Siegfried addressing current governance and risk management challenges in governmental and international organizations

ICGFM ‐ Winter 2010 Conference
December 6, 2010

Addressing Current Governance and Risk
Management Challenges in Governmental and
International Organizations

Alan Siegfried
CIA, CCSA, CFSA, CGAP, CPA, CISA, CBA, CSP, CITP, MBA
Auditor General, Inter‐American Development Bank
IIA Chairman, North American Board

Our World at a Glance
• Global economic challenges and issues
• Changing regulatory environment
• Financial markets turmoil
• Shrinking workforce and massive layoffs
• Budget restrictions
• Risk management efforts ineffective
• Stakeholder confidence shaken
• Uncertainty and unpredictability

Opportunity for internal audit profession to demonstrate leadership
in risk management, control and governance

International Organizations. Alan N. Siegfried 2

Risk of Not Responding
• Diminished stature of Internal Audit in surfacing and
addressing emerging risks

• Significantly reduced credibility as a trusted governance
partner

• Diminished value of internal audit activities

• Seen as being inflexible and non‐responsive to emerging
risk

Where were the Internal Auditors?


Risk Management Lessons Learned
• Short term cost‐cutting with destructive operational or control
implications
• Reliance on a third party supplier, distributor, counterparty or joint
venture partners with financial difficulties what contingency plans
are in place
• Customer dissatisfaction over valued receivables
• Liquidity issues due to the tightening of credit and reduced demand
• Increased incentives for financial fraud
• Disgruntled current and ex‐employees who sabotage, pilfer assets
• Loss or damage to reputation

Internal Audit Role
Help management identify risks, design risk management strategies, assess
and monitor effectiveness of applicable controls


Current Challenges for Governance and
Risk Management
1. Aligning internal audit coverage to meet new expectations
2. Fully embrace a risk‐centric strategy
3. Realigning skills to address new requirements
4. Leveraging technology to achieve greater efficiencies
5. Coping with diminished resources
6. Maintaining stature with the audit committee
7. Integrate fraud and prevention and ethics investigations into audit
strategies
8. Demonstrate stronger commitment to quality
9. Enhance coordination internally
10. Demonstrating value and adding to the bottom line
The IIA 2009

Potential Internal Audit Involvement in Risk
Management and Governance
 Participate in cross functional ‘what if’ discussions to
reconsider risks and identify action plans

 Help design risk management / monitoring processes (i.e.,
controls!) to address risks

 Redirect audit resources to re‐assessed highest risk areas

 Internal audit review of risk management and organizational
governance


Video
http://www.youtube.com/watch?v=laKprX‐HP94


Understanding the Difference
• Risk management
“A process to identify, assess, manage and control potential events or
situations to provide reasonable assurance regarding the
achievement of the organization’s objectives”
• Control
“Any action taken by management, the board, and other parties to
manage risk and increase the likelihood that established objectives
and goals will be achieved”
• Governance
“The combination of processes and structures implemented by the
board in order to inform, direct, manage and monitor the activities of
the organization toward the achievement of its objectives”


What is Organizational Governance?

The process through which
Board
(1) values and goals are
IA RM established and
communicated,
(2) the accomplishment of goals
EA Executive
Management C is monitored,
(3) accountability is ensured, and
(4) values are preserved.

ORGANIZATION


Parties in the Governance Process
 Oversight group – board and committees of the board

 Stewardship group – executive management:
Dual role of stewardship of resources allocated by board
and accountability of results of operations

 Performance group – operating and support management
and staff

 Assurance group – internal and external auditing
functions,
and in some organizations, compliance and risk
management monitoring functions, are also part of the
assurance group.

Two Basic Responsibilities of the Board

Strategic Values
BOARD Direction Boundaries
Governance
Umbrella Accountability
Governance
Oversight Values
Preservation


Audit Committee Areas of Focus

Financial
Reporting

Risk
Internal Management
Audit Internal
Control

Audit
Committees
Areas of
Regulatory Focus
Compliance & External
Ethical Audit
Matters

Maintaining
Measuring Communicating
Effectiveness & Reporting


Key Components of Governance Oversight

Risk Senior
Management -
Governance Management Risk Owners
Stakeholders Umbrella
BOD
Assurance Internal-External


Governance Opportunities
“ Changing business and economic conditions provide an opportunity to reassess
board priorities and re‐focus the agenda”

Board skills and capabilities reflect the changing  business environment

Tighten risk management oversight

Keep ahead of the strategic agenda

Extract the most from board committees

Review the flow of information from management to the Board

Create and sustain an ethical organization

Recruit, develop and retain talented managers

Strengthen board governance and organizational policies
KPMG


What can Internal Audit Bring to the Table?

 Provide independent, objective assessments on:

 Appropriateness of governance structure
 Operating effectiveness of governance activities.

 Act as catalysts for change by:

 Advising or advocating improvements in governance
structure and practices

 Providing assurance on the risk management, control, and
governance
The IIA

Risk and Risk Management
• Risk is the probability/likelihood of something happening that will have
an adverse impact on objectives.

• Risk Management is the systematic application of processes and
structures that enable an organization to identify, assess, analyze,
optimize, monitor, improve, or transfer risk while communicating risk
and risk decisions to stakeholders.

 Enterprise Risk Management (ERM) deals with risks and opportunities
affecting value creation or preservation.

 ERM is a process, effected by an entity’s board of directors and
management which is applied in a strategy setting and across the
enterprise.  It is designed to identify potential events that may affect the
entity, and manage those risks to provide reasonable assurance
regarding the achievement of objectives.
Source:   Committee of Sponsoring Organizations, “Enterprise Risk
Management – Integrated Framework, Executive Summary”,
Addressing Current Governance and Risk 2004

Benefits of ERM
 Holistic view of risk in the organization
 Greater likelihood of achieving objectives
 Consolidated reporting of risks at board level
 Improved understanding of key risks and implications
 Identification and sharing of cross business risks
 Greater management focus on the issues that really
matter
 Fewer surprises or crises
 Increased likelihood of change initiatives being achieved
 Capability to take on greater risk for greater reward and
 More informed risk‐taking and decision‐making.


ERM Quality Classifications
• Advanced capabilities to identify, measure, manage all risk exposures within
tolerances
Excellent
• Advanced implementation, development and execution of ERM parameters
• Consistently optimizes risk adjusted returns throughout the organization
• Clear vision of risk tolerance and overall risk profile
• Risk Control exceeds adequate for most major risks
Strong • Has robust processes to identify and prepare for emerging risks
• Incorporates risk management and decision making to optimize risk adjusted
returns

• Has fully functioning control systems in place for all of their major risks
• May lack a robust process for identifying and preparing for emerging risks
Adequate
• Performing good classical “silo” based risk management
• Not fully developed process to optimize risk adjusted returns

• Incomplete control process for one or more major risks
Weak • Inconsistent or limited capabilities to identify, measure or manage major risk
exposures
Source:  Standard & Poor’s


Fundamental Principles of an Effective
Risk Management Strategy in International Organizations

Clearly defined key roles, Common risk
Common definition of risk
responsibilities and management
and risk framework
authority infrastructure

Executive management
Appropriate transparency responsible for designing, Business units held
and visibility of governing implementing, and responsible for risk
bodies maintaining effective risk management
management

Support functions have Oversight functions
pervasive impact on the provide objective
business and the assurance , monitoring
management of risks and reporting


Effective Risk Management Practices

Adopt a risk Provide meaningful
management policy Appoint a risk risk information to
and specific risk manager Senior Management
component definitions and the Board

Quantify and
Set and review risk Perform Regular
communicate losses
limits with the Board assessments.
from risk

Transfer risks if cost is Train Management Provide annual
less that the cost of and the Board in risk assurance on the state
retention. matters. of risk management.


Responsibilities of the Risk Manager
 Implement an enterprise‐wide risk management strategy,
processes and controls
 Propose risk management policy for Board approval
 Coordinate risk management efforts across the
organization
 Collect and combine risk information
 Assess the information collected
 Identify, assess and report risks
 Communicate risk information to the Board and
Management
 Provide annual assurance on the state of risk management
 Affirm policies are appropriate for the foreseeable future.


Internal Audit’s Role in ERM


Internal Audit Value Proposition
Valued.
Moving the profession from recognized ‐ to trusted ‐ to valued
contributions to your organization and assurance to stakeholders Trusted.

Recognized.
 Understand the business management’s strategies and
objectives
 Focus on the right areas and the right risks
 Provide practical, relevant  and persuasive
recommendations
 Become proactive catalyst for positive change
 Balance consultative and assurance services
 Help protect AND grow the business
 Earn a ‘Seat at the table’
 Act as trusted advisor on risk, control and governance
issues

Responsibilities TODAY
 Seeking to understand stakeholder expectations and evaluating
effectiveness in meeting those expectations

 Developing and demonstrating strong communication skills to
effectively convey findings and recommendations

 Embracing and executing a balanced risk based audit plan

 Providing leadership on issues of corporate governance, fraud, risk
management, internal control and financial reporting

 Willing to challenge status quo, and operating as change agents

 Providing a learning environment and career pathway


Useful Tools Corporate Executive Board

Risk Management Evaluation Framework
Level Risk Evaluation Criteria
Provide Clear Risk Management Policies and Procedures
Provide Clear Risk Management Corporate Governance Structures
Provide Tools and Frameworks to Train the Line to Manage Risk
Leverage Company Knowledge to Identify and Assess Risk
Level 1
Focus on Both the Upside and Downside of Risk to optimize Strategic Risk Taking
Prioritize Risk Based on Probability and Inherent Impact
Provide Clear Visibility into Key Risks and Mitigation Status
Aggregate Risk and Mitigation Information into a Central Database
Prioritize Risk Based on Probability and Residual Impact
Embed Risk Considerations into Day-to-Day Planning and Decision Making
Level 2
Link Risk Management to Employee Performance
Assess Effectiveness of Risk Mitigation Efforts
Coordinate Risk Assurance Activities Across the Organization
Assess Risk Velocity to Prioritize Risk Mitigation Efforts
Formally Define Business Unit Risk Appetite as Part of the Risk Opportunity Analysis
Embed Feedback Lops for Continuous Improvement in Risk Strategy
Level 3
Leverage Predictive Risk Metrics to Assess Probable impacts and Mitigation
Strategies
Develop a 360-Degree View of Counterparty Risk to Pinpoint Exposure Levels

Risks to Consider in 2010
Risk Type Risk
Financial • Reporting integrity • System security vulnerabilities • Off balance sheet risk
• Financial statements/disclosures • Inadequate recording/oversight of • Transactions are not properly
are misstated according to financial information approved
accounting standards • Estimates are not adequate • Inability to raise capital
• Lack of reliability in the systems   • Interest rate/market risk • Asset/liability risk
reporting key financial data • Foreign currency exchange • Investment risk
• Insufficient liquidity • Credit risk

Compliance • Non‐compliance with   • Breaching existing capital • Adherence to pension plan
employment practices requirements requirements
• Environmental contamination • Non‐adherence to debt covenants • Insider trading
• Record retention policy • Data used to support     • Safety health privacy violations
• Inability to meet contractual compliance is unreliable • Fraud
obligations

Strategic • Strategic alliances • Competitive pressure • Litigious trends and judicial
• Strategic planning does not • Loss of key customers uncertainty
consider external impacts • Counterparty failures • Reputation risk
• New products and services • Customer pricing pressure • Insufficient governance structure
• Customer demand shortfall • Disruptive technologies and  practices

Operational • Loss of key personnel • Natural disasters • Service quality
• Obsolete technology • Acts of terror • Project/change management
• Insufficient information • Third‐party outsourcing • Business disruption/system
technology governance • Security breaches failures
• Inadequate development   • Lack of business continuity     • Lack of sufficient contractual
effectiveness /disaster recovery planning oversight
• Process control risk
Addressing Current Governance and Risk Grant Thornton,

Final Thoughts

 Risks facing our organizations are unprecedented
and stakeholders’ expectations continue to increase

 Internal audit profession has an opportunity to step
forward to be a key player in Governance and Risk
Management

 Individual practitioners and organizations must
‘raise the bar’ to most effectively represent and
advocate for strong governance and risk
management


Value Final Thoughts

Foresight

Insight

Hindsight

Focus


Siegfried addressing current governance and risk management challenges in governmental and international organizations

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (18)

En vedette

En vedette (8)

Similaire à Siegfried addressing current governance and risk management challenges in governmental and international organizations

Similaire à Siegfried addressing current governance and risk management challenges in governmental and international organizations (20)

Plus de icgfmconference

Plus de icgfmconference (20)

Dernier

Dernier (20)

Siegfried addressing current governance and risk management challenges in governmental and international organizations