Heads of Internal Audit Webinar Integrated Assurance 24 July 2013 In partnership with
THOMSON REUTERS GRC
WEBINAR PRESENTER
Vicky Kubitscheck CFIIA
Vicky is an independent advisor, and an executive member and Chief Risk Officer at Police Mutual Group. She has over 25 years' experience working alongside boards and executive management, and leading and managing the strategic development of governance, risk, regulatory and assurance frameworks both in the private and public sector and across a number of industries.
Vicky chairs the Insurance Internal Audit Group (IIAG), is a member of the Institute of Directors, a Fellow of the Chartered Institute of Internal Auditors and a Professional Member of the Institute for Operational Risk. She will be sitting on a new Advisory Group set up by the FRC to assist them in reviewing possible changes to the UK Corporate Governance Code and integrating the principles of the recommendations of the Sharman Panel with the FRC's Guidance on risk management and internal control (Turnbull).

INTEGRATED ASSURANCE
Beyond boundaries of risk, compliance and governance
AGENDA
Introduction
  An overview
  The case for rethinking assurance
What is Integrated Assurance
  Key features of integrated assurance
  Why is it important for effective governance
Practical implementation
  Key considerations
  Practical examples
Discussion

Integrated assurance: An overview
No universally agreed definition (yet)
  Variations in interpretation and application at different levels
  Various terms used, eg Coordinated Assurance, Combined Assurance, GRC (Governance, Risk and Compliance), Enterprise Risk Management
  Common characteristic: coordination between assurance functions including internal and external audit
  Thrust of IIA definition: coordination and role of internal audit
Case for rethinking assurance in the boardroom
  Assurance is intuitive and often taken for granted until something fails
  Financial crisis exposed weaknesses in governance and quality of assurance
  Better appreciation of the assurance food chain to restore confidence
  Integrated view of risks and assurance over the effectiveness of risk management

Slide 7: The case for rethinking assurance in the boardroom
Financial crisis exposed weaknesses in boardroom practice: risk and its assurance was disjoined
  Level of informed risk taking and oversight
  Adequacy of assurance against excessive risk taking
  Openness and transparency
  Accountability, skills and competency
Common themes from post-crisis analyses
  Boards did not sufficiently challenge the executive
  Boards did not understand their business models adequately or higher risk activities, eg services, products, M&A processes
  Boards did not receive appropriate management information to assure themselves for proper discharge of their oversight role

Slide 8: Restoring confidence in the boardroom
Rethinking assurance
  No risk-free zone in the boardroom
  Assurance is a transaction to inspire and maintain confidence
  The board sits at the highest level of the assurance food chain and sets the tone for its demand and supply
  Need to take assurance from an intuitive to a practical level in the boardroom
  More risk-based assurance across the three lines of defence beyond functional boundaries and silos, ie more joined up
"Assurance is often intuitive among experienced non-execs, but boards require an effective process to maximise the benefits of their experience"
Glen Moreno, Chairman of Pearson, Deputy Chairman of the FRC, Ex Chairman UKFI, NED

Slide 9: What is Integrated Assurance?
Key characteristics of integrated assurance
Promotes risk management and its assurance as an integrated process across functional boundaries
Provides an holistic or aggregate view of risk assurance
  Enabling a view of residual risks based on the level of assurance it has over its controls and risk mitigation strategies
  Joined-up view of risks: one truth
Based on a methodical process
  Identifies the principal risks and core business activities or processes against the business model and operating environment
  Maps the nature and level of assurance available across all lines of defence against each principal risk and core process (assurance maps)
  Assesses the adequacy of assurance activity across the against board's risk appetite and tolerances
  Determines enhancements to satisfy board's risk assurance requirements

Slide 10: Why is it important for effective governance?
The case for implementing integrated assurance
Impact of different truths of risks and risk taking across the organisation
  Obscures effectiveness of risk strategy and leads to blind risk taking that exceeds board's risk appetite
  Undermines integrity of valid assurance: which truth to believe
  Reduces board's confidence in the organisation's risk mitigation and systems of internal control
  Distracts management and the board from things that really matter
Gaps, overlaps and duplication in assurance activity
  Sub-optimal use of resources
  Blurs accountability between the three lines of defence
Silo approach to risk identification, assessment, mitigation and reporting
  Inconsistent views and sub-optimal decision making and uninformed risk taking

Slide 11: Implementing Integrated Assurance
Three levels of application, each level building on the last
Level 1: Integrated Assurance Planning
  Purpose of assurance mapping in respect of the principal risks of the enterprise: To identify gaps in the provision or contribution of assurance across the 3 lines of defence
  Main application or purpose: To inform internal audit planning and other risk assurance planning
Level 2: Enhancing Integrated Assurance
  Purpose of assurance mapping in respect of the principal risks of the enterprise: To determine the nature and level of assurance being provided from each line of defence in order to assess areas for improvements
  Main application or purpose: To identify areas where the quality of risk assurance methodology could be improved across all lines of defence
Level 3: Integrated Assurance Oversight
  Purpose of assurance mapping in respect of the principal risks of the enterprise: Building on Level 2, this level aims to collate the outcomes of the assurance activity that is operating at the optimal level across the 3 lines of defence
  Main application or purpose: To gain a holistic picture of the level of confidence in the underlying controls and risk mitigation strategy across all lines of defence. Facilitates forward-looking risk and assurance discussions.
Health warning: the assurance map is not the goal

Slide 12: Example template of assurance mapping at Level 1 application of integrated assurance
1. What to include in the mapping
2. Mapping across the three lines of defence
3. Defining the Key; will be different for each level of application

Slide 13: Practical implementation: key considerations
Different levels of application and scope
  Three key levels of application (slide 8)
  5 key options from Group Wide, Group level only to entity or even risk specific
  Pilot implementation: identifying allies and partners
Options depend on...
  Mandate from the top
  Resources and skills
  Risk and assurance maturity
Top 3 key challenges
  Lack of definition
  Resources and ownership
  Risk maturity

Slide 14: Practical examples and discussion
Case study 1: Listed global telecommunications organisation
  Implementing Level 2 progressing to Level 3; led by Risk and Internal Audit
  Identified credible assurance providers in the 1st and 2nd lines of defence; extending scope and improving integrated assurance reporting to the Group Audit Committee
Case study 2: UK-based financial services company
  Deployed existing framework at Level 3 to provide the Group Audit Committee with a deep dive, integrated risk assurance view of a subsidiary prior to the Board's discussion on strategic development of the subsidiary; led by CRO
Case study 3: Company serving a multi-billion $ aviation industry
  Level 2 with elements of Level 3; led by Internal Audit
  Enhanced local accountability, risk management and risk assurance oversight at board level; further alignment between assurance and risks
Case study 4: Listed global financial services
  Level 3 with focus on bringing together the key assurance providers to discuss risks, issues and assurance with a forward-looking view; led by CRO
  Improved risk awareness and discussion at Group Audit and Group Risk Committee

Slide 15: Integrated assurance
Promoting joined-up risk governance
Any queries, please do not hesitate to contact me at vicky@kubitscheck.com
© 2013 Vicky Kubitscheck

Don't miss out
The next Heads of Internal Audit Service forum will take place on 10 September in London and will take a practical look at the key issues surrounding social, economic and political risk.
Summaries of past forums and recordings of previous webinars can be accessed via the Heads of Internal Audit Service section of the IIA website at www.iia.org.uk
Thank you to IIA Partner Thomson Reuters for supporting this webinar