
COURSE 1 Integration of Enterprise Risk with Internal

FEBRUARY 25, 2020

Bill Dawson, Partner | Risk Advisory Services
Joe Casey, Director | Risk Advisory Services

CPE and Support


2 BDO & Our Webinar Series

3 Polling Question 1

From which time zone are you participating today?

A. Eastern Time
B. Central Time
C. Mountain Time
D. Pacific Coast Time
E. Other

4 Bill Dawson, CPA Partner | Risk Advisory Services

Bill is a partner in BDO’s Risk Advisory Services practice. He is a financial executive with diverse reporting, tax, audit, internal controls, risk assessment and consulting experience with public and privately held domestic and multinational corporations. Bill uses his 30+ years of experience to help clients develop best-in-class internal audit functions that operate as a business partner and key driver of effective management and financial control, process improvement and operational efficiency. He implements a disciplined and practical enterprise risk management approach to ensure effective identification, monitoring and mitigation of strategic, financial and operational risk.

Prior to joining BDO, Bill was a Risk & Compliance principal at AC Lordi, a boutique firm in Philadelphia. He has also served as VP of internal audit, and later as VP of corporate income tax, for a $2+ billion specialty apparel retailer. He has 18+ years of Big 4 experience, including as an audit partner managing a portfolio of public and privately held consumer product, chemical manufacturing, aerospace and retail clients.

PROFESSIONAL AFFILIATIONS
Certified Public Accountant (CPA) – Pennsylvania
American Institute of Certified Public Accountants
Pennsylvania Institute of Certified Public Accountants
Institute of Internal Auditors

EDUCATION
B.S., Accounting, Villanova University

5 Joe Casey, CPA, CFE Director | Risk Advisory Services

Joe is a director in the Risk Advisory Services practice at BDO where he provides companies with risk management, internal audit and SOX services. He has more than 20 years of experience and served as the outsourced director of internal audit or co-sourced partner for companies in various industries.

Joe has assisted companies with the implementation of enterprise risk management programs, led business risk assessments and is COSO Enterprise Risk Management certified.

Joe has a wide range of experience which includes leading misappropriation, fraud and corruption investigations, providing dispute consulting services, performing external financial statement audits, leading data analytics efforts, performing financial due diligence and managing an accounting function.

Prior to joining BDO, Joe was a director for the Risk & Compliance practice at AC Lordi, and is a former manager with the Big 4.

PROFESSIONAL AFFILIATIONS
Certified Fraud Examiner (CFE)
Certified Public Accountant (CPA) – Pennsylvania
American Institute of Certified Public Accountants
Institute of Internal Auditors

EDUCATION
M.B.A., Temple University
B.S., University of Maryland

6 Today’s Learning Objectives

At the conclusion of this course, participants will be able to:

 Discuss the role that Internal Audit can have in providing support and monitoring of an organization’s risk management program

 Identify and prioritize areas where Internal Audit can provide assurance as to the effectiveness of risk mitigating activities

 Assess the maturity of an organization’s Enterprise Risk Management program

 Recognize that Enterprise Risk Management is a continuous process that should be embedded within an organization

7 Topics

 Introductions

 Three Lines of Defense

 What is Enterprise Risk Management (ERM)

 Why ERM

 COSO & ERM

 Role of Internal Audit

 Risk Assessment Methodology

 ERM Maturity Model

 Concluding Thoughts

8 Three Lines of Risk Defense

9 Three Lines of Risk Defense – A Practical Way to Outline Risk Roles and Responsibilities

Board of Directors: perform oversight
Executive Management Committee: monitor performance

1st Line – Own and manage risk
 Management
 Department Operations, Product Operations, Finance Operations
 Process and Risk Owners
 Deliver outcomes within expected ranges

2nd Line – Oversee risk (ERM activity: Risk, Compliance)
 Interpret & develop
 Design & facilitate
 Inform & educate
 Monitor & report

3rd Line – Independent assurance (Internal Audit, Regulators, External Audit)
 Test & verify
 Independently monitor & report

2nd and 3rd Lines: protect from downside events

Adapted from ECIIA/FERMA Guidance on 8th EU Company Law Directive, article 41

10 Polling Question 2

Which Line of Risk Defense is your position categorized?

A. 1st Line – Management, business or administrative function
B. 2nd Line – Risk management or compliance function
C. 3rd Line – Internal Audit function

11 What is Enterprise Risk Management (ERM)

12 ERM Overview

ERM is the identification, assessment and management of a holistic basket of the most significant risks/opportunities that could impede or enable the achievement of the entity’s strategic, operational, compliance, reporting and other important objectives.

13 ERM Overview, Cont’d.

An ERM program is a continuous process that:

1. Aligns risks, objectives & mission
2. Identifies & assesses risks
3. Responds to risks
4. Provides ongoing risk management
5. Anticipates & monitors uncertain future events
6. Provides real-time or periodic reporting

Note: Opportunities to the organization should also be considered in each step of the process.

One of the first steps in establishing an ERM program is to perform an initial Business Risk Assessment (BRA).

14 ERM v. BRA

Figure: objectives cascade from Strategic Objectives to Compliance, Operating and Reporting Objectives, then to Business / Functional Objectives and BU Objectives. The BRA is shown against this cascade at the CEO / CRO level, with the functional roles Legal, HR, BU, CTO, COO, CFO, CIO and CAE.

* CRO – Central coordination and oversight of the risk management program

15 Why ERM

16 Why ERM?

DRIVERS

 Response to the onset of a risk

 Operational surprises or losses

 Fiduciary responsibility of the Board

 Increased sources and types of business risk

 Complex systems and business environment

 Need for increased transparency in the understanding, managing and reporting of important risks to key stakeholders

 Anticipating and managing new and emerging risks in uncertain times

 Increasing performance predictability through risk management

17 Why ERM, Cont’d.

RESULTS

 Provides a common language for risk management

 Provides an inventory of important risks and opportunities that could inhibit or enable the enterprise in achieving its strategic and related business objectives

 Assesses and prioritizes important risks and opportunities while identifying residual risks that may require further mitigation

 Aligns management in efforts to efficiently allocate resources

 Establishes a formal framework to gather, assess, manage and report the most important risks, forming the basis for an ongoing risk management program

 Provides improved transparency and accountability for risk management and its oversight by management and the board

 Provides the basis for a multi-year, risk-based internal audit plan that can provide on-going assurance that risks are properly identified and that mitigating activities are operating effectively

18 COSO & ERM

19 COSO & ERM

Committee of Sponsoring Organizations (COSO)

 Private-sector initiative sponsored by five organizations

 Provides thought leadership through frameworks and guidance on:
• Enterprise risk management (ERM)
• Internal control
• Fraud detection

ERM Framework (issued in 2004 and updated in 2017): establishes a standard with a common risk definition and framework that is readily usable by management in evaluating and improving their organization's enterprise risk management processes.

20 COSO & ERM

COSO 2004 ERM Framework (updated by the 2017 Framework): Enterprise Risk Management – Integrated Framework. Old ERM graphic. The framework provides reasonable assurance of achieving objectives through control & monitoring components.

COSO 2017 ERM Framework: Enterprise Risk Management – Aligning Risk with Strategy and Performance. New ERM graphic. The framework provides reasonable expectation of achieving objectives; it has no control or monitoring components.

21 COSO 2017 Framework (5 components/20 principles)

Source: COSO’s Enterprise Risk Management—Integrating with Strategy and Performance.

22 Polling Question 3

Has your company identified its top risks?

A. Yes B. No C. Not sure

23 Role of Internal Audit

24 Internal Audit’s Skills for ERM

Internal audit has the potential to add significant value to the implementation and monitoring of ERM in an organization, as internal auditors:

 Are aware of the mission, strategy and objectives of the organization

 Have access to the audit committee & executive management

 Have an audit charter to leverage involvement in risk management with the audit committee

 Have established relationships across the organization to leverage

 Understand the development & use of standard tools and methodologies

 Have strong team and facilitation skills

 Know how to identify and evaluate risks & controls

 Know how to summarize and report at an Executive level

Internal Audit is part of the governance structure of the company!

25 Internal Audit Role in Risk Management

CORE INTERNAL AUDIT ROLES WITH REGARD TO ERM (Audit)

 Provide assurance that risks are correctly stated & evaluated

 Provide assurance that mitigating actions are operating

 Evaluate the risk management process

 Evaluate reporting & management of key risks

LEGITIMATE INTERNAL AUDIT ROLES WITH SAFEGUARDS (CRO)

 Facilitate identification & evaluation of risks

 Coach management in risk response

 Coordinate ERM activities

 Consolidate reporting on risks

 Maintain & develop the ERM framework

 Champion establishment of ERM

 Develop ERM strategy for board approval

ROLES INTERNAL AUDITING SHOULD NOT UNDERTAKE (Management)

 Set the risk appetite

 Impose risk management processes

 Manage risk

 Make decisions and implement risk responses

 Implement mitigating actions for risks

 Be accountable for risk management

Source: Adapted from “Position Statement: The Role of Internal Auditing in Enterprise-wide Risk Management.”

26 Polling Question 4

Does your company have a risk management function separate from internal audit?

A. Yes B. No

27 Risk Assessment Methodology

28 Practical Approach to ERM – Business Risk Assessment

INFRASTRUCTURE

 Methodology

 Common Language

 Repeatable Process

METHODOLOGY

1. Understand Business Objectives & Key Risk Indicators
2. Develop Common Risk Language
3. Identify & Document Meaningful Risks
4. Assess & Aggregate Gross Risks
5. Identify Mitigating Activities & Assess Residual Risk
6. Report & Monitor

DELIVERABLES

 Actionable Information

 Risk Register

 Top Risks

 Risk Mitigation Strategies

 Current State vs. Future State Analysis

 Residual Risk

 Monitoring Process

 Board Reporting

 Internal Audit Planning

ENABLING ACTIVITIES

Tools / Templates; Project Planning; Communication; Awareness / Training

29 Identify & Assess Risks to Strategies and Business Objectives (Example)

STRATEGY: Develop an innovative product to meet customer needs.

BUSINESS OBJECTIVE: Develop a plant based juice product that represents 20% of the overall product line.

PROCUREMENT OBJECTIVE: Obtain high-quality products at the best possible prices.

MANUFACTURING OBJECTIVE: Meet customer demand.

Risk 1 – Plant based juices may result in higher costs impacting financial goals
Risk 2 – Limited number of vendors with suitable experience
Risk 3 – Possibility production cannot support the new line of juices
Risk 4 – Possibility of poor production quality or consistency

Example adapted from language presented in COSO ERM January 2018 – Compendium of Examples

30 Identifying Risk Areas – Risk Universe Example

STRATEGIC

Planning & Resource Allocation: 3rd Party Relations; Annual Budgeting; Forward Pricing; JVs / Alliances / Sub Contractors; Outsourcing Arrangements; Franchise Arrangements; Significant Vendors

Market Dynamics: Competition; Pricing Pressures; Macro-Economic Factors; Customer & Platform Mix; Socio-Political Issues; Technological Advances; End User Perception; Product Availability

Communication & Investor Relations: Media Relations; Investor Relations; Crisis Communications; Employee Communications; Technology Enabled Communication Channels; Government Relations; Cross-functional Communication; Reputation Management

Governance: Board Performance; Control Environment; Corporate Social Responsibility

Major Initiatives: Vision & Direction; Planning & Execution; Personnel Development; Measurement & Monitoring; Technology Implementation; Business Acceptance of New Initiative

Mergers, Acquisitions & Divestitures: Pricing; Due Diligence; Planning, Execution & Integration

FINANCIAL

Accounting & Reporting: Accounting, Reporting & Disclosure; Reporting & Information Integrity; Internal Control / J-SOX; Forecasting

Market: Interest Rate; Foreign Currency; Derivatives

Liquidity Risk Mgmt: Capital Funding; Working Capital Management; Credit & Collections (DSO); Insurance; Pension Funding

Tax: Tax Strategy & Planning; Tax Optimization; Transfer Pricing; Indirect Taxes; Sales & Use Tax

Capital Structure: Debt; Stock-based Compensation

OPERATIONS

Sales & Marketing: Marketing; Advertising; Research & Development; Sales & Pricing; Technology Enabled Sales; Customer Support

People: Culture; Recruiting & Retention; Development & Performance; Succession Planning; Compensation & Benefits; Labor Relations; Training

Assets (sub-area heading not legible on the slide): Real Estate; Fixed Assets; Inventory; Intellectual Property Protection

Supply Chain: Master Planning & Forecasting; Subcontractor & Vendor Management; Materials Mgmt & Inventory; Production Management; Distribution; Transportation & Logistics; Product Defects & Returns; Warranty

Information Technology: IT Management; IT Security / Access Management; IT Availability / Continuity; IT Integrity; IT Resources; IT Infrastructure; Cyber Incidents; Data Security & Privacy; Disaster Recovery

COMPLIANCE

Regulatory: Government Contracts; Customs; Labor; Securities; Environment; Data Protection & Privacy; Product Quality/Safety; Health & Safety; Competitive Practices / Anti-Trade; Tax Compliance & Audit; J-SOX; Credit Financing

Legal: Contract; Liability; Intellectual Property; Anti-Corruption (FCPA); Franchise Agreements; Credit Financing

Code of Conduct: Ethics; Fraud

Government & Commercial Contracts: Pricing; Measurement; Tax Implications; Sales & Marketing

Environmental: Natural Events; Terror & Malicious Acts; Health & Safety

31 Example: Common Language - Assessing Risk Severity

IMPACT

Catastrophic
 Catastrophic impact on profitability where over xx% of EBITDA is lost
 Loss of reputation or brand value that may take 3-5 years to recover
 Loss of key alliances
 Serious loss in market share
 Events and problems will require significant Board and senior management attention

Significant
 Significant impact on profitability where over xx% of EBITDA is lost
 Loss of reputation or brand value that may take 1-3 years to recover
 Key alliances threatened
 Serious loss in market share
 Events and problems will require Board and senior management attention

Moderate
 Moderate impact on profitability where over xx% of EBITDA is lost
 Loss of reputation or brand value that involves widespread adverse media coverage and/or potentially involves litigation
 Situation will require management attention

Low
 Low loss on profitability where over xx% of EBITDA is lost
 Loss of reputation or brand value that involves local adverse media coverage
 Consequences can be absorbed under normal operating conditions

Minimal
 Insignificant impact on profitability where little or no EBITDA is lost ($x million)
 No potential impact on market share

LIKELIHOOD

Almost Certain – Event is expected to occur in most circumstances: 90% chance of occurrence in the next 12 months, or four times over the next five years.

Likely – Event will probably occur in most circumstances: 55% chance of occurrence in the next 12 months, or three times over the next five years.

Possible – Event should occur at some time: 25% chance of occurrence in the next 12 months, or two times over the next five years.

Unlikely – Event should occur at some time: 10% chance of occurrence in the next 12 months, or once every five years.

Remote – Event may occur in exceptional circumstances: less than 5% chance of occurrence in the next 12 months, or once over five years.

32 Example: Risk Appetite

Figure: risk appetite heat map. Horizontal axis, Likelihood: Remote, Unlikely, Possible, Likely, Almost Certain. Vertical axis, Impact: Minimal, Low, Moderate, Significant, Catastrophic. Each cell is assigned one Risk Category: Insignificant, Minor, Moderate, Substantial, High or Extreme (the cell-by-cell assignments are not legible in the extracted slide).

33 Gather & Inventory Risk

 Identify strategic and related objectives

 Determine who to survey or interview

 Conduct interviews or surveys to gather risks

 Convert interview discussions into risk statements

 Validate resulting risk statements

 Develop and maintain a risk register

 Aggregate risk statements into common risk statements

 Associate common risks to key objectives

Risk Inventory

34 Risk Register/Assessment and Definitions

Risk 1 – Plant based juices may result in higher costs impacting financial goals.
 Gross Risk: Impact Significant; Likelihood Likely; Score Extreme
 Mitigating Activities / Controls: Procurement determines best sources for materials and negotiates best prices.
 Residual Risk: Impact Moderate; Likelihood Possible; Score Medium
 ERM Desired Risk Level: Low

Risk 2 – Possibility production cannot support new line of juices.
 Gross Risk: Impact Moderate; Likelihood Possible; Score Substantial
 Mitigating Activities / Controls: Production capacity planning done on a regular basis given known orders and anticipated demand.
 Residual Risk: Impact Moderate; Likelihood Unlikely; Score Minor
 ERM Desired Risk Level: Minor

DEFINITIONS

 Gross Risk – severity of the risk without management controls

 Mitigating actions – activities (procedures and controls) that reduce the severity of the gross risk

 Residual risk – the amount of risk that remains after management controls

 Desired risk – the amount of risk the company would like to take or accept

Risk description as presented in COSO ERM January 2018 – Compendium of Examples

35 Managing Residual Risk

Risk 1 – Plant based juices may result in higher costs impacting financial goals.
 Mitigating Activities / Controls: Procurement determines best sources for materials and negotiates best prices.
 Residual Risk Score: Medium
 ERM Desired Risk Level: Low
 Risk Owner: Production
 Planned Remediation Activities: Based on procurement material pricing results, model expected profitability at different levels of demand given expected market pricing.
 Achieved Risk Level: Low

Risk 2 – Possibility production cannot support new line of juices.
 Mitigating Activities / Controls: Production capacity planning done on a regular basis given known orders and anticipated demand.
 Residual Risk Score: Minor
 ERM Desired Risk Level: Minor
 Risk Owner: Procurement
 Planned Remediation Activities: None
 Achieved Risk Level: Minor

Management can plan to further reduce its residual risks to a desired level by planning additional remediation activities

Risk description as presented in COSO ERM January 2018 – Compendium of Examples

36 Auditing Mitigating Activities

Risk 1 – Plant based juices may result in higher costs impacting financial goals.
 Gross Risk: Extreme
 Mitigating Activities / Controls: Procurement determines best sources for materials and negotiates best prices.
 Residual Risk: Medium
 Audit Activity: Review procurement procedures to assure that new produce vendor and pricing analyses are in line with company needs.

Risk 2 – Possibility production cannot support new line of juices.
 Gross Risk: Substantial
 Mitigating Activities / Controls: Production capacity planning done on a regular basis given known orders and anticipated demand.
 Residual Risk: Minor
 Audit Activity: Review production planning activities to assure that timing, volume demand, product line equipment and configuration have been properly considered to support decision making.

Internal Audit can provide assurance to the entity that mitigating activities or internal controls are operating as intended

Risk description as presented in COSO ERM January 2018 – Compendium of Examples
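The register, the gross/residual/desired definitions, the remediation planning and the audit-activity table on the preceding slides together describe one scoring procedure. The following Python is an added worked example (it is not BDO's code and does not appear in the slides) that runs that procedure over the two example risks: it looks up gross and residual scores from a likelihood × impact matrix, flags risks whose residual level still exceeds the desired level, and orders the mitigating controls for Internal Audit testing. Assumptions: the slide's heat map cells are not legible, so MATRIX is constructed (it reproduces the three cells the register does show: Significant × Likely = Extreme, Moderate × Possible = Substantial, Moderate × Unlikely = Minor); the slides label risk 1's residual and desired levels "Medium" and "Low", which are not in the heat-map legend, so the example keeps to the legend's names and treats risk 1's desired level as Minor; and likelihood_from_probability uses the slide's percentages as band lower bounds, which is also an assumption.

```python
"""Added example: scoring a risk register (gross vs. residual vs. desired risk).
Not BDO's code; the heat-map cells and likelihood bands below are constructed assumptions."""
from dataclasses import dataclass
from typing import List, Tuple

# Ordinal scales exactly as named on the slides, ordered lowest to highest.
LIKELIHOOD = ["Remote", "Unlikely", "Possible", "Likely", "Almost Certain"]
IMPACT = ["Minimal", "Low", "Moderate", "Significant", "Catastrophic"]
CATEGORIES = ["Insignificant", "Minor", "Moderate", "Substantial", "High", "Extreme"]

# ASSUMPTION: the slide's heat map is not legible, so these cells are constructed.
# They reproduce the three cells the register shows. Row = impact, column = likelihood.
MATRIX = {
    "Minimal":      ["Insignificant", "Insignificant", "Insignificant", "Minor", "Minor"],
    "Low":          ["Insignificant", "Minor", "Minor", "Moderate", "Moderate"],
    "Moderate":     ["Minor", "Minor", "Substantial", "Substantial", "High"],
    "Significant":  ["Moderate", "Substantial", "High", "Extreme", "Extreme"],
    "Catastrophic": ["Substantial", "High", "Extreme", "Extreme", "Extreme"],
}

# ASSUMPTION: the slide quotes point estimates (90%, 55%, 25%, 10%, <5%); here each is
# used as the lower bound of its band so that a 12-month probability maps to one rating.
LIKELIHOOD_BANDS = [(0.90, "Almost Certain"), (0.55, "Likely"), (0.25, "Possible"), (0.10, "Unlikely")]


def likelihood_from_probability(p_next_12_months: float) -> str:
    """Map an estimated probability of occurrence in the next 12 months onto the likelihood scale."""
    if not 0.0 <= p_next_12_months <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    for floor, rating in LIKELIHOOD_BANDS:
        if p_next_12_months >= floor:
            return rating
    return "Remote"


def score(impact: str, likelihood: str) -> str:
    """Risk category for an impact/likelihood pair; rejects ratings outside the common language."""
    if impact not in MATRIX:
        raise ValueError(f"unknown impact rating: {impact!r}")
    if likelihood not in LIKELIHOOD:
        raise ValueError(f"unknown likelihood rating: {likelihood!r}")
    return MATRIX[impact][LIKELIHOOD.index(likelihood)]


def rank(category: str) -> int:
    """Position of a category on the severity ladder, so two categories can be compared."""
    return CATEGORIES.index(category)


@dataclass
class Risk:
    number: int
    description: str
    gross: Tuple[str, str]        # (impact, likelihood) with no management controls
    controls: str                 # mitigating activities / controls
    residual: Tuple[str, str]     # (impact, likelihood) after those controls
    desired: str                  # level the company is willing to accept
    remediation: str = "None"     # planned activities to move residual toward desired

    def gross_score(self) -> str:
        return score(*self.gross)

    def residual_score(self) -> str:
        return score(*self.residual)

    def control_reliance(self) -> int:
        """Category steps the controls are credited with removing; the larger this is,
        the more assurance over those controls matters."""
        return rank(self.gross_score()) - rank(self.residual_score())

    def needs_remediation(self) -> bool:
        """True when residual risk still sits above the desired level."""
        return rank(self.residual_score()) > rank(self.desired)


# Constructed register holding the two example risks from the slides.
REGISTER: List[Risk] = [
    Risk(1, "Plant based juices may result in higher costs impacting financial goals.",
         ("Significant", "Likely"),
         "Procurement determines best sources for materials and negotiates best prices.",
         ("Moderate", "Possible"), "Minor",
         "Model expected profitability at different levels of demand given expected market pricing."),
    Risk(2, "Possibility production cannot support new line of juices.",
         ("Moderate", "Possible"),
         "Production capacity planning done on a regular basis given known orders and anticipated demand.",
         ("Moderate", "Unlikely"), "Minor"),
]


def remediation_backlog(register: List[Risk]) -> List[int]:
    """Numbers of the risks whose residual level exceeds the desired level."""
    return [r.number for r in register if r.needs_remediation()]


def audit_plan(register: List[Risk]) -> List[Tuple[int, str]]:
    """Order controls for Internal Audit testing: highest residual risk first, then the
    controls credited with the largest reduction from gross to residual."""
    ordered = sorted(register,
                     key=lambda r: (rank(r.residual_score()), r.control_reliance()),
                     reverse=True)
    return [(r.number, r.controls) for r in ordered]


if __name__ == "__main__":
    for r in REGISTER:
        print(f"Risk {r.number}: gross={r.gross_score()} residual={r.residual_score()} "
              f"desired={r.desired} remediate={r.needs_remediation()}")
    print("remediation backlog:", remediation_backlog(REGISTER))
    for number, control in audit_plan(REGISTER):
        print(f"test control for risk {number}: {control}")
```

The ordering in audit_plan is an editorial choice rather than something the slides prescribe: a control that is credited with a large drop from gross to residual is one the register leans on heavily, so its operating effectiveness is where assurance work pays off first.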

37 Polling Question 5

Does your Internal Audit function use the Company’s risk management program information in determining its audit plan?

A. Yes
B. Indirectly
C. No
D. We don’t have a documented risk management program
E. Not sure

38 ERM Maturity Model

39 ERM Maturity Model / Journey

PRE-ERM

 Ad-hoc

 No framework

 Risk management roles not well defined

 Depends primarily on individual awareness, capability and action

FRAGMENTED

 Silo risk management activities tending to be loss reduction focused

 Disparate monitoring and reporting

 Limited focus on the linkage among risks

 Some executive leadership / board support

INITIAL

 Senior level management and board support for initial risk effort

 Development of a common risk language and framework

 Initial identification, documentation and assessment of business risks

 Discussions of managing risk to targeted levels

 Identification of risk owners and discussions of an on-going risk management program to identify new and emerging risk while monitoring existing risks

 Communication of top strategic and related risks to Executive leadership

 Initial recommendations to leadership for outcomes of effort

MANAGED

 Coordinated risk management and defined ERM process

 Policy guidelines, common risk language and framework

 Risk Committee

 Periodic risk identification, assessments, measuring and monitoring

 Consistent and frequent communication of top strategic, new and emerging risks to executive leadership

 Risks are considered in setting strategy and business plans

 On-going enterprise-wide risk monitoring, measuring and reporting

 Early warning risk indicators are used to monitor risks and performance

 Internal Audit review of risk mitigation activities

 Linkage of risks to performance measures and incentives

FULLY INTEGRATED

 Risk Management used as a competitive advantage

 Top down risk culture developed with training throughout the organization

 Strategy aligned to mission, vision & values

 Risks are aligned to strategy and functions

 Performance, risk/reward focus

 Risk discussions are embedded in strategic planning and key business objectives

 Proactive risk knowledge sharing across the entity

 Proactive risk training and awareness

40 Role of Internal Audit in the Journey

The degree and balance of Internal Audit services depends on ERM maturity.

Figure: ERM Maturity Scale running from Pre-ERM to Fully Integrated, with Internal Audit Services shifting from Consulting (at the Pre-ERM end) toward Assurance (at the Fully Integrated end).

41 Polling Question 6

Where do you think your organization is on the maturity scale?

A. Pre-ERM (Ad hoc and no framework)
B. Fragmented (Limited focus or silo approach)
C. Initial (Getting started)
D. Managed (Central coordination and oversight)
E. Fully-Integrated (Senior level risk aware decision making)
F. Not Sure

42 Concluding Thoughts

43 Concluding Thoughts

Internal Audit should:

 Review its internal audit charter to see its role in risk management

 Determine the maturity of the company’s risk management program

 Work with the audit committee to solidify its thoughts on your role in the company’s risk management activities

 Be proactive in determining how to best support the company’s risk management efforts

 Use both your assurance and consulting capabilities to assist management and the board in their risk monitoring and oversight roles

 Develop a multi-year audit program based on the results of the company’s risk management program

44 Questions

Bill Dawson – [email protected] – 610-455-2073
Joe Casey – [email protected] – 484-887-7577

45 Coming Soon

March 16-18, 2020 IIA GAM Conference The Aria, Las Vegas – Visit us at Booth 509

April 28, 2020 2020 Internal Audit Webinar Series – Course 2 Evaluating Compliance and Anti-Fraud Programs: A Case Study with BDO’s Forensics practice

46 Still Available for Download

BDO’s 2019 Global Risk Landscape Report A Culture of Complacency www.bdo.com/global-risk-landscape

This publication is disseminated annually in June. Please watch your email for more details.

47 Wrapping Up
