COURSE 1 Integration of Enterprise Risk Management with Internal Audit
FEBRUARY 25, 2020
Bill Dawson, Partner | Risk Advisory Services
Joe Casey, Director | Risk Advisory Services
2 BDO & Our Internal Audit Webinar Series
3 Polling Question 1
From which time zone are you participating today?
A. Eastern Time
B. Central Time
C. Mountain Time
D. Pacific Coast Time
E. Other
4 Bill Dawson, CPA Partner | Risk Advisory Services
Bill is a partner in BDO’s Risk Advisory Services practice. He is a financial executive with diverse accounting and reporting, tax, audit, internal controls, risk assessment, and business consulting experience with public and privately held domestic and multinational corporations. Bill uses his 30+ years of experience to help clients develop best-in-class internal audit functions, which operate as a business partner and key driver of effective management and financial control, process improvement, operational efficiency, and proactive risk management. He implements a disciplined and practical enterprise risk management approach to ensure effective identification, monitoring and mitigation of strategic, financial and operational risk.
Prior to joining BDO, Bill was a Risk & Compliance principal at AC Lordi, a boutique management consulting firm in Philadelphia. He has also served as VP of internal audit, and later as the VP of corporate income tax for a $2+ billion specialty apparel retailer. He has 18+ years of Big 4 experience, including as an audit partner managing a portfolio of public and privately held consumer product, chemical manufacturing, aerospace and retail clients.
PROFESSIONAL AFFILIATIONS
Certified Public Accountant (CPA) – Pennsylvania
American Institute of Certified Public Accountants
Pennsylvania Institute of Certified Public Accountants
Institute of Internal Auditors
EDUCATION
B.S., Accounting, Villanova University
5 Joe Casey, CPA, CFE Director | Risk Advisory Services
Joe is a director in the Risk Advisory Services practice at BDO where he provides companies with risk management, internal audit and SOX services. He has more than 20 years of experience and served as the outsourced director of internal audit or co-sourced partner for companies in various industries.
Joe has assisted companies with the implementation of enterprise risk management programs, led business risk assessments and is COSO Enterprise Risk Management certified.
Joe has a wide range of experience which includes: leading asset misappropriation, financial statement fraud and corruption investigations, providing forensic accounting and dispute consulting services, performing external financial statement audits, leading data analytics efforts, performing financial due diligence and managing an accounting function.
Prior to joining BDO, Joe was a director for the Risk & Compliance practice at AC Lordi, and is a former manager with the Big 4.
PROFESSIONAL AFFILIATIONS
Certified Fraud Examiner (CFE)
Certified Public Accountant (CPA) - Pennsylvania
American Institute of Certified Public Accountants
Institute of Internal Auditors
EDUCATION
M.B.A., Temple University
B.S., University of Maryland
6 Today’s Learning Objectives
At the conclusion of this course, participants will be able to:
Discuss the role that Internal Audit can have in providing support and monitoring of an organization’s risk management program
Identify and prioritize areas where Internal Audit can provide assurance as to the effectiveness of risk mitigating activities
Assess the maturity of an organization’s Enterprise Risk Management program
Recognize that Enterprise Risk Management is a continuous process that should be embedded within an organization
7 Topics
Introductions
Three Lines of Defense
What is Enterprise Risk Management (ERM)
Why ERM
COSO & ERM
Role of Internal Audit
Risk Assessment Methodology
ERM Maturity Model
Concluding Thoughts
8 Three Lines of Risk Defense
9 Three Lines of Risk Defense
A PRACTICAL WAY TO OUTLINE RISK ROLES AND RESPONSIBILITIES
Board of Directors / Audit Committee: Perform oversight
Executive Management Committee: Monitor performance
1st Line (Management): Own and manage risk
Department Operations, Product Operations, Finance Operations, each with Process and Risk Owners
Deliver outcomes within expected ranges
2nd Line (ERM, Risk, Compliance): Oversee risk activity
Interpret & develop; Design & facilitate; Inform & educate; Monitor & report
Protect from downside events
3rd Line (Internal Audit, Regulators, External Audit): Independent assurance
Test & verify; Independently monitor & report
Adapted from ECIIA/FERMA Guidance on 8th EU Company Law Directive, article 41
10 Polling Question 2
In which Line of Risk Defense is your position categorized?
A. 1st Line - Management, business or administrative function
B. 2nd Line - Risk management or compliance function
C. 3rd Line - Internal Audit function
11 What is Enterprise Risk Management (ERM)
12 ERM Overview
ERM is the identification, assessment and management of a holistic basket of the most significant risks/opportunities that could impede or enable the achievement of the entity’s strategic, operational, compliance, reporting and other important objectives.
13 ERM Overview, Cont’d.
An ERM program is a continuous process that:
Aligns risks, objectives & mission
Identifies & assesses risks
Responds to risks
Provides ongoing risk management
Anticipates & monitors uncertain future events
Provides real-time or periodic reporting
Note: Opportunities to the organization should also be considered in each step of the process.
One of the first steps in establishing an ERM program is to perform an initial Business Risk Assessment (BRA).
14 ERM v. BRA
Strategic Objectives
Compliance Objectives, Operating Objectives, Reporting Objectives
Business / Functional Objectives
BU Objectives
ERM spans all of these levels and is led by the CEO and CRO*; the BRA covers the business and functional objectives owned by Legal, HR, BU, CTO, COO, CFO, CIO and CAE.
* CRO - Central coordination and oversight of the risk management program
15 Why ERM
16 Why ERM?
DRIVERS
Response to an onset of a risk
Operational surprises or losses
Fiduciary responsibility of the Board
Increased sources and types of business risk
Complex systems and business environment
Need for increased transparency in the understanding, managing and reporting of important risks to key stakeholders
Anticipating and managing new and emerging risks in uncertain times
Increase performance predictability through risk management
17 Why ERM, Cont’d.
RESULTS
Provides a common language for risk management
Provides an inventory of important risks and opportunities that could inhibit or enable the enterprise in achieving its strategic and related business objectives
Assesses and prioritizes important risks and opportunities while identifying residual risks that may require further mitigation
Aligns management in efforts to efficiently allocate resources
Establishes a formal framework to gather, assess, manage, and report the most important risks, forming the basis for an ongoing risk management program
Provides improved transparency and accountability for risk management and its oversight by senior management and the board
Provides the basis for a multi-year risk-based internal audit plan that could provide on-going assurance that risks are properly identified and mitigating activities are operating effectively
18 COSO & ERM
19 COSO & ERM
Committee Of Sponsoring Organizations (COSO)
Private sector initiative sponsored by 5 Sponsoring Organizations
Provides thought leadership through frameworks and guidance on
• Enterprise risk management (ERM)
• Internal control
• Fraud detection
ERM Framework (issued in 2004 and updated in 2017)
Establishes a standard with a common risk definition and framework that is readily usable by management in evaluating and improving their organization's enterprise risk management processes
20 COSO & ERM
COSO 2004 ERM Framework (Updated by 2017 Framework)
Enterprise Risk Management – Integrated Framework
[Old ERM Graphic]
Framework provides reasonable assurance of achieving objectives through control & monitoring components.
COSO 2017 ERM Framework
Enterprise Risk Management – Aligning Risk with Strategy and Performance
[New ERM Graphic]
Framework provides reasonable expectation of achieving objectives; no control or monitoring components.
21 COSO 2017 Framework (5 components/20 principles)
Source: COSO’s Enterprise Risk Management—Integrating with Strategy and Performance.
22 Polling Question 3
Has your company identified its top risks?
A. Yes
B. No
C. Not sure
23 Role of Internal Audit
24 Internal Audit’s Skills for ERM
Internal audit has the potential to add significant value to implementation and monitoring of ERM in an organization as they:
Are aware of the mission, strategy and objectives of the organization
Have access to the audit committee & executive management
Have an audit charter to leverage involvement in risk management with the audit committee
Have established relationships across the organization to leverage
Understand the development & use of standard tools and methodologies
Have strong team and facilitation skills
Know how to identify and evaluate risks & controls
Know how to summarize and report at an Executive level
Internal Audit is part of the governance structure of the company!
25 Internal Audit Role in Risk Management
CORE INTERNAL AUDIT ROLES WITH REGARD TO ERM (AUDIT)
Provide assurance that risks are correctly stated & evaluated
Provide assurance that mitigating actions are operating
Evaluate risk management process
Evaluate reporting & management of key risks
LEGITIMATE INTERNAL AUDIT ROLES WITH SAFEGUARDS (CRO)
Facilitate identification & evaluation of risks
Coach management in risk response
Coordinate ERM activities
Consolidate reporting on risks
Maintain & develop ERM framework
Champion establishment of ERM
Develop ERM strategy for board approval
ROLES INTERNAL AUDITING SHOULD NOT UNDERTAKE (MANAGEMENT)
Set the risk appetite
Impose risk management processes
Manage risk
Make decisions and implement risk responses
Implement mitigating actions for risks
Accountable for risk management
Source: Adapted from “Position Statement: The Role of Internal Auditing in Enterprise-wide Risk Management.”
26 Polling Question 4
Does your company have a risk management function separate from internal audit?
A. Yes
B. No
27 Risk Assessment Methodology
28 Practical Approach to ERM
BUSINESS RISK ASSESSMENT
INFRASTRUCTURE
Methodology
Common Language
Repeatable Process
METHODOLOGY
1. Understand Business Objectives & Key Risk Indicators
2. Develop Common Risk Language
3. Identify & Document Meaningful Risks
4. Assess & Aggregate Gross Risks
5. Identify Mitigating Activities & Assess Residual Risk
6. Report & Monitor
DELIVERABLES
Actionable Information
Risk Register
Top Risks
Risk Mitigation Strategies
Current State vs. Future State Analysis
Residual Risk Monitoring & Board Reporting Process
Internal Audit Planning
ENABLING ACTIVITIES
Tools / Templates
Project Planning
Communication
Awareness / Training
29 Identify & Assess Risks to Strategies and Business Objectives (Example)
STRATEGY: Develop an innovative product to meet customer needs.
BUSINESS OBJECTIVE: Develop a plant based juice product that represents 20% of overall product line.
PROCUREMENT OBJECTIVE: Obtain high-quality products at best possible prices.
MANUFACTURING OBJECTIVE: Meet customer demand.
Risk 1: Plant based juices may result in higher costs impacting financial goals
Risk 2: Limited number of vendors with suitable experience
Risk 3: Possibility production cannot support the new line of juices
Risk 4: Possibility of poor production quality or consistency
Example adapted from language presented in COSO ERM January 2018 – Compendium of Examples
30 Identifying Risk Areas – Risk Universe Example
STRATEGIC
Planning & Resource Allocation: Organizational Structure, Strategic Planning, Annual Budgeting, Forward Pricing
3rd Party Relations: JVs / Alliances / Partnerships, Outsourcing Arrangements, Franchise Arrangements, Significant Vendors
Governance: Board, Tone at the Top, Control Environment, Corporate Social Responsibility
Market Dynamics: Competition, Pricing Pressures, Macro-Economic Factors, Customer & Platform Mix, Socio-Political Issues, Technological Advances, Sub Contractors & Product Availability
Major Initiatives: Vision & Direction, Planning & Execution, Personnel Development, Performance Measurement & Monitoring, Technology Implementation, Business Acceptance of New Initiative
Communication & Investor Relations: Media Relations, Investor Relations, Crisis Communications, Employee Communications, Technology Enabled Communication Channels, End User Perception, Government Relations, Cross-functional Communication, Reputation Management
Mergers, Acquisitions & Divestitures: Valuation & Pricing, Due Diligence, Planning, Execution & Integration
FINANCIAL
Accounting & Reporting: Accounting, Reporting & Disclosure; Reporting & Information Integrity; Internal Control / J-SOX; Forecasting
Liquidity Risk Mgmt: Cash Management, Capital Funding, Working Capital Management, Credit & Collections (DSO), Insurance, Pension Funding
Capital Structure: Debt, Equity, Stock-based Compensation
Market: Interest Rate, Foreign Currency, Commodities, Derivatives
Tax: Tax Strategy & Planning, Tax Optimization, Transfer Pricing, Indirect Taxes, Sales & Use Tax
OPERATIONS
Sales & Marketing: Marketing, Advertising, Research & Development, Sales & Pricing, Technology Enabled Sales, Customer Support
Government & Commercial Contracts: Pricing, Tax Implications, Sales & Marketing, Credit Financing
People/Human Resources: Culture, Recruiting & Retention, Development & Performance, Succession Planning, Compensation & Benefits, Labor Relations, Training
Assets: Real Estate, Fixed Assets, Inventory, Intellectual Property Protection
Supply Chain: Master Planning & Forecasting, Subcontractor Management, Procurement & Vendor Management, Materials Mgmt & Inventory, Production, Distribution, Transportation & Logistics, Product Defects & Returns, Warranty
Information Technology: IT Management, IT Security / Access, IT Availability / Continuity, IT Integrity, IT Resources, IT Infrastructure, Cyber Incidents, Data Security & Privacy, Disaster Recovery
Environmental: Natural Events, Terror & Malicious Acts, Health & Safety
COMPLIANCE
Regulatory: Trade, Government Contracts, Customs, Labor, Securities, Environment, Data Protection & Privacy, Product Quality/Safety, Health & Safety, Competitive Practices / Anti-Trade Measurement, Tax Compliance & Audit, J-SOX
Legal: Contract Liability, Intellectual Property, Anti-Corruption (FCPA), Franchise Agreements, Credit Financing, Code of Conduct, Ethics, Fraud
31 Example: Common Language - Assessing Risk Severity
IMPACT
Extreme: Catastrophic impact on profitability where over xx% of EBITDA is lost; Loss of reputation or brand value that may take 3-5 years to recover; Loss of key alliances; Serious loss in market share; Events and problems will require significant Board and senior management attention
Significant: Significant impact on profitability where over xx% of EBITDA is lost; Loss of reputation or brand value that may take 1-3 years to recover; Key alliances threatened; Serious loss in market share; Events and problems will require Board and senior management attention
Moderate: Moderate impact on profitability where over xx% of EBITDA is lost; Loss of reputation or brand value that involves widespread, adverse media coverage and/or potentially involves litigation; Situation will require management attention
Low: Low loss on profitability where over xx% of EBITDA is lost; Loss of reputation or brand value that involves local adverse media coverage; Consequences can be absorbed under normal operating conditions
Minimal: Insignificant impact on profitability where little or no EBITDA is lost ($x million); No potential impact on market share
LIKELIHOOD
Almost Certain: Event is expected to occur in most circumstances, 90% chance of occurrence in the next 12 months or four times over the next five years.
Likely: Event will probably occur in most circumstances, 55% chance of occurrence in the next 12 months or 3 times over the next 5 years.
Possible: Event should occur at some time, 25% chance of occurrence in the next 12 months or two times over the next five years.
Unlikely: Event should occur at some time, 10% chance of occurrence in the next 12 months or once every five years.
Remote: Event may occur in exceptional circumstances, less than 5% chance of occurrence in the next 12 months or once over five years.
32 Example: Risk Appetite
[Heat map: Impact (Minimal, Low, Moderate, Significant, Catastrophic) plotted against Likelihood (Remote, Unlikely, Possible, Likely, Almost Certain); each cell shows a Risk Category of Insignificant, Low, Minor, Moderate, High, Substantial or Extreme]
33 Gather & Inventory Risk
Identify strategic and related objectives
Determine who to survey or interview
Conduct interviews or surveys to gather risks
Convert interview discussions into risk statements
Validate resulting risk statements
Develop and maintain a risk register
Aggregate risk statements into common risk statements
Associate common risks to key objectives
Output: Risk Inventory
34 Risk Register/Assessment and Definitions
Risk 1: Plant based juices may result in higher costs impacting financial goals.
Gross Risk: Impact Significant; Likelihood Likely; Gross Risk Score Extreme
Mitigating Activities of Controls: Procurement determines best sources for materials and negotiates best prices.
Residual Risk: Impact Moderate; Likelihood Possible; Residual Risk Score Medium
ERM Desired Risk Level: Low
Risk 2: Possibility production cannot support new line of juices.
Gross Risk: Impact Moderate; Likelihood Possible; Gross Risk Score Substantial
Mitigating Activities of Controls: Production capacity planning done on a regular basis given known orders and anticipated demand.
Residual Risk: Impact Moderate; Likelihood Unlikely; Residual Risk Score Minor
ERM Desired Risk Level: Minor
DEFINITIONS
Gross Risk – severity of risk without management controls
Mitigating actions – activities (procedures and controls) that reduce the severity of the gross risk
Residual risk – the amount of risk that remains after management controls
Desired risk – the amount of risk the company would like to take or accept
Risk description as presented in COSO ERM January 2018 – Compendium of Examples
35 Managing Residual Risk
Risk 1: Plant based juices may result in higher costs impacting financial goals.
Residual Risk Score: Medium
Mitigating Activities of Controls: Procurement determines best sources for materials and negotiates best prices.
ERM Desired Risk Level: Low
Risk Owner: Production
Planned Remediation Activities: Based on procurement material pricing results, model expected profitability at different levels of demand given expected market pricing.
Achieved Risk Level: Low
Risk 2: Possibility production cannot support new line of juices.
Residual Risk Score: Minor
Mitigating Activities of Controls: Production capacity planning done on a regular basis given known orders and anticipated demand.
ERM Desired Risk Level: Minor
Risk Owner: Procurement
Planned Remediation Activities: None
Achieved Risk Level: Minor
Management can plan to further reduce its residual risks to a desired level by planning additional remediation activities.
Risk description as presented in COSO ERM January 2018 – Compendium of Examples
36 Auditing Mitigating Activities
Risk 1: Plant based juices may result in higher costs impacting financial goals.
Gross Risk: Extreme
Mitigating Activities of Controls: Procurement determines best sources for materials and negotiates best prices.
Residual Risk: Medium
Audit Activity: Review procurement procedures to assure that new produce vendor and pricing analyses are in line with company needs.
Risk 2: Possibility production cannot support new line of juices.
Gross Risk: Substantial
Mitigating Activities of Controls: Production capacity planning done on a regular basis given known orders and anticipated demand.
Residual Risk: Minor
Audit Activity: Review production planning activities to assure timing, volume demand, product line equipment and configuration have been properly considered to support decision making.
Internal Audit can provide assurance to the entity that mitigating activities or internal controls are operating as intended.
Risk description as presented in COSO ERM January 2018 – Compendium of Examples
37 Polling Question 5
Does your Internal Audit function use the Company’s risk management program information in determining its audit plan?
A. Yes
B. Indirectly
C. No
D. We don’t have a documented risk management program
E. Not sure
38 ERM Maturity Model
39 ERM Maturity Model / Journey
PRE-ERM
Ad-hoc
No framework developed
Risk management roles not well defined
Limited focus on the linkage among risks
FRAGMENTED
Silo risk management activities tending to be loss reduction focused
Disparate monitoring and reporting
Depends primarily on individual awareness, capability and action
Some executive leadership/board support
INITIAL
Senior level management and board support for initial risk effort
Development of a common risk language and framework
Initial identification, documentation and assessment of business risks
Discussions of managing risk to targeted levels
Identification of risk owners and discussions of an on-going risk management program to identify new and emerging risk while monitoring existing risks
Communication of top strategic and related risks to Executive leadership
Initial recommendations to leadership for outcomes of effort
MANAGED
Coordinated risk management and defined ERM process
Policy guidelines, common risk language and framework
Risk Committee
Periodic risk identification, assessments, measuring, and monitoring performance
Consistent and frequent communication of top strategic, new and emerging risks to executive leadership
Risks are considered in setting strategy and business plans
Proactive risk knowledge sharing across the entity
Proactive risk training and awareness
Internal Audit review of risk mitigation activities
FULLY INTEGRATED
Risk Management used as a competitive advantage
Top down risk culture with training throughout organization
Strategy aligned to mission, vision & values
Risks are aligned to strategy and functions
Risk/reward focus
Risk discussions are embedded in strategic planning and key business objectives
On-going enterprise-wide risk monitoring, measuring, and reporting
Early warning risk indicators are used to monitor risks and performance
Linkage of risks to performance measures and incentives
40 Role of Internal Audit in the Journey
The degree and balance of INTERNAL AUDIT services depends on ERM maturity.
ERM Maturity Scale: Pre-ERM through Fully Integrated
Internal Audit Services: Consulting (at the Pre-ERM end) through Assurance (at the Fully Integrated end)
41 Polling Question 6
Where do you think your organization is on the maturity scale?
A. Pre-ERM (Ad hoc and no framework)
B. Fragmented (Limited focus or silo approach)
C. Initial (Getting started)
D. Managed (Central coordination and oversight)
E. Fully-Integrated (Senior level risk aware decision making)
F. Not Sure
42 Concluding Thoughts
43 Concluding Thoughts
Internal Audit should:
Review its internal audit charter to see its role in risk management
Determine the maturity of the company’s risk management program
Work with the audit committee to solidify its thoughts on your role in the company’s risk management activities
Be proactive in determining how to best support the company’s risk management efforts
Use both your assurance and consulting capabilities to assist management and the board in their risk monitoring and oversight roles
Develop a multi-year audit program based on the results of the company’s risk management program
44 Questions
Bill Dawson, [email protected], 610-455-2073
Joe Casey, [email protected], 484-887-7577
45 Coming Soon
March 16-18, 2020: IIA GAM Conference, The Aria, Las Vegas – Visit us at Booth 509
April 28, 2020: 2020 Internal Audit Webinar Series – Course 2, Evaluating Compliance and Anti-Fraud Programs: A Case Study with BDO’s Forensics practice
46 Still Available for Download
BDO’s 2019 Global Risk Landscape Report: A Culture of Complacency
www.bdo.com/global-risk-landscape
This publication is disseminated annually in June. Please watch your email for more details.
47 Wrapping Up