Effective Assurance Frameworks
Nigel Ireland, Head of Barcud Shared Services
@barcudss
www.barcudsharedservices.org.uk
Today
▪ What an Assurance Framework is
▪ How an Assurance Framework can add value
▪ Use of an Assurance Framework in practice
▪ Understanding key terms like:
▪ Assurance;
▪ Risk appetite; and
▪ 3 lines of defence.
Barcud Shared Services
▪ Consortium of housing associations in South Wales
▪ Primarily Internal Audit
▪ Risk, projects, strategy, business continuity…
Barcud Internal Audit
▪ Best of independence & internal
▪ Work in housing associations
▪ See & feel risks
▪ Boards, audit committees, management and staff
▪ In-sector information
▪ Support and advise – ‘Insight’
▪ Money stays in the sector
Assurance Frameworks - History
2002/3
2012
2017
2012 – 2017: Development of risk management processes
Assurance Frameworks - Purpose
NHS Audit Committee Handbook: “the pivotal tool underpinning the Audit Committee’s remit of monitoring financial, clinical and all operational risks”
and… “the key source of evidence that links strategic objectives to risk.”
HM Treasury (2012): “Should be structured and provide reliable evidence to underpin the assessment of the risk and control environment for the annual Governance Statement, supported by independent appraisal from the internal audit service.”
Assurance Frameworks - Purpose
Main elements:
▪ Natural development of risk management processes
▪ Provides an enhanced link between strategy and risks
▪ Based on “reliable evidence”
▪ Brings together risk management and the 3 lines of defence model
What is risk?
The threat that an event or action will affect an organisation’s ability to achieve its business objectives and execute its strategies
So, what is risk management?
Being able to…
…identify the risk cause at the earliest opportunity, measure the risk effect and apply a proportionate level of resources to mitigate, or take advantage of, the risk…
and…
…obtaining assurance that the controls on which the organisation relies for mitigating the risk are effective.
What is assurance?
Confidence, based on sufficient evidence, that internal controls are in place, operating effectively and objectives are being achieved (various – Public Sector)
Assurance is what gives you comfort that a control is working (and therefore informs whether a risk is being managed as you had envisaged)
What do you want from Risk Management?
▪ Tool for increasing the likelihood of achieving objectives
▪ Aid to entrepreneurship – being ‘risk aware’ not ‘risk averse’
▪ Greater exploitation of opportunities
▪ Understand and prevent / reduce risk impacts
▪ Increase efficiency
Role of the Board
CHC Code of Governance (new):
▪ 3.2 – “The Board safeguards and promotes the organisation’s reputation and, by extension, promotes public confidence in the wider sector.”
▪ Principle 4 – Decision-making, risk and control
▪ 4.1 – “The Board is clear that its focus is on strategy, performance and assurance”
▪ New WG Governance requirements emphasise “Board Assurance”
Role of the Audit Committee
▪ Reviewing the effectiveness of risk management
▪ Reviewing, with management, the operation of risk management and responses to identified risks
▪ Reviewing the adequacy of assurance-providing activities and challenging management’s response to these
Risk register extract:
OBJECTIVE: We will provide 24/7 365 access to customers
RISK: An incident occurs which stops our organisation providing access for more than 24hrs
INHERENT SCORE: 25 (5 x 5)
CONTROLS: 1) Business Continuity Plan; 2) Resilient hardware; 3) Regular testing, review and updating
RESIDUAL RISK SCORE: 8 (2 x 4)
ASSURANCE: (blank)
FURTHER ACTION: (blank)
TARGET RISK: (blank)
Easy review of risks directly against objectives (note cause and effect), which enables more effective assessment & scrutiny of the risk score.
A clear understanding of the action being taken and the controls in place to address the risk, which enables effective assessment & scrutiny of the residual risk score.
HOW DO YOU KNOW?
Risk register extract:
OBJECTIVE: We will provide 24/7 365 access to customers
RISK: An incident occurs which stops our organisation providing access for more than 24hrs
INHERENT SCORE: 25 (5 x 5)
CONTROLS: 1) Business Continuity Plan; 2) Resilient hardware; 3) Regular testing, review and updating
RESIDUAL RISK SCORE: 8 (2 x 4)
ASSURANCE: Insert assurance here…
FURTHER ACTION: (blank)
TARGET RISK: (blank)
The assurances give you comfort that the controls are working and therefore assurance that the residual risk score is accurate.
So what’s the issue?
▪ Risk Registers over-focus on controls:
▪ Audit Committee – control v risk / objective
▪ Time to identify controls & minor / insignificant controls
▪ Assurances are ‘control-driven’
▪ Number over quality / effectiveness
▪ Assurances seen as less important
▪ ‘Quality’ of assurance unclear
▪ Assurance under-used – information not used as such
Potential Sources of Assurance
▪ Internal Audit
▪ External Audit
▪ Certifications – IIP / ISO9001 / ISO18001 / ISO32001
▪ Specialist reviews – HSE / Duty of Care / Penetration Testing
▪ Regulator feedback
▪ Customer feedback / complaints, including social media
▪ Local Authority / Partners
▪ Key Performance Indicators (KPIs)
▪ Management reports
3 Lines of Defence:
First Line – Day to Day Management
Second Line – Corporate Oversight
Third Line – Independent Assurance
Maximise Benefit?
Adding the 3 lines of defence: HM Treasury Guidance…
Assessing Sources of Assurance
Summarises previous ‘identification’ stage
Assessment
A lot to rationalise:
Current Risk Registers → Identifying sources of assurance → Assessing sources of assurance → Programme of Assurance → AC Reporting
Proportionality & Adding Value
Risk definition:
“Being able to identify the risk cause at the earliest opportunity, measure the risk effect and apply a proportionate level of resources to mitigate, or take advantage of, the risk…”
Shouldn’t we also apply this to assurance activities?
Programme of Assurance (sources mapped to the 3 lines of defence):
1. Management: Key Performance Indicators; RAG reports; Systems reports / management information; Customer satisfaction surveys
2. Corporate Oversight: Corporate risk management; Performance Indicators; Information from systems; RAG reports to senior management; Measured performance against targets and plans
3. Independent Assurance: Specialist review of process; Independent review of policies and procedures; ISO Accreditation
Did the assurance provide VfM?
Barcud-led Project
Aims:
▪ Upskill clients in risk management
▪ Greater understanding of assurance
▪ Development of a template
▪ Testing in practice
▪ Tailored Assurance Framework per-client
Programme of Assurance
▪ Risk-based – like your Internal Audit (IA) Strategy
▪ Programme of Assurance & IA Strategy coordinated
▪ Should consider the ‘Quality’ of assurance
▪ Should reflect the assurance you already have
▪ Should consider Value for Money & proportionality
▪ Report progress to the Audit Committee
Risk register extract:
OBJECTIVE: We will provide 24/7 365 access to customers
RISK: An incident occurs which stops our organisation providing access
INHERENT SCORE: 25 (5 x 5)
CONTROLS: 1) Business Continuity Plan; 2) Resilient hardware; 3) Regular testing, review and updating
RESIDUAL RISK SCORE: 8 (2 x 4)
ASSURANCE: 1) Internal Audit of BCP 2017/18 – Substantial Assurance; 2) Incident in 2016/17 – lessons learnt document; 3) External Penetration testing report – 2017/18
FURTHER ACTION: (blank)
TARGET RISK: (blank)
To address any gaps in control (c) or assurance (a), further action may be required.
Building into current risk registers:
Assurance Map
Developing a new focus:
Programme of assurance – IA Plan?
How does an AF achieve efficiencies?
Do we need an Internal Audit?
Sources on the assurance map:
KPIs
RAG Reports
Mgmt Info.
Customer Satisfaction Surveys
Independent Review
Compliments & Complaints
System updates
ISO Certification
Accreditation
Award
Regulatory Judgement
Risk Appetite
Risk Appetite (for Risk)
▪ The level of risk (taking into account both impact and likelihood) that the organisation is willing to tolerate.
▪ It can be at the organisational, departmental or individual risk level.
Risk Appetite?
Risk Appetite
▪ “Risk appetite needs to be measurable. Otherwise there is a risk that any statements become empty and vacuous” [1]; and
▪ “Risk appetite is not a single, fixed concept. There will be a range of appetites for different risks which need to align and these appetites may well vary over time: the temporal aspect of risk appetite is a key attribute to this whole development” [1].
[1] Institute of Risk Management, Risk Appetite & Tolerance Guidance Paper, 2010
Risk Appetite
Current performance direction
Where you might end up if something good happens
Where you might end up if something “bad” happens
- Based on Institute of Risk Management model
Risk Appetite
Risk Universe
Risk Tolerance
Risk Appetite
Risk Appetite
Appetite for Opportunity?
▪ Different from risk appetite?
▪ Used for decision making
▪ New opportunities
▪ Words like: “averse”, “open”, “hungry”
▪ Work for decisions; not for risk?
Risk Appetite
▪ Removes some of the subjectivity about whether a risk is managed to an acceptable level or not.
▪ Enables more robust challenging by stakeholders on the scoring and mitigation of risks.
▪ Enables effective allocation of resources when seeking assurance.
Risk register extract:
OBJECTIVE: We will provide 24/7 365 access to customers
RISK: An incident occurs which stops our organisation providing access
INHERENT SCORE: 25 (5 x 5)
CONTROLS: 1) Business Continuity Plan; 2) Resilient hardware; 3) Regular testing, review and updating
RESIDUAL RISK SCORE: 8 (2 x 4)
ASSURANCE: 1) Internal Audit of BCP 2017/18 – Substantial Assurance; 2) Incident in 2016/17 – lessons learnt document; 3) External Penetration testing report – 2017/18
FURTHER ACTION: (blank)
TARGET RISK: 4 (2 x 2)
‘Target’ Risk
▪ An example – risk appetite at the individual risk level
▪ Should be set by the audit committee (or board)
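The register rows above score a risk as impact x likelihood at the inherent, residual and target levels, tie each control to the assurance that evidences it, and flag further action where a control gap (c) or an assurance gap (a) remains. The following is an added example, not code from the presentation or from Barcud; the mapping of each listed assurance to a control, and the line of defence assigned to it, are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Assurance:
    source: str    # evidence as it would appear in the ASSURANCE column
    control: str   # the control this evidence speaks to (assumed mapping)
    line: int      # 1 = management, 2 = corporate oversight, 3 = independent

@dataclass
class RiskEntry:
    objective: str
    risk: str
    inherent: tuple   # (impact, likelihood), each scored 1-5
    residual: tuple
    target: tuple     # risk appetite at the individual risk level
    controls: list
    assurances: list = field(default_factory=list)

def score(pair):
    """Impact x likelihood, giving the 25 (5 x 5) / 8 (2 x 4) / 4 (2 x 2) scores."""
    impact, likelihood = pair
    return impact * likelihood

def assess(entry):
    """Further-action flags for one register row: 'c' = control gap (residual
    still above target), 'a:<control>' = control with no assurance at all,
    'weak:<control>' = control evidenced only by first-line (management) sources."""
    flags = []
    if score(entry.residual) > score(entry.target):
        flags.append("c")
    for control in entry.controls:
        lines = [a.line for a in entry.assurances if a.control == control]
        if not lines:
            flags.append("a:" + control)
        elif max(lines) == 1:
            flags.append("weak:" + control)
    return flags

# Constructed row mirroring the slides; control/line assignments are assumptions.
ACCESS_RISK = RiskEntry(
    objective="We will provide 24/7 365 access to customers",
    risk="An incident occurs which stops our organisation providing access",
    inherent=(5, 5), residual=(2, 4), target=(2, 2),
    controls=["Business Continuity Plan", "Resilient hardware",
              "Regular testing, review and updating"],
    assurances=[
        Assurance("Internal Audit of BCP 2017/18 - Substantial Assurance", "Business Continuity Plan", 3),
        Assurance("Incident in 2016/17 - lessons learnt document", "Regular testing, review and updating", 1),
        Assurance("External Penetration testing report - 2017/18", "Resilient hardware", 3),
    ],
)

if __name__ == "__main__":
    print(score(ACCESS_RISK.inherent), score(ACCESS_RISK.residual), score(ACCESS_RISK.target))
    print(assess(ACCESS_RISK))
```

Run as is, the row is flagged "c" because the residual score of 8 is still above the target of 4, and the testing control is flagged as weakly assured because a lessons-learnt document is management's own evidence rather than independent review.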
Risk Appetite – Challenge?
Departmental appetites to be set: Development; Finance; Health & Safety / Legal Compliance; Housing
Elements of Risk Appetite
▪ Statement in Risk Management Policy
▪ Departmental risk appetites (diagrams?)
▪ Your risk matrices / guidance for scoring
▪ Risk matrix colour distribution
▪ Your target risk scores on the risk register
Internal Auditors
A key element of your programme of assurance:
▪ Do they truly understand your business?
▪ Do they know you? Are they too “arms length”?
▪ Do they give you ongoing support and advice?
▪ Are they sufficiently knowledgeable of your risks?
▪ Are they helping/supporting you in pushing your risk/assurance framework forwards?
Why an Assurance Framework
▪ Greater understanding of risk status
▪ Promotes continual improvement
▪ Greater Value for Money
▪ Makes more use of what you already have
▪ More efficient and effective use of assurance, including Internal Audit, to fill gaps
▪ Helps you “KNOW”!
Thank you
Nigel Ireland, Head of Barcud Shared Services
Recommended reading
▪ ACCA – Risk and the Strategic Role of Leadership (2018) - http://www.accaglobal.com/scotland/en/professional-insights/risk/risk-and-the-strategic-role-of-leadership.html
▪ HM Treasury – Assurance Frameworks (2012) - https://www.gov.uk/government/publications/assurance-frameworks-guidance
▪ Institute of Internal Auditors – Coordinating Risk Management and Assurance (2012) - https://global.theiia.org/certification/Public%20Documents/Coordinating%20Risk%20Management%20and%20Assurance.pdf
▪ ICAEW – Assurance Mapping - https://www.icaew.com/en/technical/audit-and-assurance/assurance/assurance-mapping#assurance
Talk to us! www.barcudsharedservices.org.uk