2. I’VE HAD THE PRIVILEGE OF LEADING RISK ASSESSMENT
ACTIVITIES WITHIN MANY GREAT ORGANIZATIONS…
…WITNESSING WHAT WORKS AND, SOMETIMES, WHAT DOESN’T
• Lenovo
• Hewlett-Packard
• Verizon
• EDS
• Johnson Controls
• BHP Billiton
• Hong Kong MTR
• Kodak
• Gap
• Caterpillar
• General Motors
• Lear
• China - State-owned Assets Supervision & Administration Commission (SASAC)
• Etc.
3. RISK ASSESSMENT - EY SURVEY RESULTS
#1 “ADJUSTMENT” – IMPROVE THE RISK ASSESSMENT PROCESS
4. RISK ASSESSMENT
WITHIN THE BROADER, AND DYNAMIC, CORPORATE GOVERNANCE CONTEXT
(Diagram, recovered as text)
KEY DRIVERS & INFLUENCES
• Shareholder expectations - institutional, individual
• Government - regulation, monitoring, support
• Financial - rating agencies, listing standards, bondholders
• Other stakeholders - employees, suppliers, customers, trade unions, special interest groups
• Other factors - competition, disruptive technology, macroeconomic events
BOARD & AUDIT COMMITTEE
EXECUTIVE MANAGEMENT
Functions: Business Unit, Finance & Accounting, Legal, Human Resources, IT, Supply Chain, Capital Projects
ESTABLISH THE CORPORATE STRATEGY - key objectives, targets, KPIs, balanced scorecard, risk appetite: define, communicate, monitor & refine
IDENTIFY & ASSESS KEY RISKS - maximum foreseeable impact, likelihood, control effectiveness: drive appropriate, responsive action; define and monitor KRIs
MONITOR & ENHANCE CONTROLS - manual, automated, prevent/detect, mitigating: document, test, remediate, transform, monitor for exceptions
ENSURE COMPLIANCE - compliance management program: track regulations, update policies, train & enable
EXAMPLES - Internal Controls over Financial Reporting (SOX); Foreign Corrupt Practices (FCPA); Payment Card Industry (PCI)
Supporting layers: ASSURANCE & MONITORING; IT SYSTEMS & DATA; REPORTING & COMMUNICATIONS
5. RISK ASSESSMENT
AN IIA PERSPECTIVE
• “Practice Advisory 2120-2 - Every organization will
experience control breakdowns. Often times when controls
fail or frauds occur, someone will ask: “Where were the
internal auditors?” The internal audit activity could be a
contributing factor due to:
– Lack of an effective risk assessment process to identify
key audit areas during the strategic risk assessment, as
well as areas of high risk during the planning of individual
audits – as a result, failure to do the right audits and/or
time wasted on the wrong audits.”
6. RISK ASSESSMENT
IF ONLY IT WERE SIMPLE
1. Identifying risks to achieving objectives requires – objectives. If a robust strategic planning
process is absent, risk assessment may take on the role of surrogate.
2. Risk assessment is often relegated to “off-cycle” periods (after planning, budgeting and
forecasting are complete), when management is available but the results are significantly
less relevant and/or impactful.
3. Risk assessment output is unreliable due to insufficient information and/or requisite
expertise, groupthink, dominant voice in the room, bias, anchoring, CYA behaviours, etc.
4. The process:
1. Promotes enterprise list management rather than enterprise risk management
2. Evokes unenthusiastic support from executive management:
“I have a business to run”… “How long will this workshop last?”
3. Produces reports and heat maps that fail to drive appropriate, responsive action(s)
5. Other challenges?
8. RISK ASSESSMENT
A TIME OF UNPRECEDENTED OPPORTUNITY
1. Boards are getting more progressive, proactive…
and nervous
2. Management desires to reduce cost and increase value
3. Internal auditors desire to get more out of life
4. Simple shifts in your risk assessment approach have the
potential to transform:
– levels of executive and board engagement
– value and relevance of outputs
– internal audit’s stature in the organization
– your relationship with the AC chair
9. 4 SIMPLE STEPS
1. Get the timing right
2. Ensure that identified risks are truly risks, and not simply the inverse of an
objective, i.e. “Failure to…”
3. Review/enhance your risk assessment criteria – to better
inform/drive responsive action
4. Produce simple, palatable risk reports - that align and
integrate with the organization’s planning and
performance management reports
10. #1 – GET THE TIMING RIGHT
• Align and integrate with:
– Planning, budgeting & forecasting cycles
– Board and executive reporting
– KPIs, key incentives
Typical: Planning → Budgeting → Forecasting → Risk Assessment
Better practice: Planning → Risk Assessment → Budgeting → Forecasting
11. #1 – GET THE TIMING RIGHT
COSO 2013 UPDATE - PRINCIPLES OF EFFECTIVE INTERNAL CONTROL
Risk Assessment component:
6. The organization specifies objectives with sufficient clarity to enable the identification and
assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity
and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of
objectives.
9. The organization identifies and assesses changes that could significantly impact the
system of internal control.
12. #1 – GET THE TIMING RIGHT
“ANCHOR” YOUR RISK ASSESSMENT
• Benefits
– Risks are more readily identified
– Greater ownership, relevance and value
– Often described by interviewees as the “risks that matter”
(Diagram: Key Risks 1 to 6 anchored to Strategic Objectives 1 to 3 and Core Operational Objectives 1 to 3)
13. #2 - ENSURE THAT IDENTIFIED RISKS -
ARE TRULY RISKS
“Risk is the possibility of an event occurring that will
have an impact on the achievement of objectives.
Risk is measured in terms of impact and likelihood.”
- Institute of Internal Auditors
Note – when most people think risk, they think
downside
14. #2 - ENSURE THAT IDENTIFIED RISKS -
ARE TRULY RISKS
“Failure to…” is not an option. And neither is, “Inability to…”
Rather, encourage respondents to identify the specific events that might trigger a failure.
Objective – Reach the moon safely, land on it, and then return to Earth.
Risk – Failure to land on the Moon. (an inverted objective, not a risk)
Risk – Oxygen tank explosion (a specific event that could trigger that failure)
15. #2 - ENSURE THAT IDENTIFIED RISKS ARE TRULY RISKS
THEN, PERHAPS OFFER A DUAL-VIEW HEAT MAP
(Dual-view heat map: horizontal axis MANAGEMENT PREPAREDNESS, Low to High; vertical axis IMPACT, Low to High. High impact with low preparedness = Remediate; high impact with high preparedness = Monitor. Plotted items are Business Objectives / Initiatives (+) and Risks (-); the objectives/initiatives are what were formerly risks beginning with “Failure to …”, “Inability to …”.)
16. #3 – ENHANCE YOUR RISK ASSESSMENT CRITERIA
A TYPICAL HEAT MAP
(Heat map: horizontal axis LIKELIHOOD, Low to High; vertical axis IMPACT (residual), Low to High; quadrants numbered 1 to 4.)
Which risks should comprise the focus of:
• Remediation
• Internal audit
• CSA
• Etc?
17. #3 – ENHANCE YOUR RISK ASSESSMENT CRITERIA
COMMON APPROACHES – AND RELATED CHALLENGES
• Inherent risk - Too abstract - the notion of all
controls failing, or not being present, is viewed
by management as an irrelevant, academic
exercise
• Residual risk - Respondents tend to be overly
generous and/or optimistic in their ratings
18. #3 – ENHANCE YOUR RISK ASSESSMENT CRITERIA
ALTERNATIVE, ACTION-FOCUSED APPROACH
(Heat map: horizontal axis CONTROL EFFECTIVENESS (or, MANAGEMENT PREPAREDNESS), Low to High; vertical axis MAXIMUM FORESEEABLE IMPACT, Low to High - “What is a plausible, worst-case scenario/impact?” Quadrants numbered 1 to 4; high impact with low control effectiveness = Remediate, high impact with high control effectiveness = Monitor. Quadrants are additionally marked as potential IA-focus or potential CSA-focus.)
19. #3 – ENHANCE YOUR RISK ASSESSMENT CRITERIA
AND ENSURE A THOROUGH, RELIABLE PROCESS
1. Identify potential risks for discussion - inputs: interviews, surveys, data analytics, subject matter specialists, external research / sector risk reports
2. Select and profile key risks - risk profile: risk description, causal factors, impacts, preventative / detective controls, mitigating controls, improvement opportunities
3. Procure - voting hardware, AV equipment, room
4. Develop - risk rating criteria, communications to workshop participants
5. Assess within a workshop setting
20. #3 – ENHANCE YOUR RISK ASSESSMENT CRITERIA
EMPLOY ANONYMOUS VOTING TECHNOLOGY, AS APPROPRIATE
• Anonymous response reduces
fear of reprisal and enhances
candour
• Enables areas of varied
perception to be identified,
explored and addressed
• Highly efficient
• Novelty enhances engagement
• Enables remote participation
(Cartoon captions: “Finally, the truth comes out”; “Can’t believe it - but I’m actually enjoying this!”)
21. #3 – ENHANCE YOUR RISK ASSESSMENT CRITERIA
BETTER INFORM YOUR ASSURANCE AND REMEDIATION STRATEGY
(Coverage matrix. Columns, one per assurance provider: External audit; Internal audit (in-house); Internal audit (co-source); Internal Control Function; General Counsel’s Office; Compliance; Control Self Assessment. Rows, one per in-scope risk; each cell records the activity that provider performs on the risk. The column positions did not survive extraction; the row contents recovered are:)
• Risk #1 - Monitor / Test
• Risk #2 - Monitor / Test; Monitor / Test; Review / remediate
• Risk #3 - GAP – NO COVERAGE
• Risk #4 - Review / remediate; Monitor / Test
• Risk #6 - Monitor / Test; Monitor / Test
• Risk #7 - Monitor / Test
• Risk #8 - Monitor / Test; Monitor / Test; Review / remediate
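As an added example (not from the presentation), the following Python script places risks on the action-focused grid of slide 18 and then checks a slide-21 style coverage map for two things a GRC engineer would script: risks with no assurance provider at all, and risks in the Remediate quadrant whose only assurance activity is Monitor / Test. The register contents, the threshold of 3 on the 1-5 scale that splits High from Low on each axis, the labels of the two low-impact quadrants and the mismatch rule are assumptions made for illustration.

```python
"""Added example, not from the presentation: score a small risk register on the
action-focused grid of slide 18 (maximum foreseeable impact vs control
effectiveness) and check the assurance map of slide 21 for gaps.
Ratings use the 1-5 scale of the appendix. The High/Low threshold (3), the
low-impact quadrant labels, the mismatch rule and the register contents are
assumptions made up for illustration."""
from dataclasses import dataclass, field

HIGH = 3  # assumption: a rating of 3 or more counts as "High" on either axis

# Assurance providers, taken from the columns of the slide-21 matrix.
PROVIDERS = (
    "External audit",
    "Internal audit (in-house)",
    "Internal audit (co-source)",
    "Internal Control Function",
    "General Counsel's Office",
    "Compliance",
    "Control Self Assessment",
)
ACTIVITIES = ("Monitor / Test", "Review / remediate")


@dataclass
class Risk:
    name: str
    max_foreseeable_impact: int   # 1 (Low) .. 5 (Catastrophic)
    control_effectiveness: int    # 1 (Low) .. 5 (High), i.e. management preparedness
    coverage: dict = field(default_factory=dict)  # provider -> activity

    def __post_init__(self):
        # Reject ratings outside the 1-5 scale and unknown providers/activities
        # so a typo in the register does not silently drop a risk off the grid.
        for label, value in (("impact", self.max_foreseeable_impact),
                             ("control effectiveness", self.control_effectiveness)):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.name}: {label} rating {value} outside 1-5")
        for provider, activity in self.coverage.items():
            if provider not in PROVIDERS or activity not in ACTIVITIES:
                raise ValueError(f"{self.name}: unknown coverage {provider!r}: {activity!r}")


def quadrant(risk: Risk) -> str:
    """Map a risk to the slide-18 grid. The two high-impact quadrants carry the
    slide's own labels; the two low-impact labels are an assumption."""
    high_impact = risk.max_foreseeable_impact >= HIGH
    strong_controls = risk.control_effectiveness >= HIGH
    if high_impact and not strong_controls:
        return "Remediate"      # plausible worst case, weak preparedness
    if high_impact and strong_controls:
        return "Monitor"        # keep verifying that the controls keep working
    if strong_controls:
        return "Low priority"   # assumption: modest impact, well controlled
    return "Enhance"            # assumption: modest impact, weak controls


def coverage_gaps(risks):
    """Names of risks with no assurance activity at all (slide 21's GAP - NO COVERAGE)."""
    return [r.name for r in risks if not r.coverage]


def action_mismatches(risks):
    """Risks the grid puts in Remediate but whose only assurance activity is
    Monitor / Test: somebody is watching, nobody owns the remediation.
    The rule is an assumption that follows the slide's intent."""
    return [r.name for r in risks
            if quadrant(r) == "Remediate"
            and r.coverage
            and "Review / remediate" not in r.coverage.values()]


def summarize(risks):
    """Per risk: (quadrant, sorted list of providers covering it)."""
    return {r.name: (quadrant(r), sorted(r.coverage)) for r in risks}


# Constructed register; the values are invented for the example.
REGISTER = [
    Risk("Risk #1", 5, 4, {"External audit": "Monitor / Test"}),
    Risk("Risk #2", 4, 2, {"Internal audit (in-house)": "Monitor / Test",
                           "Internal Control Function": "Review / remediate"}),
    Risk("Risk #3", 4, 1),                                    # no coverage at all
    Risk("Risk #4", 5, 2, {"Compliance": "Monitor / Test"}),  # needs remediation, only monitored
    Risk("Risk #6", 2, 4, {"Control Self Assessment": "Monitor / Test"}),
]

if __name__ == "__main__":
    for name, (quad, providers) in summarize(REGISTER).items():
        print(f"{name:8} {quad:13} {', '.join(providers) or 'GAP - NO COVERAGE'}")
    print("gaps:", coverage_gaps(REGISTER))
    print("action mismatches:", action_mismatches(REGISTER))
```

The two checks are deliberately separate: a gap is a risk nobody looks at, while a mismatch is a risk that is looked at but with the wrong kind of activity for its quadrant. Both are what the slide means by letting the assessment criteria inform the assurance and remediation strategy rather than just producing a heat map.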
22. #3 – ENHANCE YOUR RISK ASSESSMENT CRITERIA
ADD VALUE TO ALIGNED PROCESSES
The risk assessment process - an overview
1. Set Objectives - inputs: corporate strategy, shareholder value, capital projects, key initiatives, performance targets
2. Identify & Assess Risks - strategic, operational, compliance / legal, financial
3. Drive Appropriate, Responsive Action(s) - assurance planning, ongoing monitoring, remediation planning, further analyses, update budgets, continuous improvement, etc.
4. Feedback & report - back into objective setting
24. #4 - PRODUCE SIMPLE, PALATABLE RISK REPORTS
Characteristics of effective documentation
• Simple, palatable & highly relevant
• Common formats, measures
• Providing timely information for decision making
Risk Identification, Assessment & Management sits alongside, and shares formats with:
• Strategic Planning & Objective Setting
• Budgeting & Forecasting
• Assurance Planning, Execution & Reporting
• Remediation
• Capital Projects & Key Initiatives
• Performance Management Systems & Reporting
• IT Strategy & Governance
25. #4 - PRODUCE SIMPLE, PALATABLE RISK REPORTS
Report columns, and where each is sourced:
• Objective - from planning documents
• Risk - from risk register
• Rating(s) - from risk register
• KPI and/or KRI
• Responsive Action - assurance or remediation activity
• Status or Planned Completion Date
• Outcome
26. IN SUMMARY
ENHANCING THE RISK ASSESSMENT PROCESS & OUTCOMES
1. Thorough preparation
2. Timing the risk assessment to occur between strategic planning and budgeting cycles, as
appropriate
3. Linkage to objectives – strategic, capital projects, etc.
4. Risk definitions that focus upon the risk events that could negatively impact achievement of
objectives
5. Strong leadership support, e.g. a supportive “tone at the top”
6. Identification and exploration of the areas where perceptions of risk impact, likelihood and/or
control effectiveness diverge
7. Input and support of relevant subject matter specialists; reliable data
8. Avoidance or reduction of group think and/or a dominant voice
9. Risk assessment criteria that effectively inform and drive responsive action
10. Simple, palatable risk reports aligned to and integrated with the organization’s planning and
performance management reports – especially at the summary level
28. APPENDIX - FOR REFERENCE
SAMPLE RATING CRITERIA – IMPACT
(Columns: Financial, Operational, Reputation, People)
5 Catastrophic
• Financial: loss >$X M
• Operational: loss of key systems for 5 days or more
• Reputation: sustained, highly negative mentions in press
• People: multiple members of the leadership team exit the company; event triggers significant, irrecoverable loss of employee morale
4 Very High
• Financial: loss $X to XM
• Operational: loss of key systems for 1 to 5 days
• Reputation: highly negative mention(s) in press but largely recoverable within 6 months through proper crisis management
• People: loss of a senior leader; high turnover of experienced staff; event triggers significant loss of employee morale but recoverable within 6 months; generally-pervasive low morale
3 High
• Financial: loss $Xk to XM
• Operational: loss of key systems for 4 to 8 hours
• Reputation: some negative press mentions but readily addressed and recoverable in 1 month or less
• People: turnover is generally higher than normal (>15%) across all areas of the company; multiple pockets of low morale
2 Moderate
• Financial: loss $X - Xk
• Operational: loss of key systems for 1 to 4 hours
• Reputation: generally positive press with a few isolated instances of minor negative mentions
• People: elevated turnover in some areas although non-critical; one or two pockets of low morale
1 Low
• Financial: loss <$Xk
• Operational: loss of key systems for less than 1 hour
• Reputation: positive press with only a few minor recommendations for product improvement
• People: very isolated instances of staff dissatisfaction and/or instances of above average turnover
29. APPENDIX - FOR REFERENCE
SAMPLE RATING CRITERIA – RECOMMENDED RESPONSE
Rating - Recommended Response
5 - Urgent: urgently conduct activities
4 - Perform Deep Dive Analysis: perform a deep dive analysis to better understand what’s driving the risk
3 - Review and Enhance: review & remediate current risk management activities and/or controls, as appropriate
2 - Enhance: enhance risk management activities and/or controls
1 - Monitor: monitor risk management activities and/or controls