agency; ISO Certification; Labour Relations Consultants; OEM Auditors (e.g. BMW); Fire Protection Inspectors; Safety Inspectors; Forensic Consultants
24. 3 Your Key Role Players in Combined Assurance (cont.)
Should we be relying on them?
• Internal Assurers: Highly Skilled, but not Independent
• Group-Global: Skilled and Independent, but limited Local Knowledge
• External Assurers: Skilled, Relatively Independent, and Accredited, but Costly
25. 3 Your Key Role Players in Combined Assurance (cont.)
Special Case: J-SOX (Mutual Assurance)
The Group CEO (Global) performs a group assessment based on internal control confirmation statements submitted by each group company, and submits an internal control statement based on the assessment results to the Prime Minister of Japan. Each Group Company conducts its own control self-assessment.
Assurance is provided on the following control types:
• Entity Level Controls
• Financial Closing and Reporting Controls
• Business Process Controls
• IT General Controls
BSJ places reliance on our self-assessment.
We place reliance on their independent validation.
26. 3 Your Key Role Players in Combined Assurance (cont.)
27. 3 Your Key Role Players in Combined Assurance (cont.)
And for JSE-Listed Companies...
• Who gives you assurance on your integrated report?
• Are traditional auditors the right people?
• Do they have the right credentials?
• Is the report really integrated?
• Do we create value over time...?
On the other hand...
• Is independent assurance even possible?
• Are we taking assurance too far?
• Should we stop with Internal Audit?
• You cannot guarantee sustainability [King III vs JSE]
28. 4 How many Lines of Defense are Enough?
According to the IIA…
29. 4 How many Lines of Defense are Enough? (cont.)
In other words...
• Line 1: Risk and Control Owners [Management]
• Line 2: Risk Management Process Owners [e.g. Risk Management / Risk Forum]
• Line 3: Assurance Providers on Risk Management Process [Internal Audit]
• Line 4: External Assurance Providers and Consultants
• Line 5: Board Sub-committees
30. 5 Mapping Assurance Providers to Risks, Controls, and Objectives
Developing a Model (According to IRMSA)
1. Create Awareness
• Define what it is
• Explain the benefits
2. Identify a Champion
• Chief Internal Auditor
• Chief Risk Officer
3. Develop an Assurance Strategy
• Identify business objectives and risks that affect their attainment
• Prioritise risks
4. Identify and Involve Assurance Providers
• Secure commitment
• Especially Internal Audit
5. Map Risks to Assurance Providers
• Describe assurance mission of each provider
• Draft assurance activities to be undertaken and frequency
6. Decide on Optimum Model
• Design blueprint
• Build infrastructure (risk methodology)
31. 5 Mapping Assurance Providers to Risks, Controls, and Objectives
Getting Started (getting a broad overview)
Business Process | Internal Assurance Provider | Output | External Assurance Provider | Output
Economic / Financial
Economic Value Added | - | - | External Audit | Value Added Report
Financial Results | - | - | External Audit | External Audit Report
Safety, Health, Environment & Quality
Legal Safety Compliance | CSR / SHEQ Department | Inspection Reports | Consultants (BSMP) | Audit / Inspection Report
Safety Systems | CSR / SHEQ Department | Inspection Reports | DQS GmbH (BSAF) | OHSAS 18001:2007 Certification
Environmental Standards | CSR / SHEQ Department | Inspection Reports | DQS GmbH (BSAF) | ISO 14001:2004 Certification
Quality Systems | CSR / SHEQ Department | Inspection Reports | DQS GmbH (BSAF) | ISO 9001:2008 and TS 16949:2009 Certification
Empowerment
B-BBEE Credentials | - | - | Service Provider | B-BBEE Scorecard
Human Resources
Employee Satisfaction | To be confirmed | Employee Satisfaction Survey | - | -
Risk, Control and Governance
Internal Control Environment | Group Audit and Risk | Internal Audit Report to the Board | - | -
Risk Management Process | Group Audit and Risk | Internal Audit Report to the Board | - | -
Governance / King III | Group Audit and Risk | Governance Assessment Report | To be confirmed | Independent Statement
Sustainability Reporting | CSR / SHEQ Department | CSR Report | External Audit | Independent Assurance Report
32. 5 Mapping Assurance Providers to Risks, Controls, and Objectives
Mapping by Risk
Register columns: 2014 Rank | Risk # | Date | Risk Name | Risk Description | Map to CSR Objective | BSJ Risk Category | COSO Risk Category | Likelihood (Pre-control) | Impact (Pre-control) | Inherent Risk | Existing Controls and/or Mitigation Measures | Likelihood (Post-control) | Impact (Post-control) | Residual Risk | Risk Response | Action Plan | Action by date | Person Responsible | Risk Owner | BCP Indicator | Progress to Plan / Follow-up Status, extended with: Supporting Process | 1st Line Assurance | 2nd Line Assurance | 3rd Line Assurance | External Assurance | Assurance Gap

Risk 001 (2014 Rank 1), dated 26-Nov-13
Risk Name: Non-compliance with Competition Act
Risk Description: A violation of the Competition Act results in severe penalties (i.r.o. price fixing, market allocation, resale price maintenance, market power, collusion, etc.)
Map to CSR Objective: 1, 2, 8
BSJ Risk Category: 03 Legal
COSO Risk Category: Compliance
Likelihood / Impact (Pre-control): 4 / 5; Inherent Risk: IV
Existing Controls and/or Mitigation Measures: Competition Compliance Training Manual (on Intranet)
Likelihood / Impact (Post-control): 3 / 5; Residual Risk: IV
Risk Response: Reduce
Action Plan: Policy on anti-cartel activity (in-progress per BSJ instruction); On-line compliance training
Action by date: 31-12-2013
Person Responsible: RS
Risk Owner: Legal
BCP Indicator: No
Progress to Plan / Follow-up Status: Policy approved by the Board (Dec 2013); Compliance Training rolled out to sales and marketing staff (Sep 2014)
Supporting Process: Compliance Training
1st Line Assurance: Operating Management (Sales and Marketing)
2nd Line Assurance: Legal / Secretarial
3rd Line Assurance: Internal Audit
External Assurance: Corporate Lawyers
Assurance Gap: Legal Compliance Audit (A - Z)

Risk 005 (2014 Rank 6), dated 26-Nov-13
Risk Name: Product Recall
Risk Description: Product failures result in recalls that cause reputational damage
Map to CSR Objective: 1, 5
BSJ Risk Category: 09 Quality
COSO Risk Category: Strategic
Likelihood / Impact (Pre-control): 4 / 5; Inherent Risk: IV
Existing Controls and/or Mitigation Measures: QA testing, manufacturing quality gates, QTR procedures; QS Procedure (correct, updated testing procedures should be followed at all times; suspect tyres not released); ISO9001; Extension under liability policy
Likelihood / Impact (Post-control): 2 / 4; Residual Risk: III
Risk Response: Accept
Action Plan: F Qualification audit at Brits (BSJ) [Quality Process Audit]
Action by date: Ongoing
Person Responsible: PW
Risk Owner: Quality
BCP Indicator: Yes
Progress to Plan / Follow-up Status: Audit completed; IIP for corrective actions in progress
Supporting Process: Quality Control
1st Line Assurance: Operating Management (Plant)
2nd Line Assurance: CSR / SQE
3rd Line Assurance: -
External Assurance: DQS (ISO9001 and TS16949); TQM Auditors (BSJ)
Assurance Gap: Quality Auditor / Inspector or CQO

• Select high residual risks and high inherent risks
• Consider low level risks for overkill
33. 5 Mapping Assurance Providers to Risks, Controls, and Objectives
A Different Perspective (public sector template)
34. 6 Gap Analysis: Strengthening the Risk Net
An ongoing process:
1. Assess the extent of Risk Coverage
• Compare actual with desired levels
2. Assess Assurance Providers
• Credentials
• Methodologies
• Independence
• Business Knowledge
• Cost
3. Identify Assurance Gaps
• Gaps in coverage
• Gaps in assurance provider capability
4. Identify Assurance Overkill
• Low level risks
• Misunderstood risks
• Duplication of effort
5. Compile Remedial Action Plan
6. Report to Governing Body
7. Track Actions against Plan
8. Monitor, Update and Improve
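The "Mapping by Risk" table and the gap-analysis cycle lend themselves to a mechanical first pass before the judgement calls about provider credentials and independence. The Python script below is an added example, not part of the presentation or of Bridgestone's own tooling. It reads a small CSV extract of the mapping table, flags coverage gaps (a high-rated risk with an empty line of assurance), carries the register's own "Assurance Gap" note forward as a capability gap, flags overkill (a low-rated risk carried by many providers), and orders the risks by residual then inherent rating. Assumptions, none of which the deck states: ratings run I (lowest) to IV (highest); III and IV count as high and I and II as low; more than two providers on a low-rated risk counts as overkill; the CSV layout, the ";" separator for several providers in one cell, and risk 099 are constructed for the example, while rows 001 and 005 restate the page's own entries.

```python
"""Coverage-gap and overkill pass over a combined-assurance risk map."""
import csv
from dataclasses import dataclass
from io import StringIO
from typing import Dict, List

# Rating scale as used in the register: I (lowest) to IV (highest).
RATING_ORDER = {"I": 1, "II": 2, "III": 3, "IV": 4}
HIGH = 3  # assumed: III and IV are "high"
LOW = 2   # assumed: I and II are "low"

# The four assurance columns of the mapping table, in line-of-defence order.
LINES = ("1st Line", "2nd Line", "3rd Line", "External")

# Constructed CSV extract. Risks 001 and 005 restate the page's own rows;
# risk 099 is made up to exercise the overkill check.
# "-" means no provider; ";" separates several providers in one cell.
REGISTER_CSV = """\
Risk#,Risk Name,Inherent,Residual,1st Line,2nd Line,3rd Line,External,Assurance Gap
001,Non-compliance with Competition Act,IV,IV,Operating Management (Sales and Marketing),Legal / Secretarial,Internal Audit,Corporate Lawyers,Legal Compliance Audit (A - Z)
005,Product Recall,IV,III,Operating Management (Plant),CSR / SQE,-,DQS (ISO9001 and TS16949);TQM Auditors (BSJ),Quality Auditor / Inspector or CQO
099,Stationery stock-outs (constructed),II,I,Operating Management (Admin),Procurement Review,Internal Audit,External Audit,-
"""


@dataclass
class MappedRisk:
    risk_id: str
    name: str
    inherent: str
    residual: str
    providers: Dict[str, List[str]]  # line -> providers; [] means nobody
    gap_note: str                    # the register's own "Assurance Gap" cell


def parse_providers(cell: str) -> List[str]:
    """Split a provider cell; "-" or blank means no provider."""
    cell = cell.strip()
    if cell in ("", "-"):
        return []
    return [p.strip() for p in cell.split(";") if p.strip()]


def load_register(text: str) -> List[MappedRisk]:
    """Parse the CSV extract, rejecting ratings outside the I-IV scale."""
    risks = []
    for row in csv.DictReader(StringIO(text)):
        for col in ("Inherent", "Residual"):
            if row[col] not in RATING_ORDER:
                raise ValueError(f"risk {row['Risk#']}: bad {col} rating {row[col]!r}")
        note = row["Assurance Gap"].strip()
        risks.append(MappedRisk(
            risk_id=row["Risk#"],
            name=row["Risk Name"],
            inherent=row["Inherent"],
            residual=row["Residual"],
            providers={line: parse_providers(row[line]) for line in LINES},
            gap_note="" if note == "-" else note,
        ))
    return risks


def coverage_gaps(risk: MappedRisk) -> List[str]:
    """Lines with nobody assigned, reported only where inherent or residual is high."""
    if max(RATING_ORDER[risk.inherent], RATING_ORDER[risk.residual]) < HIGH:
        return []
    return [line for line in LINES if not risk.providers[line]]


def is_overkill(risk: MappedRisk, max_providers: int = 2) -> bool:
    """A low residual risk carried by more providers than the threshold."""
    total = sum(len(p) for p in risk.providers.values())
    return RATING_ORDER[risk.residual] <= LOW and total > max_providers


def analyse(text: str) -> dict:
    """Order risks by residual then inherent rating; report gaps and overkill."""
    risks = sorted(
        load_register(text),
        key=lambda r: (RATING_ORDER[r.residual], RATING_ORDER[r.inherent]),
        reverse=True,
    )
    return {
        "priority": [r.risk_id for r in risks],
        "coverage_gaps": {r.risk_id: coverage_gaps(r) for r in risks if coverage_gaps(r)},
        "capability_gaps": {r.risk_id: r.gap_note for r in risks if r.gap_note},
        "overkill": [r.risk_id for r in risks if is_overkill(r)],
    }


if __name__ == "__main__":
    for key, value in analyse(REGISTER_CSV).items():
        print(f"{key}: {value}")
```

On the two rows taken from the deck, the pass reports what the slide records by hand: risk 005 (Product Recall) has no 3rd-line assurance, and both rows carry a capability note that no amount of counting providers would surface, which is why the register's own "Assurance Gap" column is kept as a separate output rather than folded into the computed gaps.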
35. 7 Discussion Time and Case Study
Food for Thought
The world changes in strange and unpredictable ways. Not one of the great political or economic shifts of the past 100 years was predicted with any degree of accuracy. Examples stretch from the end of the Cold War to the global financial crisis. Remember that in 1985 PW Botha warned that he would not lead white South Africa down the path of “abdication and suicide”. Ten years later Nelson Mandela celebrated his first anniversary in the Union Buildings. Most recently American officials have admitted that they did not see ISIS coming.
Therefore resist the temptation to use short-term current trends to come to fixed conclusions about (the) future – history suggests that your initial conclusions may be very wrong.
Frans Cronje, CEO: Institute of Race Relations
Quoted with permission
36. 7 Discussion Time and Case Study (cont.)
Questions
Comments
Ideas
?
37. 7 Discussion Time and Case Study (cont.)
Case Study: African Bank
• Record Loss: “needed 8.5 billion rand to survive”
• Seven of the eleven directors had no previous banking experience
• Share price plummeted more than 95%
• Made loans at annual interest rates as high as 60%
• “…didn’t provide enough for bad debts” – Sanlam
• Ripple effects: Moody’s lowered credit ratings on the four largest banks
• Could even bring SA closer to a ratings downgrade – Standard Bank
• Sunday Times Front Page: “F*** the poor” – Chief Risk Officer
• Charming CEO + Weak Chairman = No balance of power
Sources: BusinessReport and Sunday Times
38. 7 Discussion Time and Case Study (cont.)
Case Study: African Bank (cont.)
What the company said…
“ABIL Risk Management strategy is to embed a risk culture and support business units within the group”
- Accountability – Risk Report financial year ended 30 September 2013
“The Audit Committee must ensure that the combined assurance received is appropriate to address the significant risks facing the company. The combined assurance model consists of management, the Risk Committee, internal assurance providers i.e. finance, internal audit, risk and external assurance providers i.e. external auditors. The Audit Committee must monitor the relationship between the external assurance providers and the company.”
- Group Audit Committee Charter of ABIL and Group Subsidiaries