Session 8: Risk Management, Assurance and Audit
Claire Lea, Thursday 2 November 2017, 4pm
Today’s plan
• Principles and significance of risk management
• Effective risk management systems
• Board of director responsibilities for internal control
• Audit Committee and external audit
• Sample exam question
• Concluding remarks
Risk management
Effective risk management can be likened to the survival of a living organism.
Many people sum up Darwin's Theory of Evolution with the phrase ‘the survival of the fittest’.
However, the most important element is ‘the capacity of adaptation’.
Effective risk management is therefore not only a system of processes but also a series of behaviours.
FRC Guidance on risk management, internal control and related business reporting
Snappy title for the latest guidance (2014) on risk management! However, it introduces a step change –
• New strategic report in corporate sector – requires boards to report annually on their principal risks
• Challenge is to include behavioural and organisational risk
• Risk has a higher profile in the NHS with work of Audit Committee and the Board Assurance Framework
• Need to consider downside and upside risk
Board’s responsibilities
• Ensuring design/implementation of risk management and internal control systems that identify risks and enable a robust assessment of the principal risks;
• Determining the nature/extent of the principal risks faced and risks which the organisation is willing to take to achieve its strategic objectives (determining its ‘risk appetite’);
• Ensuring that culture and reward systems have been embedded throughout the organisation;
• Agreeing how principal risks are managed/mitigated to reduce the likelihood or impact;
Board’s responsibilities
• Monitoring and reviewing the risk management and internal control systems, and the management’s process of monitoring and reviewing, and satisfying itself that they are functioning effectively and that corrective action is being taken where necessary; and
• Ensuring sound internal and external information and communication processes and taking responsibility for external communication on risk management and internal control.
Types of risk
What types of risks can you name?
Types of risk
• Financial risk
• Operational risk
• Reputational risk
• Behavioural risk
• Third-party or competition risk
• External risks
Risk management system
• Risk registers and risk identification
• Risk evaluation and scoring
• Risk management measures and mitigation
• Risk control and review
Risk management and governance
Internal controls
• Financial controls
• Operational controls
• Compliance controls
Elements of an internal control system
• Control environment – awareness & attitude
• System for identifying risks
• Controls which eliminate, reduce or control risks
• Information to employees to fulfil task of risk management
• Monitor effectiveness regularly
COSO Framework
Assurance
Performance reporting
• Single Oversight Framework
• CCG Improvement & Assessment Framework
Quality Governance
• CQUINs
• Quality Accounts [& Quality Report (FTs)]
• CQC rating
Financial reporting
• Annual report and accounts
• Monthly reporting
• Directors’ duties and responsibilities – break even and going concern
Assurance statements
• Going concern statement
• Corporate governance statement [FT compliance with FT Code]
• Annual governance statement
• Board Assurance Framework
• Integrated reporting, performance dashboards, board committee reports
• Head of Internal Audit Opinion
• External Audit post audit report
Types and levels of assurance
Verbal, written, empirical
Level 1 – operational (management)
Level 2 – oversight (committees)
Level 3 – independent (audit/reviews/inspections etc.)
The role of audit
• Function and scope of external audit – external scrutiny, true and fair view, unqualified opinion.
• Independent
• Function and scope of internal audit – independent review of risk management and internal control processes.
• Directors still responsible for preventing and detecting fraud and for the information in the annual report and accounts.
Independence of external audit
• Self-interest threats:
• Self-review threat:
• Advocacy threat:
• Familiarity threat:
• Intimidation threat:
Debate:
Should non-audit work be prohibited or restricted?
How do they protect the independence of the auditors?
Audit Committee
• HFMA Handbook for NHS Audit Committees extends role beyond financial controls
• Membership is solely non-executive directors
• Chair is not allowed to be a member
• Training, induction and remuneration of members
• Appointment and removal of auditors
• Assessment of independence
• Non-audit work
• Whistleblowing/raising concerns/Freedom to Speak Up
Concluding remarks
• Risk management is a key board responsibility
• Assurance is a key mechanism for holding management to account.
• It also provides a regular assessment of progress towards an organisation’s strategic objective.
• Assurance should be forward looking as well as backward looking.
• Audit Committee – key governance role for NEDs, independent, direct access to third parties, e.g. auditors
Sample exam question – November 2016
Beevor NHS Foundation Trust (‘Beevor’) has been discussing its strategy and vision in light of the board’s role for defining long-term strategy. It is planning a board development session next month, which will look at strategy and the associated risk management in further detail. The first part of this day will allow the board to consider its principal risks, such as financial sustainability and insufficient paediatric consultant recruitment, in the light of its strategic discussions thus far.
Required
As an introduction to the board development session, the Chair has asked you to:
(a) Prepare slides for a presentation, with notes, which define business risk and analyse four categories of business risk, giving examples of each in the health sector. (16 marks)
(b) Prepare a briefing paper which discusses the importance of risk appetite, risk capacity and risk tolerance for Beevor. (9 marks)
Examiner comments
Question 3 was also a very popular question and there was a very wide range of responses from a Grade C Fail to Merit. It was poorly answered, with 43% of those attempting it failing to pass. Good scripts demonstrated an understanding of business risks and did not confuse them with internal control risks. They also addressed the role of the board in risk management, the concept of principal risks and set out clear source guidance for their responses. Similar questions have been set for the exam before and the generally poor responses seem to highlight a lack of preparation in this area and a limited review of past papers. Average score 13.3.
Sample answer
FRC Guidance on Risk Management, Internal Control and Related Financial and Business Reporting 2014
UK Corporate Governance Code
Business risks:
• are risks that occur and arise in the business environment
• may also be referred to as strategic risks
• will differ between organisations
• can be positive (upside) or negative (downside)
• are the responsibility of the Board to determine
Remember mark available for layout as slides
Sample answer
Business risks can be categorised as
• Financial risk
• Operational risk
• Reputational risk
• Behavioural risk
• Third-party or competition risk
• External risks
Business risks are not the same as internal control risks, which arise because of weaknesses in the systems, procedures, management or personnel in place within the trust. These are risks that the trust has within its control, and it needs to have a comprehensive system in place to manage them.
The controls for these risks are ‘internal controls’, and internal controls are applied within an internal control system.
Sample answer
Application to the scenario?
Risk appetite and tolerance – decided by the Board
Risk appetite is the desire/willingness to take on risk
Risk tolerance is the amount of risk which is tolerated to achieve the strategic goals
Following this session
• Session slides and content
• Results of Task 2 will be available from Monday 13th November.
• Exam strategy webinar – Thursday 9 November 4pm
• Exam – 30 November 2017 – Good luck!
Thank you