risk mapping workshop
TRANSCRIPT
BUSINESS IS … OPPORTUNITIES MANAGEMENT, AS WELL AS … RISKS MANAGEMENT
• WHO IS THE BAD GUY … OR … GIRL? (THE HEAD OF INTERNAL AUDIT / THE CEO)
STEP 1: WRAP-UP
• CORPORATE OBJECTIVES (and related KPIs, if any)
• TOP 5 RISKS: IDENTIFICATION AND ASSESSMENT
  • ‘What could go wrong?’
  • ‘Severity’ in terms of:
    • Impact (High, Medium, Low)
    • Likelihood (High, Medium, Low)
    • Velocity (Short, Medium, Long term)
• Keep the risk of fraud in mind as well
STEP 2: SELECT
• SHORT-TERM RISKS:
  • Keep only those that are very likely to occur within the next SIX months
• TOP 5 RISKS:
  • Validation of the attributes (impact, likelihood, velocity)
  • Risk owner commitment and sign-off (upon validation by the Group Executive Committee and endorsement by the Board of Directors)
STEP 3: RISK MANAGEMENT
• MITIGATION FACTORS:
  • Controls such as bank reconciliation or physical inventory counts
• RESIDUAL RISKS = inherent risks (STEP 2) – risk treatments (mainly mitigation; otherwise avoidance, sharing, transfer or acceptance)
• RISK MANAGEMENT GOVERNANCE:
  • RESIDUAL risk owner commitment and sign-off (upon validation by the Group Executive Committee and endorsement by the Board of Directors)
RISK, RISK MANAGEMENT
RISK
“Risk is defined as the probability that an event will occur and adversely affect the achievement of objectives. Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement” (COSO)
RISK MANAGEMENT
Risk management aims at identifying, controlling and reducing risks, and at reporting on them quarterly to the Board of Directors.
IMPACT: “YOUR ORGANIZATION’S RISKS IN METRO HEADLINES”?
Impact level and criteria (guidance):
Low: below 10% deviation from the quantitative KPI (profit before tax or another operational KPI)
Medium: between 10% and 20% deviation from the quantitative KPI
High: above 20% deviation from the quantitative KPI
The following are also rated High impact:
• Any fraud risk (fraud starts from the first euro)
• Any damage to Transcom’s brand or reputation
• Any risk whose duration exceeds one year
“Likelihood represents the possibility that a given event will occur, while “impact” represents its effect.” (COSO 2012 definition)
A THIEVING call centre worker stole nearly £600,000 of mobile phones from his firm in a nationwide scam.

Michael Higgins was working for Orange, in North Tyneside, when he hatched the plot to line his pockets. Higgins, who worked as an analyst for the firm, managed to override an internal security system time and time again to set up bogus sales. Newcastle Crown Court heard a total of 1,158 handsets were stolen over a two-year period worth £496,141, but the VAT avoided on the sales pushed this up to almost £600,000. Now Higgins has been locked up for three years and four months while fellow former Orange worker Gavin Ellis, who worked as Higgins’ ‘sales manager’ in the plot, was jailed for 32 months. Judge Brian Forster said: “This was planned theft over a significant period of time and the value was substantial.”

“The courts have a clear duty to deter employees from committing serious offences of dishonesty, in particular theft. Higgins acted in a gross breach of trust and Ellis was not only involved in sales but was quickly centrally involved.” An inquiry had been launched at the Orange call centre, on the Cobalt Business Park, North Tyneside, after discrepancies were uncovered between the number of phones being ordered and billed and the number being delivered. The investigation showed a large number of orders had been delivered but had somehow avoided going into the firm’s billing process. Robert Adams, prosecuting, said: “Michael Higgins was identified as the analyst responsible in each case. No payment was being taken for these phones because no account had been set up with Orange. All these transactions were processed by Higgins, they all related to top of the range handsets and none of them was ever paid for.”
“When Higgins, 34, of Bothal Place, Pegswood, Northumberland, was interviewed by police he admitted stealing the phones by bypassing the usual system, saying once the phones had been dispatched he would delete the order. The court heard while Higgins spent his profits of £90,000 on clearing his debts, co-accused Ellis had used his similarly sized share to pay off his mortgage, buy a £20,000 Ford Focus and private registration plate and a £5,000 kitchen. Ellis, 36, of Gainford, Gateshead, had also worked for Orange but had left the firm before the scam began. He admitted selling some of the phones on internet auction site eBay and meeting other people to pass the handsets on. Both Higgins and Ellis pleaded guilty to conspiracy to steal between January 2006 and January 2008. Ellis’ wife, Lynn Ellis, 31, of Gainford, Gateshead, also became embroiled in the plot and pleaded guilty to allowing her bank accounts to be used by her husband for the transfer of criminal property, namely £40,000 withdrawn to pay off their mortgage. She was jailed for 26 weeks, suspended for 18 months and ordered to do 100 hours of unpaid work. Irtafa Dawood, 29, of Empire Road, Middlesex, who bought the phones from Higgins and Ellis at knock-down prices then sold them on, was convicted by a jury of handling stolen goods. He was jailed for two-and-a-half years. Carl Parker, 40, of Laburnum Grove, Staffordshire, who allowed his address to be used for delivery of the phones, pleaded guilty to being concerned in the arrangement of criminal property and was jailed for nine months, suspended for 18 months, with 150 hours of unpaid work. Malcolm Harvey, 30, of Barningham Road, Richmond, admitted the same offence and received the same sentence. Detective Sergeant Dave Swinburne, from North Shields CID, said: “These convictions have taken place after extensive enquiries have been carried out by officers over a two-year period the length and breadth of the country. This investigation established that more than 1,100 mobile phones were stolen worth nearly £600,000. I hope today’s court case sends a clear message that such crimes will be fully investigated and those found guilty will be brought to justice.” He added that financial investigators will be making an application under the Proceeds of Crime Act to recover any assets.”
Source: ChronicleLive.co.uk, November 2009
A fraud with a high impact.
LIKELIHOOD: LOW, MEDIUM OR HIGH?
Level, criteria and example:
Low: below 33% (example: floods in Australia)
Medium: between 33% and 66% (example: snow in Roma)
High: above 66% (example: snow in Luxembourg)
“Likelihood represents the possibility that a given event will occur, while “impact” represents its effect.” (COSO 2012 definition)
VELOCITY
“Risk velocity refers to the pace with which the entity is expected to experience the impact of the risk. For instance, a manufacturer of consumer electronics may be concerned about changing customer preferences and compliance with radio frequency energy limits (…) Changes in regulatory requirement develop much more slowly than do changes in customer preferences.” (COSO 2012 definition)
Risk velocity criteria:
Short: within the next three months
Medium: between the next four and six months
Long: beyond six months
INTERNAL AUDIT
Definition
“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
Source: The Institute of Internal Auditors (IIA)
Internal Audit vs. External Audit
• Statutory mission
  • Internal Audit: No
  • External Audit: Yes
• Transcom employee
  • Internal Audit: Yes (on principle)
  • External Audit: No
• Scope
  • Internal Audit: financial statements, forecast and budget process, operations, compliance
  • External Audit: financial statements only
• Objectives
  • Internal Audit: assess the adequacy and effectiveness of the internal control framework
  • External Audit: give an independent and professional opinion on whether the accounts are free from any material bias
• Accountable before
  • Internal Audit: the Audit Committee
  • External Audit: the shareholders
FRAUD, INTERNAL CONTROL
Fraud
“The Institute of Internal Auditors defines fraud as: “… any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.”
Internal control
“Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of reporting
• Compliance with applicable laws and regulations”
Source: COSO 2012
The COSO cube (shown on the slide) describes the internal control framework along three dimensions:
• Category of objectives
• Process
• Organization
RISK REGISTER TEMPLATE SAMPLE
RISK                IMPACT   LIKELIHOOD   VELOCITY      SIGNIFICANCE
Trainee illness     Low      Low          Long term     Low
Agent absenteeism   Low      Medium       Medium term   Medium
Tax audit           High     Medium       Short term    High
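As an added example (not part of the workshop material), the Python scorer below applies the impact, likelihood and velocity criteria from the earlier slides to a constructed register, applies the Step 2 short-term selection, and derives the significance column. The transcript does not include the rating rule itself, so the rule used here (the higher of impact and likelihood) is an assumption chosen because it reproduces the three sample rows above; the numeric inputs for the sample risks, and the fraud-flagged fourth risk, are constructed.

```python
from dataclasses import dataclass

# Ordered scale shared by impact, likelihood and the derived significance.
LEVELS = ("Low", "Medium", "High")


def impact_level(deviation_pct, fraud=False, reputational=False, over_one_year=False):
    """Impact per the workshop guidance: fraud (from the first euro), brand or
    reputation damage and a duration over one year are High whatever the KPI
    deviation; otherwise the deviation from the quantitative KPI decides."""
    if fraud or reputational or over_one_year:
        return "High"
    if deviation_pct < 10:
        return "Low"
    if deviation_pct <= 20:
        return "Medium"
    return "High"


def likelihood_level(probability_pct):
    """Likelihood bands: below 33% Low, 33-66% Medium, above 66% High."""
    if probability_pct < 33:
        return "Low"
    if probability_pct <= 66:
        return "Medium"
    return "High"


def velocity_level(months_to_impact):
    """Velocity bands: within 3 months Short, 4-6 months Medium, beyond 6 Long."""
    if months_to_impact <= 3:
        return "Short"
    if months_to_impact <= 6:
        return "Medium"
    return "Long"


def significance(impact, likelihood):
    """ASSUMPTION: the rating rule slide is not in the transcript. Taking the
    higher of impact and likelihood reproduces the three sample register rows."""
    return LEVELS[max(LEVELS.index(impact), LEVELS.index(likelihood))]


@dataclass
class Risk:
    name: str
    deviation_pct: float      # expected deviation from the quantitative KPI
    probability_pct: float    # estimated probability of occurrence
    months_to_impact: int     # when the impact is expected to be felt
    fraud: bool = False
    reputational: bool = False
    over_one_year: bool = False


def assess(risk):
    """One register row: the three attributes plus the derived significance."""
    impact = impact_level(risk.deviation_pct, risk.fraud, risk.reputational, risk.over_one_year)
    likelihood = likelihood_level(risk.probability_pct)
    velocity = velocity_level(risk.months_to_impact)
    return {"risk": risk.name, "impact": impact, "likelihood": likelihood,
            "velocity": velocity, "significance": significance(impact, likelihood)}


def select_short_term(rows):
    """Step 2 filter: risks very likely to occur within the next six months,
    read here as High likelihood with a Short or Medium velocity."""
    return [r for r in rows if r["likelihood"] == "High" and r["velocity"] != "Long"]


# Constructed inputs: the first three reproduce the sample register rows; the
# fourth is a fraud scenario in the spirit of the handset case, whose tiny KPI
# deviation is still rated High impact because fraud starts from the first euro.
SAMPLE_RISKS = [
    Risk("Trainee illness", deviation_pct=2, probability_pct=15, months_to_impact=9),
    Risk("Agent absenteeism", deviation_pct=5, probability_pct=50, months_to_impact=5),
    Risk("Tax audit", deviation_pct=25, probability_pct=40, months_to_impact=2),
    Risk("Handset billing bypass", deviation_pct=1, probability_pct=70, months_to_impact=2, fraud=True),
]


def build_register(risks=SAMPLE_RISKS):
    """Score every risk and return the register rows in input order."""
    return [assess(r) for r in risks]


if __name__ == "__main__":
    rows = build_register()
    for r in rows:
        print(f"{r['risk']:<24}{r['impact']:<8}{r['likelihood']:<12}{r['velocity']:<8}{r['significance']}")
    print("Short-term selection:", [r["risk"] for r in select_short_term(rows)])
```

The band boundaries follow the slides literally (10% and 20% fall in Medium, 33% and 66% in Medium, month 3 is Short and month 6 is Medium); if the workshop uses different edge conventions, only the comparison operators need changing.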
RISK SIGNIFICANCE RATING RULE