Demystifying Combined Assurance
Creating a Well-rounded Risk Profile to Assess the Adequacy of your Assurance Coverage

Grant Fisher
General Manager: Group Audit and Risk Management, Bridgestone South Africa
5 March 2015
Outline
1 Introduction
2 Obtaining a Multi-dimensional View of Risk
3 Your Key Role Players in Combined Assurance
4 How Many Lines of Defense are Enough?
5 Mapping Assurance Providers to Risks, Controls, and Objectives
6 Gap Analysis: Strengthening the Risk Net
7 Discussion Time and Case Study
1 Introduction

If you can't explain it simply, you don't understand it well enough.
Albert Einstein
1 Introduction (cont.)

I am convinced that a simple profit-seeking business will never thrive, but a business that contributes to its society and country will be forever profitable.
Shojiro Ishibashi, Founder

The essence of sustainability
60 years before the first King report, Bridgestone was promoting principles of good governance (even though the term did not yet exist).
1 Introduction (cont.)

The World of Assurance and Good Governance
In the past 20 years, we have seen a fundamental change in the role of business in society. This is particularly meaningful in the context of a new South Africa.

King I (1994)
• Introduced the concept of good governance
• Focused on the role of the Board
• Recommended Affirmative Action

King II (2002)
• Promoted the roles of Internal Audit and Risk Management
• Stressed the importance of sound financial reporting
• Recommended “non-financial reporting”

King III (2009)
• Promoted the roles of Internal Audit and Risk Management further
• Recommended Integrated Sustainability Reporting
• Introduced the concept of Combined Assurance

King IV (20??)
• Will take the concept of Combined Assurance further...
1 Introduction (cont.)

The World of Assurance and Good Governance (cont.)

What has changed?
Aspect | Western Capitalism | A New Compassionate Capitalism
Time horizon | Short-term focus | Considers short, medium and long-term
Value Creation | Returns to Shareholders | Value for Stakeholders
Mission | Profit motive above all else | Concern for people, planet, and profit
Annual Reporting | Financial Reporting | Integrated Sustainability Reporting

Who’s involved?
Internal Audit, Risk, Forensics, Transformation, Governance, Secretarial, Legal, Insurance, Compliance, CSR, SQE, Security
1 Introduction (cont.)

Why Combined Assurance?
It started with the King Report on Governance (King III):
The audit committee should ensure that a combined assurance model is applied to provide a co-ordinated approach to all assurance activities.

Potential Benefits
• Focus on key risks
• Identify gaps
• Reduce operational disruptions
• Track remedial actions
• Improve reporting to the Board
• Support Integrated Report
1 Introduction (cont.)

Combined Assurance means better Risk Management and better Governance*
* but only if we want it to...
2 Obtaining a Multi-dimensional View of Risk

Ask yourself the following:
• Do we know what our risks are?
• Do we really know what our risks are?
• What are our biggest risks, and how do we measure them?
• How do we get our assurance?
• Who are we really relying on?
• If we know our risks, why do bad things still happen?
• Do we just tick the boxes?
(Think about Enron. ABIL. Are they that different to us?)
2 Obtaining a Multi-dimensional View of Risk (cont.)

How we do it at Bridgestone South Africa
The Risk Profile is built from three inputs: Risk Forum & Internal Audit, Incident Reports, and Global Risks.
• Incorporate global risks and classification systems
• Learn from local and global incidents, accidents and disasters
• Lead risk forum and conduct interviews (cross-functional team)
• Incorporate internal audit experience
• Consider other methods (PESTEL, SWOT, etc.)
• Leverage data analytics (planned)
2 Obtaining a Multi-dimensional View of Risk (cont.)

Elements of our Risk Framework
RISK FRAMEWORK
• POLICIES AND STANDARDS: Appetite, Tolerance, Capacity, Risk Criteria, Classification
• RISK MANAGEMENT (NORMAL CONDITIONS): All Risk Categories, COSO ERM, Risk Register
• INCIDENT REPORTING: Incidents, Accidents, Emergencies
• BUSINESS CONTINUITY MANAGEMENT and CRISIS MANAGEMENT: Emergency Planning, Task Force Establishment
2 Obtaining a Multi-dimensional View of Risk (cont.)

Categories of our Top 10 Risks
Category | Qty
Regulatory Compliance | 2
Emergency Planning | 1
Transformation | 2
Operations | 1
Quality | 3
Ethics | 1

Our first financial risk is at #17 (Bad Debt), so then:
• Is Internal Audit really risk-based?
• Who is giving us the real assurance?
It cannot be the traditional world of financial audit.
(And it doesn’t help to get assurance on the wrong risks!)
2 Obtaining a Multi-dimensional View of Risk (cont.)

Establishing your Strategic Position (where do you fit in?)
Supply Chain [CORE]: Planning, Purchasing, Production, Logistics, Sales, Marketing
Administrative [SUPPORT]: Finance, HR, IT, SQE, Internal Audit, Compliance
Across both: Corporate Social Responsibility (CSR), Enterprise Risk Management (ERM)
2 Obtaining a Multi-dimensional View of Risk (cont.)

What are we trying to achieve?

22 CSR Focus Points
Fundamental CSR Activities
• Stable Profits
• Compliance
• Business Continuity
• Stakeholder Communication
CSR through Business Activities
• Quality Products and Services
• Technological Innovation
• Customer Research
• Fair Business Practice
• Fair and CSR Procurement
• Timely Disclosure
CSR through Environmental Activities
• Conservation through Products
• Conservation through Supply Chain
• Social Activities
CSR from a Social Standpoint
• Job Satisfaction
• Workplace Safety
• Diversity
• Human Rights
• Social Activities and Volunteering

Global Reporting Initiative (GRI) Requirements
Economic Impact
• Financial Results (for shareholders)
• Impact on other Stakeholders
  - Staff compensation
  - Employee benefits
  - Community investments
  - Donations
  - Returns to providers of capital
  - Tax paid
  - Local procurement
  - Local recruitment
  - Infrastructure development
Environmental Impact (materials, energy, water, etc.)
Social Impact
• Labour Practices
• Human Rights
• Society
• Product Responsibility
2 Obtaining a Multi-dimensional View of Risk (cont.)

What do we care about?
The way we look at value has changed. And new accounting standards reflect this.
[For accounting value to reflect economic value, goodwill must be stated at Fair Market Value (IFRS)]

Value Perspective | Definition | Time Frame
Economic | NPV (Expected Future Income Flows) | Future
Accounting | Assets – Liabilities | Past

Now accountants have to look to the future to establish value.
And internal auditors have to look to the future to establish risk.
Yet neither has a crystal ball...
2 Obtaining a Multi-dimensional View of Risk (cont.)

Value theory of Risk
Risk: Anything that can destroy Value (or potential value)
Assurance: Activities undertaken to protect Value
Combined Assurance: Co-ordinating of activities to protect Value
Or
Integrating and aligning assurance processes in a company to maximise risk and governance oversight and control efficiencies, and optimise overall assurance to the audit and risk committee, considering the company’s risk appetite. (King III)
Or
“Internal due diligence on an ongoing basis” (IRMSA)
2 Obtaining a Multi-dimensional View of Risk (cont.)

It takes a King to Govern
One of the best Governance Codes in the World, and yet...
2 Obtaining a Multi-dimensional View of Risk (cont.)

Corruption Perceptions Index 2013
South Africa’s biggest risk! [IRMSA Risk Report 2015]
P.S. What’s Botswana got that we haven’t?
2 Obtaining a Multi-dimensional View of Risk (cont.)

Another definition of Risk
Any obstacle to getting what we want
If you’re not thinking CSR, you’re not thinking risk
2 Obtaining a Multi-dimensional View of Risk (cont.)

Know your Universe
• HR: IR, Pay, Morale, Skills
• Legal: Compliance, Ethics, Contracts
• Security: Assets, Visitors, Crime, Staff
• Finance: Reporting, Fraud, Liquidity, Treasury, Tax
• IT: DRP, Data, Systems, Software
• Wellness: Hygiene, Disease
• Disaster: Nature, Fatality, Safety
• Quality: Product, Service, Environment
• Business: Economy, Supplier, Production, Planning, Market
2 Obtaining a Multi-dimensional View of Risk (cont.)

Develop some detail (but don’t get lost in it)
# 1 | Broad Risk Category: Human Capital | Key Person: Jane
Sub-category | Risk # | Risk Name
Skills Maintenance | 30 | Skills Shortage
Industrial Relations | - | Unfair Dismissal
Labour Market Activity | 23 | Labour Unrest
Compensation Framework | 29 | Staff Compensation
Employee Relations | - | Employee Scandal
Employee Relations | 47 | Family Relationships
Recruitment | 45 | Fraudulent Applications
Staff Morale | 14 | Restructuring
Staff Morale | - | Division of Labour
2 Obtaining a Multi-dimensional View of Risk (cont.)

Document thoroughly [extract from risk register]
P.S. What’s missing? Causes or contributing factors (there should be a control for every cause)

Register columns: 2014 Rank; Risk #; Date; Risk Name; Risk Description; Map to CSR Objective; BSJ Risk Category; COSO Risk Category; Likelihood (Pre-control); Impact (Pre-control); Inherent Risk; Existing Controls and/or Mitigation Measures; Likelihood (Post-control); Impact (Post-control); Residual Risk; Risk Response; Action Plan; Action by date; Person Responsible; Risk Owner; BCP Indicator; Progress to Plan / Follow-up Status

2014 Rank 1, Risk # 001 (26-Nov-13): Non-compliance with Competitions Act
  Risk Description: A violation of the Competitions Act results in severe penalties (i.r.o. price fixing, market allocation, resale price maintenance, market power, collusion, etc.)
  Map to CSR Objective: 1, 2, 8
  BSJ Risk Category: 03 Legal
  COSO Risk Category: Compliance
  Likelihood / Impact (Pre-control): 4 / 5; Inherent Risk: IV
  Existing Controls and/or Mitigation Measures: Competition Compliance Training Manual (on Intranet)
  Likelihood / Impact (Post-control): 3 / 5; Residual Risk: IV
  Risk Response: Reduce
  Action Plan:
  - Policy on anti-cartel activity (in-progress per BSJ instruction)
  - On-line compliance training
  Action by date: 31-12-2013
  Person Responsible: RS
  Risk Owner: Legal
  BCP Indicator: No
  Progress to Plan / Follow-up Status:
  - Policy approved by the Board (Dec 2013)
  - Compliance Training rolled out to sales and marketing staff (Sep 2014)

2014 Rank 2, Risk # 002 (26-Nov-13): Terrorism or related catastrophe
  Risk Description: An unforeseen act of terrorism or sabotage has a profound effect on the business
  Map to CSR Objective: 1, 3, 17
  BSJ Risk Category: 07 Disaster
  COSO Risk Category: Strategic
  Likelihood / Impact (Pre-control): 1 / 5; Inherent Risk: IV
  Existing Controls and/or Mitigation Measures:
  - Security on site
  - Risk Control Policy
  - Emergency Planning and Procedures (BSAF Plants)
  - SASRIA cover is in place for Max T against terrorism provided it is politically motivated (NASRIA in Namibia)
  Likelihood / Impact (Post-control): 1 / 5; Residual Risk: IV
  Risk Response: TBD
  Action Plan:
  - Enhance and/or standardise contingency planning systems and procedures (at group level), giving special consideration to second-round effects (beyond initial financial impacts)
  - Consider outsourcing the management of catastrophes
  Action by date: TBD
  Person Responsible: CT
  Risk Owner: CSR/SQE
  BCP Indicator: Yes
  Progress to Plan / Follow-up Status: Note: Terrorist threat exists in Mozambique, but no SASRIA cover equivalent there
3 Your Key Role Players in Combined Assurance

Who are we relying on?
From the point of view of a multi-national...
Internal (Local): Operating Management; Group Audit and Risk; Legal / Secretarial; CSR / SQE; Human Resources; Finance; Information Technology; Technical
Group-Global: J-SOX Auditors; TQM Auditors; Internal Auditing; Business Continuity
External: External Audit; Corporate Lawyers; Consulting Engineers; Insurers; B-BBEE Verification Agency; ISO Certification; Labour Relations Consultants; OEM Auditors (e.g. BMW); Fire Protection Inspectors; Safety Inspectors; Forensic Consultants
3 Your Key Role Players in Combined Assurance (cont.)

Should we be relying on them?
• Internal Assurers: Highly Skilled, but not Independent
• Group-Global: Skilled and Independent, but limited Local Knowledge
• External Assurers: Skilled, Relatively Independent, and Accredited, but Costly
3 Your Key Role Players in Combined Assurance (cont.)

Special Case: J-SOX (Mutual Assurance)
The Group CEO (Global) performs a group assessment based on internal control
confirmation statements submitted by each group company, and submits an
internal control statement based on the assessment results to the Prime Minister
of Japan. Each Group Company conducts their own control self-assessment.
Assurance is provided on the following control types:
• Entity Level Controls
• Financial Closing and Reporting Controls
• Business Process Controls
• IT General Controls
BSJ places reliance on our self-assessment.
We place reliance on their independent validation.
3 Your Key Role Players in Combined Assurance (cont.)

And for JSE-Listed Companies...
• Who gives you assurance on your integrated report?
• Are traditional auditors the right people?
• Do they have the right credentials?
• Is the report really integrated?
• Do we create value over time...?
On the other hand...
• Is independent assurance even possible?
• Are we taking assurance too far?
• Should we stop with Internal Audit?
• You cannot guarantee sustainability [King III vs JSE]
4 How many Lines of Defense are Enough?

According to the IIA…

4 How many Lines of Defense are Enough? (cont.)

In other words...
• Line 1: Risk and Control Owners [Management]
• Line 2: Risk Management Process Owners [e.g. Risk Management / Risk Forum]
• Line 3: Assurance Providers on Risk Management Process [Internal Audit]
• Line 4: External Assurance Providers and Consultants
• Line 5: Board Sub-committees
5 Mapping Assurance Providers to Risks, Controls, and Objectives

Developing a Model (According to IRMSA)
1. Create Awareness
   • Define what it is
   • Explain the benefits
2. Identify a Champion
   • Chief Internal Auditor
   • Chief Risk Officer
3. Develop an Assurance Strategy
   • Identify business objectives and risks that affect their attainment
   • Prioritise risks
4. Identify and Involve Assurance Providers
   • Secure commitment
   • Especially Internal Audit
5. Map Risks to Assurance Providers
   • Describe assurance mission of each provider
   • Draft assurance activities to be undertaken and frequency
6. Decide on Optimum Model
   • Design blueprint
   • Build infrastructure (risk methodology)
5 Mapping Assurance Providers to Risks, Controls, and Objectives

Getting Started (getting a broad overview)
Business Process | Internal Assurance Provider | Output | External Assurance Provider | Output

Economic / Financial
Economic Value Added | - | - | External Audit | Value Added Report
Financial Results | - | - | External Audit | External Audit Report

Safety, Health, Environment & Quality
Legal Safety Compliance | CSR / SHEQ Department | Inspection Reports | Consultants (BSMP) | Audit / Inspection Report
Safety Systems | CSR / SHEQ Department | Inspection Reports | DQS GmbH (BSAF) | OHSAS18001:2007 Certification
Environmental Standards | CSR / SHEQ Department | Inspection Reports | DQS GmbH (BSAF) | ISO14001:2004 Certification
Quality Systems | CSR / SHEQ Department | Inspection Reports | DQS GmbH (BSAF) | ISO9001:2008 and TS16949:2009 Certification

Empowerment
B-BBEE Credentials | - | - | Service Provider | B-BBEE Scorecard

Human Resources
Employee Satisfaction | To be confirmed | Employee Satisfaction Survey | - | -

Risk, Control and Governance
Internal Control Environment | Group Audit and Risk | Internal Audit Report to the Board | - | -
Risk Management Process | Group Audit and Risk | Internal Audit Report to the Board | - | -
Governance / King III | Group Audit and Risk | Governance Assessment Report | To be confirmed | Independent Statement
Sustainability Reporting | CSR / SHEQ Department | CSR Report | External Audit | Independent Assurance Report
5 Mapping Assurance Providers to Risks, Controls, and Objectives

Mapping by Risk
The risk register columns (2014 Rank through Progress to Plan / Follow-up Status) are extended with: Supporting Process; 1st Line Assurance; 2nd Line Assurance; 3rd Line Assurance; External Assurance; Assurance Gap

2014 Rank 1, Risk # 001 (26-Nov-13): Non-compliance with Competitions Act
  Risk Description: A violation of the Competitions Act results in severe penalties (i.r.o. price fixing, market allocation, resale price maintenance, market power, collusion, etc.)
  Map to CSR Objective: 1, 2, 8
  BSJ Risk Category: 03 Legal
  COSO Risk Category: Compliance
  Likelihood / Impact (Pre-control): 4 / 5; Inherent Risk: IV
  Existing Controls and/or Mitigation Measures: Competition Compliance Training Manual (on Intranet)
  Likelihood / Impact (Post-control): 3 / 5; Residual Risk: IV
  Risk Response: Reduce
  Action Plan:
  - Policy on anti-cartel activity (in-progress per BSJ instruction)
  - On-line compliance training
  Action by date: 31-12-2013
  Person Responsible: RS
  Risk Owner: Legal
  BCP Indicator: No
  Progress to Plan / Follow-up Status:
  - Policy approved by the Board (Dec 2013)
  - Compliance Training rolled out to sales and marketing staff (Sep 2014)
  Supporting Process: Compliance Training
  1st Line Assurance: Operating Management (Sales and Marketing)
  2nd Line Assurance: Legal / Secretarial
  3rd Line Assurance: Internal Audit
  External Assurance: Corporate Lawyers
  Assurance Gap: Legal Compliance Audit (A - Z)

2014 Rank 6, Risk # 005 (26-Nov-13): Product Recall
  Risk Description: Product failures result in recalls that cause reputational damage
  Map to CSR Objective: 1, 5
  BSJ Risk Category: 09 Quality
  COSO Risk Category: Strategic
  Likelihood / Impact (Pre-control): 4 / 5; Inherent Risk: IV
  Existing Controls and/or Mitigation Measures:
  - QA testing, manufacturing quality gates, QTR procedures
  - QS Procedure (Correct, updated testing procedures should be followed at all times; suspect tyres not released)
  - ISO9001
  - Extension under liability policy
  Likelihood / Impact (Post-control): 2 / 4; Residual Risk: III
  Risk Response: Accept
  Action Plan: F Qualification audit at Brits (BSJ) [Quality Process Audit]
  Action by date: Ongoing
  Person Responsible: PW
  Risk Owner: Quality
  BCP Indicator: Yes
  Progress to Plan / Follow-up Status: Audit completed; IIP for corrective actions in progress
  Supporting Process: Quality Control
  1st Line Assurance: Operating Management (Plant)
  2nd Line Assurance: CSR / SQE
  3rd Line Assurance: -
  External Assurance: DQS (ISO9001 and TS16949); TQM Auditors (BSJ)
  Assurance Gap: Quality Auditor / Inspector or CQO

• Select high residual risks and high inherent risks
• Consider low level risks for overkill
5 Mapping Assurance Providers to Risks, Controls, and Objectives

A Different Perspective (public sector template)
6 Gap Analysis: Strengthening the Risk Net

An ongoing process:
• Assess the extent of Risk Coverage
• Assess Assurance Providers
  - Credentials
  - Methodologies
  - Independence
  - Business Knowledge
  - Cost
• Identify Assurance Gaps
  - Compare actual with desired levels: gaps in coverage, and gaps in assurance provider capability
• Identify Assurance Overkill
  - Low level risks
  - Misunderstood risks
  - Duplication of effort
• Compile Remedial Action Plan
• Report to Governing Body
• Track Actions against Plan
• Monitor, Update and Improve
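The "compare actual with desired levels" step, and the "select high risks, consider low-level risks for overkill" rule from the mapping slide, as an added example (not code from the presentation or from Bridgestone): each risk carries the inherent and residual ratings used on the register (I to IV) and the provider at each line of assurance; the desired lines per rating, the RiskMapping/assess/gap_report names and the third, low-level sample risk are assumptions made for the example, and only coverage gaps (a missing line), not provider-capability gaps, are checked.

```python
"""Assurance gap and overkill check over a combined-assurance risk map."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Rating scale as used on the register: I (lowest) .. IV (highest)
RATING_ORDER = {"I": 1, "II": 2, "III": 3, "IV": 4}

# Lines of assurance in the order used on the mapping slide
LINE_ORDER = ["1st", "2nd", "3rd", "External"]

# Assumption (not from the presentation): the lines of assurance a risk of a
# given rating should have. Tune these to your own risk appetite.
DESIRED_LINES = {
    "I": {"1st"},
    "II": {"1st", "2nd"},
    "III": {"1st", "2nd", "3rd"},
    "IV": {"1st", "2nd", "3rd", "External"},
}


@dataclass
class RiskMapping:
    risk_id: str
    name: str
    inherent: str                         # pre-control rating, I..IV
    residual: str                         # post-control rating, I..IV
    providers: Dict[str, Optional[str]]   # line -> provider, None = nobody

    def covered_lines(self) -> set:
        return {line for line, prov in self.providers.items() if prov}


def assess(risk: RiskMapping) -> dict:
    """Compare actual with desired levels of assurance for one risk."""
    # Assurance needs follow the worse of the two ratings: a risk whose
    # controls bring it down from IV to III still needs someone to confirm
    # that those controls actually work.
    worst = max(risk.inherent, risk.residual, key=RATING_ORDER.__getitem__)
    desired = DESIRED_LINES[worst]
    actual = risk.covered_lines()
    gaps = [ln for ln in LINE_ORDER if ln in desired and ln not in actual]
    # Overkill is only considered for low-level risks (inherent I or II),
    # as the slide suggests; a high inherent risk is never "over-assured".
    overkill: List[str] = []
    if RATING_ORDER[risk.inherent] <= 2:
        overkill = [ln for ln in LINE_ORDER if ln in actual and ln not in desired]
    return {"risk_id": risk.risk_id, "name": risk.name, "rating": worst,
            "gaps": gaps, "overkill": overkill}


def gap_report(register: List[RiskMapping]) -> List[dict]:
    """Every risk with a gap or overkill, highest rating first."""
    findings = [a for a in map(assess, register) if a["gaps"] or a["overkill"]]
    return sorted(findings, key=lambda a: -RATING_ORDER[a["rating"]])


# Constructed sample register: the first two rows follow the two risks on the
# mapping slide; the third is made up to show overkill on a low-level risk.
SAMPLE_REGISTER = [
    RiskMapping("001", "Non-compliance with Competitions Act", "IV", "IV", {
        "1st": "Operating Management (Sales and Marketing)",
        "2nd": "Legal / Secretarial",
        "3rd": "Internal Audit",
        "External": "Corporate Lawyers",
    }),
    RiskMapping("005", "Product Recall", "IV", "III", {
        "1st": "Operating Management (Plant)",
        "2nd": "CSR / SQE",
        "3rd": None,
        "External": "DQS (ISO9001 and TS16949); TQM Auditors (BSJ)",
    }),
    RiskMapping("X01", "Stationery overspend (constructed)", "II", "I", {
        "1st": "Operating Management",
        "2nd": "Finance",
        "3rd": "Internal Audit",
        "External": "External Audit",
    }),
]

if __name__ == "__main__":
    for finding in gap_report(SAMPLE_REGISTER):
        print(f"[{finding['rating']}] {finding['risk_id']} {finding['name']}: "
              f"gaps={finding['gaps']} overkill={finding['overkill']}")
```

On the sample register the Product Recall row is reported for a missing 3rd line of assurance, which matches the gap the slide itself records for that risk, while the constructed low-level risk is reported for overkill.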
7 Discussion Time and Case Study

Food for Thought
The world changes in strange and unpredictable ways. Not one of the great political or economic shifts of the past 100 years was predicted with any degree of accuracy. Examples stretch from the end of the Cold War to the global financial crisis. Remember that in 1985 PW Botha warned that he would not lead white South Africa down the path of “abdication and suicide”. Ten years later Nelson Mandela celebrated his first anniversary in the Union Buildings. Most recently American officials have admitted that they did not see ISIS coming.
Therefore resist the temptation to use short-term current trends to come to fixed conclusions about (the) future – history suggests that your initial conclusions may be very wrong.
Frans Cronje, CEO: Institute of Race Relations
Quoted with permission
7 Discussion Time and Case Study (cont.)

Questions, Comments, Ideas?
7 Discussion Time and Case Study (cont.)

Case Study: African Bank
• Record Loss: “needed 8.5 billion rand to survive”
• Seven of the eleven directors had no previous banking experience
• Share price plummeted more than 95%
• Made loans at annual interest rates as high as 60%
• “…didn’t provide enough for bad debts” – Sanlam
• Ripple effects: Moody’s lowered credit ratings on the four largest banks
• Could even bring SA closer to a ratings downgrade – Standard Bank
• Sunday Times Front Page: “F*** the poor” – Chief Risk Officer
• Charming CEO + Weak Chairman → No balance of power
Sources: BusinessReport and Sunday Times
7 Discussion Time and Case Study (cont.)

Case Study: African Bank (cont.)
What the company said…

ABIL Risk Management strategy is to embed a risk culture and support business units within the group
- Accountability – Risk Report financial year ended 30 September 2013

The audit Committee must ensure that the combined assurance received is appropriate to address the significant risks facing the company. The combined assurance model consists of management, the Risk committee, internal assurance providers i.e. finance, internal audit, risk and external assurance providers i.e. external auditors. The Audit committee must monitor the relationship between the external assurance providers and the company.
- Group Audit Committee Charter of ABIL and Group Subsidiaries
7 Discussion Time and Case Study (cont.)

SO WHERE WERE THEY?

Thank You
How to Build an Enterprise Risk Management Framework
 
Bcu msc cg week 4 risk management
Bcu msc cg week 4 risk managementBcu msc cg week 4 risk management
Bcu msc cg week 4 risk management
 

2015 IA Presentation_G Fisher_V2.1

• 1. Demystifying Combined Assurance
Creating a Well-rounded Risk Profile to Assess the Adequacy of your Assurance Coverage
Grant Fisher, General Manager: Group Audit and Risk Management, Bridgestone South Africa
5 March 2015

• 2. Outline
1 Introduction
2 Obtaining a Multi-dimensional View of Risk
3 Your Key Role Players in Combined Assurance
4 How Many Lines of Defense are Enough?
5 Mapping Assurance Providers to Risks, Controls, and Objectives
6 Gap Analysis: Strengthening the Risk Net
7 Discussion Time and Case Study

• 3. 1 Introduction
"If you can't explain it simply, you don't understand it well enough." Albert Einstein
Read more at http://www.brainyquote.com/quotes/quotes/a/alberteins383803.html#kzhdHCJcMuFL7BS1.99

• 4. 1 Introduction (cont.)
"I am convinced that a simple profit-seeking business will never thrive, but a business that contributes to its society and country will be forever profitable." Shojiro Ishibashi, Founder
The essence of sustainability: 60 years before the first King report, Bridgestone was promoting principles of good governance (even though the term did not yet exist).

• 5. 1 Introduction (cont.)
The World of Assurance and Good Governance
In the past 20 years, we have seen a fundamental change in the role of business in society. This is particularly meaningful in the context of a new South Africa.
King I (1994)
• Introduced the concept of good governance
• Focused on the role of the Board
• Recommended Affirmative Action
King II (2002)
• Promoted the roles of Internal Audit and Risk Management
• Stressed the importance of sound financial reporting
• Recommended "non-financial reporting"
King III (2009)
• Promoted the roles of Internal Audit and Risk Management further
• Recommended Integrated Sustainability Reporting
• Introduced the concept of Combined Assurance
King IV (20??)
• Will take the concept of Combined Assurance further...

• 6. 1 Introduction (cont.)
The World of Assurance and Good Governance (cont.): What has changed? Who's involved?
Aspect | Western Capitalism | A New Compassionate Capitalism
Time horizon | Short-term focus | Considers short, medium and long-term
Value Creation | Returns to Shareholders | Value for Stakeholders
Mission | Profit motive above all else | Concern for people, planet, and profit
Annual Reporting | Financial Reporting | Integrated Sustainability Reporting
Functions involved: Internal Audit, Risk, Forensics, Transformation, Governance, Secretarial, Legal, Insurance, Compliance, CSR, SQE, Security

• 7. 1 Introduction (cont.)
Why Combined Assurance? It started with the King Report on Governance (King III): "The audit committee should ensure that a combined assurance model is applied to provide a co-ordinated approach to all assurance activities."
Potential Benefits
• Focus on key risks
• Identify gaps
• Reduce operational disruptions
• Track remedial actions
• Improve reporting to the Board
• Support Integrated Report

• 8. 1 Introduction (cont.)
Combined Assurance means better Risk Management and better Governance* (* but only if we want it to...)
Pictures from www.edf.az and www.mypharmacare.ca
• 9. 2 Obtaining a Multi-dimensional View of Risk
Ask yourself the following:
• Do we know what our risks are?
• Do we really know what our risks are?
• What are our biggest risks, and how do we measure them?
• How do we get our assurance?
• Who are we really relying on?
• If we know our risks, why do bad things still happen?
• Do we just tick the boxes? (Think about Enron. ABIL. Are they that different to us?)
http://jeffreyhill.typepad.com/english/2009/03/cartoon-fiddling-while-rome-burns.html

• 10. 2 Obtaining a Multi-dimensional View of Risk (cont.)
How we do it at Bridgestone South Africa: the Risk Profile draws on the Risk Forum & Internal Audit, Incident Reports and Global Risks.
• Incorporate global risks and classification systems
• Learn from local and global incidents, accidents and disasters
• Lead risk forum and conduct interviews (cross-functional team)
• Incorporate internal audit experience
• Consider other methods (PESTEL, SWOT, etc.)
• Leverage data analytics (planned)

• 11. 2 Obtaining a Multi-dimensional View of Risk (cont.)
Elements of our Risk Framework: Policies and Standards; Risk Management (Normal Conditions); Business Continuity Management; Incident Reporting; Crisis Management.
Supporting elements listed on the slide:
• Appetite
• Tolerance
• Capacity
• Risk Criteria
• Classification
• All Risk Categories
• Incidents
• Accidents
• Emergencies
• Emergency Planning
• Task Force Establishment
• COSO ERM
• Risk Register

• 12. 2 Obtaining a Multi-dimensional View of Risk (cont.)
Categories of our Top 10 Risks
Category | Qty
Regulatory Compliance | 2
Emergency Planning | 1
Transformation | 2
Operations | 1
Quality | 3
Ethics | 1
Our first financial risk is at #17 (Bad Debt), so then:
• Is Internal Audit really risk-based?
• Who is giving us the real assurance? It cannot be the traditional world of financial audit. (And it doesn't help to get assurance on the wrong risks!)

• 13. 2 Obtaining a Multi-dimensional View of Risk (cont.)
Establishing your Strategic Position (where do you fit in?)
Supply Chain [CORE]: Planning, Purchasing, Production, Logistics, Sales, Marketing
Administrative [SUPPORT]: Finance, HR, IT
Corporate Social Responsibility (CSR), Enterprise Risk Management (ERM), SQE, Internal Audit, Compliance

• 14. 2 Obtaining a Multi-dimensional View of Risk (cont.)
What are we trying to achieve? 22 CSR Focus Points mapped to Global Reporting Initiative (GRI) Requirements
Fundamental CSR Activities
• Stable Profits
• Compliance
• Business Continuity
• Stakeholder Communication
Economic Impact
• Financial Results (for shareholders)
• Impact on other Stakeholders
- Staff compensation
- Employee benefits
- Community investments
- Donations
- Returns to providers of capital
- Tax paid
- Local procurement
- Local recruitment
- Infrastructure development
CSR through Business Activities
• Quality Products and Services
• Technological Innovation
• Customer Research
• Fair Business Practice
• Fair and CSR Procurement
• Timely Disclosure
CSR through Environmental Activities
• Conservation through Products
• Conservation through Supply Chain
• Social Activities
Environmental Impact (materials, energy, water, etc.)
CSR from a Social Standpoint
• Job Satisfaction
• Workplace Safety
• Diversity
• Human Rights
• Social Activities and Volunteering
Social Impact
• Labour Practices
• Human Rights
• Society
• Product Responsibility

• 15. 2 Obtaining a Multi-dimensional View of Risk (cont.)
What do we care about? The way we look at value has changed, and new accounting standards reflect this. [For accounting value to reflect economic value, goodwill must be stated at Fair Market Value (IFRS)]
Value Perspective | Definition | Time Frame
Economic | NPV (Expected Future Income Flows) | Future
Accounting | Assets – Liabilities | Past
Now accountants have to look to the future to establish value, and internal auditors have to look to the future to establish risk. Yet neither has a crystal ball...
Picture from www.wired.com

• 16. 2 Obtaining a Multi-dimensional View of Risk (cont.)
Value theory of Risk
• Anything that can destroy Value (or potential value)
• Activities undertaken to protect Value
• Co-ordinating of activities to protect Value
Or: "Integrating and aligning assurance processes in a company to maximise risk and governance oversight and control efficiencies, and optimise overall assurance to the audit and risk committee, considering the company's risk appetite." (King III)
Or: "Internal due diligence on an ongoing basis" (IRMSA)

• 17. 2 Obtaining a Multi-dimensional View of Risk (cont.)
It takes a King to Govern: one of the best Governance Codes in the World, and yet...

• 18. 2 Obtaining a Multi-dimensional View of Risk (cont.)
Corruption Perceptions Index 2013: South Africa's biggest risk! [IRMSA Risk Report 2015]
P.S. What's Botswana got that we haven't?

• 19. 2 Obtaining a Multi-dimensional View of Risk (cont.)
Another definition of Risk: any obstacle to getting what we want.
If you're not thinking CSR, you're not thinking risk.

• 20. 2 Obtaining a Multi-dimensional View of Risk (cont.)
Know your Universe
• HR: IR, Pay, Morale, Skills
• Legal: Compliance, Ethics, Contracts
• Security: Assets, Visitors, Crime, Staff
• Finance: Reporting, Fraud, Liquidity, Treasury, Tax
• IT: DRP, Data, Systems, Software
• Wellness: Hygiene, Disease
• Disaster: Nature, Fatality, Safety
• Quality: Product, Service, Environment
• Business: Economy, Supplier, Production, Planning, Market
• 21. 2 Obtaining a Multi-dimensional View of Risk (cont.)
Develop some detail (but don't get lost in it)
# | Broad Risk Category | Sub-category | Risk # | Risk Name | Key Person
1 | Human Capital | Skills Maintenance | 30 | Skills Shortage | Jane
| | Industrial Relations | - | Unfair Dismissal |
| | Labour Market Activity | 23 | Labour Unrest |
| | Compensation Framework | 29 | Staff Compensation |
| | Employee Relations | - | Employee Scandal |
| | | 47 | Family Relationships |
| | Recruitment | 45 | Fraudulent Applications |
| | Staff Morale | 14 | Restructuring |
| | | - | Division of Labour |

• 22. 2 Obtaining a Multi-dimensional View of Risk (cont.)
Document thoroughly [extract from risk register]
P.S. What's missing? Causes or contributing factors (there should be a control for every cause)
Register columns: 2014 Rank; Risk #; Date; Risk Name; Risk Description; Map to CSR Objective; BSJ Risk Category; COSO Risk Category; Likelihood (Pre-control); Impact (Pre-control); Inherent Risk; Existing Controls and/or Mitigation Measures; Likelihood (Post-control); Impact (Post-control); Residual Risk; Risk Response; Action Plan; Action by date; Person Responsible; Risk Owner; BCP Indicator; Progress to Plan / Follow-up Status.
Row 1 (Risk 001, 26-Nov-13): Non-compliance with Competitions Act
• Risk Description: A violation of the Competitions Act results in severe penalties (i.r.o. price fixing, market allocation, resale price maintenance, market power, collusion, etc.)
• Map to CSR Objective: 1 2 8; BSJ Risk Category: 03 Legal; COSO Risk Category: Compliance
• Pre-control Likelihood 4, Impact 5, Inherent Risk IV
• Existing Controls: Competition Compliance Training Manual (on Intranet)
• Post-control Likelihood 3, Impact 5, Residual Risk IV; Risk Response: Reduce
• Action Plan: Policy on anti-cartel activity (in-progress per BSJ instruction); On-line compliance training
• Action by date 31-12-2013; Person Responsible RS; Risk Owner Legal; BCP Indicator No
• Progress: Policy approved by the Board (Dec 2013); Compliance Training rolled out to sales and marketing staff (Sep 2014)
Row 2 (Risk 002, 26-Nov-13): Terrorism or related catastrophe
• Risk Description: An unforeseen act of terrorism or sabotage has a profound effect on the business
• Map to CSR Objective: 1 3 17; BSJ Risk Category: 07 Disaster; COSO Risk Category: Strategic
• Pre-control Likelihood 1, Impact 5, Inherent Risk IV
• Existing Controls: Security on site; Risk Control Policy; Emergency Planning and Procedures (BSAF Plants); SASRIA cover is in place for Max T against terrorism provided it is politically motivated (NASRIA in Namibia)
• Post-control Likelihood 1, Impact 5, Residual Risk IV; Risk Response: TBD
• Action Plan: Enhance and/or standardise contingency planning systems and procedures (at group level), giving special consideration to second-round effects (beyond initial financial impacts); Consider outsourcing the management of catastrophes
• Action by date TBD; Person Responsible CT; Risk Owner CSR/SQE; BCP Indicator Yes
• Progress: Note: Terrorist threat exists in Mozambique, but no SASRIA cover equivalent there
• 23. 3 Your Key Role Players in Combined Assurance
Who are we relying on? From the point of view of a multi-national...
Internal (Local): Operating Management; Group Audit and Risk; Legal / Secretarial; CSR / SQE; Human Resources; Finance; Information Technology; Technical
Group-Global: J-SOX Auditors; TQM Auditors; Internal Auditing; Business Continuity
External: External Audit; Corporate Lawyers; Consulting Engineers; Insurers; B-BBEE Verification Agency; ISO Certification; Labour Relations Consultants; OEM Auditors (e.g. BMW); Fire Protection Inspectors; Safety Inspectors; Forensic Consultants

• 24. 3 Your Key Role Players in Combined Assurance (cont.)
Should we be relying on them?
• Internal Assurers: Highly Skilled, but not Independent
• Group-Global: Skilled and Independent, but limited Local Knowledge
• External Assurers: Skilled, Relatively Independent, and Accredited, but Costly

• 25. 3 Your Key Role Players in Combined Assurance (cont.)
Special Case: J-SOX (Mutual Assurance)
The Group CEO (Global) performs a group assessment based on internal control confirmation statements submitted by each group company, and submits an internal control statement based on the assessment results to the Prime Minister of Japan. Each Group Company conducts its own control self-assessment.
Assurance is provided on the following control types:
• Entity Level Controls
• Financial Closing and Reporting Controls
• Business Process Controls
• IT General Controls
BSJ places reliance on our self-assessment. We place reliance on their independent validation.

• 26. 3 Your Key Role Players in Combined Assurance (cont.)

• 27. 3 Your Key Role Players in Combined Assurance (cont.)
And for JSE-Listed Companies...
• Who gives you assurance on your integrated report?
• Are traditional auditors the right people?
• Do they have the right credentials?
• Is the report really integrated?
• Do we create value over time...?
On the other hand...
• Is independent assurance even possible?
• Are we taking assurance too far?
• Should we stop with Internal Audit?
• You cannot guarantee sustainability [King III vs JSE]
Picture from www.pgsadvisors.com

• 28. 4 How many Lines of Defense are Enough?
According to the IIA…

• 29. 4 How many Lines of Defense are Enough? (cont.)
In other words...
• Line 1: Risk and Control Owners [Management]
• Line 2: Risk Management Process Owners [e.g. Risk Management / Risk Forum]
• Line 3: Assurance Providers on Risk Management Process [Internal Audit]
• Line 4: External Assurance Providers and Consultants
• Line 5: Board Sub-committees
• 30. 5 Mapping Assurance Providers to Risks, Controls, and Objectives
Developing a Model (According to IRMSA)
1. Create Awareness
• Define what it is
• Explain the benefits
2. Identify a Champion
• Chief Internal Auditor
• Chief Risk Officer
3. Develop an Assurance Strategy
• Identify business objectives and risks that affect their attainment
• Prioritise risks
4. Identify and Involve Assurance Providers
• Secure commitment
• Especially Internal Audit
5. Map Risks to Assurance Providers
• Describe assurance mission of each provider
• Draft assurance activities to be undertaken and frequency
6. Decide on Optimum Model
• Design blueprint
• Build infrastructure (risk methodology)

• 31. 5 Mapping Assurance Providers to Risks, Controls, and Objectives
Getting Started (getting a broad overview)
Business Process | Internal Assurance Provider | Output | External Assurance Provider | Output
Economic / Financial
Economic Value Added | | | External Audit | Value Added Report
Financial Results | | | External Audit | External Audit Report
Safety, Health, Environment & Quality
Legal Safety Compliance | CSR / SHEQ Department | Inspection Reports | Consultants (BSMP) | Audit / Inspection Report
Safety Systems | CSR / SHEQ Department | Inspection Reports | DQS GmbH (BSAF) | OHSAS18001:2007 Certification
Environmental Standards | CSR / SHEQ Department | Inspection Reports | DQS GmbH (BSAF) | ISO14001:2004 Certification
Quality Systems | CSR / SHEQ Department | Inspection Reports | DQS GmbH (BSAF) | ISO9001:2008 and TS16949:2009 Certification
Empowerment
B-BBEE Credentials | | | Service Provider | B-BBEE Scorecard
Human Resources
Employee Satisfaction | | | To be confirmed | Employee Satisfaction Survey
Risk, Control and Governance
Internal Control Environment | Group Audit and Risk | Internal Audit Report to the Board | |
Risk Management Process | Group Audit and Risk | Internal Audit Report to the Board | |
Governance / King III | Group Audit and Risk | Governance Assessment Report | To be confirmed | Independent Statement
Sustainability Reporting
Sustainability Reporting | CSR / SHEQ Department | CSR Report | External Audit | Independent Assurance Report
• 32. 5 Mapping Assurance Providers to Risks, Controls, and Objectives
Mapping by Risk: the risk register columns from slide 22 are extended with Supporting Process; 1st Line Assurance; 2nd Line Assurance; 3rd Line Assurance; External Assurance; Assurance Gap.
Row 1 (Risk 001, 26-Nov-13): Non-compliance with Competitions Act
• Risk Description: A violation of the Competitions Act results in severe penalties (i.r.o. price fixing, market allocation, resale price maintenance, market power, collusion, etc.)
• Map to CSR Objective: 1 2 8; BSJ Risk Category: 03 Legal; COSO Risk Category: Compliance
• Pre-control Likelihood 4, Impact 5, Inherent Risk IV
• Existing Controls: Competition Compliance Training Manual (on Intranet)
• Post-control Likelihood 3, Impact 5, Residual Risk IV; Risk Response: Reduce
• Action Plan: Policy on anti-cartel activity (in-progress per BSJ instruction); On-line compliance training
• Action by date 31-12-2013; Person Responsible RS; Risk Owner Legal; BCP Indicator No
• Progress: Policy approved by the Board (Dec 2013); Compliance Training rolled out to sales and marketing staff (Sep 2014)
• Supporting Process: Compliance Training
• 1st Line Assurance: Operating Management (Sales and Marketing)
• 2nd Line Assurance: Legal / Secretarial
• 3rd Line Assurance: Internal Audit
• External Assurance: Corporate Lawyers
• Assurance Gap: Legal Compliance Audit (A - Z)
Row 6 (Risk 005, 26-Nov-13): Product Recall
• Risk Description: Product failures result in recalls that cause reputational damage
• Map to CSR Objective: 1 5; BSJ Risk Category: 09 Quality; COSO Risk Category: Strategic
• Pre-control Likelihood 4, Impact 5, Inherent Risk IV
• Existing Controls: QA testing, manufacturing quality gates, QTR procedures; QS Procedure (correct, updated testing procedures should be followed at all times; suspect tyres not released); ISO9001; Extension under liability policy
• Post-control Likelihood 2, Impact 4, Residual Risk III; Risk Response: Accept
• Action Plan: F Qualification audit at Brits (BSJ) [Quality Process Audit]
• Action by date Ongoing; Person Responsible PW; Risk Owner Quality; BCP Indicator Yes
• Progress: Audit completed; IIP for corrective actions in progress
• Supporting Process: Quality Control
• 1st Line Assurance: Operating Management (Plant)
• 2nd Line Assurance: CSR / SQE
• 3rd Line Assurance: -
• External Assurance: DQS (ISO9001 and TS16949); TQM Auditors (BSJ)
• Assurance Gap: Quality Auditor / Inspector or CQO
• Select high residual risks and high inherent risks
• Consider low level risks for overkill
• 33. 5 Mapping Assurance Providers to Risks, Controls, and Objectives
A Different Perspective (public sector template)

• 34. 6 Gap Analysis: Strengthening the Risk Net
An ongoing process:
Assess the extent of Risk Coverage
• Compare actual with desired levels
- Gaps in coverage
- Gaps in assurance provider capability
Assess Assurance Providers
• Credentials
• Methodologies
• Independence
• Business Knowledge
• Cost
Identify Assurance Gaps
Identify Assurance Overkill
• Low level risks
• Misunderstood risks
• Duplication of effort
Compile Remedial Action Plan
Report to Governing Body
Track Actions against Plan
Monitor, Update and Improve
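The "mapping by risk" columns of slide 32 and the gap / overkill steps of slide 34 can be checked mechanically once the register is in a structured form. The following is an added example, not code from the presentation or from Bridgestone: it models each risk's first, second, third and external line assurance, compares the highest line actually providing assurance against a desired level derived from the residual rating, and flags low risks that carry too many providers. The desired-level rule (DESIRED_LINE), the two constructed rows C01 and C02, and the overkill threshold are assumptions for illustration; rows 001 and 005 are taken from slide 32.

```python
"""Assurance coverage gap and overkill check over a combined-assurance risk map.

Added example, not from the presentation. The coverage rule and the rows
marked 'constructed' are assumptions, not Bridgestone's policy or data.
"""
from dataclasses import dataclass, field

# Residual/inherent risk ratings as used on the register extract: I (low) .. IV (high)
RATING = {"I": 1, "II": 2, "III": 3, "IV": 4}

# Assumption: minimum line of defence whose assurance we want for each residual rating.
# 1 = management (risk/control owners), 2 = risk/compliance function,
# 3 = internal audit, 4 = external or otherwise independent provider.
DESIRED_LINE = {"I": 1, "II": 1, "III": 2, "IV": 3}


@dataclass
class RiskRow:
    risk_id: str
    name: str
    inherent: str
    residual: str
    line1: list = field(default_factory=list)
    line2: list = field(default_factory=list)
    line3: list = field(default_factory=list)
    external: list = field(default_factory=list)

    def highest_line(self) -> int:
        """Highest line of defence that actually names a provider (0 if none)."""
        for level, providers in ((4, self.external), (3, self.line3),
                                 (2, self.line2), (1, self.line1)):
            if providers:
                return level
        return 0

    def provider_count(self) -> int:
        return len(self.line1) + len(self.line2) + len(self.line3) + len(self.external)


def assurance_gaps(register):
    """Risks whose actual assurance level falls short of the desired level.

    Returns (risk_id, name, desired_line, actual_line) tuples.
    """
    gaps = []
    for row in register:
        desired = DESIRED_LINE[row.residual]
        actual = row.highest_line()
        if actual < desired:
            gaps.append((row.risk_id, row.name, desired, actual))
    return gaps


def assurance_overkill(register, max_low_risk_providers=2):
    """Low residual risks (I/II) with more assurance providers than the threshold."""
    return [(row.risk_id, row.name, row.provider_count())
            for row in register
            if RATING[row.residual] <= 2 and row.provider_count() > max_low_risk_providers]


SAMPLE_REGISTER = [
    # Rows 001 and 005 as mapped on slide 32
    RiskRow("001", "Non-compliance with Competitions Act", "IV", "IV",
            line1=["Operating Management (Sales and Marketing)"],
            line2=["Legal / Secretarial"], line3=["Internal Audit"],
            external=["Corporate Lawyers"]),
    RiskRow("005", "Product Recall", "IV", "III",
            line1=["Operating Management (Plant)"], line2=["CSR / SQE"],
            external=["DQS (ISO9001 and TS16949)", "TQM Auditors (BSJ)"]),
    # Constructed rows: a high residual risk covered only by management,
    # and a trivial risk with four providers stacked on it
    RiskRow("C01", "Vendor remote access not periodically reviewed", "IV", "IV",
            line1=["IT Operations"]),
    RiskRow("C02", "Stationery stock-outs", "I", "I",
            line1=["Procurement"], line2=["Risk Forum"],
            line3=["Internal Audit"], external=["External Audit"]),
]

if __name__ == "__main__":
    for gap in assurance_gaps(SAMPLE_REGISTER):
        print("GAP:", gap)          # C01 wants line 3, has line 1
    for item in assurance_overkill(SAMPLE_REGISTER):
        print("OVERKILL:", item)    # C02 carries 4 providers for a rating-I risk
```

The page's own gap for Product Recall (a missing Quality Auditor / Inspector or CQO) is a provider-capability gap rather than a missing line, so a check like this complements the slide-34 "Assess Assurance Providers" step rather than replacing it.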
• 35. 7 Discussion Time and Case Study
Food for Thought
"The world changes in strange and unpredictable ways. Not one of the great political or economic shifts of the past 100 years was predicted with any degree of accuracy. Examples stretch from the end of the Cold War to the global financial crisis. Remember that in 1985 PW Botha warned that he would not lead white South Africa down the path of 'abdication and suicide'. Ten years later Nelson Mandela celebrated his first anniversary in the Union Buildings. Most recently American officials have admitted that they did not see ISIS coming. Therefore resist the temptation to use short-term current trends to come to fixed conclusions about (the) future – history suggests that your initial conclusions may be very wrong."
Frans Cronje, CEO: Institute of Race Relations (quoted with permission)

• 36. 7 Discussion Time and Case Study (cont.)
Questions? Comments? Ideas?

• 37. 7 Discussion Time and Case Study (cont.)
Case Study: African Bank
• Record Loss: "needed 8.5 billion rand to survive"
• Seven of the eleven directors had no previous banking experience
• Share price plummeted more than 95%
• Made loans at annual interest rates as high as 60%
• "…didn't provide enough for bad debts" – Sanlam
• Ripple effects: Moody's lowered credit ratings on the four largest banks
• Could even bring SA closer to a ratings downgrade – Standard Bank
• Sunday Times Front Page: "F*** the poor" – Chief Risk Officer
• Charming CEO + Weak Chairman → No balance of power
Sources: BusinessReport and Sunday Times

• 38. 7 Discussion Time and Case Study (cont.)
Case Study: African Bank (cont.)
What the company said…
"ABIL Risk Management strategy is to embed a risk culture and support business units within the group - Accountability" – Risk Report, financial year ended 30 September 2013
"The audit Committee must ensure that the combined assurance received is appropriate to address the significant risks facing the company. The combined assurance model consists of management, the Risk committee, internal assurance providers i.e. finance, internal audit, risk and external assurance providers i.e. external auditors. The Audit committee must monitor the relationship between the external assurance providers and the company." – Group Audit Committee Charter of ABIL and Group Subsidiaries

• 39. 7 Discussion Time and Case Study (cont.)
SO WHERE WERE THEY?