INTERNAL AUDIT CONFERENCE: INTERNAL AUDIT & RISK ENVIRONMENTS
Presentation by: KIMEU, Jones Musyoki, ICPAK
Mombasa Continental Beach Resort, Wednesday 20th August, 2014

Uploaded by warren-thompson, 21-Jan-2016

TRANSCRIPT

Page 1: INTERNAL AUDIT CONFERENCE: INTERNAL AUDIT & RISK ENVIRONMENTS

Presentation by: KIMEU, Jones Musyoki

ICPAK

Mombasa Continental Beach Resort

Wednesday 20th August, 2014

Page 2: Introduction

Background: MBA (For Executives), BCom. (Hons), CPAK, CISA, FCCA

Over 15 years' experience in risk management, audit, and consultancy in risk, internal controls, IT audits and corporate governance

KIMEU, Jones Musyoki, +254 722 [email protected]

Page 3: CONTENT

• Introduction
• The context
• Internal and external risk environments
• Factors affecting a firm's risk appetite and tolerance
• Integrated risk management

Page 4: INTRODUCTION

The possibility that an event will occur and adversely affect the achievement of objectives.
• Committee of Sponsoring Organizations (COSO) Enterprise Risk Management Framework

The chance of something happening that will have an impact upon objectives.
• AS/NZS 4360:1999, Risk Management

Events that may have a positive impact represent opportunities

Page 5: INTRODUCTION

• Risks can be defined as real or potential events which reduce the likelihood of achieving strategic and operational objectives

• Risk identification is the process of determining risks that could potentially prevent the program, enterprise, or investment from achieving its objectives. It includes documenting and communicating the concern.

Page 6: CONTEXT: In today's world, change and uncertainty are constants...

All risk types (examples shown on the slide): Reputation; Security of confidential information; Bad press reports; Transparency & accountability; Fire; Labour strikes; Dynamic IT industry

Page 7: LANDSCAPE OF EMERGING RISKS

Word cloud of emerging risks (as listed on the slide): Invasion of privacy; Bogus parts; Power system break; Organised crime; CO2 trading; Off-shore & internet markets; Space weather; Electrosmog; Resistance to antibiotics; Drinking water quality; Loss of reputation; Business ethics; Intercontinental data transmission; Customised drugs; Nanotechnology; Caldera eruption; RSI; Cyber risks; Dirty bombs; Implants; Indoor pollution; Toxic mold; Food contaminants; Stress at work; Endocrine disruptors; Media risks; Ageing infrastructures; Tele-medicine; Cloning; Deteriorating safety standards; Alcohol; Contingent business interruption; Mega tsunami; Pervasive computing; Privatisation; Botox; Spread of diseases - EBOLA

Page 8: CONTEXT

People: fraud, vandalism, human error, strikes, miscommunication, riots, etc.

Systems: machine breakdown, internal control deficiencies, obsolescence, etc.

External factors: suppliers, customers, natural perils (earthquakes, floods), etc.

Page 9: ROLE OF INTERNAL AUDIT

Independent appraisal of the policies, processes and controls relating to the risk management framework, with reporting to all levels of management.

"The role of Internal Audit in risk management is important but one that can also present significant challenges" (source: IIA)

Page 10: IIA

Page 11: ROLE OF AUDIT AS A CATALYST

Diagram (parties): Board; Senior Management; Risk Management; Business Units; Internal Audit

Diagram (roles): Oversight; Ownership & Management; Assurance; Co-ordination; Action; Risk based surveys

Page 12: BEST PRACTICE – Risk Based Internal Audits (RBIA)

Page 13: RISK UNIVERSE: INTERNAL AND EXTERNAL RISKS

Page 14: RISK UNIVERSE

Definition: All risk types and categories across all business lines, functions, geographical locations and legal entities that could affect an organization.

Page 15: ESTABLISH THE CONTEXT

(Diagram: External Environment)

Page 16: RISK UNIVERSE (Cont.)

Page 17: RISK UNIVERSE (Cont.)

A company focused on ERM constantly assesses risk factors to ensure they reflect business realities, whether the risks are quantifiable or non-quantifiable, financial or non-financial.

Risk Framework (categories, sub-risks and definitions as shown on the slide):

• Liquidity (Corporate funding; Collateral requirements; Contingency funding): ability to generate/obtain sufficient cash in a timely manner to meet demands as they arise.
• Market (Market factor sensitivity; Volume risk; Market liquidity; Investment performance): potential loss arising from adverse movements in external market variables; risk of failure of market intermediaries.
• Health (Contagion risk; Chronic diseases; Pandemics).
• Operational (People; Process; System; Financial reporting; External): risk of loss from inadequate or failed internal processes, people, financial reporting, systems or external events.
• Environmental (Law changes; Non-compliance; Environmental impact; Environmental positioning): risk of loss and associated harm due to the company's interaction with the environment.
• Business & Strategic: risk of unsuccessful performance due to potential threats, actions or events adversely affecting the organization's ability to achieve objectives.
• Reputational: potential negative publicity regarding business practice, regardless of validity.
• Sub-risks listed under Business & Strategic and Reputational: Quality of health care; Demand changes; Industry changes; Unethical behavior; Crisis management; Association risk; Political risk.

Page 18: RISKS AT 3 LEVELS

1. Strategic/Corporate Level Risk: strategic alignment, governance, culture, funding, etc.
2. Business Level: organization (structure / segregation of duties), infrastructure, competence, staff attitudes, etc.
3. Transaction Level: P2P, treasury management, financial reporting, etc.

Page 19: STRATEGIC / CORPORATE RISKS

• Organization structure
• Resource allocation
• Governance
• Reputation

Page 20: STRATEGIC RISKS (Cont.)

Organization structure
• Organization charts and reporting lines
• Authority and responsibility
• Segregation of duties (SOD)

Page 21: STRATEGIC RISKS (Cont.)

Resource allocation
• Budgeting and planning
• Goal / objective setting
• Timelines
• Metrics & measurement

Page 22: STRATEGIC RISKS (Cont.)

Governance
• Culture
• Ethical behavior
• Board effectiveness
• Succession planning
• Tone at the top

Page 23: STRATEGIC RISKS (Cont.)

Reputation
• Image and branding
• Stakeholder relations

Page 24: FINANCE RISK

• Finance / budget management
• Financial reporting
• Internal controls
• Accounting

Page 25: FINANCE RISK (Cont.)

Finance / budget management
• Cash forecast
• Liquidity
• Cash flow management
• Analytics

Financial reporting
• Financial statement close process

Page 26: FINANCE RISK (Cont.)

Internal controls
• Transaction management (initiation, approval, recording and custody)

Accounting
• Application of accounting regulations, rules and procedures

Page 27: OPERATIONAL RISK

• Infrastructure
• People
• Process
• Technology

Page 28: OPERATIONAL RISK (Cont.)

Infrastructure
• Capability
• Office space
• Assets
• Tools
• Physical security
• Business continuity

Page 29: OPERATIONAL RISK (Cont.)

People
• Leadership: board / management expertise
• HR: responsibility & accountability
• Health & safety
• Risk-reward alignment
• Performance management
• Empowerment
• Mindset
• Buy-in / consensus
• Balance between revenue-driven and control-driven
• Competitor pressure
• Communication
• Sustaining vigilance

Page 30: OPERATIONAL RISKS - PEOPLE

People risk supports or undermines strategy:
..... alignment <within/out> of attitude, goals
..... strong ERM ....... within risk appetite ...... scandals and collapses

Page 31: OPERATIONAL RISK (Cont.)

Process
• Fraud
• Policies and procedures
• Outsourcing
• Third-party fraud
• Business processes

Page 32: OPERATIONAL RISK (Cont.)

Technology
• Integrity
• Accuracy
• Availability / timeliness
• Relevance
• Restricted access

Page 33: COMPLIANCE RISKS

• Regulatory risks
• Contractual commitments (contract)
• Policies and procedures
• Code of Business Conduct

Page 34: ENVIRONMENTAL RISKS

• Economic: such as donor support, skilled labour supply, forex fluctuations
• Natural environment
• Political: will, priorities & political stability
• Social: demographics, attitudes, tastes and preferences
• Technological (IT risk): e.g. innovations

Page 35: TECHNOLOGICAL (IT) RISKS

Page 36: TEAM EXERCISE

Identify common risks affecting your organization and your industry.

Classify these risks: strategic, business, operational.

Page 37: FACTORS AFFECTING A FIRM'S RISK APPETITE AND TOLERANCE

Page 38: RISK APPETITE

Definition: risk appetite can be defined as the amount of risk, on a broad level, that an organization is willing to take on in pursuit of value. In other words, the total impact of risk an organization is prepared to accept in the pursuit of its strategic objectives. It goes to the heart of an organization: how it does business and how it is perceived by stakeholders (employees, customers, regulators, rating agencies, etc.).

Page 39: RISK APPETITE

The following factors influence the risk appetite of an organization:
• The external environment
• People
• Business systems and policies

NB: risk appetites vary from organization to organization, between business units and between risk types {for instance, a bank's lending to a mature market will differ from its lending to an emerging market}.

Page 40: RISK APPETITE

From another perspective, smaller losses incurred as a consequence of fraudulent activity (such as cybercrime) can have a more adverse impact on a bank's reputation than much higher lending losses incurred in the normal course of business.

Consequently, financial institutions set a much lower risk appetite for fraudulent or unethical practices which could damage reputation.

Page 41: RISK APPETITE

Ways to measure risk appetite:
• Simple qualitative measures {reputational, management effort and regulatory compliance}, such as defining risk categories and setting target levels.
• Based on the above, develop more complex quantitative models of economic capital and earnings volatility {capital adequacy, target debt rating, earnings volatility, credit rating, etc.}.

Conclusion: risk appetite provides a cornerstone for the organization's risk management framework.

Page 42: RISK APPETITE - CHARACTERISTICS

A well-defined risk appetite should have the following characteristics:
1. Reflective of strategy, including objectives, business plans and stakeholder expectations
2. Reflective of all aspects of the business
3. Acknowledges a willingness and capacity to take on risks
4. Is documented as a formal risk appetite statement

Page 43: RISK APPETITE - CHARACTERISTICS

5. Considers the skills, resources and technology required to monitor and manage the risk exposure in the context of risk appetite
6. Is inclusive of a tolerance for loss or negative events that can be reasonably quantified
7. Is periodically reviewed and reconsidered with reference to evolving industry and market conditions
8. Has been approved by the board

Page 44: RISK APPETITE RATING (Example)

Willingness to accept risk, rated 1 (Low) to 3 (Medium) to 5 (High) for each of: Earnings volatility; Capital requirements; Reputation; Credit rating; Regulatory standing

Page 45: RISK TOLERANCE

Definition: risk tolerance is the degree of variability in investment returns that an individual is willing to withstand. It is an important component in investing. An individual should have a realistic understanding of his or her ability and willingness to stomach large swings in the value of his or her investments. Investors who take on too much risk may panic and sell at the wrong time.

Page 46: RISK TOLERANCE (Cont.)

The factors affecting risk tolerance (assessed using risk tolerance questionnaires) include:
• Review of worst-case historical returns for different asset classes, in order to get an idea of how much money one would feel comfortable losing if one's investments have a bad year or a bad series of years.
• The time horizon one has to invest, future earning capacity, and the presence of other assets such as a home, pension, social security or inheritance. In general, one can take greater risk with investable assets when other, more stable sources of funds are available.

Page 47: RISK TOLERANCE

Your investment time frame: the cliché here is what we'll refer to as 'age-based' investment risk tolerance. When will the capital be needed? If the time horizon is relatively short, risk tolerance should shift to be more conservative.

Your risk capital: money available to invest or trade that will not affect your lifestyle if lost (liquid capital).

Your investment experience: aim to get some experience under your belt before committing too much capital. Always remember the old cliché and strive for preservation of capital.

Page 48: RISK TOLERANCE

Your investment objectives: if you are saving for your retirement, how much risk do you really want to take with those funds?

The actual investment you are considering: different investments carry different levels of risk. All investments involve a degree of risk and returns can never be guaranteed, so it is important to choose investments that suit your circumstances.

Page 49: RISK TOLERANCE

(Illustration of a range of investment types and their associated risks)

Page 50: INTEGRATION: RISK LANGUAGE & CULTURE

Page 51: INTEGRATION – LANGUAGE & CULTURE

Develop a common risk and control language:
• Take an inventory of all current risk practices and taxonomies.
• Determine which ones best meet our business needs.
• Align the remaining practices and taxonomies with the ones we determined are best.

Page 52: INTEGRATED RISK MANAGEMENT {ENTERPRISE RISK MANAGEMENT & GOVERNANCE}

Page 53: RISK MANAGEMENT GOVERNANCE

Governance: Board, Audit & Risk Committee, Executive Risk Committee(s), risk appetite, risk universe

1. Governance committees
• Audit committee: expanded mandate to cover risk oversight
• Risk Management Committee (new): executive committee chaired by the CEO with representation from all HODs. The Risk Manager acts as secretary (but cannot chair). Forum for risk discussions.

2. Risk appetite: the amount of risk that an organisation is willing to seek or accept in the pursuit of its mandate, to be clearly defined through a delegation of authority matrix, policies and procedures

3. Tone at the top: the Board sets clear leadership (clarity of direction) and expectations for risk management (informed risk/reward)

Reporting structure (diagram): Board; Audit and Risk Committee; Risk Management Committee (Exec); HOD 1, HOD 2, HOD 3

Page 54: ERM Framework (ERMF)

1. Risk universe (all risk types)
2. Risk management process (as shown on the diagram): risk identification; risk assessment / measurement; risk mitigation & treatment; risk monitoring & reporting; supported by the risk register, the risk matrix, risks / opportunities and management reporting
3. Tools, resources, policies & procedures, training, risk culture, systems
4. Organisation structure: roles and responsibilities, risk domains, Risk Manager, HODs, departmental risk champions
5. Governance: Board, Audit & Risk Committee, Executive Risk Committee(s), risk appetite
6. Lines of assurance: internal / external audit

Page 55: IMPLEMENTATION BUILDING BLOCKS

Levels (diagram rows): BOD; Executive Management; Tactical Management; Operational Level; Audit

Building blocks (diagram): Understand / appreciate ERM; Develop risk strategy; Formulate implementation plan; Create budget; Develop an ERM framework; Create governance structure; Spread the gospel (culture); Implement risk-reward in all operations; Implement risk management process; Risk ownership; Assurance; QA

Page 56: ARE WE SUCCEEDING? – MEASURING SUCCESS

1. Culture
1.1 Creating awareness & setting the tone on the importance of risk management

2. Risk identification
2.1 Risk identification & risk maps
2.2 Risk governance & policy design

3. Qualitative management
3.1 Self-assessment tools (CRSAs)
3.2 Key Risk Indicators (KRIs)

4. Quantitative measurement
4.1 Capture internal risk data
4.2 Consideration of external data
4.3 Internal model to quantify risk & capital number

5. Integrated management
5.1 Integrate with existing systems
5.2 Risk-return metric
5.3 Management controls & corrective actions
5.4 Reporting to management and stakeholders

Page 57: MONITORING & EVALUATION

Monitoring - Internal control systems need to be monitored, a process that assesses the quality of the system’s performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two.

Page 58: INSTITUTIONALISING RISK MANAGEMENT

1. Crucial to set the tone at the top: leadership and consistency
2. Promote risk management as a day-to-day management tool to, inter alia, ensure achievement of the strategic objective/mandate and enhanced service delivery
3. Senior managers should establish clear risk management roles and responsibilities

Page 59: INSTITUTIONALISING RISK MANAGEMENT (Cont.)

4. Staff should have the capacity (skill, training, knowledge, information and resources necessary) to perform risk management roles
5. Integration with strategic planning, new initiatives and projects
6. Every person has a role to play (performance management)

Page 60: RISK MANAGEMENT

The most important phases of the risk management process are risk identification, risk analysis and risk response.

a) Risk identification is achieved by completing checklists, organizing meetings to identify risks, and analysing archived documents.

Page 61: RISK MANAGEMENT (Cont.)

b) Risk analysis uses methods such as determining the expected value, Monte Carlo simulation and decision trees.

c) Risk response includes measures and actions to reduce, eliminate or allocate the risk.
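The three analysis methods named in (b), worked through on one constructed risk as an added example (this is not code from the presentation): the expected-value calculation, a Monte Carlo simulation of annual loss totals, and a decision tree over three responses of the kind listed in (c). The fraud risk, its 4-events-per-year frequency, the KES 250,000 mean loss, the Poisson/lognormal distributions and the control costs are all assumptions made here.

```python
"""Expected value, Monte Carlo and decision-tree analysis of one risk.

Added example, not the presenter's material. All figures are constructed:
a hypothetical payment-fraud risk with an assumed event frequency, an assumed
lognormal loss per event, and assumed response costs.
"""
import math
import random
import statistics

# Constructed risk: supplier bank details altered by a fraudster, payment diverted.
FREQUENCY_PER_YEAR = 4.0      # assumed average number of successful frauds per year
MEAN_LOSS_KES = 250_000.0     # assumed average loss per event
LOSS_SIGMA = 0.8              # assumed lognormal dispersion of the loss per event


def expected_annual_loss(frequency_per_year: float, mean_loss: float) -> float:
    """Expected value method: expected frequency times average loss per event."""
    return frequency_per_year * mean_loss


def _poisson(rng: random.Random, rate: float) -> int:
    """Draw an event count for one year (Knuth's inversion method, adequate for small rates)."""
    limit, p, n = math.exp(-rate), 1.0, 0
    while True:
        p *= rng.random()
        if p <= limit:
            return n
        n += 1


def simulate_annual_losses(frequency_per_year: float, mean_loss: float,
                           sigma: float, years: int, seed: int = 7) -> list:
    """Monte Carlo method: simulate `years` independent years; each year draws a
    Poisson number of events and a lognormal loss per event. Returns annual totals."""
    rng = random.Random(seed)
    mu = math.log(mean_loss) - sigma ** 2 / 2   # so the mean of the draws equals mean_loss
    return [sum(rng.lognormvariate(mu, sigma) for _ in range(_poisson(rng, frequency_per_year)))
            for _ in range(years)]


def percentile(values: list, q: float) -> float:
    """Nearest-rank percentile of a sample, e.g. q=0.95 for a 1-in-20-years loss year."""
    ordered = sorted(values)
    idx = max(0, min(len(ordered) - 1, int(math.ceil(q * len(ordered))) - 1))
    return ordered[idx]


def choose_response(frequency_per_year: float, mean_loss: float, options: list) -> tuple:
    """Decision tree method: each branch is (name, annual control cost, frequency
    multiplier, loss multiplier); returns the branch with the lowest expected total cost
    and the cost of every branch."""
    costs = {name: cost + expected_annual_loss(frequency_per_year * f_mult, mean_loss * l_mult)
             for name, cost, f_mult, l_mult in options}
    return min(costs, key=costs.get), costs


# Constructed response branches (assumed figures): accept, reduce, allocate.
RESPONSES = [
    ("accept", 0.0, 1.0, 1.0),                                   # no new control
    ("reduce: call-back verification", 300_000.0, 0.25, 1.0),    # fewer successful frauds
    ("allocate: insurance with KES 100k excess", 450_000.0, 1.0, 0.4),  # most of the loss transferred
]

if __name__ == "__main__":
    ev = expected_annual_loss(FREQUENCY_PER_YEAR, MEAN_LOSS_KES)
    sims = simulate_annual_losses(FREQUENCY_PER_YEAR, MEAN_LOSS_KES, LOSS_SIGMA, years=5000)
    print(f"expected annual loss: KES {ev:,.0f}")
    print(f"simulated mean: KES {statistics.mean(sims):,.0f}; "
          f"95th percentile year: KES {percentile(sims, 0.95):,.0f}")
    best, costs = choose_response(FREQUENCY_PER_YEAR, MEAN_LOSS_KES, RESPONSES)
    print("decision tree:", {k: round(v) for k, v in costs.items()}, "->", best)
```

The expected value alone gives a single annual figure; the simulation adds the spread a budget owner needs (the 95th-percentile year sits well above the mean for a right-skewed loss distribution), and the decision tree shows why a register should record the cost of a control next to the loss it averts.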

Page 62: ERM IMPLEMENTATION CHALLENGES

Page 63: ERM IMPLEMENTATION CHALLENGES

• People
• Organization
• Process
• Systems
• Change management

Page 64: ERM IMPLEMENTATION CHALLENGES (Cont.)

People
• Lack of commitment / buy-in from the board, senior management and staff
• No in-house expertise or experience in performing risk management
• Risk management culture not well established

Page 65: ERM IMPLEMENTATION CHALLENGES

Organization
• Inappropriate risk management organisation structure
• Not aligned with the institution's / departments' objectives

Page 66: ERM IMPLEMENTATION CHALLENGES

Processes
• Inadequate project funding
• No clear understanding of the policies and procedures needed to establish the risk management architecture
• Failure to prioritise implementation activities

Page 67: ERM IMPLEMENTATION CHALLENGES

Systems
• Inadequate technologies to collect and measure risks
• Inadequate communication systems to capture and communicate risk information
• Disintegrated systems / old traditional applications

Page 68: ERM IMPLEMENTATION CHALLENGES

Change management
• Articulating and measuring the potential benefits of ERM
• Integrating risk management into strategic planning processes

Page 69: ERM IMPLEMENTATION CHALLENGES

Change management (Cont.)
• Understanding industry-specific risks and risk management standards/solutions
• Risk management information not well communicated, including risk appetite and risk tolerance

Page 70: RISK REPORTING

Page 71: RISK REGISTER

Central repository / log for all risks identified by the organisation

Page 72: CONTENTS OF A RISK REGISTER

1. The risk
2. Root cause
3. Mitigating controls / corrective action plan
4. Responsible party
5. Target date
6. Impact/probability assessment

Page 73:

Cycle (diagram): Identification; Assessment; Control / Mitigation; Monitoring; Reporting

Tools (diagram): KRI; RCSA; LDM; Capital calculation

Register columns: Risk event description | Inherent impact | Inherent likelihood | Description of standard controls | Control rating | Residual impact | Residual likelihood | Action plan | Responsible person | Due date

Page 74: RISK ASSESSMENT/MEASUREMENT

RISK ASSESSMENT MATRIX

Likelihood of the event (scale):
5 Almost Certain: the event is expected to occur in most circumstances, say several times per month
4 Likely: the event will probably occur in most circumstances, say once per year
3 Probable: the event might occur, say once in every 3 years
2 Unlikely: the event could occur at some time, say once in every 5 years
1 Rare: the event may only occur in exceptional circumstances

Impact of the event occurring (scale 1 to 5, by category):

Financial / Commercial (budgetary control; fraud and theft; loss of grants/funding; lack of system integrity; continuity planning; repairs and maintenance of buildings: fire, flood & power interruption; intellectual property commercialisation):
1 KES 10,000.00 | 2 KES 100,000.00 | 3 KES 500,000.00 | 4 KES 1,000,000.00 | 5 > KES 1,000,000.00

Regulatory (non-compliance with legislation):
1 Minimal issue | 2 Isolated compliance issue | 3 Isolated serious compliance issue | 4 Systematic serious compliance issue | 5 Sanction by regulator

Reputational / Political (changes to government policy; adverse media coverage; reputation and goodwill; quality management; equal opportunities; brand image):
1 Minor issues resolved promptly by day-to-day management processes | 2 Issue raised by stakeholders and/or local press | 3 Stakeholder and/or community concern, heavy local media coverage | 4 Embarrassment for the Trustee, including adverse media coverage | 5 Reputation and standing of the Trustee affected nationally and internationally

Staff / Customers (loss of staff & knowledge; recruitment & retention; health & safety; inadequate communication; training and development):
1 First aid | 2 Minor injuries / treatment | 3 Injury and/or hospitalisation | 4 Single death | 5 Multiple deaths

Environmental / Community (chemical hazards; environmental health & safety; community & stakeholder relationships):
1 Minor and brief pollution | 2 Transient harm | 3 Moderate harm | 4 Significant harm | 5 Long term harm

Rating and escalation: Low Risk: managed within department | Medium Risk: reported to Risk Management Committee | High Risk: reported to Board

Page 75

CONTROLS EVALUATION

Risk Event Description | Inherent Impact | Inherent Likelihood | Description of Standard Controls | Control Rating | Residual Impact | Residual Likelihood | Maker

Page 76

CONTROLS EVALUATION

The effectiveness of each control, or set of controls, is rated on a four-point scale:

1. Efficient - The internal control system is efficient and adequate
2. Acceptable - A few corrections should make the internal control system satisfactory
3. To Improve - The internal control system has to be enhanced and the process monitored more closely
4. Poor - The internal control system of the process has to be reorganised immediately
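The following is an added example, not part of the presentation, that puts the risk assessment matrix (Page 74) and this control rating scale together in working code. It scores register rows on the slides' 5-point likelihood and impact scales, routes them to the escalation level the matrix names, and runs two consistency checks an auditor would want: residual risk must never exceed inherent risk, and a control set rated Poor must not be credited with reducing the risk. The Financial/Commercial thresholds, likelihood descriptions, control ratings and escalation routes are taken from the slides; the numeric band boundaries (Low <= 4, Medium 5-12, High >= 15), the frequency cut-offs, the two checks and the sample register entries are assumptions made for the example.

```python
"""Scoring a risk register on the 5x5 likelihood x impact matrix.

Added example, not from the presentation. Scales and escalation routes follow
the slides; band boundaries, frequency cut-offs and consistency rules are assumed.
"""
from dataclasses import dataclass
from enum import IntEnum


class ControlRating(IntEnum):
    """Four-point control effectiveness scale from the slides."""
    EFFICIENT = 1
    ACCEPTABLE = 2
    TO_IMPROVE = 3
    POOR = 4


# Financial / Commercial impact scale (KES) as given on the matrix slide.
FINANCIAL_THRESHOLDS_KES = ((10_000, 1), (100_000, 2), (500_000, 3), (1_000_000, 4))
# Likelihood descriptions as annual frequencies; "several times per month"
# is assumed to mean at least 24 events per year.
LIKELIHOOD_THRESHOLDS = ((24.0, 5), (1.0, 4), (1 / 3, 3), (1 / 5, 2))
# Assumed numeric bands; the heat map slide only names Low / Medium / High.
BANDS = ((4, "Low"), (12, "Medium"))
ESCALATION = {
    "Low": "Managed within department",
    "Medium": "Reported to Risk Management Committee",
    "High": "Reported to Board",
}


def financial_impact_score(loss_kes: float) -> int:
    """Map an estimated loss in KES to the 1-5 Financial/Commercial impact level."""
    for limit, level in FINANCIAL_THRESHOLDS_KES:
        if loss_kes <= limit:
            return level
    return 5


def likelihood_score(events_per_year: float) -> int:
    """Map an expected annual frequency to the 1-5 likelihood level."""
    for limit, level in LIKELIHOOD_THRESHOLDS:
        if events_per_year >= limit:
            return level
    return 1


def risk_score(impact: int, likelihood: int) -> int:
    if not (1 <= impact <= 5 and 1 <= likelihood <= 5):
        raise ValueError("impact and likelihood must be on the 1-5 scale")
    return impact * likelihood


def band(score: int) -> str:
    for upper, name in BANDS:
        if score <= upper:
            return name
    return "High"


@dataclass
class RiskEntry:
    """One register row, using the column set shown on the slides."""
    description: str
    inherent_impact: int
    inherent_likelihood: int
    controls: str
    control_rating: ControlRating
    residual_impact: int
    residual_likelihood: int
    action_plan: str = ""
    responsible: str = ""
    due_date: str = ""


def assess(entry: RiskEntry) -> dict:
    """Score one row, pick its escalation route and list consistency findings."""
    inherent = risk_score(entry.inherent_impact, entry.inherent_likelihood)
    residual = risk_score(entry.residual_impact, entry.residual_likelihood)
    findings = []
    if residual > inherent:
        findings.append("residual score exceeds inherent score")
    if entry.control_rating == ControlRating.POOR and residual < inherent:
        findings.append("residual reduced although controls are rated Poor")
    residual_band = band(residual)
    if residual_band != "Low" and not (entry.action_plan and entry.responsible and entry.due_date):
        findings.append("action plan, responsible person or due date missing")
    return {"risk": entry.description, "inherent": inherent, "residual": residual,
            "band": residual_band, "escalation": ESCALATION[residual_band],
            "findings": findings}


def report(register: list) -> list:
    """Assess every row, highest residual risk first."""
    return sorted((assess(e) for e in register), key=lambda r: -r["residual"])


# Constructed sample register (illustrative values, not from the presentation).
SAMPLE_REGISTER = [
    RiskEntry("Fraud and theft through the payment system",
              financial_impact_score(750_000), likelihood_score(2),
              "Maker/checker on payments, monthly reconciliation",
              ControlRating.ACCEPTABLE, 4, 2,
              "Automate the reconciliation", "Head of Finance", "2014-12-31"),
    RiskEntry("Electronic security breach of customer data",
              5, likelihood_score(1 / 3), "Perimeter firewall only",
              ControlRating.POOR, 5, 2),  # reduced residual despite Poor controls
    RiskEntry("Power interruption at head office",
              financial_impact_score(8_000), likelihood_score(30),
              "UPS and standby generator tested quarterly",
              ControlRating.EFFICIENT, 1, 3),
]

if __name__ == "__main__":
    for row in report(SAMPLE_REGISTER):
        print(row)
```

Running the block prints the three rows highest residual first; the data-breach row comes out Medium (residual 10) but carries two findings, which is the point: a residual score is only as credible as the control rating and action plan behind it.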

Page 77

LIKELIHOOD AND IMPACT


Page 78

RISK HEATMAP - PROFILE

Page 79

SAMPLE KEY RISK INDICATORS (KRIs)

[Chart: sample KRIs plotted over time (x-axis: Time, periods 1 to 16; y-axis: Performance, -4 to +4). Series: Staff Turnover, Customer Complaints, Internal Limit Violations, Computer Breakdowns, Electronic Security Breaches]

Page 80

GAINING RISK REPORTING

Page 81

RISK REPORT ITEM

2

Page 82

Page 83

Risk Direction

Page 84

Management Action Plan Report Status

Page 85

RECAP – FUNDAMENTALS OF ERM

Fundamental steps of Risk Management (Source: COSO ERM Framework):

Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information & Communication
Monitoring

Page 86

RECAP - BEST PRACTICE IN ERM


Page 87


Quote of the day

"…in all my experience, I have never been in an accident of any sort worth speaking about. I have seen but one vessel in distress in all my years at sea… I never saw a wreck and have never been

wrecked, nor was I ever in any predicament that threatened to end in disaster of any sort."

Edward J. Smith interviewed by the New York press, 1907

Page 88


Page 89


Think the unthinkable! Expect the unexpected!

On April 15, 1912, RMS Titanic sank with the loss of more than 1,500 lives, one of which was its Captain, E. J. Smith.

Page 90

I thank you

KIMEU, JM. Email: [email protected] # 0722 607157