2015 IA Presentation (G Fisher, V2.1)
Demystifying Combined Assurance: Creating a Well-rounded Risk Profile to Assess the Adequacy of your Assurance Coverage
Grant Fisher, General Manager: Group Audit and Risk Management, Bridgestone South Africa
5 March 2015
Outline
1 Introduction
2 Obtaining a Multi-dimensional View of Risk
3 Your Key Role Players in Combined Assurance
4 How Many Lines of Defense are Enough?
5 Mapping Assurance Providers to Risks, Controls, and Objectives
6 Gap Analysis: Strengthening the Risk Net
7 Discussion Time and Case Study
1 Introduction
If you can't explain it simply, you don't understand it well enough.
Albert Einstein
1 Introduction (cont.)
I am convinced that a simple profit-seeking business will never thrive, but a business that contributes to its society and country will be forever profitable.
Shojiro Ishibashi, Founder
The essence of sustainability
60 years before the first King report, Bridgestone was promoting principles of good governance (even though the term did not yet exist).
1 Introduction (cont.)
The World of Assurance and Good Governance
In the past 20 years, we have seen a fundamental change in the role of business in society. This is particularly meaningful in the context of a new South Africa.
King I (1994)
• Introduced the concept of good governance
• Focused on the role of the Board
• Recommended Affirmative Action
King II (2002)
• Promoted the roles of Internal Audit and Risk Management
• Stressed the importance of sound financial reporting
• Recommended “non-financial reporting”
King III (2009)
• Promoted the roles of Internal Audit and Risk Management further
• Recommended Integrated Sustainability Reporting
• Introduced the concept of Combined Assurance
1 Introduction (cont.)
The World of Assurance and Good Governance (cont.)
What has changed?
Aspect | Western Capitalism | A New Compassionate Capitalism
Time horizon | Short-term focus | Considers short, medium and long-term
Value Creation | Returns to Shareholders | Value for Stakeholders
Mission | Profit motive above all else | Concern for people, planet, and profit
Annual Reporting | Financial Reporting | Integrated Sustainability Reporting
Who’s involved?
Internal Audit, Risk, Forensics, Transformation, Governance, Secretarial, Legal, Insurance, Compliance, CSR, SQE, Security
1 Introduction (cont.)
Why Combined Assurance?
It started with the King Report on Governance (King III):
The audit committee should ensure that a combined assurance model is applied to provide a co-ordinated approach to all assurance activities
Potential Benefits
• Focus on key risks
• Identify gaps
• Reduce operational disruptions
• Track remedial actions
• Improve reporting to the Board
• Support Integrated Report
1 Introduction (cont.)
Combined Assurance means better Risk Management and better Governance*
* but only if we want it to...
2 Obtaining a Multi-dimensional View of Risk
Ask yourself the following:
• Do we know what our risks are?
• Do we really know what our risks are?
• What are our biggest risks, and how do we measure them?
• How do we get our assurance?
• Who are we really relying on?
• If we know our risks, why do bad things still happen?
• Do we just tick the boxes?
(Think about Enron. ABIL. Are they that different to us?)
2 Obtaining a Multi-dimensional View of Risk (cont.)
How we do it at Bridgestone South Africa
Inputs to the Risk Profile: Risk Forum & Internal Audit; Incident Reports; Global Risks
• Incorporate global risks and classification systems
• Learn from local and global incidents, accidents and disasters
• Lead risk forum and conduct interviews (cross-functional team)
• Incorporate internal audit experience
• Consider other methods (PESTEL, SWOT, etc.)
• Leverage data analytics (planned)
2 Obtaining a Multi-dimensional View of Risk (cont.)
Elements of our Risk Framework
Policies and Standards
• Appetite
• Tolerance
• Capacity
• Risk Criteria
• Classification
Risk Management (Normal Conditions)
• All Risk Categories
• COSO ERM
• Risk Register
Business Continuity Management
• Emergency Planning
Incident Reporting
• Incidents
• Accidents
• Emergencies
Crisis Management
• Task Force Establishment
2 Obtaining a Multi-dimensional View of Risk (cont.)
Categories of our Top 10 Risks
Category | Qty
Regulatory Compliance | 2
Emergency Planning | 1
Transformation | 2
Operations | 1
Quality | 3
Ethics | 1
Our first financial risk is at #17 (Bad Debt), so then:
• Is Internal Audit really risk-based?
• Who is giving us the real assurance?
It cannot be the traditional world of financial audit.
(And it doesn’t help to get assurance on the wrong risks!)
2 Obtaining a Multi-dimensional View of Risk (cont.)
Establishing your Strategic Position (where do you fit in?)
Supply Chain [CORE]: Planning, Purchasing, Production, Logistics, Sales, Marketing
Administrative [SUPPORT]: Finance, HR, IT, SQE
Across all functions: Corporate Social Responsibility (CSR), Enterprise Risk Management (ERM), Internal Audit, Compliance
2 Obtaining a Multi-dimensional View of Risk (cont.)
What are we trying to achieve?
22 CSR Focus Points
Fundamental CSR Activities
• Stable Profits
• Compliance
• Business Continuity
• Stakeholder Communication
CSR through Business Activities
• Quality Products and Services
• Technological Innovation
• Customer Research
• Fair Business Practice
• Fair and CSR Procurement
• Timely Disclosure
CSR through Environmental Activities
• Conservation through Products
• Conservation through Supply Chain
• Social Activities
CSR from a Social Standpoint
• Job Satisfaction
• Workplace Safety
• Diversity
• Human Rights
• Social Activities and Volunteering
Global Reporting Initiative (GRI) Requirements
Economic Impact
• Financial Results (for shareholders)
• Impact on other Stakeholders: staff compensation, employee benefits, community investments, donations, returns to providers of capital, tax paid, local procurement, local recruitment, infrastructure development
Environmental Impact (materials, energy, water, etc.)
Social Impact
• Labour Practices
• Human Rights
• Society
• Product Responsibility
2 Obtaining a Multi-dimensional View of Risk (cont.)
What do we care about?
The way we look at value has changed, and new accounting standards reflect this. [For accounting value to reflect economic value, goodwill must be stated at Fair Market Value (IFRS)]
Value Perspective | Definition | Time Frame
Economic | NPV (Expected Future Income Flows) | Future
Accounting | Assets – Liabilities | Past
Now accountants have to look to the future to establish value,
and internal auditors have to look to the future to establish risk.
Yet neither has a crystal ball...
2 Obtaining a Multi-dimensional View of Risk (cont.)
Value theory of Risk
Risk: anything that can destroy Value (or potential value)
Assurance: activities undertaken to protect Value
Combined Assurance: co-ordinating of activities to protect Value
Or:
Integrating and aligning assurance processes in a company to maximise risk and governance oversight and control efficiencies, and optimise overall assurance to the audit and risk committee, considering the company’s risk appetite. (King III)
Or:
“Internal due diligence on an ongoing basis” (IRMSA)
2 Obtaining a Multi-dimensional View of Risk (cont.)
It takes a King to Govern
One of the best Governance Codes in the World, and yet...
2 Obtaining a Multi-dimensional View of Risk (cont.)
Corruption Perceptions Index 2013
South Africa’s biggest risk! [IRMSA Risk Report 2015]
P.S. What’s Botswana got that we haven’t?
2 Obtaining a Multi-dimensional View of Risk (cont.)
Another definition of Risk
Any obstacle to getting what we want
If you’re not thinking CSR, you’re not thinking risk
2 Obtaining a Multi-dimensional View of Risk (cont.)
Know your Universe
HR, Legal, Compliance, Ethics, Contracts, Security, Finance, IT, Wellness, Disaster, Safety, Quality, Environment, Business
2 Obtaining a Multi-dimensional View of Risk (cont.)
Develop some detail (but don’t get lost in it)
# | Broad Risk Category | Sub-category | Risk # | Risk Name | Key Person
1 | Human Capital | Skills Maintenance | 30 | Skills Shortage | Jane
 | | Industrial Relations | - | Unfair Dismissal |
 | | Labour Market Activity | 23 | Labour Unrest |
 | | Compensation Framework | 29 | Staff Compensation |
 | | Employee Relations | - | Employee Scandal |
 | | Employee Relations | 47 | Family Relationships |
 | | Recruitment | 45 | Fraudulent Applications |
 | | Staff Morale | 14 | Restructuring |
 | | Staff Morale | - | Division of Labour |
2 Obtaining a Multi-dimensional View of Risk (cont.)
Document thoroughly [extract from risk register]
P.S. What’s missing? Causes or contributing factors (there should be a control for every cause)
Register columns: 2014 Rank; Risk #; Date; Risk Name; Risk Description; Map to CSR Objective; BSJ Risk Category; COSO Risk Category; Likelihood (Pre-control); Impact (Pre-control); Inherent Risk; Existing Controls and/or Mitigation Measures; Likelihood (Post-control); Impact (Post-control); Residual Risk; Risk Response; Action Plan; Action by date; Person Responsible; Risk Owner; BCP Indicator; Progress to Plan / Follow-up Status
Row 1
2014 Rank: 1 | Risk #: 001 | Date: 26-Nov-13
Risk Name: Non-compliance with Competitions Act
Risk Description: A violation of the Competitions Act results in severe penalties (i.r.o. price fixing, market allocation, resale price maintenance, market power, collusion, etc.)
Map to CSR Objective: 128
BSJ Risk Category: 03 Legal | COSO Risk Category: Compliance
Likelihood (Pre-control): 4 | Impact (Pre-control): 5 | Inherent Risk: IV
Existing Controls and/or Mitigation Measures: Competition Compliance Training Manual (on Intranet)
Likelihood (Post-control): 3 | Impact (Post-control): 5 | Residual Risk: IV
Risk Response: Reduce
Action Plan: Policy on anti-cartel activity (in progress per BSJ instruction); On-line compliance training
Action by date: 31-12-2013 | Person Responsible: RS | Risk Owner: Legal | BCP Indicator: No
Progress to Plan / Follow-up Status: Policy approved by the Board (Dec 2013); Compliance Training rolled out to sales and marketing staff (Sep 2014)
Row 2
2014 Rank: 2 | Risk #: 002 | Date: 26-Nov-13
Risk Name: Terrorism or related catastrophe
Risk Description: An unforeseen act of terrorism or sabotage has a profound effect on the business
Map to CSR Objective: 1317
BSJ Risk Category: 07 Disaster | COSO Risk Category: Strategic
Likelihood (Pre-control): 1 | Impact (Pre-control): 5 | Inherent Risk: IV
Existing Controls and/or Mitigation Measures: Security on site; Risk Control Policy; Emergency Planning and Procedures (BSAF Plants); SASRIA cover is in place for Max T against terrorism provided it is politically motivated (NASRIA in Namibia)
Likelihood (Post-control): 1 | Impact (Post-control): 5 | Residual Risk: IV
Risk Response: TBD
Action Plan: Enhance and/or standardise contingency planning systems and procedures (at group level), giving special consideration to second-round effects (beyond initial financial impacts); Consider outsourcing the management of catastrophes
Action by date: TBD | Person Responsible: CT | Risk Owner: CSR / SQE | BCP Indicator: Yes
Note: Terrorist threat exists in Mozambique, but no SASRIA cover equivalent there
3 Your Key Role Players in Combined Assurance
Who are we relying on?
From the point of view of a multi-national...
Internal (Local): Operating Management; Group Audit and Risk; Legal / Secretarial; CSR / SQE; Human Resources; Finance; Information Technology; Technical
Group-Global: J-SOX Auditors; TQM Auditors; Internal Auditing; Business Continuity
External: External Audit; Corporate Lawyers; Consulting Engineers; Insurers; B-BBEE Verification Agency; ISO Certification; Labour Relations Consultants; OEM Auditors (e.g. BMW); Fire Protection Inspectors; Safety Inspectors; Forensic Consultants
3 Your Key Role Players in Combined Assurance (cont.)
Should we be relying on them?
Internal Assurers
• Highly Skilled, but not Independent
Group-Global
• Skilled and Independent, but limited Local Knowledge
External Assurers
• Skilled, Relatively Independent, and Accredited, but Costly
3 Your Key Role Players in Combined Assurance (cont.)
Special Case: J-SOX (Mutual Assurance)
The Group CEO (Global) performs a group assessment based on internal control confirmation statements submitted by each group company, and submits an internal control statement based on the assessment results to the Prime Minister of Japan. Each Group Company conducts their own control self-assessment.
Assurance is provided on the following control types:
• Entity Level Controls
• Financial Closing and Reporting Controls
• Business Process Controls
• IT General Controls
BSJ places reliance on our self-assessment.
We place reliance on their independent validation.
3 Your Key Role Players in Combined Assurance (cont.)
And for JSE-Listed Companies...
• Who gives you assurance on your integrated report?
• Are traditional auditors the right people?
• Do they have the right credentials?
• Is the report really integrated?
• Do we create value over time...?
On the other hand...
• Is independent assurance even possible?
• Are we taking assurance too far?
• Should we stop with Internal Audit?
• You cannot guarantee sustainability [King III vs JSE]
4 How many Lines of Defense are Enough?
According to the IIA…
Line 1
• Risk and Control Owners [Management]
Line 2
• Risk Management Process Owners [e.g. Risk Management / Risk Forum]
Line 3
• Assurance Providers on Risk Management Process [Internal Audit]
Line 4
• External Assurance Providers and Consultants
Line 5
• Board Sub-committees
In other words...
5 Mapping Assurance Providers to Risks, Controls, and Objectives
Developing a Model (According to IRMSA)
1. Create Awareness
• Define what it is
• Explain the benefits
2. Identify a Champion
• Chief Internal Auditor
• Chief Risk Officer
3. Develop an Assurance Strategy
• Identify business objectives and risks that affect their attainment
• Prioritise risks
4. Identify and Involve Assurance Providers
• Secure commitment
• Especially Internal Audit
5. Map Risks to Assurance Providers
• Describe assurance mission of each provider
• Draft assurance activities to be undertaken and frequency
6. Decide on Optimum Model
• Design blueprint
• Build infrastructure (risk methodology)
5 Mapping Assurance Providers to Risks, Controls, and Objectives (cont.)
Getting Started (getting a broad overview)
Business Process | Internal Assurance Provider | Output | External Assurance Provider | Output
Economic / Financial
Economic Value Added | – | – | External Audit | Value Added Report
Financial Results | – | – | External Audit | External Audit Report
Safety, Health, Environment & Quality
Legal Safety Compliance | CSR / SHEQ Department | Inspection Reports | Consultants (BSMP) | Audit / Inspection Report
Safety Systems | CSR / SHEQ Department | Inspection Reports | DQS GmbH (BSAF) | OHSAS18001:2007 Certification
Environmental Standards | CSR / SHEQ Department | Inspection Reports | DQS GmbH (BSAF) | ISO14001:2004 Certification
Quality Systems | CSR / SHEQ Department | Inspection Reports | DQS GmbH (BSAF) | ISO9001:2008 and TS16949:2009 Certification
Empowerment
B-BBEE Credentials | – | – | Service Provider | B-BBEE Scorecard
Human Resources
Employee Satisfaction | To be confirmed | Employee Satisfaction Survey | – | –
Risk, Control and Governance
Internal Control Environment | Group Audit and Risk | Internal Audit Report to the Board | – | –
Risk Management Process | Group Audit and Risk | Internal Audit Report to the Board | – | –
Governance / King III | Group Audit and Risk | Governance Assessment Report | To be confirmed | Independent Statement
Sustainability Reporting | CSR / SHEQ Department | CSR Report | External Audit | Independent Assurance Report
5 Mapping Assurance Providers to Risks, Controls, and Objectives (cont.)
Mapping by Risk
Register columns: 2014 Rank; Risk #; Date; Risk Name; Risk Description; Map to CSR Objective; BSJ Risk Category; COSO Risk Category; Likelihood (Pre-control); Impact (Pre-control); Inherent Risk; Existing Controls and/or Mitigation Measures; Likelihood (Post-control); Impact (Post-control); Residual Risk; Risk Response; Action Plan; Action by date; Person Responsible; Risk Owner; BCP Indicator; Progress to Plan / Follow-up Status; Supporting Process; 1st Line Assurance; 2nd Line Assurance; 3rd Line Assurance; External Assurance; Assurance Gap
Row 1
2014 Rank: 1 | Risk #: 001 | Date: 26-Nov-13
Risk Name: Non-compliance with Competitions Act
Risk Description: A violation of the Competitions Act results in severe penalties (i.r.o. price fixing, market allocation, resale price maintenance, market power, collusion, etc.)
Map to CSR Objective: 128
BSJ Risk Category: 03 Legal | COSO Risk Category: Compliance
Likelihood (Pre-control): 4 | Impact (Pre-control): 5 | Inherent Risk: IV
Existing Controls and/or Mitigation Measures: Competition Compliance Training Manual (on Intranet)
Likelihood (Post-control): 3 | Impact (Post-control): 5 | Residual Risk: IV
Risk Response: Reduce
Action Plan: Policy on anti-cartel activity (in progress per BSJ instruction); On-line compliance training
Action by date: 31-12-2013 | Person Responsible: RS | Risk Owner: Legal | BCP Indicator: No
Progress to Plan / Follow-up Status: Policy approved by the Board (Dec 2013); Compliance Training rolled out to sales and marketing staff (Sep 2014)
Supporting Process: Compliance Training
1st Line Assurance: Operating Management (Sales and Marketing)
2nd Line Assurance: Legal / Secretarial
3rd Line Assurance: Internal Audit
External Assurance: Corporate Lawyers
Assurance Gap: Legal Compliance Audit (A - Z)
Row 2
2014 Rank: 6 | Risk #: 005 | Date: 26-Nov-13
Risk Name: Product Recall
Risk Description: Product failures result in recalls that cause reputational damage
Map to CSR Objective: 15
BSJ Risk Category: 09 Quality | COSO Risk Category: Strategic
Likelihood (Pre-control): 4 | Impact (Pre-control): 5 | Inherent Risk: IV
Existing Controls and/or Mitigation Measures: QA testing, manufacturing quality gates, QTR procedures; QS Procedure (correct, updated testing procedures should be followed at all times; suspect tyres not released); ISO9001; Extension under liability policy
Likelihood (Post-control): 2 | Impact (Post-control): 4 | Residual Risk: III
Risk Response: Accept
Action Plan: F Qualification audit at Brits (BSJ) [Quality Process Audit]
Action by date: Ongoing | Person Responsible: PW | Risk Owner: Quality | BCP Indicator: Yes
Progress to Plan / Follow-up Status: Audit completed; IIP for corrective actions in progress
Supporting Process: Quality Control
1st Line Assurance: Operating Management (Plant)
2nd Line Assurance: CSR / SQE - DQS (ISO9001 and TS16949)
3rd Line Assurance: TQM Auditors (BSJ)
External Assurance: Quality Auditor / Inspector or CQO
Assurance Gap: –
• Select high residual risks and high inherent risks
• Consider low level risks for overkill
5 Mapping Assurance Providers to Risks, Controls, and Objectives (cont.)
A Different Perspective (public sector template)
6 Gap Analysis: Strengthening the Risk Net
An ongoing process:
1. Assess the extent of Risk Coverage
2. Assess Assurance Providers
• Credentials
• Methodologies
• Independence
• Business Knowledge
• Cost
3. Identify Assurance Gaps
• Compare actual with desired levels
• Gaps in coverage
• Gaps in assurance provider capability
4. Identify Assurance Overkill
• Low level risks
• Misunderstood risks
• Duplication of effort
5. Compile Remedial Action Plan
6. Report to Governing Body
7. Track Actions against Plan
8. Monitor, Update and Improve
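One way to run the gap and overkill checks of this process over the register rows from the "Mapping by Risk" slide, as an added example in Python that is not part of the presentation: the rating bands, the coverage rule, the overkill threshold and the two rows marked "Constructed" are assumptions of mine, not Bridgestone's method.

```python
from dataclasses import dataclass, field
LINES = ("1st", "2nd", "3rd", "External")  # lines of assurance on the mapping slide

@dataclass
class Risk:
    risk_no: str
    name: str
    inherent: tuple  # (likelihood, impact) pre-control, each 1..5
    residual: tuple  # (likelihood, impact) post-control
    assurance: dict = field(default_factory=dict)  # line -> provider
    recorded_gap: str = ""  # free-text "Assurance Gap" column, if filled in

def band(likelihood, impact):
    """Assumed four-band rating on likelihood x impact; it reproduces the
    slide's 20 -> IV, 15 -> IV and 8 -> III, but the cut-offs are mine."""
    score = likelihood * impact
    if score >= 15:
        return "IV"
    if score >= 8:
        return "III"
    return "II" if score >= 4 else "I"

def assess(risk, high=("IV",), low=("I", "II"), overkill_at=3):
    """Classify one register row as GAP, OVERKILL or OK (assumed rules): a gap
    already recorded in the register stands; a risk rated high inherently or
    residually needs every line filled; a low residual risk with >= overkill_at
    providers is overkill."""
    inh, res = band(*risk.inherent), band(*risk.residual)
    covered = [ln for ln in LINES if risk.assurance.get(ln)]
    missing = [ln for ln in LINES if ln not in covered]
    if risk.recorded_gap:
        return "GAP", f"{risk.name}: register records gap '{risk.recorded_gap}'"
    if (inh in high or res in high) and missing:
        return "GAP", f"{risk.name}: rated {inh}/{res}, no {', '.join(missing)} line assurance"
    if res in low and len(covered) >= overkill_at:
        return "OVERKILL", f"{risk.name}: residual {res} but {len(covered)} assurance lines"
    return "OK", f"{risk.name}: rated {inh}/{res}, covered by {', '.join(covered) or 'nobody'}"

REGISTER = [
    # Rows 001 and 005 as shown on the slides (providers as read off the mapping columns).
    Risk("001", "Non-compliance with Competitions Act", (4, 5), (3, 5),
         {"1st": "Operating Management (Sales and Marketing)", "2nd": "Legal / Secretarial",
          "3rd": "Internal Audit", "External": "Corporate Lawyers"},
         recorded_gap="Legal Compliance Audit (A - Z)"),
    Risk("005", "Product Recall", (4, 5), (2, 4),
         {"1st": "Operating Management (Plant)", "2nd": "CSR / SQE - DQS (ISO9001 and TS16949)",
          "3rd": "TQM Auditors (BSJ)", "External": "Quality Auditor / Inspector or CQO"}),
    # Constructed rows (not on the slides) to exercise the other two findings.
    Risk("X1", "Constructed: high risk, no 2nd line or external assurance", (5, 5), (4, 5),
         {"1st": "Operating Management", "3rd": "Internal Audit"}),
    Risk("X2", "Constructed: low level risk, four assurers", (2, 2), (1, 2),
         dict.fromkeys(LINES, "someone")),
]

def gap_report(register=REGISTER):
    # Group risk numbers by finding: the raw input to a remedial action plan.
    out = {"GAP": [], "OVERKILL": [], "OK": []}
    for r in register:
        out[assess(r)[0]].append(r.risk_no)
    return out
```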
7 Discussion Time and Case Study
Food for Thought
The world changes in strange and unpredictable ways. Not one of the great political or economic shifts of the past 100 years was predicted with any degree of accuracy. Examples stretch from the end of the Cold War to the global financial crisis. Remember that in 1985 PW Botha warned that he would not lead white South Africa down the path of “abdication and suicide”. Ten years later Nelson Mandela celebrated his first anniversary in the Union Buildings. Most recently American officials have admitted that they did not see ISIS coming.
Therefore resist the temptation to use short-term current trends to come to fixed conclusions about (the) future – history suggests that your initial conclusions may be very wrong.
Frans Cronje, CEO: Institute of Race Relations (quoted with permission)
7 Discussion Time and Case Study (cont.)
Questions
Comments
Ideas?
7 Discussion Time and Case Study (cont.)
Case Study: African Bank
• Record Loss: “needed 8.5 billion rand to survive”
• Seven of the eleven directors had no previous banking experience
• Share price plummeted more than 95%
• Made loans at annual interest rates as high as 60%
• “…didn’t provide enough for bad debts” – Sanlam
• Ripple effects: Moody’s lowered credit ratings on the four largest banks
• Could even bring SA closer to a ratings downgrade – Standard Bank
• Sunday Times Front Page: “F*** the poor” – Chief Risk Officer
• Charming CEO + Weak Chairman = No balance of power
Sources: BusinessReport and Sunday Times
7 Discussion Time and Case Study (cont.)
Case Study: African Bank (cont.)
What the company said…
ABIL Risk Management strategy is to embed a risk culture and support business units within the group
- Accountability – Risk Report financial year ended 30 September 2013
The audit Committee must ensure that the combined assurance received is appropriate to address the significant risks facing the company. The combined assurance model consists of management, the Risk committee, internal assurance providers i.e. finance, internal audit, risk and external assurance providers i.e. external auditors. The Audit committee must monitor the relationship between the external assurance providers and the company.
- Group Audit Committee Charter of ABIL and Group Subsidiaries
7 Discussion Time and Case Study (cont.)
SO WHERE WERE THEY?
Thank You