The role of internal audit in enterprise-wide risk management (ERM) James Glass Director, Business Review and Audit Division

Enterprise-wide Risk Management “A structured, consistent and co-ordinated framework for assessing, responding to and reporting on all risks that affect the achievement of an organisation’s objectives. ERM

Guidance IIA standards Position Statement on risk based internal auditing Position statement on embedding risk management Position statement (draft) on Enterprise wide risk management COSO2 framework

COSO draft guidance Objectives Identification Risk Assessment Response Controls Information & Communication Monitoring Internal Environment Strategic Operations Reporting Compliance

COSO Guidance – importance of internal environment

Benefits of ERM Greater likelihood of achieving an organisation’s objectives Reduction in management time spent fire fighting Concise/consolidated reporting of disparate risks Greater management focus on the things that matter Fewer surprises or crises Understanding the key risks and their wider implications More informed risk taking / decision making Seizing opportunities / competitive advantage

Internal audit role in ERM Central co-ordinating point for ERM Facilitating management’s response to risk Giving advice on identifying and classifying risks Facilitating risk workshops Monitoring risks across the business Operating the ERM framework Legitimate internal audit roles with safeguards Championing establishment of ERM Developing risk management strategy for board approval Holistic reporting on risks Roles internal audit should not undertake Accountability for risk management Managing risks on managements behalf Imposing risk management processes Taking decisions on risk responses Management assurance on risks Setting risk appetite Giving assurance on the risk management processes Giving assurance that risks are correctly classified Evaluating risk management processes Evaluating reporting of key risks Reviewing the management of key risks Core risk-based internal audit roles

Risk based auditing – risk framework / planning Identify corporate goals, risk appetite & risks to achieving goals Is overall risk management process adequate & effective for identifying, assessing, managing & reporting on risk? Report Facilitate improvement Use organisation’s own view of risk as far as possible Yes Use own assessment of risks (temporarily) with management input No Determine scope and priority of individual audit assignments

Risk based auditing - assignments Review business objectives in the area selected for audit against corporate goals Are risk management processes adequate to identify & manage risks to achieving business objectives and their wider implications? Where largely OK Evaluate processes and determine how management gain assurance that the risk management activities are being carried out as intended Where not OK Undertake / facilitate risk identification & assessment inherent risks risk mitigation residual risks Give assurance where OK and facilitate improvement where not

Risk based auditing – the environment High level of IA risk assessment Focus on improving risk capabilities Significant reliance on management process IA assesses major change risk & wider picture organisation & business model Pace & extent of change to IA undertakes risk assessments & works with management to improve risk management processes High reliance on management assurance Less need for IA unless changes Degree of risk awareness and risk management capability

Conclusion Be aware of latest guidance Importance within an organisation of: Understanding the language of risk Internal environment and culture Stakeholder expectations Need for effective risk based audit approach within the context of ERM

Questions