Transcript: Risk Management
Energy Trusts of New Zealand 2011 Spring Conference
Risk Management and Internal Audit: What are they and how do they work?
Presenter: Rodger Murphy Partner – Deloitte
Areas for Discussion
• Risk management
  - What is it?
  - How it works
  - Principles of risk intelligence
• Three lines of defence
• Top down approach
  - Risks, risk mapping, risk prioritisation, measurement
  - Assurance sources
• Internal audit
  - What is it?
  - How can it work for your organisation
• What could be included in an internal audit plan?
• Some risks facing Energy Trusts
Strictly Private & Confidential © 2011 Deloitte. A Member of Deloitte Touche Tohmatsu Limited
Risk Management
• What is it: Co-ordinated activities to direct and control an organisation with regard to risk, or: a process to manage what keeps you awake at night
• Risk Management Framework: A set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout an organisation (see diagram)
Risk Management Process – how it works
• Establish context
• Risk assessment
  - Risk identification
  - Risk analysis
  - Risk evaluation
• Risk treatment
Principles of Risk Intelligence
• Common definition of risk applied consistently
• Common risk framework used to manage risks
• Key roles, responsibilities and authority relating to risk management are clearly defined and delineated
• Governing bodies (boards, committees) have transparency and visibility into the organisation's risk management practices
• A common risk management infrastructure is used to support business units and functions to deliver on their risk responsibilities
• Executive management responsible for designing, implementing and maintaining an effective risk program
• Business units are responsible for managing their risks
• Certain functions (finance, legal, IT) are pervasive and need to support business units on risk
• Certain functions (e.g. internal audit) provide objective assurance and monitoring
The ‘Three Lines of Defence’ Risk Governance Model
Top Down Approach
Understand the full picture of your organisation: take a top down perspective

[Diagram: risks, assurance sources and value drivers]
RISKS: Financial, Treasury, Reputational, Tax, External Regulatory, Operational, Health & Safety, Assets/IT, Legal, Strategic, Business Continuity Management
ASSURANCE: Internal Audit, External Audit, Compliance Specialists, H&S / Engineering
VALUE DRIVERS: Revenue Growth, Operating Margin, Asset Efficiency, Management & Governance Effectiveness, Execution Capabilities, External Factors
Risk Prioritisation
• Identify key risks in your organisation
• Prioritise the top risks for Board oversight
• Review top risks on a regular basis
• Seek attestation from management on risks and mitigating controls
Risk Assessment and Risk Measurement
[Risk matrix: a 5 × 5 heat map. Likelihood (columns): Certain, Almost certain, Likely, Unlikely, Highly unlikely. Consequence (rows): Minor, Moderate, Serious, Major, Catastrophic. Each cell carries a rating of L, M, H, VH or E; the rating rises from L at the Minor / Highly unlikely corner to E at the Catastrophic / Certain corner. The individual cell values are not legible in the transcript.]
• Consistency
• Five point scale
Internal Audit
• What is it: Independent activity providing assurance and feedback on risks, controls and process improvement opportunities
• How can it work for your organisation / trustees?
  - Focus is primarily on assurance
  - Helps protect an organisation from downside risk and control weakness / failure
  - Can be used to find smarter ways of doing business: process improvement
  - One component of wider assurance activity
Effective and Value Add Internal Audit Functions
• Have independence
• Appropriate reporting line to the Board
• Strong on risk profiling / risk based approach
• Get planning right at overall and individual audit level
• Apply specialist skills, e.g. Treasury, IT, modelling
• Must be practical with recommendations
• Input at design and build stage of new processes and systems
• Recognise new and changing risk areas, e.g. modelling, IT security and automated operating environments (SCADA systems)
• Provide context reporting
• Provide opinion on control effectiveness
• Follow-up is critical on remedial actions
What could be included in your internal audit plan?
• Links to top down risk profiling process
• Identifies organisation's core business processes as plan framework
• Risk based
• Follows organisation minimum requirements from policy/charters
• Applies cycle of reviews over business processes
• Provides you with a full 3 to 5 year picture of assurance reviews
• Allocates sufficient budget to internal audit activity
• Applies structured approach to review of IT areas (COBIT/ITIL)
• Focus on new and emerging risk areas, e.g. IT security
Sample risks facing Energy Trusts
Managing the Trust
• Inadequate / inappropriate risk management to ensure fiduciary responsibilities and beneficiary expectations are met
• Key personnel risk and segregation of duties due to a small team
• Succession planning for trustee role
• Legislative compliance risk
• Inappropriate investment decisions
• Trustee disagreement
• Reputation risk (non-performing assets / investments / incident management)
• Inappropriate / lack of communication to beneficiaries regarding key issues
Managing the Trust's Assets
• Insufficient technical knowledge of the business or industry risks
• Regulatory compliance
• Key issues / concerns of management unknown or inappropriately communicated to Trust
• Lack of presence / authority on relevant business' boards
• Increased population vs. fixed payment amount (solvency risk)
• Failure to appropriately distribute dividend payments
  - Incorrect / duplicate payments
  - Fraud
  - Cheques not cashed
Questions