Presentation on theme: "Risk Management Workshop"— Presentation transcript:
Risk Management Workshop - University of Exeter, Summer Term 2008. Mazars LLP.

Presenter: Jamie Paddon IPFA, Audit Manager, Mazars LLP, Bristol.

Agenda
- Background to Mazars LLP / Internal Audit at the University
- Session 1 – Introduction to risk management
- Session 2 – The benefits of good risk management
- Session 3 – Risk management and internal audit
- Session 4 – Risk management at the University of Exeter
- Session 5 – Changes to the existing arrangements
- Session 6 – Risk linkage and escalation
- Session 7 – New risk register template and scoring system
- Comfort break
- Session 8 – Monitoring of EWMs and controls
- Session 9 – What to expect from an internal audit
- Session 10 – Questions and Answers

Background to Mazars LLP & Internal Audit at the University

Background to Mazars
- Founded over 100 years ago – formerly called Neville Russell
- Ranked 10th in size in the UK by fee income
- 18 offices, 104 partners, 1100 staff
- IIP accreditation
- National practice
- International partnership
- 5th largest firm in most European countries

Examples of Bristol Office Internal Audit clients

Internal Audit at the University of Exeter
Mazars were awarded a contract to supply internal audit services to the University for three years from 1st August 2006. Our work is required to conform to the standards stipulated by HEFCE in its Accountability and Audit Code of Practice (HEFCE 2004/27). We are required to produce an annual and strategic Internal Audit plan for agreement by the Audit Committee. We are also required to give an annual opinion to the Audit Committee on the adequacy and effectiveness of the arrangements for risk management, control and governance, and economy, efficiency and effectiveness.

Your Core Internal Audit Team
- Partner: Richard Bott
- Manager: Jamie Paddon
- Supervisor: Iain Rolland
- Senior Auditors: Rachael Lovett / Victor Rudebeck / Ian Cook
- Junior Auditors: Jemma Allan / Laura Baxter / Sarah Brent
Session 1 – Introduction to Risk Management

Introduction to Risk Management
IIA definition of risk management:
‘Risk management covers all the processes involved in identifying, assessing and judging risks, assigning ownership, taking actions to mitigate or anticipate them, and monitoring and reviewing progress. Good risk management helps reduce hazard, and builds confidence to innovate.’

Introduction to Risk Management
IIA definition of risk:
‘Risk is most commonly held to mean "hazard" and something to be avoided. But it has another face - that of opportunity. Improving public services requires innovation - seizing new opportunities and managing the risks involved. In this context risk is defined as uncertainty of outcome, whether positive opportunity or negative threat, of actions and events. It is the combination of likelihood and impact, including perceived importance.’

Introduction to Risk Management
IIA definition of risk appetite:
‘the level of risk you are happy to live with before you do something about it; the amount of risk you are prepared to take in order to achieve objectives.’

Introduction to Risk Management
Treasury definition of risk register (or risk map):
‘A risk register lists all the identified risks and the results of their analysis and evaluation. Information on the status of the risk is also included. The risk register should be continuously updated and reviewed throughout the course of a project.’

Introduction to Risk Management
Definitions of internal control:
‘An organisation's procedures that are designed to increase its efficiency, ensure its policies are implemented, and its assets are safeguarded.’
Internal controls are processes, effected by management and other personnel, designed to provide reasonable assurance of:
- reliable financial and operational information;
- compliance with policies and procedures, plans, laws, rules and regulations;
- assets being safeguarded; and
- operational efficiency.

Introduction to Risk Management
Definitions of early warning mechanism:
‘An output, event or measure that gives you prior notice that a risk is about to crystallise.’
‘When an indicator exceeds (or falls below) a threshold, then it is said to issue a signal that a crisis may occur within a given period.’

Introduction to Risk Management
Risk management the old fashioned way:
- Risk map prepared by senior management team;
- Either hundreds of risks or very few;
- Risk map updated annually by Finance Director;
- Risks scored H, M or L;
- Often no details of the control strategies relied upon or required, in order to manage the risks identified;
- Audit Committee reviews entire risk map annually;
- No wider management review; and
- No process of feedback as to how well each risk is managed and controlled.

Introduction to Risk Management
Good practice:
- Risk Management policy in place, clearly defining roles and responsibilities;
- Joined up process: Board, senior management team (SMT), risk owners and line managers;
- Two-tier risk registers: strategic and operational;
- Up to 50 risks grouped according to strategic objectives;
- Current controls identified;
- Likelihood and severity scored both pre and post mitigation (gross/inherent and net/residual risk);
- Risk tolerance set (the amount of risk the organisation is prepared to accept);

Introduction to Risk Management
Good practice continued:
- Early warning mechanisms (EWMs) identified;
- Sources, and frequency, of assurance that each risk is being properly controlled, are clearly identified;
- Action plans setting out what needs to be done to reduce risk to the agreed tolerance level;
- Risk register and action plans kept up to date by appropriate individuals / teams, and frequently reviewed by SMT in terms of changes in organisational risks and their scores, risk tolerance, current state of EWMs, and assurances received; and
- Report to Board / Audit Committee outlining changes to the risk register and progress against risk action plan.
Session 2 – The benefits of good risk management

Risk Management – Why bother?
Generally, successful organisations have a clear understanding of their strategic aims and objectives – they know where they want to go and how they want to get there. However, this is often not enough. To guarantee success, organisations need to also determine, understand and monitor their exposure to business risks (those events that could prevent or threaten the achievement of their strategic objectives). These events could be things that happen outside the organisation’s control, such as changes in government policy, or internal events such as loss of key staff members.

Risk Management – Why bother? (cont.)
If an organisation can pre-empt all the pitfalls or risks and do something positive to prevent or reduce the likelihood of these occurring, or reduce the impact should they occur, then the organisation is far more likely to achieve its strategic aims. It is only when organisations gain a full understanding of the possible business risks that could trip them up that they can begin thinking about how best to manage these and make informed judgements as to what resources, control processes and assurance mechanisms are needed. Good risk management breeds confidence and allows an organisation to take informed risks in the future. However, the hard work does not stop there.

Good Risk Management – What is needed?
Successful risk management depends on how ‘live’ and ‘embedded’ the process is. Keeping risk management ‘live’ is determined by how often risks are re-assessed, how often assurance is obtained that the controls relied upon are in place and operating as intended, and how close EWMs are to being breached. Risk management is said to be ‘embedded’ when all tiers of the organisation have regard to the management of risk as part of their day to day activities. It is a process that happens naturally rather than as a separate ‘cottage industry’.

Embedded risk management – what does it look like?
- ‘Sign-up’ from the top;
- Training and guidance;
- Risk management should comprise clear processes that are easy to understand and operate – it should not be seen as something in addition to what staff already do;
- All staff should have an involvement in the process – ownership – and be clear as to the part they play in the organisation’s success;
- Reference to risk management in job descriptions;
- Review of performance with regard to management of risk within the staff appraisal process; and
- Good two-way communication channels – staff need to feel valued and listened to.
Session 3 – Risk Management and Internal Audit

Risk Management and Internal Audit – What is the link?
To fully understand this, we need to understand how Internal Audit has evolved. For many years, Internal Audit functions undertook what was known as Systems Based Internal Audit. This was a process whereby the Internal Audit plan sought to review all major systems within the organisation within a defined time period - systems and functions were simply reviewed because they were there! Inevitably, this led to a high degree of focus on financial systems and therefore a lot of time spent in Finance. A typical audit programme would probably be 60% focused on finance systems, 15% on other systems, 15% on departments/faculties, and 10% on IT / project risks.

Risk Management and Internal Audit – What is the link? (cont.)
Modern Internal Audit teams now conduct their work using a ‘risk-based’ or ‘risk-led’ approach. This approach focuses internal audit resources toward areas of strategic importance for the business. Where good risk management processes are in place and a sound risk register exists, Internal Audit will often use this as a starting point for the generation of their annual plan. Using ‘risk’ alone as a factor for setting the Internal Audit plan will usually mean that individual finance systems would not be covered, either much or at all! However, as External Audit usually wish to rely on Internal Audit work on finance systems, basic coverage is usually built into the plan.

Risk Based Internal Audit
The implications of ‘risk-based’ internal audit:
- Higher strategic focus of our work.
- More senior audit staff input and fresh thinking.
- Less reliance on ‘Accountants’ – more reliance on ‘Auditors’.
- Auditors now need greater sector knowledge and experience.
- More ‘added value’ for the organisation.
- Work given greater importance within the organisation.
- Less burden on Finance staff.
- We need to ‘win over’ an entirely different audience!

Risk Based Internal Audit (cont.)
Does this mean that good control within finance systems is no longer important? No! Good financial controls are as important now as they have always been. Management and internal and external audit all place a great deal of reliance on good financial controls operating. Ultimately, it is management’s responsibility to ensure good financial controls are maintained. We will still have regard to financial controls as part of our work.

Risk Management and Internal Audit – the future
- Risk management practices will become more honed;
- Internal Audit will have a key role to play providing organisations with assurance that risks are appropriately managed;
- Control Risk Self Assessment (CRSA) will become an important tool for management and auditors alike, particularly within Finance; and
- Internal Audit will no longer be seen as a Finance function.
Session 4 – Risk Management at the University

Risk Management at the University of Exeter
The University has a strong risk management system in place that concords with best practice:
- Roles and responsibilities clear;
- Strategic and operational risks;
- Strategic risks linked to strategic objectives;
- Risk tolerance level and current tolerance gap identified for each risk;
- Register kept ‘live’ in terms of controls, gross and net scores, EWMs and required action;
- Regular review by Performance & Risk Steering Group; and
- VCEG / Audit Committee review.

Risk Management and the University of Exeter
However, there is still room for improvement:
- Risk management at the operational level could be better;
- Risk management not truly ‘embedded’ in the organisation;
- Risk scoring could be better defined;
- Processes for monitoring EWMs could be better; and
- Assurance needs could be clarified and better met.
We will help the University to improve these areas over the next few years.

Current risk management arrangements – Strategic level
- Strategy is set ultimately by Council in consultation with others.
- Strategic risks are determined by senior management.
- These are scored and grouped into ‘primary’ and ‘secondary’ strategic risks.
- Risk Owners and Risk Facilitators are assigned to ‘flesh out’ risks and manage these risks on a day to day basis.
- PRSG monitors progress to reduce risk exposure and to ensure consistency of scoring across all risks.
- Promotion and relegation occurs between the primary and secondary strategic risk registers.
- Internal audit periodically and independently reviews the management of risks and the quality of risk register entries.

Current risk management arrangements – Operational level
- Schools complete risk registers as part of the annual planning cycle.
- Review by School Planning Groups / Corporate Planning Services.
- Services manage risk through risk registers / project management process.
- There are no formal processes in place to escalate School / Service risks to the strategic risk registers.
- The management of these risks is generally not formally and periodically assessed by internal audit.
Session 5 – Changes to the existing risk management arrangements

What’s new?
- New risk register template;
- New risk scoring system;
- Focus on the development of SMART EWMs;
- Greater emphasis on controls and the provision of assurance that these are in place and operating correctly; and
- An escalation / relegation process between School / Service risk registers and the strategic risk registers.

Why change?
- Clearer process: a clearer process of risk management at School level is required, with a proper process of escalation of risks to the corporate risk registers. This will further embed risk management within the University.
- Clearer scoring: a new scoring mechanism for both pre and post mitigation, based on tangible 1-6 matrices rather than an undefined 1-10 scale.
- Clearer articulation of risks and associated controls and EWMs: the new risk register template is designed to align possible risk exposures with the EWMs and controls being relied upon to manage these, as well as helping managers to regularly monitor EWMs and assure themselves of the presence and effectiveness of controls.
Session 6 – Risk linkage and escalation

Risk linkage
- Fewer and larger Schools / Services makes linkage crucial.
- Top down approach – all University fundamental risks should be considered for a School / Service register, but some may not be necessary for a School / Service register.
- Schools / Services may have risks unique to them.

Risk escalation
- Annual mapping exercise during the Summer term. Feedback to PRSG and Schools / Services in October.
- Look at emerging risks (movements) as well as current high scoring risks.
- Mix of objective analysis and judgement.
- Regular review by DVCs / Registrar and Secretary to PRSG, and back to Schools / Services.
Session 7 – New risk register template and scoring system

Risk register templates
Risk register for Schools / Services:
- Registers draw on the University register plus local risks.
- Registers prioritise risks.
New corporate risk register format:
- Landscape format and clearer layout.
- Links the EWMs and controls to the relevant potential exposure.
- Enables EWM and control status to be formally monitored and recorded, keeping them both ‘live’.
See example template documents supplied.

New scoring system
- Probability – 1 to 6 scale of narrative descriptions and likelihood percentages.
- Severity – 1 to 6 scale of narrative descriptions ranging from ‘insignificant’ to ‘catastrophic’.
- Some helpful (hopefully) definitions for different risk types have been compiled as a guide.
See separate probability and impact definitions sheet supplied.

Advantages of new scoring system
- Linked to clear definitions, so subjectivity should reduce and consistency of scoring should improve.
- This should make the deployment of resources more effective in dealing with risk.
- Can be applied to gross and net risks as well as to risk appetite.
- Therefore, the difference between the gross and net scores will tell you the value or worth of the controls in place that determine both severity and probability.
- Also, risk tolerance can be quantified in terms of the same scoring mechanism, making it easy to understand where existing controls need to be improved – to reduce the likelihood of occurrence or to reduce the severity if the risk does occur.

Risk Scoring Exercise – 15 minutes
Think about one of the risks you are responsible for and, using the new scoring process:
- Score your gross risk in terms of severity and probability;
- Score your risk tolerance in terms of severity and probability;
- Document why you have scored each of the elements this way (i.e. four separate comments).
Session 8 – Monitoring of EWMs and controls

How to set Early Warning Mechanisms
EWMs need to be capable of alerting you to the fact that a particular risk, or part of a risk, is about to occur, in sufficient time for you to take action to either prevent it or reduce the likelihood of it occurring, or to reduce the impact if it does. In order for this to be the case, each EWM should be selected with care to ensure that it is the right early warning tool. Care is also needed to ensure that the ‘trigger point’ is set appropriately, at a level that should not be hit under normal circumstances, but when it is reached, there is still time to take evasive action. Consideration should be given to the monitoring arrangements of each EWM - how the status should be monitored and how frequently this should occur.
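The scoring mechanism from Session 7 (1 to 6 probability and severity applied to gross, net and tolerance, with the gross/net difference as the worth of controls and the net/tolerance gap showing where controls need improving) and the EWM trigger points described above, modelled together as an added example. This code is not part of the workshop materials or the University's template; the register entry, EWM names and figures are constructed for illustration, and the narrative definitions behind each score remain in the separate definitions sheet.

```python
"""Risk register scoring and EWM trigger checks (added illustration, not part of
the workshop materials). Probability and severity each use the page's 1-6 scale,
applied to gross, net and tolerance; the narrative definitions behind each score
are in the separate sheet and not reproduced. All values are constructed."""
from dataclasses import dataclass, field

SCALE = range(1, 7)  # both axes use the 1 to 6 scale


@dataclass(frozen=True)
class Score:
    probability: int
    severity: int

    def __post_init__(self) -> None:
        if self.probability not in SCALE or self.severity not in SCALE:
            raise ValueError("probability and severity must be between 1 and 6")


@dataclass
class EarlyWarning:
    name: str
    trigger: float  # the trigger point: the EWM signals once it is reached
    current: float
    signal_above: bool = True  # False for indicators that signal on falling below

    def signalled(self) -> bool:
        if self.signal_above:
            return self.current >= self.trigger
        return self.current <= self.trigger


@dataclass
class RiskEntry:
    title: str
    gross: Score  # pre-mitigation (inherent) score
    net: Score  # post-mitigation (residual) score
    tolerance: Score  # the level the organisation is prepared to accept
    ewms: list = field(default_factory=list)

    def control_worth(self) -> dict:
        """Gross minus net on each axis: what the current controls are worth."""
        return {"probability": self.gross.probability - self.net.probability,
                "severity": self.gross.severity - self.net.severity}

    def tolerance_gap(self) -> dict:
        """Net minus tolerance on each axis; a positive gap means more control
        is needed on that axis to bring the risk within tolerance."""
        return {"probability": self.net.probability - self.tolerance.probability,
                "severity": self.net.severity - self.tolerance.severity}

    def actions_needed(self) -> list:
        """Axes the risk owner must work on. Assumption: a net score above
        gross is a scoring error to review, since controls cannot add risk."""
        if min(self.control_worth().values()) < 0:
            return ["review scoring: net exceeds gross"]
        gap = self.tolerance_gap()
        return [f"reduce {axis}" for axis in ("probability", "severity") if gap[axis] > 0]

    def signalled_ewms(self) -> list:
        """Names of the EWMs whose trigger point has been reached."""
        return [e.name for e in self.ewms if e.signalled()]


# Constructed register entry; the figures are illustrative only.
KEY_STAFF = RiskEntry(
    title="Loss of key academic staff in a School",
    gross=Score(probability=5, severity=4),
    net=Score(probability=3, severity=4),
    tolerance=Score(probability=2, severity=3),
    ewms=[EarlyWarning("annual staff turnover %", trigger=10.0, current=12.5),
          EarlyWarning("posts vacant over three months", trigger=4, current=2)],
)
```

For the constructed entry, the controls are worth two points of probability and nothing on severity, the net score still sits one point above tolerance on both axes, and the turnover EWM has reached its trigger point.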
Early Warning Mechanism Exercise – 20 minutes
Think about one of your potential exposures (sub risks) within the risk you have just scored and:
- Identify a relevant EWM that would be capable of alerting you in sufficient time that the risk is about to crystallise;
- Identify a trigger point; and
- Describe what action you would take if the trigger point were to be reached, how much this would affect the likelihood of the risk now occurring and how much it would affect the impact.

What constitutes an effective control?
- Controls must be directly relevant to the risk - you might need more than one per risk;
- They should be capable of reducing or eliminating the likelihood and / or impact of the risk concerned;
- They must be simple to operate;
- They must be proportionate and cost effective to the risk concerned – not a “sledgehammer to crack a nut” scenario! (and vice versa!)
- An individual should own or have responsibility for the effective operation of individual controls; and
- Managers should be able to assure themselves that the controls they rely on are in place and operating effectively.

Controls and assurance exercise – 20 minutes
For your chosen sub-risk / potential exposure:
- Detail the key controls you rely upon to prevent or limit BOTH the likelihood of the risk occurring and the impact if it does occur;
- Document how you (or your manager) can be assured that each control is both in place and operating correctly, and therefore can be relied upon to manage the risk concerned. Think about the frequency of such assurance; and
- Score the net risk.
Session 9 – What to expect from an Internal Audit

What will the audit seek to do?
- Review the adequacy of the risk register entry in terms of:
  - how the risk is articulated and scored;
  - whether all potential exposures have been considered;
  - whether suitable EWMs have been identified and trigger points have been established;
  - whether each EWM is being monitored appropriately and whether the current status of each is known;
  - whether appropriate controls have been established; and
  - whether appropriate monitoring arrangements are in place to tell managers if controls can be relied upon.
- Make recommendations to further improve the risk management arrangements in place; and
- Provide PRSG / Audit Committee with ongoing assurance as to how well University risks are being managed.

What you will get from us
- Advance warning of our impending visit and prior consultation over specific dates;
- An Audit Planning Memorandum for information, consultation and comment that sets out:
  - the people from our team who will be involved in the audit and those from the University we anticipate being involved;
  - the dates we will be on site;
  - the target date for the preparation of the draft report;
  - the target date for receipt of your comments on this;
  - the target date of the final report; and
  - the specific scope / objectives of the audit.
- A draft report for your comments; and
- A final report.

What will we want from you?
- Your co-operation throughout the audit process, but particularly over the scheduling and planning of our work;
- Copies of all relevant documents, policies and procedures – in advance if possible;
- Initial meetings with each risk owner and risk facilitator to go through all aspects of the risk register. Ideally these should be on the first or second day of our time on site;
- Subsequent meetings with all staff involved with the monitoring of each EWM and the operation of each control;
- Evidence of the status of each EWM (if possible); and
- Prompt comments on our draft report and recommendations.
Session 10 – Questions and Answers

Thank you for listening
If you have any other questions, queries or concerns, please contact us. Mazars LLP.