
Page 1: it’s a risky business › html › publications › risky... · IT’S A RISKY BUSINESS \ 2014 . Page . 2. WHY IS THIS PUBLICATION NEEDED? The 2005 edition of . It’s a Risky Business

2014 edition

it’s a risky business


CIPFA, the Chartered Institute of Public Finance and Accountancy, is the professional body for people in public finance. Our 14,000 members work throughout the public services, in national audit agencies, in major accountancy firms, and in other bodies where public money needs to be effectively and efficiently managed. As the world’s only professional accountancy body to specialise in public services, CIPFA’s qualifications are the foundation for a career in public finance. We also champion high performance in public services, translating our experience and insight into clear advice and practical services. Globally, CIPFA shows the way in public finance by standing up for sound public financial management and good governance.

CIPFA values all feedback it receives on any aspects of its publications and publishing programme. Please send your comments to [email protected]

Our range of high quality advisory, information and consultancy services help public bodies – from small councils to large central government departments – to deal with the issues that matter today. And our monthly magazine, Public Finance, is the most influential and widely read periodical in the field.

Here is just a taste of what we provide:

• TISonline – online financial management guidance

• Recruitment services

• Benchmarking

• Research and statistical information

• Advisory services

• Seminars and conferences

• Professional networks

• Education and training

• Property and asset management services

• CIPFA Regions – UK-wide events run by CIPFA members

Call or visit our website to find out more about CIPFA, our products and services – and how we can support you and your organisation in these unparalleled times.

020 7543 5600 [email protected] www.cipfa.org

Environmental Information

This CIPFA publication is printed on certified FSC mixed sources coated grade stock containing 50% recovered waste and 50% virgin fibre.

Printed on stock sourced from well-managed forests, ISO 14001.


IT’S A RISKY BUSINESS \ 2014 EDITION

Page ii

Published by:

CIPFA \ THE CHARTERED INSTITUTE OF PUBLIC FINANCE AND ACCOUNTANCY

3 Robert Street, London WC2N 6RL

From 1 January 2015, CIPFA will be moving to 77 Mansell Street, London E1 8AN

020 7543 5600 \ [email protected] \ www.cipfa.org

© November 2014 CIPFA

ISBN 978 1 84508 425 7

Edited by Sarah Williams ([email protected])

Designed and typeset by Ministry of Design, Bath (www.ministryofdesign.co.uk)

Printed by Complete Product Company, Malmesbury

No responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication can be accepted by the authors or publisher.

While every care has been taken in the preparation of this publication, it may contain errors for which the publisher and authors cannot be held responsible.

Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act, 1988, this publication may be reproduced, stored or transmitted, in any form or by any means, only with the prior permission in writing of the publishers, or in the case of reprographic reproduction in accordance with the terms of licences issued by the Copyright Licensing Agency Ltd. Enquiries concerning reproduction outside those terms should be sent to the publishers at the above mentioned address.


Page iii

Foreword

This publication is an enhanced and updated edition of the 2005 publication It’s a Risky Business. It has been brought up to date to reflect the latest in professional standards for internal audit, and developments in governance and in the UK public sector generally. It includes examples and case studies from audit practitioners to illustrate how internal auditors can provide assurance on and contribute to the improvement of their organisation’s risk management processes, and how auditors can develop risk-based plans and approaches to their work. It has been redesigned to enable internal auditors to use the approaches to assurance gathering and assessing risk maturity interactively.

Although a great deal has happened since 2005, the key approaches designed then still hold true today. Internal auditors still need to understand risk and how they can evaluate and, where possible, improve upon their organisations’ risk management arrangements. They need to consider risk as the fundamental concept driving internal audit methodologies and techniques. Above all, they need to keep abreast of the changing, challenging public sector environment which exposes their organisations to ever more complex risks and offers ever greater opportunities to innovate in public service delivery.


Page v

Acknowledgements

CIPFA is grateful to the author, Patrick Clackett, independent consultant, and also wishes to thank the following for their assistance with the preparation of this guide:

Matthew Allen Policy Support Officer, CIPFA

Derek Corbett Director, London Audit Consortium, Barts Health NHS Trust

Tim Crowley Chair, CIPFA Audit Panel

Sallie Dailly Chief Internal Auditor, Dundee City Council

Ian Haldenby Director of Internal Audit, HMRC

Richard King Independent Consultant

Ruth Lowry Chief Internal Auditor, Lancashire Council

Keeley Lund Policy and Technical Manager, CIPFA

Diana Melville Governance Advisor, CIPFA

Mervyn Murphy Divisional Manager, Audit and Operational Finance, Halton Borough Council

John Pearsall Internal Audit and Risk Manager, Stockport Council

Ceri Pilawski Audit Service Manager, Shropshire Council

Julie Sharp Chief Internal Auditor, London Borough of Redbridge

Karan Wheatcroft Operations Director, Mersey Internal Audit Agency

Jon Whitfield Director, XDIAS Head of Government Internal Audit

Marianne Wood Head of Internal Audit, London Borough of Newham


Page vii

Contents

CHAPTER ONE: INTRODUCTION ............................................................................................................................... 1

BACKGROUND .........................................................................................................................................................1

WHY IS THIS PUBLICATION NEEDED? ................................................................................................................2

WHO IS THIS PUBLICATION FOR? ........................................................................................................................2

DEFINING RISK AND RISK MANAGEMENT .........................................................................................................3

INTERNAL AUDIT’S ROLE ......................................................................................................................................3

STRUCTURE OF THIS PUBLICATION ....................................................................................................................6

CHAPTER TWO: GOVERNANCE, RISK MANAGEMENT, CONTROL AND ASSURANCE .......................................... 7

GOVERNANCE IN THE PUBLIC SECTOR ...............................................................................................................7

EXPLORING THE CONCEPT OF RISK MANAGEMENT .........................................................................................9

THE ROLE OF THE GOVERNING BODY ................................................................................................................18

THE ROLE OF THE AUDIT COMMITTEE ..............................................................................................................20

INTERNAL AUDITORS AND RISK MANAGERS ..................................................................................................21

ASSURANCE ...........................................................................................................................................................23

RISK MANAGEMENT AND GOVERNANCE ROLES AND RESPONSIBILITIES .................................................28

CHECKLIST FOR AUDITORS .................................................................................................................................30

ANNEX 2.1: MANAGING RISK – A PRAGMATIC EXAMPLE ..............................................................................31

ANNEX 2.2: BUILDING AN ASSURANCE FRAMEWORK ...................................................................................33

ANNEX 2.3: HM TREASURY EXAMPLE ASSURANCE FRAMEWORK ARRANGEMENTS ................................39

ANNEX 2.4: NHS TRUST ASSURANCE FRAMEWORK EXTRACT ......................................................................40

CHAPTER THREE: INTERNAL AUDIT’S ROLE IN EVALUATING RISK MANAGEMENT .......................................41

RISK MATURITY ....................................................................................................................................................41

INTERNAL AUDIT’S APPROACH BASED ON RISK MATURITY ........................................................................43

INTRODUCING CIPFA’S MODEL FOR ASSESSING RISK MATURITY ...............................................................44

CHECKLIST FOR AUDITORS .................................................................................................................................48

ANNEX 3.1: HM REVENUE & CUSTOMS – REDESIGNING INTERNAL AUDIT’S APPROACH TO RISK ........49

CHAPTER FOUR: RISK-BASED AUDITING .............................................................................................................51

DEVELOPING A RISK-BASED AUDIT PLAN .......................................................................................................51

RISK-BASED AUDIT ASSIGNMENTS ...................................................................................................................61

CHECKLIST FOR AUDITORS .................................................................................................................................66

ANNEX 4.1: EXAMPLE OF A RISK-BASED AUDIT PLAN – NHS .......................................................................67

ANNEX 4.2: RESOURCING AN AUDIT PLAN – EXAMPLE MODEL ...................................................................70

APPENDIX: CIPFA’S MODEL FOR ASSESSING RISK MATURITY .........................................................................73

GLOSSARY ..................................................................................................................................................................89

FURTHER READING ..................................................................................................................................................93


Page 1

CHAPTER ONE

Introduction

BACKGROUND

Failure to manage risk properly continues to hit the headlines. When the 2005 edition of this publication was written, it was predominantly business failure that attracted attention to poor governance and poor risk management – the Maxwell scandal, Barings Bank, BCCI, Enron, Parmalat, Shell and Equitable Life. Business and financial failings have continued – the collapse of Northern Rock, rogue trading at Societe Generale, the Icelandic banking crisis, and the much wider crisis in banking around the world.

Now, governance and risk management failings have broadened beyond the financial sector – the BP oil spill; The Co-operative Bank scandal; tragic failings in child protection; lack of public confidence in patient safety at the Mid Staffordshire NHS Foundation Trust; nursing and care home scandals; reputational damage to government through the failure of security services at the Olympic Games; the inability of healthcare providers to deliver effective sickness benefit assessments; failures to safeguard personal data; and costly major IT project failures. The list goes on.

Such adverse events directly affect the safety, wellbeing and economic livelihood of individuals. They have many complex causes but there are common threads – poor standards of ethical behaviour; lack of governing body or governance leadership; ineffective regulation or scrutiny; weak financial reporting; fraud; and failings in control and power vested in the hands of too few dominant senior executives or chair-persons. They can also be due to organisations having too narrow or short term a risk horizon and failing to anticipate changes and their impact on risks.

Unless organisations can manage and mitigate their risks more effectively, service failure and reputational damage will continue.

We live in a riskier world, but we also live in a more controlled and regulated world. Processes designed to avoid risk can have costly and inefficient consequences – for example, measures intended to prevent terrorism or illegal immigration can result in longer waiting times for passports or at border control.

A balance needs to be struck between the risks we are prepared to accept and those that we need to control. As a source of assurance on the adequacy of risk management and control, internal audit has a vital contribution to make in helping avoid public service failure.


Page 2

WHY IS THIS PUBLICATION NEEDED?

The 2005 edition of It’s a Risky Business was itself an update of the 1997 publication It’s a Risky Business: The Auditor’s Role in Risk Assessment and Risk Control. The 2005 edition was a practical guide for public sector internal auditors to help them play a major role in reducing risk and make a valuable contribution to their organisations’ annual governance statements.

Much has changed since 2005:

• developments in public sector governance, including a clearly defined role for governing bodies and those charged with governance, and a higher profile for audit committees

• reform of the regulatory regime across the public sector

• greater expectations around ethical behaviour and codes of conduct for those who govern

• continuing concern about high-profile risk failure, affecting everyone, not just businesses, investors and shareholders

• the economic downturn, reduced resources and the consequent need for public sector organisations to seek innovative ways to deliver better for less

• the introduction of Public Sector Internal Audit Standards, setting out a clear role for auditors in evaluating, reporting on and improving risk management in their organisations.

There have also been a number of detailed changes to legislation, professional standards and practices. But the main elements of the 2005 publication still hold true:

• internal auditors need to understand the concepts of risk and risk management and to have the skills to deliver assurance on the quality and effectiveness of risk management

• the audit programme needs to be based on an assessment of the maturity of risk management

• internal audit needs to take a risk-based approach to planning and undertaking its work in order to provide an opinion on the internal control environment.

WHO IS THIS PUBLICATION FOR?

Those charged with setting the strategic direction for the organisation and for ensuring its achievement (the governing body or board) are responsible for owning the risks to objectives and managing them effectively. But internal auditors have a valuable part to play in evaluating and contributing to risk management, governance and assurance processes.

This publication is therefore aimed at internal audit, and has been written by audit practitioners for audit practitioners to provide step-by-step guidance to assist auditors through the complex world of public sector risk management. It also has a wider audience in the public sector – all those interested in or responsible for public service governance and risk management, including leadership teams, chief executives, audit committees, other stakeholders and those responsible for managing the internal audit function.


CHAPTER ONE \ INTRODUCTION

Page 3

DEFINING RISK AND RISK MANAGEMENT

This is not a manual on risk management (on which there is already a wealth of published material). Instead, it has been designed to enhance internal auditors’ understanding of the contribution they can make to improving risk management.

To start, it is important to be clear about what is meant by risk.

Risk is the effect of uncertainty on objectives, where effect is any deviation from the expected – positive or negative.

Source: ISO 31000

It is important to make a distinction between audit risk and business risk.

Audit risk has a specific meaning: the risk that the audit process provides an inappropriate opinion – ie that the accounts contain a material misstatement or error.

This publication focuses on business risk: the risks that might prevent a business achieving its objectives, and the role that audit can play in giving confidence to the business that its risk is being managed.

In a sense, this is nothing new. We all deal with risks on a daily basis in our personal and working lives, from crossing the road to making an investment decision. Risk has always been the business of internal audit. The auditor’s job is to assess the likelihood of something adverse happening as a consequence of a control or a process not working properly. The concept of risk gives meaning to the audit process; if there is no risk of anything ever going wrong, there is no point to the audit process. Identifying risk and judging the materiality of risk in any system of control are the key skills required of an effective internal auditor.

It is important to appreciate the positive as well as the negative aspects of risk. There is as much danger in not taking action as there is in taking action, since failing to take an opportunity to invest in a service or to transform the way it is delivered can lead to the risk of wasting ever scarcer resources. This is particularly important in times of austerity.

Risk management comprises the set of co-ordinated activities to direct and control an organisation’s risks. Specifically it enables organisations to safeguard their objectives and make the right decisions about taking opportunities and investing resources effectively. The concept of risk management is explored in more detail in chapter two.

INTERNAL AUDIT’S ROLE

Internal audit’s role in risk management is more explicit than ever before – not just contributing assurance through the governance statement, but helping the organisation to achieve its objectives by managing risk more effectively. It needs to provide both objective challenge and support, and to act as a catalyst for positive change and improvement in governance. The developing role of internal audit is illustrated below.


Page 4

[Diagram: The developing role of internal audit. The focus of internal audit widens over time, from financial controls (1980s), to compliance and IT controls (1990s), to operational controls (2000s), to governance and business objectives and risk (today). Timeline axis: 1980s, 1990s, 2000s, Today.]

Source: Scottish Local Authorities Chief Internal Auditors Group

This diagram indicates the raised expectations of audit, moving from a traditional focus on financial control and compliance, to supporting the organisation’s governance, objectives and risk management arrangements.

CIPFA’s 2010 statement The Role of the Head of Internal Audit in Public Service Organisations emphasises the critical role internal audit plays in delivering the organisation’s objectives by championing best practice in governance, objectively assessing the adequacy of governance and management of existing risks, and commenting on responses to emerging risks and proposed developments. Internal audit also provides an opinion on the adequacy and effectiveness of the organisation’s control environment; the systems of governance, risk management and internal control.

Since 2013, internal audit’s developing role has been recognised further in the Public Sector Internal Audit Standards, which were adopted across the public sector. These standards require internal audit to provide an objective assessment on the framework of governance, risk management and control. The standards define the role of internal audit as:

… an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

Both these descriptions of internal audit’s role indicate the expectations placed on internal audit in relation to risk. It is CIPFA’s view that there are core functions that internal audit must deliver, discretionary functions that it can undertake to support or improve risk management, and some functions that it should not be involved in to avoid the danger of losing independence or objectivity. A clear distinction needs to be made between internal audit supporting and improving risk management (including working with risk managers and sharing expertise and knowledge) and internal audit being relied upon to perform part of the risk management function.

Page 5

Internal audit needs as a minimum to perform the following core functions:

• audit risk management processes, provide assurance on their adequacy and comment on whether the organisation’s attitude to risk is suitable for its environment and financial capacity

• assess the risk maturity of the organisation and develop an audit plan based on such an assessment; as maturity is reached the internal audit approach should move from risk identification to assurance on the effectiveness of the risk management system

• take a risk-based approach to audit assignments by identifying objectives, risks and controls, evaluating the extent to which those controls address the organisation’s risks, identifying over- or under-control, articulating residual risk and recommending management action as appropriate

• specifically:

… the internal audit activity must evaluate risk exposures relating to the organisation’s governance, operations and information systems regarding the:

  • achievement of the organisation’s strategic objectives

  • reliability and integrity of financial and operational information

  • effectiveness and efficiency of operations and programmes

  • safeguarding of assets

  • compliance with laws, regulations, policies, procedures and contracts.

Source: PSIAS 2120.A1

Internal audit can also perform the following discretionary functions:

• help improve risk management through facilitating, advising on and supporting the identification of current and emerging risks

• advise on how to treat and manage risks

• provide training on risk

• identify and report on the consequences of risk not being managed effectively.

In carrying out the core and discretionary functions, there are advantages to be gained from internal audit and risk managers working together (this issue is explored in more depth in chapter four), but not at the expense of threats to internal audit’s independence and objectivity. Therefore, internal audit should not:

• be part of the risk management process

• dictate or influence risk identification, profiling or risk appetite

• act to mitigate or control risks.

The rest of this publication provides guidance to help internal auditors fulfil their challenging role.


Page 6

STRUCTURE OF THIS PUBLICATION

Chapter two describes the concepts and sets out internal audit’s responsibilities for governance, risk management, internal control and assurance. It provides guidance on building an assurance framework.

Chapter three provides guidance for internal auditors on assessing the risk maturity of the organisation, developing an approach to auditing the elements of the risk management process and contributing to the assurance framework. It introduces CIPFA’s model for assessing risk maturity, which is provided as an interactive tool in the appendix to this publication.

Chapter four sets out how internal auditors can apply the concept of risk to the audit planning process, undertaking risk-based audit assignments and thereby supporting the head of internal audit opinion.


Page 7

CHAPTER TWO

Governance, Risk Management, Control and Assurance

Internal audit is one of the cornerstones of good governance, reviewing and reporting on the organisation’s arrangements for controlling its resources and managing its objectives.

The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:

• Promoting appropriate ethics and values within the organisation;

• Ensuring effective organisational performance management and accountability;

• Communicating risk and control information to appropriate areas of the organisation; and

• Coordinating the activities of and communicating information among the governing body, external and internal auditors and management.

Source: PSIAS 2110 Governance

To perform this role, internal audit needs to have a good understanding of the governance arrangements in their organisation, and the way in which risk management and internal control support governance. This chapter helps the internal auditor’s understanding of these areas by:

• summarising the key features of public sector governance and the importance of risk management and internal control

• clarifying the responsibility of senior management/the governing body and the audit committee in leading and championing governance

• exploring the concepts of assurance, assurance frameworks and assurance mapping.

GOVERNANCE IN THE PUBLIC SECTOR

The public sector landscape is wide; it has expanded beyond the traditional boundaries of central and local government, health and education to cover a wide variety of agencies, arm’s-length bodies, public–private partnerships and joint arrangements, not-for-profit organisations, and community and voluntary groups.

Although the form that governance takes varies widely across the public sector, governance commonly means the arrangements in place to ensure that an organisation fulfils its overall purpose, achieves its intended outcomes and operates in an economical, effective, efficient and ethical manner.

Risk management is a key concept in good governance. In 2014 CIPFA and IFAC (the International Federation of Accountants) published International Framework: Good Governance in the Public Sector. One of the framework principles is managing risks and performance through robust internal control and strong public financial management:

Page 8

The governing bodies of public sector entities need to ensure that the entities they oversee have implemented – and can sustain – an effective performance management system that facilitates the effective and efficient delivery of planned services. Risk management and internal control are important and integral parts of a performance management system and crucial to the achievement of outcomes. They consist of an ongoing process designed to identify and address significant risks involved in achieving an entity’s objectives.

Responsibility and accountability for governance flows from the top; every public sector entity needs one or more individuals who are explicitly responsible for providing strategic direction and oversight while being accountable to stakeholders. The CIPFA/IFAC framework uses the term ‘governing body’ to identify the person(s) or group with primary responsibility for overseeing an entity’s strategic direction, operations, and accountability. This publication uses this definition.

[Diagram: Relationships between good governance principles in the public sector. The seven principles shown are:]

A. Behaving with integrity, demonstrating strong commitment to ethical values, and respecting the rule of law

B. Ensuring openness and comprehensive stakeholder engagement

C. Defining outcomes in terms of sustainable economic, social, and environmental benefits

D. Determining the interventions necessary to optimize the achievement of the intended outcomes

E. Developing the entity’s capacity, including the capability of its leadership and the individuals within it

F. Managing risks and performance through robust internal control and strong public financial management

G. Implementing good practices in transparency, reporting, and audit, to deliver effective accountability

Source: International Framework: Good Governance in the Public Sector, CIPFA/IFAC, 2014

CHAPTER TWO \ GOVERNANCE, RISK MANAGEMENT, CONTROL AND ASSURANCE

Good governance requires a well-defined framework to operate in. The key elements of a governance framework are clear strategic objectives, an effective governing body focused on achieving these objectives and managing related risks, an effective scheme of delegation for executive decisions to be taken, and all parts of the framework understanding their roles and responsibilities, and how they relate to each other. A wide range of systems, activities and processes make up an organisation’s governance framework. These are considered later in this chapter.

EXPLORING THE CONCEPT OF RISK MANAGEMENT

Risk management needs to be treated as a positive concept, enabling organisations to identify, assess and seize opportunities in ways that were not necessarily possible before, to take decisions about making the most of these opportunities, and to invest resources in a consistent, controllable way.

What is important is that risk is managed in the right way to make the most of opportunities and to safeguard an organisation’s objectives from harm.

The international standard on risk management, ISO 31000, has been widely adopted and replaces other national or sectoral risk management standards. Its principles for effective risk management are:

• Risk management creates and protects value, contributing to the organisation’s objectives and improving performance, efficiency, governance and reputation.

• It is an integral part of all organisational processes, not a standalone activity. It is a part of management’s responsibility, and part of strategic planning, project and change management.

• It is part of decision making, helping management take informed choices and prioritise actions.

• It helps organisations understand and address uncertainty.

• It needs to be systematic, structured and timely.

• It is based on the best available information – historical data, stakeholder and customer feedback, forecasting and expert judgment. It should be tailored to the organisation’s internal and external context and risk profile.

• It takes human and cultural factors into account – recognising that people’s capabilities, behaviours and intentions can facilitate or hinder the organisation’s objectives.

• It is transparent and inclusive, needing the timely and appropriate involvement of stakeholders and decision makers at each stage, and ensuring proper representation of all those affected.

• It needs to be iterative, dynamic and responsive to change, taking account of changes in the internal and external environment.

• Finally, it needs to demonstrate continuous improvement.


Strategic and operational risks

It is important that the governing body has a clear understanding of strategic risks.

Strategic risks are those that represent major threats to achieving an organisation’s strategic objectives; for example, a health body failing to increase life expectancy or to reduce teenage pregnancies, or an education body failing to improve academic performance. These can also include serious service failures; for example, failing to safeguard a vulnerable client. The way in which internal auditors consider strategic risk as part of the risk-based audit planning process is covered in detail in chapter four.

Operational risks relate to the day-to-day running of the organisation and include financial and resource risks; threats to assets through fraud, loss or error; the risk of system failure; and legal and compliance risks. These risks are identified and controlled by line management, but they need to be reported to the governing body level on an exception basis.

Whichever type of risk is being managed, organisations need to ensure that risk is integral to decision making: weighing up the consequences of decisions, their likelihood and impact on strategic objectives, and the potential losses through not taking opportunities by avoiding risk. Once a decision is made, the governing body remains accountable for the risk taken.

Identifying, measuring and recording risk

Risk identification involves understanding what could threaten the achievement of the organisation’s objectives. It is necessary to know how and why things could go wrong. Risks need to be described so that others understand what the risk is, and its cause, effect and impact; and each needs to be assigned an owner.

The likelihood of a risk materialising and its impact need to be scored, and the likely timeframe identified. The organisation should then list the actions that need to be taken to reduce the likelihood of the risk happening or to mitigate its effects should it happen.

Risks are typically assigned a score based on a combination of the likelihood of occurrence and the expected impact.

Likelihood may range from remote to very likely. Impact may range from minor service disruption, minor loss of budget or occasional complaints to employee fatality, service suspension or loss of most or all of budget. The higher the score, the more attention the risk requires and the more likely it is that the governing body will seek assurance about how that risk is being managed. Some organisations allocate a cost to the impact, enabling them to match their ability to deal with the risk to financial capacity.

The net impact of a risk is effectively the residual risk after taking into account the controls in place to reduce the likelihood of it materialising, or to minimise its impact should it do so. This evaluation determines the appropriate level of managerial supervision and action and so, while gross risk is important in considering the risk profile of the organisation, it is the residual risk that largely drives operational risk management.

A risk register is the way in which an organisation records its risk management process. There are many different ways of presenting risk registers and terminology also varies, but the following example covers the concepts described above.

Risk matrix assessment template

Risk Matrix/Assessment Template

RISK ASSESSMENT BY:
DATE: 30/2/20xx
SERVICE: Strategic Finance and Audit
HEAD OF SERVICE: An Other
CORE OBJECTIVE: To Accomplish & Deliver the Community Priorities
BUSINESS OBJECTIVE: Contained within the Corporate Priorities, the Service supports the following; Embedding and delivering the MTFS (11), Improving Procurement Practice (12), Maximising Financial Resources (13), Improve the CPA rating (16), Embedding a culture of Risk Management (17)
ASSESSMENT TYPE: Strategic

Risk assessment (template columns 1 to 4 and 12 to 17), one example row:

Column 1 - Details of Risk, Including Consequences: Medium Term Financial Strategy fails to reflect resources required to deliver corporate priorities through inaccuracy or poor forecasting
Columns 2 to 4 - Assessment of Risk (Assume NO controls in place): Impact 4; Likelihood 2; Risk Rating 8
Columns 12 to 14 - Assessment of Residual Risk (Control measures in place): Impact 1; Likelihood 1; Residual Risk Rating 1
Column 15 - Review Frequency: 6 months
Column 16 - Date of Next Review: 01/11/20xx
Column 17 - Risk Owner: AN Other

Controls (template columns 5 to 11), the matching example row:

Column 5 - Other Controls: MTFS is checked against sources of data and assumptions included have been subject to challenge. Sources include capital projections, revenue implications of capital spending, revenue outturn projections, council tax, government grant and income forecasts.
Column 6 - Resources Required: Corporate Resources; not known
Column 7 - Status (eg implemented, in progress, proposed): implemented
Column 8 - % Complete: 100%
Column 9 - Review Frequency: 6 months
Column 10 - Date of Next Review: 01/11/20xx
Column 11 - Control Owner: AN Other


Of course, organisations do not exist in a risk-free environment; they must accept that risks exist and put in place measures to reduce, control and mitigate them. But there are consequences to over-controlling risk. The more an organisation attempts to remove risk from a service or activity, the more costly it can be to deliver, as complex procedures are required to mitigate risk. The following extract illustrates this point well.

Consideration of risk and benefit can be formalised. For example, the As Low As Reasonably Practicable (ALARP) principle is used to define the tolerable level of risk for health and safety. The principle recognises that risk cannot be reduced to zero, and that risk reduction will have a cost attached (in terms of time, money, or quality/functionality). Decisions to take risks are often harder as the benefits are often less tangible and the probability of success is uncertain. This is particularly true when considering investment in research and development

Source: Thinking About Your Risk – Setting and Communicating Your Risk Appetite, HM Treasury, 2006

In order to judge whether risks are being over-controlled, risk registers should therefore include the cost of any investment needed either to reduce the risk to an acceptable level or to remove it. This allows clear evaluation of investment decisions, whether during the planning round or as part of in-year financial management processes.

Developing the theme of risk as a positive concept, risk management has become a key ingredient of new forms of public service delivery. The challenge for public sector organisations now is to thrive in an environment of greater risk opportunity and radical change and transformation. They cannot survive by standing still. Innovative solutions need to be supported by effective risk appraisal.

Transformation is frequently used to describe innovative approaches to service delivery, involving service redesign, alternative ways of commissioning or providing, or deciding whether a service is required at all. Even services focused on safety or security, such as fire authorities or HM Prison Service, are looking to service transformation (for example, reducing firefighting personnel in favour of fire safety advice, increasing non-custodial options). Risk management underpins effective transformation.

CIPFA has identified effective financial and risk management as one of the ten key actions for leaders to take in response to the challenging climate of austerity.

Ten key actions leaders need to take (figure):

Engage and communicate

Build the capacity to change

Implement effective financial and risk management

Ensure governance is fit for purpose

Identify options for change

Build a balanced portfolio of change projects

Build a vision for how you will look

Understand funding scenarios

Understand where value lies

Know where your costs are now

Source: Leading in Hard Times, CIPFA, 2011


Organisations need to use risk creatively to support innovation.

Risk needs to be managed rather than avoided, and consideration of risk should not stifle innovation. The Council delivers services in an increasingly litigious and risk averse society and believes that risk management is a tool for exploiting opportunities as well as safeguarding against potential threats. LBBD uses the discipline of risk management to promote innovation in support of the council’s strategic objectives as detailed in the Corporate Plan.

Source: London Borough of Barking and Dagenham

Internal audit can play an important role in this ‘risk opportunity’ environment; for example, providing assurance over more innovative forms of service delivery, such as joint ventures.

Case study: Deploying internal audit to review governance and risk in an NHS joint venture

The service provision landscape continues to change and foundation trusts are using new delivery models to support the provision of optimal care.

An NHS trust had entered into an innovative joint venture arrangement with a large multi-national private sector healthcare organisation to provide an enhanced private patient experience. Trust executive directors formed part of the joint venture governing body and were keen to seek independent support and assurance on the risk management and governance arrangements. Internal audit’s credibility, relationships and risk and governance expertise led to a request for advice on the adequacy of the arrangements in place around the joint venture and whether the trust governing body was receiving sufficient and accurate information to be assured about the operation of the venture.

This work was undertaken through flexing the core risk-based audit plan as there was a significant reputational risk to the trust in the event of failure or poor performance as well as financial risks in terms of non-receipt of anticipated income.

Internal audit’s review highlighted key weaknesses in the governance arrangements and the absence of a defined risk management system. The report was well received at the trust governing body and provided a clear action plan to support executive directors to proactively address the issues raised. The audit committee chair commented that it was ‘one of the best pieces of internal audit work’ he had read.

In addition to the high-profile interactions within the trust, internal audit liaised closely with the trust’s external auditors as there were a number of areas of shared interest, due to the profit-sharing arrangements in place and their impact on the trust’s annual accounts.

Source: Mersey Internal Audit Agency

Using risk proactively has been a feature of partnership and project management working in the public sector for many years now.

Most public sector organisations rely on partnership working for at least part of their service delivery. The key challenge in partnership risk management is that there are risks that the organisation cannot by itself fully own or control. There needs to be a shared understanding and management of risks facing the partnership in addition to those faced by each partner. Organisations also need to be aware that partners might be more skilled in risk management and might offload risk to them. Partnership risk management therefore usually requires the development of a shared risk management approach as part of the governance arrangements for the partnership.

Project management methodology (for example PRINCE2) and standards usually require a robust risk management element to ensure the achievement of the project’s objectives. Projects are subject to risk appraisal as part of project initiation. The appraisal usually takes the form of a risk register for the project, setting out key risks in terms of resources, people, delivery, operations, and external threats such as legislative, economic, social or market issues. Project risk management will be owned and regularly reviewed by the project governing body, and mitigation or control action identified if risks change during the life of the project.

There are two types of risk associated with projects: business risk and project risk. Business risk relates to the environment in which the project operates – the economic, environmental or political risks that might adversely affect the outcomes of the project. These are generally external risks. Some may be beyond the project manager’s control; for example, a downturn in the economy affecting the price and supply of building materials, but some may be controlled; for example, taking out insurance to safeguard against damage to the building of a library during construction. Project risk relates to the management of the project; for example, the risk that financial resources become unavailable, that timescales are not met or that key project personnel leave at critical stages.

Risk appetite

Risk appetite is the term commonly used to describe where an organisation considers itself to be on the spectrum ranging from willingness to take or accept risk through to an unwillingness or aversion to taking some risks.

It is based on the level of unmitigated or residual risk that an organisation is prepared to tolerate, or in other words the risk target to be aimed at. The following extract from the Home Office risk management policy describes the approach:

When deciding your risk target consider the following:

What risk rating would [you] like to manage an individual risk down to in an ideal world?

What level [can you] actually and practicably manage this risk down to? (Always think what cost is attached to managing a risk downwards as this may ultimately affect what level you set your risk target at.)

Given that you may have limited resources to use to counter this risk, realistically, what level of risk would you be happy with and can [you] afford?

Having considered the above, assign the risk target a colour that best represents what you are prepared and able to manage it down to using the existing BRAG colours and matrix. If your risk target is:

• BLACK represents a very high tolerance of this risk, ie you are willing to tolerate a risk rated with either a very high likelihood or [a very high] impact (or both).

• RED represents a reasonably high tolerance to the threat – you are more open to the threat occurring, often if there are operational or resourcing constraints.

• AMBER will show you are prepared to tolerate and accept a little more threat – are prepared to be more ‘scared’ as you’re accepting more risk, but are still cautious.

• GREEN, you are risk averse as you can’t tolerate this risk materialising.

Source: Home Office: Risk Management Policy and Guidance, Home Office, 2011

Risk appetite in the public sector may be particularly relevant when the organisation has a policy or delivery role which involves the opportunity to make choices about investment in projects, research and work whose effect or outcome is inherently uncertain.

Risk appetite will vary according to the nature of the business and the type of service provided. Investment, trading or physical delivery services will focus more on opportunities and their consequent risk than services whose prime purpose is stewarding public funds or protecting the public; so a local authority supply trading organisation will have a different risk appetite to child protection services. Risk appetite may also vary within the organisation if it has a number of discrete functions; for example, risk appetite around a major construction project in a local authority may differ from risk appetite in relation to treasury management or archiving services.

As public sector organisations face reducing financial resources at a time when the demand for public services is increasing, governing bodies need to ensure that their risk appetite is still appropriate to make the most of opportunities as well as to guard against threats.

It is important that the organisation has a clear idea of its risk profile. This is the selection of risks that the organisation is prepared to tolerate or manage; depending on its risk appetite, it may include some higher-scored risks. The organisation needs to understand the strategic risks to the achievement of its objectives, how these risks are scored and graded in terms of likelihood and impact, which of these risks it is prepared to tolerate and which it is not, and how these may change. These are helpfully illustrated on a grid, with one axis indicating impact from low to high, and the other indicating likelihood from low to high. Risks in the top-right quadrant of the grid would then be scored high or unacceptable; risks in the bottom-left quadrant would be low or acceptable.

Example risk appetite grid (figure): Likelihood on one axis and Impact on the other, each scored 1 to 5. Two lines are drawn across the grid: the Risk Tolerance Level, above which risks attract appropriate effort and resources, and the Risk Acceptance Level, below which risks attract minimum effort and resources.

Source: Shropshire Council

In this example, risk appetite is defined as the risk tolerance level, with risks above this level attracting effort and resources to reduce it to below this level. This target therefore acts as a management indicator, with greater levels of monitoring being required for these risks than for those below it. In addition to this upper level, a lower target has been set, which is the risk acceptance level. Any risks below this level should require minimal effort and resources to manage. This helps ensure that resources are not wasted trying to reduce risks unnecessarily.
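The following is an added worked example (my code, not CIPFA’s, Shropshire Council’s or any other source organisation’s) that puts the scoring of the risk register template above (impact multiplied by likelihood on 1 to 5 scales, assessed gross with no controls in place and residual with control measures in place) together with the tolerance and acceptance levels of the appetite grid. The MTFS row reproduces the template’s own scores (impact 4, likelihood 2, rating 8; residual 1, 1, 1). The two threshold values, the review dates, the second risk and its control completion figure are constructed assumptions and are labelled as such in the code. It also adds two consistency checks a reviewer would want: a residual rating that exceeds the gross rating is rejected, and a residual score that relies on a control not yet fully implemented is flagged, which is one way of testing whether an assessment is overly optimistic.

```python
"""Risk register scoring and appetite banding (added example, not CIPFA's code)."""
from dataclasses import dataclass, field
from datetime import date

SCALE = range(1, 6)  # impact and likelihood are each scored 1 (low) to 5 (high)


def rating(impact: int, likelihood: int) -> int:
    """Risk rating as in the template: impact multiplied by likelihood."""
    if impact not in SCALE or likelihood not in SCALE:
        raise ValueError("impact and likelihood must be scored 1-5")
    return impact * likelihood


@dataclass
class Control:
    description: str
    status: str            # eg implemented, in progress, proposed
    percent_complete: int
    owner: str


@dataclass
class Risk:
    description: str
    owner: str
    gross_impact: int          # assessed assuming NO controls in place
    gross_likelihood: int
    residual_impact: int       # assessed with control measures in place
    residual_likelihood: int
    next_review: date
    controls: list = field(default_factory=list)

    def __post_init__(self) -> None:
        # Controls can only reduce a risk, so a residual rating above the
        # gross rating means the two assessments are inconsistent.
        if self.residual_rating() > self.gross_rating():
            raise ValueError(f"residual rating exceeds gross rating: {self.description}")

    def gross_rating(self) -> int:
        return rating(self.gross_impact, self.gross_likelihood)

    def residual_rating(self) -> int:
        return rating(self.residual_impact, self.residual_likelihood)


@dataclass
class RiskAppetite:
    """The two thresholds of the example grid. The numbers are assumed, not Shropshire's."""
    tolerance_level: int = 12   # at or above: attracts appropriate effort and resources
    acceptance_level: int = 4   # at or below: minimum effort and resources

    def band(self, score: int) -> str:
        if score >= self.tolerance_level:
            return "above tolerance"
        if score <= self.acceptance_level:
            return "acceptable"
        return "monitor"


def register_row(risk: Risk, appetite: RiskAppetite) -> dict:
    """One line of the register: both assessments and where each sits against appetite."""
    return {
        "risk": risk.description,
        "owner": risk.owner,
        "gross": risk.gross_rating(),
        "gross_band": appetite.band(risk.gross_rating()),
        "residual": risk.residual_rating(),
        "residual_band": appetite.band(risk.residual_rating()),
        "next_review": risk.next_review.isoformat(),
    }


def needs_attention(register: list, appetite: RiskAppetite, today: date) -> list:
    """Residual risk drives operational management: flag risks still at or above
    tolerance after controls, risks whose review date has passed, and risks whose
    residual score relies on a control that is not yet fully implemented."""
    flagged = []
    for r in register:
        reasons = []
        if appetite.band(r.residual_rating()) == "above tolerance":
            reasons.append("residual rating at or above tolerance level")
        if r.next_review < today:
            reasons.append("review overdue")
        if any(c.status != "implemented" or c.percent_complete < 100 for c in r.controls):
            reasons.append("relies on a control not yet fully implemented")
        if reasons:
            flagged.append((r.description, reasons))
    return flagged


# Constructed sample register. The first row is the template's example; the
# dates, the second risk and its control figures are assumptions.
SAMPLE_REGISTER = [
    Risk("Medium Term Financial Strategy fails to reflect resources required to deliver "
         "corporate priorities through inaccuracy or poor forecasting",
         "AN Other", 4, 2, 1, 1, date(2024, 11, 1),
         [Control("MTFS is checked against sources of data and assumptions included "
                  "have been subject to challenge.", "implemented", 100, "AN Other")]),
    Risk("Failure to safeguard a vulnerable client", "AN Other", 5, 4, 5, 3,
         date(2024, 3, 1),
         [Control("Case file audit programme (assumed)", "in progress", 60, "AN Other")]),
]
APPETITE = RiskAppetite()
TODAY = date(2024, 6, 1)  # assumed reporting date

if __name__ == "__main__":
    for risk in SAMPLE_REGISTER:
        print(register_row(risk, APPETITE))
    print(needs_attention(SAMPLE_REGISTER, APPETITE, TODAY))
```

With the assumed thresholds, the MTFS risk is "monitor" at gross rating 8 and "acceptable" at residual rating 1, so it needs no escalation; the safeguarding risk is flagged on all three counts, since its residual rating of 15 is still above the tolerance level, its review is overdue and the control it relies on is only partly implemented.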

Risk culture

The governing body has a key role in embedding a culture of risk management into the organisation. The benefits of this include:

• improved management of resources

• enhanced internal and external communications and reporting of risk and control information

• increased responsiveness to internal and external change

• increased likelihood of successful delivery of objectives

• ownership of risk management and mitigations by everyone in the organisation.

Risk intelligence

An effective risk management culture is one in which risks and issues outside the radar can be identified and acted upon. Many organisations have systems in place to determine existing risks, but the identification of emerging risks, particularly emerging external risks, is typically less well developed.

Processes to determine emerging risks could be enhanced by risk managers and auditors within sectors pooling and analysing common risks. In the NHS, a recent survey undertaken of 10 board assurance frameworks covering four NHS regions and 211 clinical commissioning groups found a variety of approaches to the layout and detail of frameworks, but consistent patterns of risk themes and key risks, as illustrated in the following table.

Top three risk themes, with a sample of common key risks under each:

Safety/quality/experience
• Failure to safeguard vulnerable adults or children
• Inability to gain adequate clinical governance assurance from providers
• Inability to secure improvement in quality of care in residential/nursing homes

Performance
• Failure to provide prompt patient access; for example, cancer treatment or A&E
• Failure to meet ambulance response times
• Failure to achieve key performance targets

Finance
• Funding loss through new group allocations formula
• Overspending on emergency and elective referrals
• Failure to meet group financial targets

Source: NHS London Audit Consortium

Such exercises could usefully inform individual organisations of the pattern of risk across the country. In addition to assurance frameworks, head of audit opinions could also be analysed to share intelligence on risk.

Another means of gaining risk intelligence is for internal auditors or risk managers to liaise collectively with regulators and national stakeholders who typically have wider insight about the pattern of risks and have considered the risks associated with new policies. For example, NHS internal auditors are seeking to liaise with national stakeholders such as the Care Quality Commission and Monitor to understand emerging risks and disseminate key facts across the service.

The NHS now requires individual organisations to assess their vulnerability to the problems found in investigations such as the Francis Inquiry report into the Mid Staffordshire NHS Foundation Trust and to develop action plans. It is obviously good practice for organisations to remain apprised of national investigations and to undertake local assessments.

Risk management and the system of internal control

Internal controls are designed to ensure that there are processes in place to safeguard against fraud, loss, waste, inefficiency, damage to assets or other adverse events that prevent an organisation achieving its objectives. Risk management is therefore another way of looking at internal control, since no control should be present unless it is designed to prevent the risk of something adverse happening.

The system of internal control facilitates the effective exercise of an organisation’s functions. It is the totality of the way an organisation designs, implements, tests and modifies controls in specific systems, to provide assurance at the corporate level that the organisation is operating efficiently and effectively. As such, it includes the governance framework, risk management, information and communications, monitoring processes and assurance activities. It is the effectiveness of all this that the accountable officer is certifying when signing the governance statement. So, as risk management underpins the system of internal control, it also forms an essential contribution to the governance framework.

To finish this section on exploring the concept of risk management, here are some straightforward questions to help organisations manage their risks:

• What are you trying to achieve/what are your desired outcomes (eg promoting healthier lifestyles)?

• What is the risk (risk identification)?

• What will happen to desired outcomes (risk evaluation – impact should the risk occur)?

• How likely is it that the risk will occur (risk evaluation – probability)?

• Does the benefit outweigh the risk (risk–benefit analysis)?

• Can we do anything to reduce the risk (risk reduction)?

• Has anything happened that alters the risk (risk monitoring)?

• What plans can we put in place in case the risk occurs (contingency/service continuity planning)?

• Would insurance be a cost-effective way of mitigating the risk, or can we contract out this risk (risk transfer)?

• What financial provisions should we hold for the primary or residual risk (risk funding)?

Remember: risk management is about being ‘risk aware’, not ‘risk averse’.

THE ROLE OF THE GOVERNING BODY

The nature of governing bodies varies widely across the public sector; from school governing bodies, cabinet or executive models in local government, NHS trust boards, and trustee boards of charities to central government department boards chaired by secretaries of state. Composition can also vary, with different combinations of elected members, non-executive directors or nominated laypersons. But the main purpose of any governing body remains the same – to lead and govern the organisation, to define its purpose, vision and objectives, to ensure the achievement of outcomes, to promote a culture of ethical behaviour and to ensure effective risk management and control.

Too often, the sorts of high-profile failures and disasters mentioned in chapter one stem from governing bodies failing in their purpose. In the wake of the banking crisis and the resulting perception that financial institutions had failed to identify and manage their financial risk, there were a number of reviews and developments in governance, focused on risk management.

While not applicable directly to public sector bodies, one of the main principles of The UK Corporate Governance Code (FRC, 2012) is that the board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives. The board should maintain sound risk management and internal control systems. The relevant provision of the Code is that the board should, at least annually, conduct a review of the effectiveness of the company’s risk management and internal control systems and should report to shareholders that they have done so. The review should cover all material controls, including financial, operational and compliance controls.

Given that the governing body owns and is responsible for the organisation’s objectives, it therefore has overall responsibility for risk management. The governing body may delegate management of risk and risk identification to officials or the executive, but it remains accountable and cannot avoid owning risk and the consequences of it not being effectively managed. This responsibility is best described as risk governance:

The leadership of risk management and the means by which it is successfully and effectively integrated into the governance arrangements of the organisation.

Source: Risk Governance: Risk Management Guidance Note 13, CIPFA Better Governance Forum, 2011

Key features of effective risk governance are:

� a high-level mandate and commitment to risk management from senior managers and those charged with governance

� integration with the governance framework

� clear alignment with the organisation’s objectives and performance management framework

� accountability at all levels

� transparency of activities and key information

� a clear strategy for the management of risks when working in partnership and integration with wider partnership governance arrangements.

In overall terms, the governing body’s role is:

� to oversee the effective management of risks by officials

� to get involved in the identification of high-level, strategic risks and to understand their potential impact.

Its specific role in terms of risk management is:

• to gain a broad understanding of risk management and its benefits

• to require officials to develop and implement an effective framework for risk management

• to challenge officials to ensure risks are considered and documented in all reports

• to require that risk is formally considered at the start of major projects and re-evaluated throughout the life of the project

• to require officials to report significant risks on a regular basis.

It is also responsible for ensuring effective escalation processes are in place where there may be concerns that risks have not been properly addressed through the organisation’s risk management arrangements.

There have been a number of high-profile failings where the adverse event was not anticipated by the organisation. The governing body needs to be confident that issues and events happening outside the risk management environment can be quickly identified, controlled and dealt with. Part of this requires effective forecasting and anticipation based on the governing body’s understanding of the external environment in which the organisation operates.

It is also important that the governing body is aware of the internal environment, for example by putting in place effective whistleblowing arrangements where people feel confident and able to express their concerns. Recent experience in the NHS demonstrates how harmful it can be if the culture of an organisation is not open to concerns expressed through whistleblowing or other means.

To summarise, here are some key questions all governing bodies should ask of themselves:

• How do we ensure that our focus is on managing the things that matter? Are we content that management’s assessment of risk is not overly optimistic?

• Are we clear about where we are prepared to tolerate differing levels of risk and, in turn, how this influences and drives the actions of management?

• How are we confident those risks are being managed appropriately and that we will be informed of the most significant risks to our business?

• What information do we need both to take decisions and to challenge the rigour with which risk is managed throughout the organisation?

• How do we ensure that our decisions are based on a clear and balanced evaluation of the costs and impacts associated with risks and mitigations?

• How do we learn from successes and failures both within our own and other organisations?

Source: Managing Risks in Government: Good Practice, National Audit Office, 2011

THE ROLE OF THE AUDIT COMMITTEE

Audit committees have become a key feature of public sector governance in recent years.

The purpose of an audit committee is to provide to those charged with governance independent assurance on the adequacy of the risk management framework, the internal control environment and the integrity of the financial reporting and annual governance processes.

Source: CIPFA Position Statement: Audit Committees in Local Authorities and Police, CIPFA, 2013

This purpose is common across the public sector, as is an audit committee’s role in relation to risk management. There are three major areas.

First, assurance over the governance of risk, including leadership, integration of risk management into wider governance arrangements and the top-level ownership and accountability for risks. The specific actions this requires include:

• Overseeing the authority’s risk management policy and strategy, and their implementation in practice.

• Overseeing the integration of risk management into the governance and decision-making processes of the organisation.

• Ensuring that the governance statement is an adequate reflection of the risk environment.


Second, keeping up to date with the risk profile and the effectiveness of risk management actions by:

• Reviewing arrangements to co-ordinate and lead risk management. An example of such an arrangement is the existence of a group to examine, challenge and support the risk assessment process to ensure consistency.

• Reviewing the risk profile and keeping up to date with significant areas of strategic risks and major operational or project risks and seeking assurance that these risks are managed effectively and owned appropriately.

• Seeking assurance that strategies and policies are supported by adequate risk assessments and that risks are being actively managed and monitored.

• Following up risks identified by auditors and inspectors to ensure they are integrated into the risk management process.

Third, monitoring the effectiveness of risk management arrangements and supporting the development and embedding of good practice in risk management by:

• Overseeing any evaluation or assessment, such as a risk maturity assessment or risk benchmarking.

• Reviewing evaluation or assurance reports on risk management and monitoring progress on improvement plans.

• Making use of the assurance framework to identify gaps in assurances, challenging where there have been late or inadequate submissions by management, and obtaining assurance that emerging or worsening risks are adequately covered and that the internal audit plan responds to changes in risks.

• Monitoring action plans and development work in the field of risk management practice.

INTERNAL AUDITORS AND RISK MANAGERS

The developing role of internal audit clearly indicates that risk is the business of audit. It is essential that internal audit’s work is closely linked to the way in which risk is managed in the organisation. There are benefits from internal audit and risk managers working together:

• sharing knowledge about the organisation’s current and emerging risks and the mechanisms to manage risk

• audit findings will have a bearing on the way in which risks are managed and whether there are weaknesses that need improvement

• risk managers often have direct experience of services and work with them to identify and improve the management of their risks

• both functions have expertise in understanding risks and designing adequate controls to meet them.

Some organisations use workshops involving both auditors and risk managers to facilitate risk identification and management with service managers. There are also benefits in terms of planning the work of both functions, illustrated in the case study below.


Case study: Shropshire Council – planning the work of the risk and internal audit functions

In evaluating the risk management process and informing the planning process at Shropshire Council, the head of internal audit invites the risk and insurance manager to sit in on audit planning exercises with senior officers. This satisfies an audit and a risk management requirement with one meeting. This allows the risk and insurance manager to seek reliance on the robustness of risk assessments already completed and the mitigation in place or planned, and allows internal audit to benefit from this sense-check and receive reassurance or otherwise by audit identifying areas where risk management is mature and working.

In addition, the risk and internal audit functions meet monthly, during which meetings emerging risks are discussed to inform the audit planning process and learning from audit reviews is fed back to inform risk assessments and to triangulate with information being received from elsewhere.

A developing practice is to combine the internal audit and risk management functions organisationally: either the head of audit also manages the risk function, or both the internal audit and the risk functions are managed by the same senior manager. This can have practical benefits in times of scarce resources and formalises the benefits of joint working. But a key factor to take into account is whether the arrangement raises any threats to the independence and objectivity of internal audit. Any such arrangements must clearly meet the requirements of the PSIAS in terms of preserving the independence and objectivity of internal audit (PSIAS 1130) and ensuring internal audit’s ability to evaluate the effectiveness of the organisation’s risk management processes (PSIAS 2120). What is important is whether a combined approach is likely to improve the organisation’s risk management, control and governance processes.


ASSURANCE

The concepts described in this section are illustrated in the following diagram.

Assurance concepts (diagram; the four elements and their descriptions are reproduced below)

The Assurance Framework: sets out the risks in relation to the strategic objectives along with controls in place and assurances available on their operation.

Annual Governance Statement: sets out the organisational approach to internal control. Scrutinised by the governing body to ensure it is supported by a robust body of evidence.

Organisational Risk Management: the executive, wider management and risk management function will lead and manage risk identification and management processes.

Audit: internal and external audit have an important independent assurance role to play. There is a clear link between the assurance framework and internal audit.

Source: Mersey Internal Audit Agency

Assurance is defined as:

… an objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization.

Source: Assurance Maps, Institute of Internal Auditors Practice Advisory 2050-2, 2009

Assurance is being confident, based on sufficient, relevant and reliable evidence, that something is satisfactory, with the aim of giving comfort to the recipient. The basis of the assurance will be set out and it may be qualified if full comfort cannot be given.

Effective assurance brings together the right governance framework and risk culture for the organisation and a clear understanding of strategic objectives and risks, good internal controls and evidence that internal controls are operating effectively. It is not just about process, but making sure that the assurance framework is relevant to the organisation and is actually working in practice.

Assurance is about knowing what is actually going on and having strong evidence to prove it. It is not about having a cosy feeling based on little hard evidence that all is well within the organisation, or even worse, not really knowing what is going on but making assumptions. Recent experience shows how important it is not just to rely on trust; Mid Staffordshire NHS Foundation Trust certified that it was compliant with all Care Quality Commission standards except that relating to waste disposal, but it subsequently became clear that it was very far from providing safe, high-quality care.

Organisations therefore need assurance, based on strong evidence, that their risk management and operations support their ability to achieve their objectives. They also need to be able to respond effectively where assurance is negative, that is, where the evidence indicates that controls are not operating to deal adequately with a risk. Actions then need to be identified and the risk score updated.

Risk management and performance management have the same objective – supporting the achievement of organisational objectives – but many organisations run the two systems in parallel tracks and do not link them. This could result in, for example, an emerging service failure risk being identified through worsening performance against an indicator which is not identified in the organisation’s risk register or risk management framework.

Organisations need to take care that they are not taking assurance from performance management systems where the underlying internal control is inadequate.

Assurance frameworks and assurance mapping

Assurance frameworks have developed across the public sector, with a substantial amount of specific guidance for local government, the NHS, central government and other bodies. Across the sector, there is now a generally shared understanding of the meaning of assurance and of its key elements. An assurance framework is a structured means of identifying and mapping the main sources of assurance in an organisation, and co-ordinating them to best effect.

It is essential that there is an effective and efficient framework in place to give an organisation sufficient, continuous and reliable assurance on stewardship and the management of the major risks to success and to the delivery of improved, cost-effective public services.

This assurance framework should be structured to provide reliable evidence to underpin the assessment of the risk and control environment for the governance statement, supported by independent appraisal from internal audit. Assurance frameworks need to be used to identify gaps in controls or assurance, as illustrated below.

The assurance cycle (diagram): risks, controls and assurance are linked in a cycle reporting to the board/audit committee, which exposes gaps in control and gaps in assurance.

Source: NHS London Audit Consortium

There are many sources of assurance in an organisation available to evidence the management of risk and internal control. Understanding the sources of assurance and their scope means internal audit can focus most effectively on the riskier areas and those where gaps in assurance exist. Annex 2.2 to this chapter provides more detail on assurance sources.

Assurance mapping is a mechanism for linking assurances from various sources to the risks that threaten the achievement of an organisation’s outcomes and objectives. The structured mapping of assurances is one of the fundamental steps in building an assurance framework. An overview of the process is presented below.

Assurance mapping (diagram; labels recovered from the figure, which is organised into two lanes, ‘Centre’ and ‘Operations, Projects & Functions’)

Centre: Top-down Strategic Risk Assessment (annual); High-level SWOT/STEP and Strategic Risk Register; Board understanding of risk appetite; Bottom-up Operation-wide Risk Assessment; Collation of Operational Risk Reviews; Collated operational risk reporting with mitigating actions (monthly/quarterly); Integration of Strategic and Operation-wide Reviews; Current and Future Risk Profile (monthly/quarterly); Level of risk, mitigation effectiveness, assessment of impact on overall risk profile; ‘Watch List’ of risky business initiatives; Integrated Board/Executive Reporting (monthly/quarterly); Key Risk and Mitigation Reporting; Key overall risks and adequacy of mitigation; Action Planning; Coordinated mitigation plan and action tracking; Feedback and Actions; Risk embedded in Strategic Planning.

Operations, Projects & Functions: Operations Risk Review, with operations risk reporting with mitigating actions (quarterly); Programme and Project Risk Review, with programme and project risk reporting with mitigating actions (monthly); Functional Support Risk Review, with functional risk reporting with mitigating actions (quarterly).

Source: Risk Management in Higher Education: A Guide to Good Practice, HEFCE/PwC, 2005

Annexes 2.3 and 2.4 to this chapter provide further examples of assurance mapping.

One way of bringing risk management and compliance into a common framework is to use the three lines of defence approach.

Three lines of defence (diagram)

First line: front-line staff and management; internal controls.

Second line: senior management; executive/policy; governance framework.

Third line: internal audit and other review agencies; independent review.

External audit sits outside the three lines, alongside the board/audit committee at the top of the diagram.


The first line of defence is front-line staff and management. Front-line staff are responsible for understanding their roles and responsibilities and carrying them out properly and thoroughly. Controls are designed into systems and processes, so, assuming the design is sound, compliance should mean the internal control environment is sound. Other staff within a department, usually undertaking administrative roles, are responsible for routinely verifying compliance with policies and procedures, in respect of both service delivery and decision-making processes. These staff are also responsible for providing information on key risk and control indicators to the second line of defence.

The second line of defence is a corporate governance framework, incorporating compliance and risk management functions. This is made up of a range of executive functions or committees which set and police policies, define work practices and oversee the operation of the first line of defence. Typically this would involve holding the first line of defence to account for the effectiveness of their risk management and compliance arrangements but, for particularly high-risk matters, they would also routinely inspect for compliance with policies and procedures.

The third line of defence is independent review, which is used to monitor the operation of the overall compliance and risk management system and examine the operation of the first and second lines of defence. This is the role of internal audit but there are other sources of independent review that can be used. Sources of independent review need to collaborate, for example internal audit liaising with external inspection to ensure there are no gaps or duplication and that there is a shared understanding of compliance and risk issues. Review findings are considered by the audit committee, which can then ensure that the executive is addressing identified weaknesses properly.

Finally, although not in itself part of the defensive lines, external audit is responsible for reporting externally on the adequacy of the organisation’s arrangements for managing assurance.

Another way of looking at assurance is to consider the nature of the evidence being sought for assurance. The nature of the evidence will vary in terms of its currency, independence, expertise and scope. Governing bodies’ needs will vary, as set out in the table below.

Tell me: the governing body needs evidence to support a statement or source of assurance; for example a report from management that an action has been taken.

Show me: the governing body needs a stronger source of evidence; for example performance information that a key target has been achieved.

Prove it to me: the governing body needs to be assured that there is proof that actions have been undertaken to support an assurance or a statement they rely upon; for example, independent inspection or audit.

Annex 2.2 to this chapter sets out the detailed steps required to build an effective assurance framework.


Governance statements

It is now common practice for the results of assurance review to be made public in a governance statement. The governance statement is published separately but usually with the organisation’s annual report and accounts. It covers the organisation’s corporate governance, risk management and internal control arrangements. The statement should incorporate an evaluation of how well the arrangements have operated in practice, based on the ongoing assessment processes. The exact format of the governance statement will vary across the public sector, but the following extract from Department of Health guidance provides a good summary:

The governance statement records the stewardship of the organisation to supplement the accounts. It will give a sense of how successfully it has coped with the challenges it faces and of how vulnerable the organisation’s performance is or might be. This statement will draw together position statements and evidence on governance, risk management and control, to provide a more coherent and consistent reporting mechanism.

The governance statement should be a ‘live’ document reflecting the organisation’s governance procedures and systems. It should not be produced through a process designed solely for the annual report and accounts.

The governance statement should refer to the [governing body]’s committee structure; the [governing body]’s performance, including its assessment of its own effectiveness; and to ensuring that required standards are achieved. This should make reference to performance against the national priorities set out in the NHS Operating Framework 2011/12.

Source: Annual Governance Statements – Guidance, Department of Health letter to strategic health authority directors of finance, February 2012

For further guidance on completing governance statements and the role of internal audit as a source of assurance, see the Further Reading section.

RISK MANAGEMENT AND GOVERNANCE ROLES AND RESPONSIBILITIES

Risk management and governance roles and responsibilities are summarised in the following table.


Roles and responsibilities (table; the marks assigning each role to the functions below did not survive extraction, so only the column and row headings are reproduced)

Role/function columns: Senior management/governing body; Audit committee; Non-executives; Internal audit; External audit

Rows:

Setting strategy and objectives

Achieving strategy and objectives

Identifying risks to strategies and objectives and managing risks

Ensuring risks are controlled, mitigated or managed (4Ts)

Evaluating whether controls are sufficient to control or mitigate risk

Maintaining a sound system of internal control

Evaluating the system of internal control

Managing the assurance framework

Reporting on the assurance framework

Scrutiny/evaluating the assurance framework

Providing independent assurance

Improving the assurance framework


Chapter Summary

Forms of governance vary across the public sector, but all organisations need robust and effective risk management processes. The governing body is responsible for ensuring that risk management is adequate, that it has the appropriate risk appetite and that there is an embedded risk culture throughout the organisation.

The audit committee plays a vital role in seeking assurance that the governing body is managing risk well, and in challenging assurances about how the organisation controls and manages risk. A robust assurance framework is required to give confidence to an organisation’s risk management and governance processes. Internal audit is one of the key defences in providing assurance.

CHECKLIST FOR AUDITORS

Do you fully understand your organisation's governance and risk management arrangements?

Are you confident that the governing body and audit committee perform their roles effectively?

Are you able to contribute to the identification of risk and to improving risk management?

Are you valued as part of the assurance framework?


ANNEX 2.1: MANAGING RISK – A PRAGMATIC EXAMPLE

This example brings together the issues covered in the previous chapter in a clear and pragmatic way.

Lancashire County Council’s approach to managing risk is to use knowledge the council already has of its key issues to identify and understand risks. Rather than documenting each and every risk (which can be time-consuming and resource-intensive), it draws upon what is in place already – corporate strategies, senior management team agendas, discussion and actions around emerging issues, new projects and ongoing service delivery – to identify the risk environment.

Some key strategic issues are already well known and well managed and do not require any further layer of risk management documentation, whereas new projects or developments require a more structured risk approach. Day-to-day operations and service delivery receive assurance through internal audit activity and other forms of assurance.

LANCASHIRE COUNTY COUNCIL: A REVISED APPROACH TO RISK MANAGEMENT

The council already manages its risks well in practice. In the past it had not always documented risks in the ways demanded by the external regulator, but action being taken by management teams across the council amounts to an effective ongoing process of risk identification, assessment and management.

Managers should therefore continue to be encouraged and supported to consider the potential threats and opportunities involved in any new service developments and improvements, and to monitor ongoing performance. Documentation of risks, related controls and mitigating action plans should be considered where this is helpful and appropriate and, where this is the case, risk registers should be prepared. This is likely to be appropriate for specific service development projects, when project risk registers should be monitored closely by the lead project manager and sponsor. Individual directorates should also consider risk specifically as business plans are prepared and monitored.

The management team will obtain assurance annually that risks are being adequately identified, assessed and managed by an annual snapshot of the issues being addressed by management across the council. The audit committee has also expressed a desire to periodically review a statement of the council’s key risks.

Assurance over specific risk areas will continue to be provided by the internal audit service through the annual internal audit plan. Internal audit work is designed to provide assurance over the management not only of changing risks, but also of those that may be significant but relatively constant while services remain stable. Such risks may not therefore be identified through a snapshot of management discussions but will be highlighted through directors’ discussions with the internal audit service and the resulting annual audit plan.

Principles

The county council generally manages risk effectively within the course of its normal operations through its management structure and governance arrangements:

• Managers have a good understanding of their services and service developments, and are able adequately to identify the risks involved.

• Managers understand the limits that the organisation places on the action that can be taken by any individual officer. There is a general awareness of what management action is appropriate and where further consultation and approval are required with colleagues and more senior managers. The organisation therefore recognises its risk appetite in relation to the decisions it takes.

• There is a good level of understanding of what risk it is acceptable to take during the normal course of work and the organisation recognises its risk appetite in relation to its ongoing activities.

• Managers’ workloads should not be increased through unnecessary bureaucracy, in particular by preparing documentation solely to demonstrate (rather than support or enhance) effective management. The cost (in terms of the time involved) relative to the benefit gained by defining every possible risk in detail and assigning impact and likelihood scores to each risk associated with every planned or current activity is deemed too great to be generally worthwhile. However, where there are known concentrations of risk, such as in new service developments, managers understand that they should document, monitor and manage these risks using the council’s scoring framework.

• The internal audit service works with individual directors and executive directors to consider the council’s assurance needs, and makes its own assessment of the internal audit work required to provide this assurance. Priority is given to providing assurance over the controls that reduce the greatest inherent risks to the greatest degree.

It is therefore considered unnecessary and an inappropriate use of resources to attempt to document and individually score each risk arising across the whole of the council’s business. Instead, an assessment of the risk management arrangements is made; for example:

Risk area: New projects and service developments

Management control: Directorate management teams, with cascade down to service teams as the issues develop, and up to management team for information

Evidence of management: Corporate strategy or equivalent; Directorate strategy/business plans; Directorate management team agendas and papers; Project risk registers


ANNEX 2.2: BUILDING AN ASSURANCE FRAMEWORK

BENEFITS

The following are some of the benefits of a planned assurance process:

• It provides an evaluated opinion, based on evidence gained from review, on the organisation’s risk and control framework, particularly the management of key risks and the achievement of objectives and targets.

• It informs the components of the governance statement and the ongoing assessment and positioning of risks on the corporate risk register.

• It supports the demonstration of governance arrangements.

• It is a means of rationalising assurances. Focusing on key assurance needs may identify some efficiency savings. Undertaking a whole service delivery assessment of assurance needs provides opportunities to streamline the existing review, monitoring and reporting requirements.

The assurance process can also be used as a means of communication, enabling management and others to focus on key assurance needs:

• for directors and divisional heads, in informing them in a graphic way of their assurance responsibilities as risk owners, and in turn informing year-end stewardship declarations

• for audit committee members, as a useful training aid on the key assurance needs of the organisation; how these are obtained, evaluated and co-ordinated into an overall opinion on risk, control and governance

• for the external auditor, in informing the annual certification audit of accounts that the key issues have been thought through.

SOURCES OF ASSURANCE

Assurance can be derived from all aspects of work that deliver feedback; that is, management information in the form of reviews, quality control and the oversight of deliverables. For example:

Sources of assurance (figure)

The diagram groups sources of assurance under the headings Independent Assurance, Management Assurance, Risk Management Activities, Board/Audit Committee Oversight, Other External and Other Regulatory. The examples shown are:

• External Audit Management Letter

• Benchmarking

• Annual Report on Insurance

• Group Monitoring Framework

• Annual Review on HR Policies

• Fraud Reports

• Other External Consultants

• KPIs

• Risk Panel Reports and Oversight

• Group Risk Assessments

• Legal Advice

• Annual Report of Health and Safety

• Customer Feedback

• Directors’ Control Self-certification

• Subsidiary Risk Assessments

• Other Regulatory Reports, eg NCSC

• Budgetary Control

• Divisional/Departmental Risk Assessments

• Business Plan/Action Plan Progress

• Exception Reports

• Accounts

• Group and Subsidiary Chief Executives’ Annual Report

• Annual Review of Financial Regulations/Standing Orders

• Quality Management and Audit Reports

• ISO9000 Reports

• Internal Audit Annual Report and Assurance Statement

• Housing Corporation Reviews and Inspections

CHALLENGING ASSURANCE

Management, governing bodies and audit committees receive assurance in various forms throughout the year on their risk management and delivery frameworks. They need to question the relevance, reliability and completeness of the assurance received:

• Is there sufficient evidence to support the conclusions reached on key risks and key delivery targets?

• Where does the assurance come from and is it relevant to the key concerns and the key risks?

• How competently has the work on which it is based been undertaken?

• Is too much assurance being obtained?

• Are there opportunities to streamline the whole process and make efficiency savings?

In order to answer these questions and to be able to place reliance on the assurances received, the governing body must first have determined its assurance needs and assessed from where the assurance is to be derived.

This assurance is based on a number of principles.


Principle 1 – Planning to gain assurance

Assurance strategy

Reliable, relevant and complete assurances will only be gained if the top of the organisation decides to obtain them, and this requires a dialogue reported through the various layers of management to the governing body about what is required. This is a key stage in the process.

It may be necessary to map the assurance needs of the organisation against the key risks/delivery targets and to describe how the assurance needs are to be met, including the sources of the assurance providers. This may initially be quite a resource-intensive exercise, but could be carried out by a workshop of key players. Without it the organisation will never be absolutely sure it is getting reliable, relevant and complete assurance – and that in itself is a risk the organisation needs to assess.

Assurance process

The processes for obtaining assurance should be embedded into existing management processes (see the diagram below). Some organisations, for example, require their divisional heads to complete periodic and annual stewardship/assurance statements. These confirm that they understand the risk management systems they have in place, including where risks are transferred to a partner or third party organisation, and that they have provided assurance on those key risks identified by the assurance strategy.

It is very important that the assurance process is seen as integral to the normal risk management and delivery chain.

The assurance process (figure)

The diagram shows the assurance process as two linked cycles.

Service (business objectives) delivery process:

– Define business objectives, targets and assurance strategy

– Policy/delivery development: analysis of policy/delivery options; create ownership; define measures of success; take account of external environment

– Implementation: build delivery processes and support systems; set targets and performance outcomes

– Performance management: report based on validated performance information systems

– Review business objectives; update risk assessment/review targets

Risk management process:

– Identifying risks

– Assessing risks

– Addressing risks

Evaluated assurances (acceptable; too much; deficiencies and/or gaps) are shown feeding into each cycle.


Maintenance

Departments need to plan how the assurance framework is going to be reviewed and maintained, who is going to do it and how often it needs to be done.

Principle 2 – Making the scope of the assurance boundaries explicit

In order to arrive at an overall opinion, the scope of the processes required for obtaining assurance needs to encompass the whole of the organisation’s risk and performance management lifecycle. This does not mean that every risk, every measure and every control has to be reviewed in order to obtain assurance. Corporately, assurance may only be needed on key risks and controls and enough of the other risks to support the overall conclusion. However, the review that takes place will need to provide:

• assurance on the risk/performance management strategy – ascertaining the extent to which all line managers review the risks/controls within the ambit of their responsibility and maintain dynamic risk and performance management arrangements

• assurance on the management of risks/controls – encompassing the key risks and enough of the other risks to support the overall opinion reached, and incorporating the extent to which the position of a risk might change on the risk register based on the assurances received

• assurance on the adequacy of the review/assurance process – quality assured to engender confidence in the review process.

Principle 3 – Evidence

The evidence supporting assurance should be sufficient in scope and weight to support the conclusion and be:

• relevant

• reliable

• understandable

• free from material misstatement

• neutral/free from bias

• such that another person would reasonably come to the same conclusion.

Principle 4 – Evaluation

The objective is to:

• evaluate the adequacy of the risk and performance management policies and strategies to achieve their objectives

• evaluate the adequacy of the risk management processes designed to match residual risk to the risk appetite

• evaluate the adequacy of the performance management processes to support the achievement of targets and goals

• identify limitations in the evidence provided or in the depth or scope of the reviews undertaken

• identify gaps in control and/or over-control, and provide the opportunity for continuous improvement

• support preparation of the annual governance statement.

The organisation will need to bring together and evaluate the various assurances. Internal audit has a key role in this process and its audit programme should allow it to:

• Understand what is actually going on and to make a judgment about whether improvements are necessary. (Is there sufficient evidence to support the conclusions reached in relation to key risks/outcomes achieved?)

• Measure the effect of control against the effect intended in relation to the delivery of objectives. (Are risks relating to all business operations actively managed and responded to, so as to prevent control failures or the undesired exposure to threats to the achievement of objectives?)

• Know whether the organisation is living within its risk appetite. (Is the organisation exposed to risks beyond its risk appetite and/or has the nature of a risk changed such that its position changes on the corporate risk register?)

• Know whether the performance management framework and processes to measure achievement against targets and goals accurately inform management of progress towards the achievement of objectives.

• Take opportunities to progress through continuous improvement. (Is there a plan to address weaknesses where these exist, and to ensure continuous improvement to risk management and control?)

• Report and evaluate the assurance evidence in order to form an overall opinion. (Are there gaps in the assurance provision or in risk/performance management leading to control failures?)

In evaluating evidence to arrive at an overall judgment or opinion, all of the evidence criteria need to be considered. However, it is important to recognise that:

• Not all evidence is of the same weight in deriving assurance. Evidence should be weighted according to its:

– independence – the more independent the evidence, the more reliance can be placed on it; however, circumstances may exist that could affect the reliability of the information obtained (eg for independent external evidence to be reliable, the source of the evidence must also be reliable)

– relevance – in determining the overall assurance, there is a need to ensure that the evidence relates to those elements of the risk management lifecycle that are considered significant, and evidence relevant to the more significant risks is consequently of greater relevance to the overall assurance.

• Evidence may be flawed in terms of both quantity and quality where the evidence criteria are not met, leading to limitations in the assurance that can be provided. For example, merely obtaining more evidence will not compensate where the quality of evidence is low or where the source of evidence is not reliable.

Principle 5 – Reviewing and reporting

Assurances come from many different sources, both external (eg suppliers and contractors, third parties) and internal (eg management, practitioner review). The assurance strategy needs to define stages where assurances will be evaluated and opinions reported through the various layers of management to the governing body.

Assurance opinions need to be reported clearly, and worded so as to communicate clearly the scope and criteria used in arriving at those conclusions.


ANNEX 2.3: HM TREASURY EXAMPLE ASSURANCE FRAMEWORK ARRANGEMENTS

The HM Treasury diagram shows an assurance framework built from the following components.

Assurance map components: first line of defence; second line of defence; third line of defence; other assurances.

Sources of assurance shown on the map:

• Performance management and data quality

• Legal, regularity, information and security assurance, etc

• Assurances by directors/heads of service

• Other sources of assurance, including third party

• Financial control assurance

• Internal audit

• Other independent sources of assurance

• External audit

• Operational delivery assurance

• Programme and project assurance

• Strategic risk and quality assurance

Central guidance: HM Treasury guidance; Corporate Governance Code; Managing Public Money; Government Risk Management guidance; Public Sector Internal Audit Standards, etc.

Organisational control framework: organisational objectives and outcomes; business strategy and planning process; performance management; budget and budgetary control; project and programme management; risk management; counter fraud policy; ethical governance; policies, procedures, codes of conduct; partnership protocol.

Authority and directorate policies, business plans and risk registers.

Corporate group with responsibility for drafting the annual governance statement, maintaining the assurance framework and supporting evidence.

Annual Governance Statement: Accounting Officer and Board.

Audit and Risk Assurance Committee: review and monitor the effectiveness of governance, risk management and internal review, and approve the annual governance statement.

Source: Assurance Frameworks, HM Treasury, 2012


ANNEX 2.4: NHS TRUST ASSURANCE FRAMEWORK EXTRACT

Strategic objective: Improve quality outcomes and patient satisfaction

Risk: We do not have in place effective arrangements for monitoring and continually improving the quality of healthcare provided to our patients, which have regard to:

i) assessment against Monitor’s quality governance framework

ii) Care Quality Commission information

iii) trust metrics including information on serious incidents, patterns of complaints.

Controls:

– C1 – Executive accountability – all execs

– C2 – Organisational structure

– C3 – Performance management system

– C4 – Assurance committee (quality and safety)

– C5 – Governing body of directors

– C12 – External regulation

– Quality strategy

Governing body assurance:

Assurance reporting:

• design of strategy, expected levels of performance and metrics

• risks to delivery and mitigation

• delivery: have we improved what we set out to improve?

Performance dashboard:

• performance against goals (targets, clinical outcomes, patient safety and experience, cleanliness).

Quality and safety assurance report:

• serious incidents and patterns of complaints, resolution.

Audit assurance:

• audit of processes for escalation, resolution and data quality

• compliance with legislation

• governance systems.

Triangulation assurance:

• staff satisfaction

• patient voice

• quality and other benchmarking data

• peer and external review

• readmissions.

Source: Mersey Internal Audit Agency


CHAPTER THREE

Internal Audit’s Role in Evaluating Risk Management

As a minimum, internal audit needs to audit the risk management processes, provide assurance on their adequacy and comment on whether the organisation’s attitude to risk – appetite and tolerance – is suitable for its environment. Internal audit’s evaluation needs to be based on a view on risk maturity. This chapter provides guidance on reaching such a view.

The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.

Source: PSIAS 2120 Risk Management

RISK MATURITY

Risk maturity is the concept that the more established and embedded risk management arrangements are in an organisation, the more confidence the auditor can have in their ability to safeguard it against risk. Although the concept of risk management has now been around for some time, many organisations have yet to achieve full maturity.

In its most recent survey of heads of internal audit (Governance and Risk Report 2013: Internal Audit’s Perspective on the Management of Risk) the IIA found that 45% of respondents felt that the level of risk maturity within their organisation could be classified as in the early stages of implementation, in development or non-existent (at level 3 or below in the following illustration). This figure was consistent whichever sector was looked at.

The first step is for the auditor to assess risk maturity. The following illustration explains the concept clearly.


Assessing risk maturity (table)

The table sets out, for each level of the organisation’s risk maturity, its approach to risk management, internal audit’s strategic response and what internal audit work covers.

Level 5 – Risk Enabled

– Approach to risk management: risk management and controls assurance policy embedded into organisational culture and operations

– Internal audit strategic response: review risk management processes to confirm continued reliance can be placed upon them

– Internal audit work covers: use management assessment of risk for audit planning as appropriate

Level 4 – Risk Managed

– Approach to risk management: organisation-wide approach to risk management communicated and implemented

– Internal audit strategic response: review risk management processes to confirm reliance can be placed upon them

– Internal audit work covers: use management assessment of risk for audit planning as appropriate

Level 3 – Risk Defined

– Approach to risk management: strategy, policies and risk appetite defined

– Internal audit strategic response: liaise with risk management function/facilitate risk assessments; review approach for adequacy and completeness

– Internal audit work covers: incorporate management risk assessment into audit plan but use audit assessment of risk to check it is comprehensive

Level 2 – Risk Aware

– Approach to risk management: some areas risk aware, probably due to culture, history or staff in post

– Internal audit strategic response: promote organisation-wide approach to risk management; process map to identify key risks and gain management approval of audit risk assessment

– Internal audit work covers: rely on audit assessment of risk

Level 1 – Risk Naive

– Approach to risk management: no formal approach developed

– Internal audit strategic response: promote organisation-wide approach to risk management; process map to identify key risks and gain management approval of audit risk assessment

– Internal audit work covers: rely on audit assessment of risk

INTERNAL AUDIT’S APPROACH BASED ON RISK MATURITY

In order to consider the most appropriate stance, and to provide the requisite assurance, as a minimum the processes by which risks are identified, analysed and managed must be reviewed as set out in the diagram above. Internal audit’s role moves along a spectrum depending upon the level of maturity the organisation has reached, as illustrated below.

Risk maturity and internal audit’s approach (figure)

Risk Management Maturity:

• Risk naive: initial; ad hoc; undefined; reliance on key people

• Risk aware: repeatable; intuitive; defined tasks; initial infrastructure

• Risk defined: standardised; rigorous; defined policies, processes and appetite; uniformity

• Risk managed: embedded; comprehensive; widely adopted; measured; increased competency

• Risk enabled: optimised; continuous; integral; competitive advantage; core competency

Internal Audit Role: the figure shows a spectrum running from ‘Promote, facilitate, support’ at the risk naive end to ‘Review, assess, use’ at the risk enabled end.

Internal audit’s role depends on the level of maturity that the organisation has reached. The spectrum of tasks ranges from supporting, promoting and facilitating the improvement of risk management where the organisation is risk naive, to reviewing, assessing and using arrangements to provide assurance that they operate effectively when the organisation is fully risk mature.

As a minimum, or core function, internal audit should always critically review management’s assessment of risks and consider this in relation to the scope of work over which it must provide assurance. In particular, it should ensure that in addition to the key strategic and operational risks to objectives, on which management are often primarily (and rightly) focused, there is sufficient understanding and coverage of other risks arising over:

• projects, systems developments and change

• the reliability and integrity of operational and financial information

• the stewardship of financial and non-financial assets

• compliance with relevant legislation.

Internal audit should also ensure that risk assessment appropriately reflects risks in areas where there are previously identified control deficiencies.

Where management’s assessment of risk is considered by internal audit to be incomplete or flawed, additional or revised risks should be defined, assessed and reflected in the design of the audit plan. Any additions and revisions should be shared and discussed with management and the audit committee to continue to promote a comprehensive and shared view of risks and required action.

Where the risk management process is immature, internal audit has a key role in furthering development and process improvement and should work with management to facilitate the identification and assessment of risks. This is more of a consultancy role, and the relevant PSIAS requirements should be followed.

Where the risk management process is mature and provides for a robust consideration of the risks faced, it should be used to direct the internal audit plan to support the continuous provision of assurance. In reality, few organisations are at the extreme ends of this continuum, and a tailored combination of these actions is the most likely response. In order to consider the most appropriate stance, and to provide the requisite assurance, as a minimum the processes by which risks are identified, analysed and managed must be reviewed.

But there are tasks and issues which internal audit should not be involved in, since this would compromise independence and objectivity; for example, becoming part of the day-to-day risk management process or deciding on risk categorisation or appetite for the organisation.

The way in which internal audit plans its work therefore depends on the assessment of risk maturity. Annex 3.1 to this chapter provides an example of internal audit redesigning its approach to support the organisation’s risk management processes.

INTRODUCING CIPFA’S MODEL FOR ASSESSING RISK MATURITY

CIPFA developed a model for assessing risk maturity in 2005. The model holds good, although it has been enhanced and updated for this publication. It is included in the appendix to this publication in a form that can be copied or adapted by internal audit.

Summary of the model

Each element in the model and in the following table shows the key issues that are critical to the successful implementation and management of a risk framework. The model also sets out key questions to consider, which the auditor should test for design and application in practice. If these elements are in place and working effectively, the risk management framework can be considered to be embedded. Some key documents are suggested but will vary between organisations. Finally, there is space for the auditor to conclude on the organisation’s risk maturity for each element of the framework. This provides a clear overview of where improvement is needed, what action should be taken and where good practice should be recognised.

The model encourages the auditor to assess risk maturity at present, where the organisation would wish to be in the short term (12 months), and where the organisation would wish to be in the long term (say three years or more). This can be carried out at group, organisational or business unit/division/department level.

The level of risk maturity will vary for different parts of the organisation. It is important to have a sense of what is appropriate to each business unit or area on a cost–benefit basis.


Not all areas will need to leverage risk management to an area of competitive advantage or top performance (level 5), but all in the public services are likely to need to attain level 3 in order to contribute to the overall control framework and disclosures on internal control in the annual statements. Those parts of the organisation dealing with major business risks are the most likely to need to achieve level 5.

The model enables the auditor to develop an audit programme, considering the risk maturity for each of the following elements.

Risk maturity model (figure)

The model assesses each of the following elements on a five-point scale running from Naive through Aware, Defined and Managed to Enabled:

• Vision, commitment and ownership

• Structure, roles and responsibilities

• Identifying the risks

• Categorising and prioritising the risks

• Action and response

• Monitoring and review

• Extended enterprise

• Embedding risk management

The model relates to PSIAS 2120 Risk Management, as set out in the following table.


PSIAS 2120: Determining whether risk management processes are effective is a judgment resulting from the internal auditor's assessment that:

CIPFA model elements

Organisational objectives support and align with the organisation’s mission

Vision, commitment and ownership

Vision comes from the top and should be shared throughout the organisation. To have any impact, risk management must have strong support and endorsement from the top. The ownership of risk cannot be delegated and must be owned by those accountable for the achievement of their element of the organisation’s objectives, at whatever level.

The extended enterprise

No organisation is entirely self-contained – it will have a number of interdependencies with other organisations. These are sometimes called the ‘extended enterprise’ and will impact on the organisation’s risk management, giving rise to certain additional risks that need to be managed.

Significant risks are identified and assessed

Identifying the risks

Ultimate responsibility and ownership of the process of risk identification lies with the organisation’s executive/governing body. The task of risk identification may be carried out at this top level of management or devolved or delegated to a corporate risk management group/committee.

Monitoring and review

Performance monitoring of risk management activity must ensure that the treatment of risks remains effective and that the benefits of implementing risk control measures outweigh the costs of so doing.

Appropriate risk responses are selected that align risks with the organisation’s risk appetite

Action and response

Having identified the key risks and prioritised them, the next stage is to decide what the response should be. The organisation will want to tackle those risks that threaten the key business objectives and service provision, and/or areas where the existing controls are weakest.


Relevant risk information is captured and communicated in a timely manner across the organisation, enabling staff, management and the governing body to carry out their responsibilities

Structure, roles and responsibilities

An effective structure is likely to include a working group or risk committee, bringing together staff from the main services, with a chair at a senior responsible level to organise and lead the activity.

Categorising and prioritising the risks

The key risks and main contributory risks will need to be linked, prioritised and categorised – possibly into ‘high’, ‘medium’ and ‘low’ – to ensure a comprehensive understanding of the threats to achieving the business objectives and opportunities to take risks. This is not an exact science. The process can range from a group of people using their collective judgment and wisdom, to complex scoring mechanisms.

Embedding risk management within the organisation

Within an organisation there needs to be a framework of the various risk management processes that occur as part of the organisation’s normal procedures. Integrated risk management can only be said to have been fully achieved when the management of risk is embedded into all the functions and processes within the organisation; when everyone from the chief executive down is risk aware.

Chapter Summary

The more established and embedded risk management arrangements are, the more confident internal audit can be that the organisation is safeguarded from risk.

Where risk management is immature or naive, internal audit will need to rely on its own assessment of risk. Where risk management is enabled, it can rely on management's assessment of risk. Internal audit's role will be more supportive in risk-naive organisations, working with management to further and develop risk management. Its role will be more assurance based in risk-enabled organisations.

CIPFA's model can be used interactively to determine risk maturity.


CHECKLIST FOR AUDITORS

Do you know where your organisation is on the spectrum from risk naive to risk enabled?

Does your audit strategy take account of risk maturity?

Are you performing your minimum role of critically reviewing management’s assessment of risks and considering this in relation to the scope of work over which internal audit must provide assurance?

ANNEX 3.1: HM REVENUE & CUSTOMS – REDESIGNING INTERNAL AUDIT’S APPROACH TO RISK

HM Revenue & Customs fundamentally redesigned its internal audit approach in 2012 alongside its risk management assurance practices which, up to that date, had been largely separate. In both instances, it was recognised that a significant proportion of the activity was process driven rather than conversation driven. This had led to:

• potential misunderstanding by the business of the actual assurance it had by confusing a tick-box data capture exercise with active risk management

• a perception of both as a process that had to be ‘tolerated’ rather than actually adding value.

Over the next two years internal audit reviewed how it spent its time, changed the emphasis of its work and more importantly used every opportunity with audit clients to reinforce good risk management principles and to learn about clients’ perspectives.

Rather than describing every detail of the changes made by internal audit, there are three key features to HMRC’s approach that fundamentally made the difference:

� Instead of always looking at the same A3 sheet of paper with all the risks on, the focus is on the quality of the first point of contact. What this means is that the internal audit resource is dedicated to the first time a risk or issue is identified. The emphasis is placed on really getting clarity on the risk or issue, the actions that needed to be taken, the results of those actions, and the timescale. A ‘flight path’ is developed. Senior management can watch these risks or issues knowing that they will get flagged by exception when they come off the flight path, so they do not have to trawl each time to find out what has moved.

� As well as rating the overall report and individual agreed management actions, internal audit reports give assurances on the control framework and risk management, and explicitly the risk tolerance. The last element has allowed frank conversations to take place with management where they have set a tolerance, eg management look only at transactions over £X. Internal audit then talks openly with management about how this lines up with the control framework they are operating within and therefore links it to their risk management activities.

� Language – internal audit has actively changed the language of its products. Specifically there are two core instances:

– Terms of reference – there is now an audit and client agreement that makes it clear that there is a two-way commitment to the work before it starts, and not something that is ‘done to’ the client.

– Recommendations are now split into agreed management actions (to which management sign up to do) and accepted management risks. This allows internal audit to have a conversation with management where, for whatever reason, eg conflict of priorities, while they accept what internal audit has found and agree the proposal for correcting it, they choose within their control framework to tolerate it. This reinforces the principle that management should actively manage risk.

This cuts down on delays due to wordsmithing, results in greater appreciation by the internal audit team of the pragmatic issues facing the business, and improves the business’ opinion of internal audit balancing delivery challenges with being independent and holding the business to account.


CHAPTER FOUR

Risk-based Auditing

This publication emphasises the change in the focus of internal audit. In fulfilling this new role, internal audit must methodically review and provide an opinion on the:

� design and operation of the risk management process

� responses adopted to reduce risks to an acceptable level

� adequacy and effectiveness of the system of internal control in sufficiently mitigating risks.

The chief audit executive must deliver an annual internal audit opinion and report that can be used by the organisation to inform its governance statement.

The annual internal audit opinion must conclude on the overall adequacy and effectiveness of the organisation’s framework of governance, risk management and control.

Source: PSIAS 2450 Overall Opinions

In order to provide such an opinion, internal audit needs to take a risk-based approach to planning its work and undertaking audit assignments. Previous chapters have covered audit’s role in the assurance framework, and in assessing risk management arrangements and contributing to their effectiveness. This chapter focuses on developing a risk-based plan, and how risk-based auditing can be used for individual audit assignments. Findings and evidence from risk-based auditing then serve to support the audit opinion.

DEVELOPING A RISK-BASED AUDIT PLAN

As a minimum, internal audit needs to develop an audit plan based on the assessment of risk maturity, and to take a risk-based approach to audit assignments by identifying objectives, risks and controls, evaluating the extent to which those controls address the organisation’s risks, identifying over- or under-control, articulating residual risk, and recommending management action as appropriate.

The requirement of the PSIAS with regard to audit planning is that:

The [head of internal audit] must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organisation’s goals.

Source: PSIAS 2010 Planning

When developing the audit plan, internal auditors also need to ensure that they have addressed the requirements of the PSIAS:

� The internal audit activity must assess and make appropriate recommendations for improving the governance process. (PSIAS 2110)


� The internal audit activity must assess whether the information technology governance of the organisation supports the organisation’s strategies and objectives. (PSIAS 2110.A2)

� The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes. (PSIAS 2120)

� The internal audit activity must evaluate the potential for the occurrence of fraud and how the organisation manages fraud risk. (PSIAS 2120.A2)

� The internal audit activity must assist the organisation in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement. (PSIAS 2130)

The audit plan needs to demonstrate that it is based on an evaluation of the organisation’s risk management, and that it meets the PSIAS requirements set out above. The Shropshire Council case study presented later in this chapter gives a practical demonstration of how internal audit can ensure it has addressed PSIAS requirements.

As a start, it can be useful to think about the risk-based planning process as a ‘top-down’ approach, following three main stages.

The first stage is a strategic risk assessment. This involves building up a picture of strategic risks and the regulatory environment in which the organisation operates, understanding key internal and external developments. It draws on the assessment of risk maturity, internal audit’s participation in the assurance framework and discussions with governing body and audit committee members on their assurance requirements. This assessment should also take into account the risk appetite of the organisation.

A useful way to check whether the strategic assessment has covered all of the key risks is to compare planned audits to the strategic risk register, as in the following example.


CHAPTER FOUR \ RISK-BASED AUDITING


Coverage by strategic risk

[Figure: bubble chart of the strategic risks A–H plotted by Likelihood (vertical axis, 1–4) against Impact (horizontal axis, 1–4); each risk is drawn as a circle.]

Note: the larger the circle, the greater the number of audit assignments.

Strategic risk | Number of audits

A | Maintaining a balanced budget while delivering current and future political objectives. | 13

B | OneSource (transformation programme) does not deliver savings required in the timeframe set, improve efficiency and customer satisfaction or generate income from new customers as expected. | 20

C | Failure of corporate governance and leadership. | 13

D | Newham Private Rented vehicle does not provide a viable business plan to meet the objectives of delivering an increase in the number of private rented properties. | 1

E | Major development and big projects being considered fail to meet stated objectives or interfere with the council’s priorities. | 2

F | Major failure in the health service causes strain on the delivery of adults’ and children’s services. | 6

G | Changes to legislation and statutes impact adversely on the council’s delivery of the priorities for residents. | 8

H | The change programme does not deliver the priorities for residents as expected. | 1

Source: London Borough of Newham

The second stage of the process is to focus on systems that are critical to the delivery of the organisation’s business and operations, taking into account regulatory requirements specific to each operational area, and liaising with other assurance providers such as external audit.


The final stage is to translate this understanding into audit planning by reviewing local risk assessment for specific activities and systems, and using this to scope out specific audit assignments and objectives.

These stages are set out in the following example of an NHS risk-based audit planning approach.

Audit planning: risk-based approach

Aligned Strategic Risk Assessment

• Environment risk analysis, including sector risks and developments, regulatory requirements.

• Assessment of the organisation’s risk maturity (this is an overview of the governance, risk management and assurance processes).

• Review of the assurance framework, risk registers and annual plan.

• Discussions with board members and management interrelated with an understanding of the audit committee’s assurance requirements.

Business-critical Systems

• Ensuring review of all business-critical systems over the life of the contract.

• Incorporating regulatory requirements, including Monitor declarations, to support board approval.

• Liaising with external audit and other assurance providers to ensure co-ordinated audit assurance.

Audit Methodology

• Periodic audit planning supported by an annual plan that is developed from the assurance framework.

• Specific local risk assessment to set the scope and objectives for individual assignments.

• System mapping and evaluation.

Source: Mersey Internal Audit Agency

The cyclical planning process

Although the strategic assessment described above employs a top-down approach, the audit planning process itself is cyclical. The lifecycle is unlikely to fit into a neat annual exercise, as the process must be dynamic in responding to changing environmental and organisational risks and needs. However, the formal documentation and agreement of the plan will normally align to annual audit committee meetings and organisational strategic planning milestones. The process encompasses five phases, shown below.


The five phases of the cyclical planning process

1. Understanding the organisational context

2. Evaluating the risk management process

3. Designing the audit plan

4. Communicating and agreeing the plan

5. Reviewing and revising the plan

Phase 1: understanding the organisational context

Knowledge of the organisation’s strategy, objectives and targets, and a sound understanding of the environment in which it operates, and the challenges it faces, are prerequisites for the effective identification, analysis and management of risk. This awareness must therefore be the starting point for any consideration of the risk management process for internal audit planning purposes and the design of a value-adding programme of work.

To be most effective, this phase should go beyond a review of formal documentation, as objectives and the operational environment, as well as external factors such as sector policy and directives, are continually shifting. Appropriate forums and communication should be used to stay alive to these changes and to ensure that the organisational direction and the internal audit plan remain aligned. This should include regular and open dialogue with senior management and close knowledge of the work of groups where strategy, objectives and policies are agreed and where change is determined and managed.

Phase 2: evaluating the risk management process

The relative maturity of the risk management process determines whether internal audit can use the organisation’s own view of risk. The approach adopted must be tailored to each organisation, and during the evolution of the risk management process the internal audit role should adapt from an initial focus on promotion, facilitation and support through to review, assessment and use of the outputs within a fully risk-enabled organisation. Chapter three of this publication sets out how the auditor assesses risk maturity.

Phase 3: designing the audit plan

Designing a risk-based audit plan is a professional judgment, rather than a mechanistic process. Key to this judgment is ensuring that the audit plan can provide assurance on the achievement of the organisation’s objectives (PSIAS 2120.A1) and in doing so is able to demonstrate that the scope of planned work meets the requirements of the PSIAS as set out at the start of this chapter.

It is essential that internal audit understands the relationship between the risks identified, their relative assessment and where within the organisation they are being managed.

The relationship between risks and the processes that manage them is unlikely to be one to one. Most risks are managed via a number of processes and each process is likely to manage a number of risks. It is also useful to understand the relative weight of this relationship – each process will have a greater or a lesser role in managing each risk.

Reviews may be designed to cover all of the key processes necessary to provide assurance over the management of an individual risk or may cover a logical range of related processes and the risks that these manage. In some cases, a number of reviews may contribute to, or cross-validate, assurance over the management of certain key risks. The important point is that the relationship between each review and the risks over which it is designed to provide assurance is fully understood and can be clearly explained.

The aim is to provide reasonable, rather than absolute, assurance over the management of risks. This is achieved through the delivery of a programme of work designed to provide a balanced assurance over:

� the effective management of those risks assessed as highest by the organisation, often referred to as ‘key’ risks

� the effectiveness of the control environment as a whole, including the ongoing management of other, lesser, ‘non-key’ risks

� any specifically identified areas of uncertainty or concern, for example internal audit’s own knowledge based on previous years’ audit work, the time elapsed since the last review, history or potential exposure to fraud.

Coverage of lesser risks ensures that the assumptions made over the effectiveness of control within management’s risk assessment remain informed and valid.

The level of assurance required will depend on the nature of the business being undertaken and the risk appetite of the organisation.

The type of internal audit input will depend on the level of assurance required by the organisation and the potential for process improvement in the management of the related risks. Processes that have been subject to regular review, and are not impacted by significant change, are unlikely to benefit from full repetitious review of the design and operation of risk management actions. Similarly, areas of high risk where there is potential for significant process improvement are unlikely to be best served by a review of compliance or the sole use of self-assessment, and would commonly be the focus of systems development and change projects.

Appropriate consideration should be given to the intended outcome of each review and the best tools and techniques available to internal audit to achieve this.

After analysing the reviews necessary to provide the required level of assurance and the nature of the internal audit input, the sources and skills required to deliver the programme can be assessed and the relative priority and timing of each review can be considered.


2030 Resource Management

The [head of internal audit] must ensure that internal audit resources are appropriate, sufficient and effectively deployed to achieve the approved plan.

Interpretation:

Appropriate refers to the mix of knowledge, skills and other competencies needed to perform the plan. Sufficient refers to the quantity of resources needed to accomplish the plan. Resources are effectively deployed when they are used in a way that optimises the achievement of the approved plan.

Public sector requirement

The risk-based plan must explain how internal audit’s resource requirements have been assessed.

Where the [head of internal audit] believes that the level of agreed resources will impact adversely on the provision of the annual internal audit opinion, the consequences must be brought to the attention of the [governing body].

Source: Public Sector Internal Audit Standards: Applying the IIA International Standards to the UK Public Sector, the Relevant Internal Audit Standard Setters, 2013

Identifying the exact level of resources required for the audit plan is not an exact science. But it is important that internal audit is able to demonstrate a methodical, evidence-based approach to identifying and justifying the resources – either in audit staff time or sourced elsewhere – required to meet the audit plan.

Depending on the size of the organisation and the overall resources available to internal audit, there will usually be a standard allocation of days or time to deliver each audit assignment. The number and type of reviews required will be identified from the processes described above. The total requirement in days or time can then be calculated, and compared to available resources expressed in auditor days.

Where the total requirement exceeds available resources, decisions will need to be made to include only the highest-priority reviews in the audit plan, or to consider whether to increase audit resources to cover all the reviews identified by the risk-based audit planning process. Approaches to calculating resource requirements vary according to the size and nature of the organisation. Annex 4.2 to this chapter provides an example of a method for allocating resources.
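The following is an added worked example, not part of the CIPFA publication or any of the organisations it cites. It turns the planning steps above into code: each candidate review is scored on the 1–4 impact and likelihood scales used in the Newham chart, scored reviews are graded into priorities 1–3 (low-risk reviews are left out of the plan, as in the Newham case study later in this chapter), reviews are selected in priority order until the available auditor days are exhausted, and the resulting coverage by strategic risk is counted so that uncovered risks can be flagged to the audit committee. The review list, the day allocations, the available-days figure and the priority thresholds are all constructed for the example; an organisation would substitute its own register and standard day allocations.

```python
"""Risk-based audit plan allocator (illustrative example; constructed data)."""
from collections import Counter
from dataclasses import dataclass

# Strategic risk codes as used in the coverage chart (A-H).
STRATEGIC_RISKS = tuple("ABCDEFGH")

# Constructed thresholds on impact x likelihood (each 1-4, so the score is 1-16):
# >= 12 -> priority 1 (very high), >= 8 -> priority 2 (high), >= 4 -> priority 3 (medium),
# anything lower is priority 4 (low) and is not given audit coverage.
PRIORITY_THRESHOLDS = ((12, 1), (8, 2), (4, 3))


@dataclass(frozen=True)
class Review:
    name: str
    impact: int         # 1-4
    likelihood: int     # 1-4
    days: int           # standard day allocation for this assignment
    risks: tuple        # strategic risk codes this review gives assurance over


def risk_score(review: Review) -> int:
    """Impact x likelihood, the position of the review on the 4x4 chart."""
    return review.impact * review.likelihood


def priority(review: Review) -> int:
    """Grade a review 1-4 from its score using PRIORITY_THRESHOLDS."""
    score = risk_score(review)
    for threshold, grade in PRIORITY_THRESHOLDS:
        if score >= threshold:
            return grade
    return 4


def build_plan(reviews, available_days: int):
    """Select reviews by priority (then highest score) until auditor days run out.

    First-fit: a review that does not fit is excluded and the next candidate is
    tried, so a smaller lower-priority review may still be planned. Priority 4
    reviews are always excluded. Returns (planned, excluded, days_used).
    """
    candidates = [r for r in reviews if priority(r) <= 3]
    candidates.sort(key=lambda r: (priority(r), -risk_score(r), r.name))
    planned, excluded, used = [], [], 0
    for review in candidates:
        if used + review.days <= available_days:
            planned.append(review)
            used += review.days
        else:
            excluded.append(review)
    excluded.extend(r for r in reviews if priority(r) == 4)
    return planned, excluded, used


def coverage_by_risk(planned, strategic_risks=STRATEGIC_RISKS) -> dict:
    """Number of planned audits giving assurance over each strategic risk."""
    counts = Counter()
    for review in planned:
        counts.update(review.risks)
    return {code: counts.get(code, 0) for code in strategic_risks}


def uncovered_risks(planned, strategic_risks=STRATEGIC_RISKS) -> list:
    """Strategic risks with no planned audit: the gaps to report to the committee."""
    return [code for code, n in coverage_by_risk(planned, strategic_risks).items() if n == 0]


# Constructed sample register; names and numbers are illustrative only.
SAMPLE_REVIEWS = (
    Review("Budget monitoring", 4, 3, 20, ("A",)),
    Review("Transformation programme benefits", 4, 4, 30, ("B", "A")),
    Review("Governance and leadership", 3, 3, 15, ("C",)),
    Review("Private rented vehicle business plan", 3, 2, 10, ("D",)),
    Review("Health service interface", 2, 2, 10, ("F",)),
    Review("Legislative change", 2, 4, 10, ("G",)),
    Review("Staff canteen stock", 1, 2, 5, ()),
)
SAMPLE_AVAILABLE_DAYS = 80  # constructed: auditor days available for the year


if __name__ == "__main__":
    planned, excluded, used = build_plan(SAMPLE_REVIEWS, SAMPLE_AVAILABLE_DAYS)
    print(f"Planned ({used} of {SAMPLE_AVAILABLE_DAYS} days):")
    for r in planned:
        print(f"  P{priority(r)} {r.name} ({r.days} days, risks {','.join(r.risks) or '-'})")
    print("Excluded:", ", ".join(f"{r.name} (P{priority(r)})" for r in excluded))
    print("Coverage by strategic risk:", coverage_by_risk(planned))
    print("Uncovered strategic risks:", uncovered_risks(planned))
```

With the constructed data the two priority-1 reviews and both priority-2 reviews fit into 80 days (75 used); the two priority-3 reviews and the low-risk canteen review are excluded, and risks D, E, F and H are left with no planned coverage, which is exactly the information the plan report needs to make explicit so that assurance over those risks can be sought from other sources.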

Auditor judgment and the principle of triangulation

Risk-based audit planning requires the auditor to make judgments based on their understanding of the organisation. Auditors build up a sense of the business and knowledge of the whole organisation through time, drawing on a number of sources: current and previous audit findings, risk registers and the assurance framework. It is based on the exercise of professional judgment, reviewing different sources of evidence and assessing whether, as a whole, the evidence tells the correct story. Assurance statements from management might, for example, be contradicted by the findings of recent audit assignments that indicate that the controls are not operating as effectively as management have stated. This judgment is a process of triangulation – seeking several evidence sources and comparing what they say.


Phase 4: communicating and agreeing the plan

All of the above analysis provides a sound basis from which to communicate and agree the audit plan, and in particular to share the links between the reviews to be undertaken, the processes covered, the risks over which assurance will be provided and the techniques to be used. It also allows internal audit to be explicit over any risks where it will not contribute an assurance as a part of the plan and where other sources should be utilised.

The documented plan should provide sufficient information and analysis to support communication of the scope and approach of each review. The plan should be shared and agreed with senior management and the audit committee. The following case study is an extract from the internal audit plan report to the London Borough of Newham’s audit committee.

Case study: Extract from London Borough of Newham’s internal audit plan report 2013

The other major factor that is considered when identifying audits is risk. The audit plan has been informed to a significant extent by the corporate risk register. This register records the operational risks each service has identified and the controls it is planning to put in place for controlling these risks. The estimated severity of the risk (high, medium, low) before and after it is controlled is also shown. In addition, the following matters may be considered when deciding whether an audit should be carried out:

� value of transactions

� complexity

� volume of transactions

� impact of failure of system

� sensitivity

� new activities or projects.

The risks within the council are reviewed and prioritised, with potential audits being graded according to risk and to ensure coverage over a five-year period. The audit plan only covers very high (priority 1), high (priority 2) and medium (priority 3) risks; low risks are not subject to audit coverage. A list of topics excluded from the plan is maintained and reviewed annually as part of the review of the strategic audit plan. An extract from the audit plan is shown below.

Area | Days | Priority | Source | Risk | Audit outline

Strategic Commissioning and Partnership Development; Commissioning Services | 30 | 1 | Risk register | The move towards a single approach to a strategic commissioning model fails to deliver a more efficient and effective use of resources and a better way of delivering services | The audit will examine the commissioning strategy, the commissioning framework, needs assessments and community engagement in the commissioning process

Highways – Capital Monitoring | 20 | 1 | Intelligence | Capital monitoring processes are inadequate, leading to significant over- or underspends against budget | To confirm that there are arrangements in place to ensure that there is adequate monitoring and reporting on the progress of capital projects

Traffic Management Orders | 20 | 3 | Strategic audit plan | Traffic management orders are required, in order to enable the council to enforce parking regulations (among other things). If the orders are not in place, enforcement can be challenged, with a negative impact on income | To confirm that the council has arrangements in place to ensure that traffic management orders have been implemented

Source: London Borough of Newham

Phase 5: reviewing and revising the plan

Risks are dynamic in nature and the direction and coverage provided through the audit plan should be reviewed regularly to ensure that it remains aligned to the corporate risk profile. In effect, the work of internal audit can be regarded as a rolling programme to be revised as new business opportunities arise, risks change and new information about the risk management process is identified.

The audit planning cycle and the provision of assurance should be continuous, with the impact of changes to the risk profile and any associated changes to plans being analysed and communicated at appropriate milestones, such as audit committee meetings. Review and revision of the plan should as a minimum be aligned with formal changes to the organisation’s objectives and risk profile.


Case study: Shropshire Council – a practical approach to risk-based planning

A practical challenge for auditors is that it is sometimes difficult to directly read across from the organisation’s risk registers to the requirement to produce an audit plan. Shropshire’s approach meets this challenge by bringing together strategic risks, audit’s assessment of risk, and the requirements of PSIAS, and identifying any areas that, although they do not necessarily score ‘high’ in risk terms, need to be kept under review by the audit committee.

Planning phases set out in this chapter: understanding the organisational context and evaluating the risk management process

Assignments are identified based on information about the organisation’s risks, and discussions with key personnel, external audit and other relevant stakeholders. Where risk registers are not mature, a risk assessment needs to be completed by the auditor and coverage of the PSIAS requirements considered. The risk assessment takes account of the following criteria:

� impact and political sensitivity

� non-financial impacts

� links to strategic and operational risks

� materiality (value and transactions)

� previous internal audit assurance categories

� links to risk management – controls assurance from other providers

� management arrangements (partnership/shared service, etc)

� stability of the system

� requests from stakeholders

� susceptibility to fraud and corruption.

Planning phases set out in this chapter: designing the audit plan

Once all assignments have a risk assessment score, they are categorised as to whether the assignment provides assurance for risk management, internal (financial) controls, fraud, governance or other category (an area of review that may cover different operational risks than the bulleted criteria set out above, for example a library) to ensure that all assignments identified in the final plan can be linked back to the PSIAS requirements.

Resources available are identified (as available working days per auditor). Days are allocated against assignments based on past and professional knowledge, the size of the organisation and the potential impact of risks, and an understanding of the skill levels of available resources in the given timeframes. Some types of audit attract standard day allocations but each area needs to be considered in line with its risks and adjusted to reflect them.


Plans and resources are then compared to actual resources available and adjusted following overall review. The impact of any resource issues is raised and clarity provided on what areas are not to be audited, further resources required or to be provided, or where assurance may be provided independently of audit.

Planning phases set out in this chapter: communicating and agreeing the plan/reviewing and revising the plan

The audit plan spreadsheet enables internal audit to see where audits score on the audit risk assessment against the delivery of assurances for key risk areas relating to the PSIAS. This provides the basis for deciding which audits should be done; with 1 = must do, 2 = should, 3 = optional and 4 = do not do.

Audits receiving a score of 4 are reported to the audit committee, who must seek assurances direct from managers that, because internal audit will not be looking at them, evidence can be provided through other methods. Audits attracting a score of 1 are completed in year and some of the 2s as resources allow. This quick rating allows changes to be made throughout the year as resources and risks change. 

See Annex 4.1 to this chapter for an example of a risk-based audit plan.

RISK-BASED AUDIT ASSIGNMENTS

The previous section describes in general terms how audit assignments can be identified and scoped by analysing the relationship between the risks identified, their relative assessment and where within the organisation these risks are being managed.

A risk-based audit assignment can be defined as one that:

� identifies and records the objectives, risks and controls relating to a system or activity (including consideration of whether it is required to meet corporate objectives or is being delivered in a way that provides value for money)

� establishes the extent to which the objectives of the system are consistent with higher-level corporate objectives

� evaluates the controls in principle to decide whether they are appropriate and can be reasonably relied upon to address the organisation’s risks and therefore achieve their purpose

� identifies any instances of over- and under-control and provides management with a clear articulation of residual risks where existing controls are inadequate

� determines an appropriate strategy to test the effectiveness of controls, ie through compliance and/or substantive testing

� arrives at conclusions and produces a report, leading to management actions as necessary and providing an opinion on the effectiveness of the control environment.

A risk-based audit assignment will usually be scoped by identifying the risks relating to the service or activity being audited, assessing the controls or mitigation currently in place to safeguard against these risks, and then designing tests and audit processes to evaluate the effectiveness of the controls to minimise risk.


Unmitigated or residual risks will also be identified and their impact and likelihood identified and reported to management.

It is important that auditors do not just rely on risks identified at the audit planning stage; risks and controls can only be properly understood in the context of ongoing operations. Internal audit should therefore have a high-level and up-to-date understanding of the objectives and operational environment of the business area under review, including significant recent or planned organisational changes and the management structure. Internal audit’s understanding of the business area and of its risk profile will develop throughout the assignment and consideration should be given to whether new information should affect decisions and judgments already made.

A useful technique in scoping the assignment is to hold discussions or workshops with management and staff in order to better understand the operation of the activity, and the risks to its achievement. Such workshops can help all participants understand better the objectives of the activity, the potential risks, the controls and processes currently in place, and any key gaps in control or areas that might need improvement. In a sense, the workshop becomes part of the audit testing procedure as well as helping focus the actual audit. It also helps develop the ownership of risk by staff and managers, and is more likely to lead to agreement on the recommendations that internal audit makes because the client more easily understands their purpose and relevance.

Scoping also draws on previous audit findings and review of all relevant documentation. It is important that key audit risks are identified at the scoping stage so that the assignment does not produce an inappropriate opinion based on poor evidence or testing.

Once the audit assignment has been scoped, the auditor will undertake testing to seek evidence about how well controls are operating to safeguard against the risks identified. This is an essential part of the risk-based auditing process; the auditor needs to be confident that controls are designed appropriately to safeguard against risks (they meet their objective).

Audit should consider whether the design of controls will, in theory, produce a portfolio of residual risks which is reasonable given the organisation’s defined risk appetite. Consideration should also be given to whether there are any instances of over-control, where more risk management actions are in place than are required by the organisation’s risk appetite.

Weaknesses in the design of controls should be identified and communicated to management through the reporting process. Audit testing will then determine whether there is sufficient and reliable evidence that controls are operated in practice in the manner and to the extent required to mitigate risks to the level of the organisation’s risk appetite.

Evidence can then be assessed and a judgment made about how well controls safeguard against risks. This part of the approach uses the usual audit techniques for evaluating and testing internal controls.

Deficiencies in the operation of controls should be identified and reported to management through the reporting process. For each failure in the design or operation of a control, internal audit should consider whether there is a resulting risk to management’s objectives.

Documentation should clearly show how controls relate to risks and how both relate to the audit scope and objectives; matrices are often used to document the relationship between risks, controls, work done and audit findings. The two examples at the end of this section show how risk-based audits can be documented.

At the end of the risk-based assignment, internal audit will make recommendations to management to:

• improve controls where there is evidence from testing that they are not performing as they should

• design and implement controls where currently none exist to guard against risks

• recommend other action where residual risks remain high and unacceptable (for example, transferring the risk).

In order to have a positive impact on the organisation’s risk profile, audit reports must be acted on by management. While action to remedy deficiencies or to improve processes is the responsibility of management, internal audit should have in place effective follow-up processes to ensure that progress has been made to implement agreed actions. This is so that assurance can be reassessed on the basis of the improved management of risks leading to a reduction in residual risk.

A common practice in internal audit reporting to audit committees is keeping the committee informed of any instances where there has been a failure to reach agreement on the recommendation to improve a control to safeguard against a high-priority risk. The committee can then require management to comply or explain. Progress in agreeing and implementing high-priority recommendations can also be part of regular monitoring by the audit committee. Such reporting reinforces the audit committee’s role in ensuring that the organisation has a robust assurance process.


Example of a risk and control evaluation matrix for Lancashire County Council’s review of information governance

Risk and Control Evaluation (RACE)

Information governance

Preliminary assessment of the council's controls against expected controls

Risk 1 | Risk 2 | Risk 3 | Risk 4 (a • against a control marks a risk it is mapped to)

Risk 1: The organisation does not meet the expectations of the government or Information Commissioner and has not made defensible alternative arrangements.

Risk 2: The organisation is not compliant with the requirements of relevant legislation.

Risk 3: Information is gathered and held inappropriately.

Risk 4: Information is held for longer than is necessary or legal.

Organisational environment controls

C1 There is a designated senior information risk owner (SIRO) who sits at an appropriately senior level and has been trained to meet the requirements of the role.

The Information Commissioner's and Permanent Secretary of DCLG's view is that this should be a member of the board, ie management team.

• •

C2 The SIRO is supported by specialist officer(s) with adequate and appropriate knowledge of the council’s responsibilities under the relevant legislation, including the Data Protection Act 1998 and the Freedom of Information Act 2000.

C3 The SIRO and specialist officer(s) are supported by officers across the council who understand the information needs and risks of the council's business, and who can interpret the council’s information governance framework and policies for their business areas.

• • •

C4 A clear information governance framework has been established setting out an information classification scheme, how each class of information must be held, for how long, where, and how it can be retrieved.

The framework is likely to consist of standards, policies and procedures relating to each class of information (by sensitivity) and each media (for example, electronic, paper or audio), and will set out how information owners are defined and identified.

• • •

Source: Lancashire County Council

The advantage of such a document is that it presents as a snapshot the controls expected for each risk and where there are gaps or shortcomings requiring management action.


The following example illustrates the results of a risk-based audit assignment for a local authority’s children’s activity centre. It describes the risk for each control objective, the evaluation of the actual control (that the control is designed in a satisfactory way to meet the objective), the testing undertaken by internal audit and the evaluation of the testing. This is a straightforward and transparent way of communicating a risk-based audit to the client.

London Borough of Redbridge control evaluation sheet

Control Objective: To ensure that there is an effective system in place for bookings and admissions

Columns: Ref | Expected Control (Risk) | Actual Control (Evaluation) | Testing | Test Results (Evaluation) | WP Ref (Action Plan Ref)

Ref 2.1
Expected control: There are documented procedures in place for bookings at the centre.
Risk: Inconsistent processing leading to increased risk of fraud and error.
Actual control: There are documented procedures for accepting bookings. All LBR schools and regular ‘outside’ customers are issued with a pack that includes all of the information and documentation required to make a booking at the centre.
Evaluation: Satisfactory.
Testing: Obtain a copy of the booking procedure and confirm that this is up to date and adequate.
Test results: There are procedures covering what the customer needs to do for the booking but not what the centre has to do.
Evaluation: Unsatisfactory.
WP Ref: C1 (Action Plan Ref: E3)

Ref 2.2
Expected control: There is a price list that sets out the prices of the various activities and accommodation costs.
Risk: Incorrect rates applied for users.
Actual control: There is a price list included within the pack that includes the charges that apply, which is based upon the number of students attending. There are different price schedules that apply to in-scope courses and to non-in-scope groups.
Evaluation: Satisfactory.
Testing: Confirm that there are both in-scope and non-in-scope pricing schedules.
Test results: There are both in-scope and non-in-scope pricing schedules in place for the Main House and Bunkhouse.
Evaluation: Satisfactory.
WP Ref (Action Plan Ref): E3

Source: London Borough of Redbridge


Chapter Summary

In order to deliver an opinion on the adequacy and effectiveness of their organisation’s framework of governance, risk management and control, internal audit needs to take a risk-based approach. It needs to demonstrate that the audit plan relates to the organisation’s risks and derives from an evaluation of its risk management processes.

The plan needs to be adequately resourced, and based on professional judgment evidenced by a robust methodology. Risk-based auditing focuses on risks to objectives and the adequacy of controls to safeguard against risk. It is an approach that should be owned and appreciated by managers and staff as well as internal auditors.

It is essential that the outcomes of risk-based auditing are acted upon by management: by revising risk registers where required, by considering how residual risk will be managed and by acting upon any gaps or deficiencies in assurance.

CHECKLIST FOR AUDITORS

Is the internal audit opinion adequately supported by a risk-based plan?

Does the audit plan link to the organisation's risks and is it based on an evaluation of the organisation’s risk management processes?

Does the audit plan cover the scope and nature of work set out in the PSIAS?

Are all audit assignments risk based?

Are the outcomes of risk-based audits acted upon effectively by management, and risk registers and risk management arrangements changed as a result?


ANNEX 4.1: EXAMPLE OF A RISK-BASED AUDIT PLAN – NHS

Columns: Core Audit Plan Outputs | Risk Source | Days | Proposed Timing

Financial Systems

Combined Financial Systems – Assurance will be provided in respect of key controls within the main financial systems. The scope of the review will be restricted to the key controls supplemented with analytical review and surveys. The systems incorporated in the review will be:

• Financial Reporting

• Financial Ledger

• Accounts Payable

• Accounts Receivable (income)

• Treasury Management

• Budgetary Control

Risk source: Audit Risk Assessment. Proposed timing: Qtr 3.

Departmental Locality Reviews: Deep Dives – As part of the rolling programme of reviews across the FT, a cross-system audit will be conducted. The overall objective is to review controls and systems in place to ensure that management arrangements, roles and responsibilities are clearly defined, and are operating effectively. The following areas (as appropriate) will be included: activity recording, ESQS process, general security, financial procedures, staffing, rostering and occupancy, annual leave recording and sickness absence, payroll and vacancy controls, computer security, patients’ property, retention of documents, bank and agency staff requirement, and cash handling and payroll.

Reviews to be included in 2014/15:

• Oak Ward (c/fwd from 13/14)

• COPD

Risk source: Management Request. Proposed timing: Qtr 1 & 2.

IM&T

Business Continuity Planning/Disaster Recovery Plan (c/fwd 13/14) – To undertake the second phase of the review and provide an opinion on the effectiveness and coverage of the IT service continuity solution designed and implemented by the NMHIS and its alignment to business requirements in terms of supporting service continuity arrangements.

Risk source: Management Request. Proposed timing: Qtr 1.

Critical Systems Review: EDMS Scanning Solution – As the trust has recently implemented EDMS, this review would evaluate the adequacy of the control framework around the technical solutions of the access controls, confidentiality and business continuity arrangements.

Risk source: Audit Risk Assessment. Proposed timing: Qtr 2.

Threat and Vulnerability Management – To assess how the trust manages its technical architecture in regards to ongoing threats, ie antivirus, malware and patch management.

Risk source: Audit Risk Assessment. Proposed timing: Qtr 3.

Performance

Electronic Integrated Performance Report – To review the systems and processes to ensure the accuracy of data contained within the trust performance reports to governing body and standing committees following the introduction of new governance and reporting arrangements.

Risk source: Management Request. Proposed timing: Qtr 4.

Quality

Care Quality Commission: Compliance with Regulations – To provide an opinion on the systems and processes in place to ensure regulatory compliance with the CQC outcomes.

Risk source: Assurance Framework. Proposed timing: Qtr 3.

Electronic Patient Records – Following the implementation of the EPR, to undertake an assessment of the quality of the records that are kept.

Risk source: Management Request. Proposed timing: Qtr 3.

Disconnect Survey – The survey will assess if there is a disconnection between the governing body and ward/department-level staff in relation to their perceptions around the five theme areas highlighted in the Keogh report. The statements will be sent as an electronic survey and the results from the two groups will be analysed and compared. The findings will be compiled in a written report and if requested, presented formally to the organisation.

Risk source: Management Request. Proposed timing: Qtr 2.

Workforce

Payroll/Human Resources (ESR) – MIAA will provide an assessment of the effectiveness of the systems of control operating at the trust to ensure that only employees of the organisation are paid, and only for work that they perform on behalf of the organisation. This will include a review of the interface with Capita.

Risk source: Assurance Framework. Proposed timing: Qtr 3.

Bank, Agency and Locum Staffing – A review will be undertaken of the overall arrangements, systems and processes for bank and agency staff following the introduction of new arrangements with the transfer of the operation from the capacity team to HR.

Risk source: Management Request. Proposed timing: Qtr 4.

Consultant Job Plans – To evaluate the job planning process for consultants (under the 2003 consultant contract) to provide an assurance that these are completed in accordance with national guidelines and reflect local business objectives.

Risk source: Management Request. Proposed timing: Qtr 3.

Governance, Risk and Legality

Assurance Framework Opinion – An annual opinion will be provided on the method by which the organisation produces, refreshes, manages and monitors the assurance framework. This includes ensuring that risks identified through the annual plan are reflected accurately within the assurance framework and are a key focus for the governing body.

Risk source: Mandated Requirement. Proposed timing: Qtr 4.

Corporate Governance Manual Review – To support the trust with the annual review of the corporate governance manual.

Risk source: Management Request. Proposed timing: Qtr 3.

Emergency Preparedness – To assess the adequacy of the arrangements in place within the trust to ensure legislative responsibilities are fulfilled in relation to emergency preparedness.

Risk source: Management Request. Proposed timing: Qtr 2.

Estates Statutory Duties: Fire Safety – To provide assurance that there are adequate systems and controls in place to ensure fire safety is appropriately managed.

Risk source: Management Request. Proposed timing: Qtr 2.

Business Cases: Phase 2 – The trust has updated the process for completion, review and approval of business cases. In 2013/14 a review was undertaken to provide an opinion on the adequacy of the design of the revised business case process. Phase 2 of the review will assess the effectiveness of the implementation of these revised processes.

Risk source: Audit Risk Assessment. Proposed timing: Qtr 4.

Serious Untoward Incidents – To undertake a review of the systems and processes in place relating to serious incidents, ensuring that controls are in place and are operating effectively.

Risk source: Management Request. Proposed timing: Qtr 1.

Follow-up and Contingency

Follow-up will be conducted throughout the year to provide the audit committee with assurance regarding management’s implementation of agreed actions.

Risk source: Mandated Requirement. Proposed timing: Qtr 1 & 3.

Contingency – This element of the plan allows the flexibility to respond to management requests in order to meet specific client needs during the course of the financial year.

Risk source: Mandated Requirement.

Audit Committee, Planning and Management

Audit Committee Self-assessment – MIAA will facilitate a session based on the self-assessment checklist contained within the audit committee handbook and provide a report summarising the outcomes agreed.

Risk source: Management Request. Proposed timing: Qtr 4.

In providing an internal audit service, an allocation of time is required for the management of the contract:

• Planning liaison and management – Incorporating preparation and attendance at audit committee, completion of risk assessment and planning; liaison with the client and organisation of the audit reviews. (Risk source: Mandated Requirement.)

• Reporting and meetings – Key reports will be provided to support this, such as the director of audit opinion and annual report, annual plan and interim update reports. (Risk source: Mandated Requirement.)

Total Days

Source: Mersey Internal Audit Agency


ANNEX 4.2: RESOURCING AN AUDIT PLAN – EXAMPLE MODEL

For this suggested model there are some basic assumptions:

• The audit unit is usually expressed as a day or part of a day of an auditor’s time. Days can be broken down into smaller units, some as small as part of an hour, but for the sake of argument we will assume one unit is one person day (that is, available time taking account of public holidays, administrative time, leave, etc).

• Audit assignments are made up of audit units. The complexity of the assignment, the scale of the system (whether operated across the organisation, for example) and its priority usually determine the number of audit units needed for each assignment.

• Assignments can be classified as follows:

– Light touch: seeking evidence that a control continues to operate, or that a recommendation has been implemented. Level of evidence: usually observation/written confirmation/low-level sampling. Units required: 2.

– Medium touch: seeking evidence that controls or systems work as they should; some knowledge of a good standard of compliance in the past is needed. Level of evidence: usually sample testing. Updating of systems documentation required. Units required: 10.

– Full assignment: system not previously audited; seeking assurance about the controls in the system as a whole. Systems need to be documented and tests need to be designed for controls. Level of evidence: sample testing, analytical review, etc. Units required: 20.

• There are finite resources for the audit function (except for the possibility of buying in extra resources in exceptional, one-off circumstances).

• Resources are therefore calculated by combining the units required from each type of assignment required.

• Risks are identified from the risk register, which is maintained by management. Registers include details of the controls put in place to mitigate the risk, the extent to which risks remain after mitigation (residual risk), and indicators identifying potential risks that may appear on the risk register in the future.

• Some areas of the organisation or some systems will relate to more than one risk; it will never be possible to map every risk on a register to every system to be audited. The auditor therefore needs to apply professional judgment to relate a system to the risks, for example by identifying control objectives listing a range of potential risks.


The following table shows how resources can be identified for any area.

Audit resource plan

Column definitions:

• Risk area or description of risks in areas

• Is risk controlled or controllable? Scale 1 to 5 where 1 = easily controllable

• Has it been audited and what is audit’s confidence level? Scale 1 to 5 where 1 = full confidence

• Degree of residual risk: scale 1 to 5 where 1 = low residual risk

• Risk score: Low = 1, Medium = 2, High = 5

• Total score: type of assignment required (Light touch = less than 5; Medium touch = 5 to 10; Full = 10 plus)

• Audit units required

Risk area                  Controllable  Audit confidence  Residual risk  Risk score  Total score; type  Audit units
Payroll                    2             1                 3              2           8; M               10
Library fees and charges   1             1                 1              2           5; L               2
Public health contracts    3             4                 3              5           15; F              20
Total audit units                                                                                         32

The model provides a clear link between planned audit resources for a particular auditable area and the risks related to that area.

Source: Patrick Clackett, independent consultant
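The resourcing model above, worked through in code as an added illustration (this is not CIPFA's or the annex author's code). It scores each area as the table does, classifies the assignment type, totals the audit units and then checks the total against an assumed number of available auditor days, since the annex treats resources as finite but gives no figure. One caveat a practitioner will notice: the annex text puts a total score of 5 into medium touch, while its table classifies Library fees and charges (total 5) as light touch; the light-touch ceiling is therefore exposed as a parameter, with the stated thresholds as the default. The available-days figure and the capacity check are assumptions added here.

```python
"""Worked example of the Annex 4.2 audit resourcing model.

Added illustration, not CIPFA's or the annex author's code. The three
1-5 scales, the Low/Medium/High weights, the assignment thresholds,
the units per assignment type and the three sample areas come from
the annex; the available-days figure and the capacity check are
assumptions made here.
"""
from dataclasses import dataclass

# Risk score weighting as stated in the annex: Low = 1, Medium = 2, High = 5.
RISK_SCORE = {"low": 1, "medium": 2, "high": 5}

# Audit units each assignment type consumes (annex figures).
UNITS = {"L": 2, "M": 10, "F": 20}


@dataclass(frozen=True)
class RiskArea:
    name: str
    controllable: int  # 1 to 5, where 1 = easily controllable
    confidence: int    # 1 to 5, where 1 = full audit confidence
    residual: int      # 1 to 5, where 1 = low residual risk
    rating: str        # "low", "medium" or "high"

    def total_score(self) -> int:
        """Sum the three 1-5 scales and the weighted risk rating."""
        for value in (self.controllable, self.confidence, self.residual):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.name}: scale values must be between 1 and 5")
        return self.controllable + self.confidence + self.residual + RISK_SCORE[self.rating]


def assignment_type(total: int, light_max: int = 4) -> str:
    """Classify a total score with the thresholds the annex states:
    light touch below 5, medium touch 5 to 10, full above 10.

    light_max is a parameter because the annex's own table treats a
    score of exactly 5 as light touch, so the boundary is something
    the audit function should fix explicitly rather than leave implied.
    """
    if total <= light_max:
        return "L"
    if total <= 10:
        return "M"
    return "F"


def resource_plan(areas, available_days, light_max=4):
    """Build the plan rows, total the units and compare against capacity.

    available_days is an assumed figure: the annex calls resources
    finite but does not state a number.
    """
    rows, total_units = [], 0
    for area in areas:
        score = area.total_score()
        kind = assignment_type(score, light_max)
        units = UNITS[kind]
        total_units += units
        rows.append((area.name, score, kind, units))
    return {
        "rows": rows,
        "total_units": total_units,
        "available_days": available_days,
        "shortfall": max(0, total_units - available_days),
    }


# Sample areas constructed to match the rows of the annex table.
SAMPLE_AREAS = [
    RiskArea("Payroll", 2, 1, 3, "medium"),
    RiskArea("Library fees and charges", 1, 1, 1, "medium"),
    RiskArea("Public health contracts", 3, 4, 3, "high"),
]


def example_plan(light_max=4):
    """Run the model over the sample areas; 30 available days is assumed."""
    return resource_plan(SAMPLE_AREAS, available_days=30, light_max=light_max)


if __name__ == "__main__":
    plan = example_plan()
    for name, score, kind, units in plan["rows"]:
        print(f"{name:26} score {score:2}  type {kind}  units {units:2}")
    print("Total units:", plan["total_units"], " Shortfall:", plan["shortfall"])
```

With the stated thresholds (light_max=4) the sample plan needs 40 units, because a score of 5 falls into medium touch; with light_max=5 it reproduces the annex total of 32. Either way the shortfall figure is what a head of audit would take to the audit committee when deciding which assignments to scale back or defer.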


APPENDIX

CIPFA’s Model for Assessing Risk Maturity

VISION, COMMITMENT AND OWNERSHIP

Vision comes from the top and should be shared throughout the organisation. To have any impact, risk management must have strong support and endorsement from the top. The ownership of risk cannot be delegated and must be owned by those accountable for the achievement of their element of the organisation’s objectives, at whatever level.

The approach and structure that the organisation uses to integrate risk management into its management arrangements should be reflected in a formal corporate risk policy/strategy which:

• is a method of communicating the risk philosophy of the organisation

• explains how risk management is to be implemented

• details the different responsibilities for risk management in the organisation

• highlights procedures that should be adopted in the risk management process.

The policy/strategy statement will include:

• a mission/objective statement

• a summary of the procedures needed to implement the policy

• a risk management organisational structure.

The organisation’s risk appetite and risk tolerance should be established and included:

• Risk appetite is the level of risk that the organisation will accept in providing value to its stakeholders. This ranges from ‘risk averse’ through ‘risk neutral’ to ‘risk taking’. It is important to have a good understanding within the organisation of the types of risk it is willing to take, and also at what level of activity staff have the necessary authority.

• Risk tolerance is used to consider the most appropriate responses to the management of the identified risks.


1. Audit Programme – Vision, Commitment and Ownership

Key issue

Management, staff and the governing body have a shared view of risk and understand the acceptable level of risk taking.

Key questions for consideration

• Is there a common language used throughout the organisation relating to risk?

• Does the risk policy/strategy define risk in easy-to-understand terms?

• Is there encouragement to consider risks as opportunities as well as threats?

• Is the risk policy/strategy approved at governing body level and communicated to all managers?

• How is the organisational risk appetite and tolerance level expressed and communicated?

• Does the risk policy/strategy make it clear that risk assessment is an integral part of the business planning process?

• Is the risk policy/strategy specific about the outcomes and benefits that the organisation expects to achieve from risk management?

• Does the business plan set out a vision for risk management in the future as part of a continuous improvement approach?

• Does the annual governance statement disclosed by the governing body reflect the risk management approach and describe the organisation, and is it relevant to key stakeholders?

Key documents

• Risk policy and/or risk strategy (including risk appetite)

• Business plan

• Annual governance statement published in annual financial statements and report

• Strategic and project plans incorporating opportunities and initiatives

Consideration of risk maturity for this element (assess Now, Short term and Long term):

Risk enabled / Risk managed / Risk defined / Risk aware / Risk naive

Comments:


STRUCTURE, ROLES AND RESPONSIBILITIES

An effective structure is likely to include a working group or risk committee, bringing together staff from the main services, with a chair at a senior responsible level to organise and lead the activity:

• Membership will depend on the size and the structure of the organisation and could include representatives from top management and those responsible and accountable for areas of significant risk.

• The roles and responsibilities of all parties are a critical area. All parties must play their part and have a share of accountability for managing risk in line with their responsibility for the delivery of objectives.

• Clear and effective reporting lines should be established between the governing body and the executive management team on the management of the key risks, informed by different specialist advisers and/or the risk committee.

• The key risks will need to be clearly aligned to the business objectives, with allocation of ownership, accountability and responsibility to individual top managers for a group of selected key risks, as well as collective/corporate responsibility. There needs to be a clear line of communication between the risk group/committee and the audit committee, whose terms of reference should include oversight of the risk management process.


2. Audit Programme – Structure, Roles and Responsibilities

Key issue

There is a clear understanding of, and accountability for, risk.

Key questions for consideration

• Is there a synergy between the objective of the team carrying out the risk assessment and the risks for which they are responsible? (Top management is responsible for strategic risks, departmental management for functional risks, project teams for project risks, etc.)

• Are accountability and responsibility for monitoring and reporting clearly shown for key risks at top management level?

• What is the process for reporting control failures and learning from problems, and how does this feed back into the risk assessment?

• Do the terms of reference for the governing body and committees set out their responsibilities for risk management?

• Do the governing body, management and staff have the knowledge and skills necessary to support the achievement of objectives and the management of risk?

• What training in risk management is offered to staff, management and governing body members?

• Has a risk panel or similar ‘expert’ co-ordination group been established or is this function carried out by another group?

• Do governing body papers and minutes show clear consideration of risk in making decisions?

• Has the role of internal audit in risk management been considered and have safeguards to independence been put in place if necessary?

• Have risk management responsibilities been written into the job descriptions and performance expectations of managers?

• How is best practice spread throughout the organisation?

Key documents

• Governing body and committee terms of reference including audit committee

• Governing body and committee minutes and papers

• Organisational training programme/documents

• Policy for sharing information on control failures

• Risk panel terms of reference

• Job descriptions

Consideration of risk maturity for this element (assess Now, Short term and Long term):

Risk enabled / Risk managed / Risk defined / Risk aware / Risk naive

Comments:


IDENTIFYING THE RISKS

Ultimate responsibility and ownership of the process of risk identification lies with the organisation’s executive/governing body. The task of risk identification may be carried out at this top level of management or devolved or delegated to a corporate risk management group/committee:

• No one person will have the depth of knowledge to take on the task of identifying risks for the whole organisation. A number of people should be involved, across disciplines, so that every aspect of risk and its impact can be identified.

• The process involves identifying the key aims and objectives of the business. Failures to achieve these aims and objectives therefore become the key risks.

• The process of identifying the key risks aligned to the business aims and objectives can be carried out by the top levels of management/the governing body.

• The various elements of the business that contribute to these key risks can be identified and mapped. The individual contributory risks can be identified at a lower and a specialist level.

• This simple approach can very quickly produce a logical basis for a risk register, with responsibility for the key risks allocated to individual members of top executive management and the contributory lower levels attributed to middle or specialist management.

• The reporting/monitoring structure will provide the link between these levels of management for regular monitoring and reviewing the key and contributory risks.

• Top management should concentrate on a finite number of top key risks – around a dozen is considered the optimum number – and perhaps 50 to 60 contributory risks. The compilation of a risk register with hundreds of risks is counterproductive and dilutes the focus of attention.


3. Audit Programme – Identifying the Risks

Key issue

Risk identification is comprehensive, timely and part of the organisation’s business planning process.

Key questions for consideration

• Is there a clear link between objectives and risks at all levels?

• Are strategic objectives clear, concise and set at the highest level to ensure that risk assessment is focused on strategic rather than operational risks?

• Is there an experienced and capable facilitator who can lead managers and governing body members through the process?

• Are risks described in a way that everyone can understand using common organisational language?

• How does the organisation ensure the risk identification process is comprehensive?

• Does the organisation make use of risk workshops and ensure that risks are identified by all relevant people?

• Has information been produced that could usefully inform the process? (Sector benchmarks, feedback on risks that have materialised, environmental scanning, best value reviews, budget reports, etc.)

• Does risk identification happen before and after the business planning process to help inform the planning process in terms of which risks to take and which to reduce and to consider achievement of key objectives?

• Is there a process for identifying opportunities?

Key documents

• Business plan and objectives

• Risk assessment timetable for governing body and management reviews, meetings and workshops categorising and prioritising risks

• Risk assessment guidance for managers or risk workshop agendas

• Sector guidance on common risks

• Project methodology

Consideration of risk maturity for this element

                 Now    Short term    Long term
Risk enabled
Risk managed
Risk defined
Risk aware
Risk naive

Comments:


CATEGORISING AND PRIORITISING THE RISKS

The key risks and main contributory risks will need to be linked, prioritised and categorised – possibly into ‘high’, ‘medium’ and ‘low’ – to ensure a comprehensive understanding of the threats to achieving the business objectives and opportunities to take risks. This process can range from a group of people using their collective judgment and wisdom to complex scoring mechanisms.

To categorise risks, a systematic approach such as APRICOT can provide a structure to the process, taking into account:

� Assets (buildings, contents, material)

� People (personal security, safe working systems, welfare, health)

� Reputation (poor media coverage, political embarrassment)

� Information (breaks in service delivery, IT failures)

� Continuity of Operations (failure, poor service delivery)

� Targets (failure to meet targets, best value).

And using CEI, the following issues could be addressed:

� Cause (eg strikes, shortage of essential materials, natural phenomena)

� Effect (eg material damage, loss of staff, lack of required resources)

� Impact (eg service failure, inability to meet targets set by government).

The raw material can be refined by these techniques and a risk graph developed. The likelihood and impact can be scored on the graph, for example high = 3, medium = 2, low = 1. The objective of this simple process is the production of an approximate ranking that will allow immediate concentration on the risks judged to be high and their relevant controls, and, equally important, discussion of their cause and effect.


4. Audit Programme – Categorising and Prioritising the Risks

Key issue

Risks are prioritised to ensure an appropriate management consensus on the level of control and monitoring and an appropriate level of reporting.

Key questions for consideration

� Are there clear criteria for categorising and prioritising risks?

� Do the criteria make clear which are the primary risks for management focus?

� Are risks evaluated on the basis of the likelihood (or probability) of the risk occurring and the consequence (or impact) of occurrence?

� Is it clear whether risks are prioritised as inherent risks (before controls are applied) or residual risks (after controls are applied)?

� Are the risk scoring (or prioritisation) criteria sensitive enough to show differences between risk priority and simple enough to ensure that it is easy to review and keep up to date?

� Does the scoring process ensure consensus from the management team about the significance of the risk?

Key documents

� Risk assessments

� Risk register

� Risk assessment guidance

� Reports on changes to risk positions

Consideration of risk maturity for this element

                 Now    Short term    Long term
Risk enabled
Risk managed
Risk defined
Risk aware
Risk naive

Comments:


ACTION AND RESPONSE

Having identified the key risks and prioritised them, the next stage is to decide what the response should be. The organisation will want to tackle those risks that threaten the key business objectives and service provision, and/or areas where the existing controls are weakest. There are a number of generally accepted techniques – known as the ‘four Ts’:

� Tolerate – informed decision by management to accept the impact or consequences of a particular risk occurring.

� Transfer – traditionally, organisations have sought to transfer risks to an insurer. Outsourcing and public–private partnerships also provide an opportunity to transfer risks. It is important to note that the responsibility is not transferred.

� Terminate – take steps to remove the risk by stopping the activity.

� Treat – take action.

A fifth T is ‘Take the opportunity’. This option is not an alternative to those above; rather, it is an option that should be considered whenever tolerating, transferring or treating a risk.

Having identified and prioritised the risks and the controls in place to manage them, there will always be an element of risk remaining. This is referred to as residual risk. The organisation will have gone through the process of deciding whether it can live with this level of risk. This will be influenced by the organisation’s risk appetite – see chapter two.
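The scoring described under ‘Categorising and Prioritising the Risks’ (likelihood and impact each scored high = 3, medium = 2, low = 1) and the response and residual-risk checks described above can be carried through in a small model of a risk register. The following is an added example and not part of the CIPFA publication: the register entries, owners and scores are constructed sample data, and the band boundaries on the product scale and the appetite threshold of 4 are assumptions, since the text gives only the 3/2/1 weights. It ranks risks on residual score, rolls contributory risks up to the key risk they feed, and raises the findings an auditor would expect on the response column (a ‘tolerated’ risk outside appetite, a ‘treated’ risk whose controls reduce nothing, a residual score above the inherent one).

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Level(Enum):
    """Three-point scale from the text: high = 3, medium = 2, low = 1."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Response(Enum):
    """The 'four Ts'."""
    TOLERATE = "tolerate"
    TRANSFER = "transfer"
    TERMINATE = "terminate"
    TREAT = "treat"


@dataclass
class Risk:
    ref: str
    description: str
    owner: str
    inherent: Tuple[Level, Level]   # (likelihood, impact) before controls
    residual: Tuple[Level, Level]   # (likelihood, impact) after controls
    response: Response
    parent: Optional[str] = None    # ref of the key risk a contributory risk rolls up to

    @staticmethod
    def score(pair: Tuple[Level, Level]) -> int:
        likelihood, impact = pair
        return likelihood.value * impact.value

    @property
    def inherent_score(self) -> int:
        return self.score(self.inherent)

    @property
    def residual_score(self) -> int:
        return self.score(self.residual)


def band(score: int) -> str:
    """Map a 1..9 product score to high/medium/low.
    The boundaries (>= 6 high, >= 3 medium) are an assumption; the
    publication gives the 3/2/1 weights but not where each band starts."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def rank(register):
    """Approximate ranking: residual score first, inherent score as tie-break.
    sorted() is stable, so equal entries keep their register order."""
    return sorted(register, key=lambda r: (r.residual_score, r.inherent_score), reverse=True)


def check_responses(register, appetite: int):
    """Checks behind the audit questions on the response column.
    Returns (ref, finding) pairs in register order."""
    findings = []
    for r in register:
        if r.residual_score > r.inherent_score:
            findings.append((r.ref, "residual score exceeds inherent score; controls cannot add risk"))
        if r.response is Response.TOLERATE and r.residual_score > appetite:
            findings.append((r.ref, f"tolerated but residual {r.residual_score} exceeds appetite {appetite}"))
        if r.response is Response.TREAT and r.residual_score == r.inherent_score:
            findings.append((r.ref, "treated but the documented controls reduce neither likelihood nor impact"))
    return findings


def rollup(register):
    """Highest residual score among each key risk's contributory risks, with a
    flag when a contributor scores above the key risk it feeds (a sign the
    key risk's own score needs revisiting at the next review)."""
    by_ref = {r.ref: r for r in register}
    worst = {}
    for r in register:
        if r.parent is not None:
            worst[r.parent] = max(worst.get(r.parent, 0), r.residual_score)
    return {ref: (score, score > by_ref[ref].residual_score) for ref, score in worst.items()}


H, M, L = Level.HIGH, Level.MEDIUM, Level.LOW

# Constructed sample register (not real CIPFA data): two key risks owned at
# executive level, four contributory risks owned by specialist managers.
SAMPLE_REGISTER = [
    Risk("K1", "Loss of core IT service", "Chief Executive", (H, H), (M, H), Response.TREAT),
    Risk("K2", "Failure to meet statutory targets", "Director of Finance", (H, H), (M, H), Response.TREAT),
    Risk("C1", "Outsourced data centre outage", "Head of IT", (M, H), (M, H), Response.TRANSFER, parent="K1"),
    Risk("C2", "Unpatched servers", "Head of IT", (H, H), (H, H), Response.TREAT, parent="K1"),
    Risk("C3", "Key staff leaving", "HR Manager", (M, M), (L, M), Response.TOLERATE, parent="K2"),
    Risk("C4", "Late performance returns", "Director of Finance", (H, H), (M, H), Response.TOLERATE, parent="K2"),
]
APPETITE = 4  # assumed: anything above a medium/medium score needs active treatment


if __name__ == "__main__":
    for r in rank(SAMPLE_REGISTER):
        print(f"{r.ref:3} {r.description:35} {r.owner:20} inherent={r.inherent_score} "
              f"residual={r.residual_score} ({band(r.residual_score)}) {r.response.value}")
    for ref, finding in check_responses(SAMPLE_REGISTER, APPETITE):
        print(f"FINDING {ref}: {finding}")
    for ref, (score, flagged) in rollup(SAMPLE_REGISTER).items():
        print(f"{ref}: worst contributory residual={score}{' (above key risk score)' if flagged else ''}")
```

On the sample data the ranking puts the unpatched-servers risk (C2) first, because its ‘treat’ entry has no documented reduction, and the roll-up shows key risk K1 scored below one of its own contributors, which is exactly the mismatch the reporting structure between executive and specialist owners is meant to surface. A transferred risk (C1) keeps its owner and scores, reflecting the point that responsibility is not transferred with the risk.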


5. Audit Programme – Action and Response

Key issue

There is a clear understanding of how the risk is to be managed.

Key questions for consideration

� Does the risk assessment document show how each risk is to be managed in terms of the four Ts or similar criteria?

� Is it clear that those risks to be ‘tolerated’ are within the organisation’s risk appetite?

� Where risks are being ‘treated’, are the key controls documented and evaluated and will they actually reduce the risk (likelihood and/or impact)?

� Where a risk is to be ‘terminated’, are there plans in place to do so and is the action to date timely and appropriate?

� Are liability and accountability for ‘transferred’ risks sufficiently clear?

� Are actions taken in a timely way?

� Are actions, ownership and timetables for treating residual risks clear and appropriate?

Key documents

� Risk assessment

� Risk strategy (risk appetite definitions)

� Exit strategies and plans

� Insurance records

� Partnering agreements

� Contracts

� Service level agreements (where risk is transferred to another department)

� Monitoring reports on outstanding risk actions

Consideration of risk maturity for this element

                 Now    Short term    Long term
Risk enabled
Risk managed
Risk defined
Risk aware
Risk naive

Comments:


MONITORING AND REVIEW

Performance monitoring of risk management activity must ensure that the treatment of risks remains effective and that the benefits of implementing risk control measures outweigh the costs of so doing:

� The performance monitoring procedure needs to be continually reviewed – not only the whole process, but also individual risks and projects.

� There should be a clear structure for reporting risk management activity back to the governing body/executive regularly – at the very least annually to review risk management policy/strategy and identify and agree major changes; at least quarterly to track key risks and action plans, and new and emerging risks.

� Members of the top executive management will also require regular interim updates from delegated managers on the individual risks that contribute to the key risks for which they have personal responsibility.

� High-quality, accurate and timely information is essential at the top and at intermediate reporting levels to identify and review the risks, and their management and action.

� Successful initiatives and the reduction of risks should be publicised, as should the continuing commitment from the very top.

� Top management needs to promote a positive attitude towards the understanding and treatment of risks, ranging from major projects to individual jobs.

� The audit committee has a role in reviewing the effectiveness of the process and ensuring there are no surprises for the governing body/top management.


6. Audit Programme – Monitoring and Review

Key issue

The organisation’s risks and controls are regularly assessed, evaluated and reported in relation to changes in objectives, market and environment.

Key questions for consideration

� Does the organisation have key performance measures relating to important risks?

� Are actions arising from control weaknesses implemented in a timely way?

� Is there a process for assessing significant emerging risks in between normal risk assessment timescales?

� Does the audit committee (or committee with oversight of risk management) annually review the risk management approach?

� Are risk assessments dynamic, demonstrating changes in priority and risk exposure, and are these trends reflected in reports?

� Does internal audit report on the reliability of management assessment of risk and control when auditing risk areas?

� What is the frequency for reporting to top management?

Key documents

� Performance management framework

� Governing body reports

� Risk committee reports

� Trend reports

� Control failure reports

� Risk assessments

� Audit committee terms of reference, minutes and meeting papers

� Internal audit reports

Consideration of risk maturity for this element

                 Now    Short term    Long term
Risk enabled
Risk managed
Risk defined
Risk aware
Risk naive

Comments:


THE EXTENDED ENTERPRISE

No organisation is entirely self-contained – it will have a number of interdependencies with other organisations. These are sometimes called the ‘extended enterprise’ and will impact on the organisation’s risk management, giving rise to certain additional risks that need to be managed.

Where one organisation has a direct impact on the risk another organisation faces, an effective liaison between the two organisations is essential to facilitate a risk management approach to allow both to achieve their objectives. These relationships may range from straightforward supply of goods that the organisation requires in order to function, through to delivery of major services. This could include public–private partnerships or contracted-out services such as IT.


7. Audit Programme – The Extended Enterprise

Key issue

There are effective arrangements for managing risks with partners.

Key questions for consideration

� Are the risks associated with all other influential organisations assessed and managed?

� Is consideration given to a consistent and common approach to managing risks that cut across organisation boundaries?

� Has the extent of risk transfer been considered and acted upon?

� Is there reliable and regular information to monitor the risk management performance of all organisations involved?

� Are there adequate contingency arrangements?

� Where risks are transferred, are accountabilities clearly established and performance monitored?

Key documents

� Service level agreements

� Contracts

� Contract management reports

� Performance statistics/monitoring

� Project risk assessments

Consideration of risk maturity for this element

                 Now    Short term    Long term
Risk enabled
Risk managed
Risk defined
Risk aware
Risk naive

Comments:


EMBEDDING RISK MANAGEMENT

Within an organisation there needs to be a framework for the various risk management processes that occur as part of the organisation’s normal procedures. Integrated risk management can only be said to have been fully achieved when the management of risk is embedded into all the functions and processes within the organisation; when everyone from the chief executive down is risk aware:

� Given that all organisations must take risks, it is important that each one decides its tolerance level, ie its risk appetite. Risk management should become an integral part of business processes, including development and expansion, bids/tenders, investment appraisal and change management.

� A key factor in setting the tone for risk management is the right message from the top: personal objectives and targets embracing clear, concise and regular endorsement, so that risk assessment can be applied to the kinds of decision made every working day, at all levels of the organisation.

� Sufficient funding is required to enable risk treatment measures to be evaluated and implemented. Provision of staff time for training and attendance at the risk group/committee is essential.


8. Audit Programme – Embedding Risk Management

Key issue

Risk management is embedded in the normal governance and management process of the organisation and is not seen as a ‘one-off’ or ‘add-on’ exercise.

Key questions for consideration

� Is it clear that risk is on the agenda at strategy reviews, budget approval meetings, performance reviews, project planning and review meetings, as well as being scheduled items on the management team and governing body agenda?

� Is there evidence of senior management commitment to, and endorsement of, risk management?

� Is risk assessed at both pre- and post-business-planning sessions and are revised risk assessments approved along with the business plan and budget?

� Are control failures and the materialisation of risk discussed openly and in an environment that encourages learning that is shared throughout the whole organisation?

� Are insurance managers, risk managers and internal auditors asked to advise and review the quality of risk management?

� Is risk management part of every manager’s competency framework, job description and performance appraisal?

� Does the organisation reward good risk management and early problem prevention?

� Does the performance management system act as an early warning of risks materialising in the key risk areas of the business?

� Is there a common language for risk management that is communicated effectively and generally understood?

� Are successes publicised and managers rewarded for sharing lessons from things that did not go according to plan?

Key documents

� Governing body and management meeting agendas and away-day notes

� Business planning and risk assessment timetable

� Control failure/risk materialisation reports

� Risk panel meeting agendas and minutes

� Performance management framework

� Training programme

� Project methodology

� Job descriptions

� Performance appraisal records

� The organisation’s main communication tools

Consideration of risk maturity for this element

                 Now    Short term    Long term
Risk enabled
Risk managed
Risk defined
Risk aware
Risk naive

Comments:


Glossary

The public sector covers such a wide and diverse range of services and organisations that this glossary can provide only an indication of the terminology that is commonly used.

Assurance: An evaluated opinion, based on evidence gained from review, on the organisation’s governance, risk management and internal control framework.

Assurance framework: A structured means of identifying and mapping the main sources of assurance in an organisation, and co-ordinating them to best effect.

Assurance mapping: A mechanism for linking assurances from various sources to the risks that threaten the achievement of an organisation’s outcomes and objectives.

Audit committee: The governance group independent from the executive charged with providing oversight of the adequacy of the risk management framework, the internal control environment and the integrity of financial reporting.

Corporate governance: The system by which organisations are directed and controlled.

External audit: Independent, qualified person(s) who carry out a review to give assurance to external stakeholders on an entity’s financial statements, systems and processes.

Governance: The arrangements put in place to ensure that the intended outcomes for stakeholders are defined and achieved. These arrangements include political, economic, social, environmental, administrative and legal, and other arrangements.

Governance statement: A public report on the extent to which organisations comply with their own code of governance on an annual basis, including how they have monitored the effectiveness of their governance arrangements in the year, and on any planned changes in the coming period. The process of preparing the governance statement should itself add value to the corporate governance and internal control framework of an organisation.


Head of internal audit opinion: The internal auditor’s opinion is usually expressed within an annual report, and is a key aspect of the review of the effectiveness of the governance statement.

The opinion is usually expressed as providing reasonable, not absolute, assurance on the effectiveness of the governance, risk management and control framework, given that audit cannot review every risk, control or process in the organisation. The concept of materiality is an important part of the opinion, in that only those issues that would significantly affect the operation of controls or exposure to significant risk form part of the auditor’s conclusion.

Governing body: The person(s) or group with primary responsibility for overseeing an entity’s strategic direction, operations and accountability.

Internal audit: An independent, objective assurance and consulting activity designed to add value and improve the organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

Internal control:

� A system or process: the entirety of an organisation’s system of internal control, ie an organisation’s internal control system.

� An activity or measure: the actual measure to treat risks and to effect internal control, ie individual internal controls.

� A state or outcome: the outcome of the internal control system or process, ie an organisation achieving or sustaining appropriate or effective internal control.

Risk: The effect of uncertainty on objectives. The effect can be negative (threats, loss, harm) or positive (opportunities).

Audit risk:

� Key risks are not identified or key controls are not properly tested, meaning that issues are missed or a wrong opinion is given because of lack of the right skills, experience, supervision or specialist expertise.

� The audit is scoped too widely/loosely, leading to failure to meet resource and timeframe targets or to address issues on a timely basis.

� Real or perceived conflicts of interest impair audit objectivity and undermine the results of the audit.

� Audit work is performed in insufficient depth to meet specific management expectations or concerns.


Inherent risk: The risk that an activity would pose if no controls or other mitigating factors were in place (gross risk or risk before controls).

Residual risk: The risk that remains after controls are taken into account (net risk or risk after controls).

Risk appetite/tolerance: The amount of risk that an organisation is prepared to accept, tolerate or be exposed to at any point in time.

Risk management: Co-ordinated activities to direct and control an organisation with regard to risk. The term is usually applied to a logical and systematic method of establishing the context, identifying, analysing, evaluating, treating, monitoring and communicating the risks associated with any activity, function or process in a way that will enable the organisation to minimise losses and maximise opportunities.

Risk policy/strategy: A document incorporating the risk management objectives (mission), procedures to implement the risk management process, and risk management structure.

Risk register: A document, which may incorporate the risk assessment of the organisation, identifying the key risks, non-key or contributory risks, allocation of responsibility, controls and assessment of significance (eg high, medium, low).


Further Reading

The Accounts and Audit (England) Regulations 2011

The Accounts and Audit (Wales) (Amendment) Regulations 2013

The Local Authority Accounts (Scotland) Regulations 2014

Assurance Frameworks (HM Treasury, 2012)

Audit Committees: Practical Guidance for Local Authorities and Police (CIPFA, 2013)

Board Assurance Framework (Paper NHSE121312, NHS England, 2013)

Board Governance Essentials: A Guide for Chairs and Boards of Public Bodies (Public Chairs’ Forum/CIPFA, 2011)

CIPFA Position Statement: Audit Committees in Local Authorities and Police (CIPFA, 2013)

CIPFA Statement on the Role of the Head of Internal Audit in Public Service Organisations (CIPFA, 2010)

Corporate Governance in Central Government Departments: Code of Good Practice 2011 (HM Treasury/Cabinet Office, 2011)

Delivering Good Governance in Local Government: Framework (CIPFA/SOLACE, 2007)

Delivering Good Governance in Local Government: Framework (Addendum) (CIPFA/SOLACE, 2012)

Good Practice Guidance – Delivering Audit Assignments: A Risk-based Approach (HM Treasury, 2005)

Governance and Risk Report 2013: Internal Audit’s Perspective on the Management of Risk (IIA, 2013)

Home Office: Risk Management Policy and Guidance (Home Office, 2011)

IIA Position Paper: The Role of Internal Auditing in Enterprise-wide Risk Management (IIA, 2009)

International Framework: Good Governance in the Public Sector (CIPFA/IFAC, 2014)

Leading in Hard Times: Guidance for the Public Sector (CIPFA, 2011)

Local Government Application Note for the United Kingdom Public Sector Internal Audit Standards (CIPFA, 2013)

Managing Risks in Government: Good Practice (National Audit Office, 2011)

The Orange Book: Management of Risk – Principles and Concepts (HM Treasury, 2004)

Public Sector Internal Audit Standards: Applying the IIA International Standards to the UK Public Sector (Relevant Internal Audit Standard Setters, 2013)


Risk Governance: Risk Management Guidance Note 13 (CIPFA Better Governance Forum, 2011)

Risk Management Assessment Framework: A Tool for Departments (HM Treasury, 2009)

Risk Management Guidance for Board/Elected Members: Risk Management Guidance Notes No. 10 (CIPFA Better Governance Forum, 2006)

Risk Management in Higher Education: A Guide to Good Practice (HEFCE/PwC, 2005)

Risk Management: Principles and Guidelines (BS ISO 31000:2009, 2010)

Taking it on Trust: A review of how boards of NHS trusts and foundation trusts get their assurance (Audit Commission, 2009)

Under Pressure: Securing Success, Managing Risk in Public Services (PwC, 2012)

Understanding Strategic Risk Management in Academies and Further Education Colleges (CIPFA, 2014)


Registered office: 3 Robert Street, London WC2N 6RL

T: +44 (0)20 7543 5600 F: +44 (0)20 7543 5700 www.cipfa.org

CIPFA registered with the Charity Commissioners of England and Wales No 231060

From 1 January 2015: 77 Mansell Street, London E1 8AN

T: +44 (0)20 7543 5600 F: +44 (0)20 7543 5700 www.cipfa.org
