Risk Management

Energy Trusts of New Zealand 2011 Spring Conference Risk Management and Internal Audit What are they and how do they work?

Presenter: Rodger Murphy Partner – Deloitte

Areas for Discussion

• Risk management - What is it?
  - How it works
  - Principles of risk intelligence
• Three lines of defence
• Top down approach
  - Risks, risk mapping, risk prioritisation, measurement
  - Assurance sources
• Internal audit - What is it?
  - How can it work for your organisation
• What could be included in an internal audit plan?
• Some risks facing Energy Trusts

Strictly Private & Confidential © 2011 Deloitte. A Member of Deloitte Touche Tohmatsu Limited

Risk Management

• What is it: Co-ordinated activities to direct and control an organisation with regard to risk, or: a process to manage what keeps you awake at night
• Risk Management Framework: A set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout an organisation (see diagram)

Risk Management Process – how it works

• Establish context
• Risk assessment
  - Risk identification
  - Risk analysis
  - Risk evaluation
• Risk treatment

Principles of Risk Intelligence

• Common definition of risk applied consistently
• Common risk framework used to manage risks
• Key roles, responsibilities and authority relating to risk management are clearly defined and delineated
• Governing bodies (boards, committees) have transparency and visibility into the organisation's risk management practices
• A common risk management infrastructure is used to support business units and functions to deliver on their risk responsibilities
• Executive management is responsible for designing, implementing and maintaining an effective risk programme
• Business units are responsible for managing their risks
• Certain functions (finance, legal, IT) are pervasive and need to support business units on risk
• Certain functions (e.g. internal audit) provide objective assurance and monitoring

The ‘Three Lines of Defence’ Risk Governance Model

Top Down Approach

Understand the full picture of your organisation: take a top down perspective.

Risks
• Financial
• Treasury
• Reputational
• Tax
• External Regulatory
• Operational
• Health & Safety
• Assets/IT
• Legal
• Strategic
• Business Continuity Management

Assurance
• Internal Audit
• External Audit
• Compliance Specialists
• H&S / Engineering

Value Drivers
• Revenue Growth
• Operating Margin
• Asset Efficiency
• Management & Governance Effectiveness
• Execution Capabilities
• External Factors

Risk Prioritisation

• Identify key risks in your organisation
• Prioritise the top risks for Board oversight
• Review top risks on a regular basis
• Seek attestation from management on risks and mitigating controls

Risk Assessment and Risk Measurement

Risk matrix: likelihood (Certain, Almost certain, Likely, Unlikely, Highly unlikely) across the top, consequence (Minor, Moderate, Serious, Major, Catastrophic) down the side; each cell holds one of the ratings L, M, H, VH or E.

CONSEQUENCE     Certain   Almost certain   Likely   Unlikely   Highly unlikely
Minor           H         M                L        L          L
Moderate        (cell ratings not recoverable from the extracted slide)
Serious         (cell ratings not recoverable from the extracted slide)
Major           (cell ratings not recoverable from the extracted slide)
Catastrophic    E         E                VH       VH         H

• Consistency
• Five point scale

Internal Audit

• What is it: Independent activity providing assurance and feedback on risks, controls and process improvement opportunities
• How can it work for your organisation / trustees?
  - Focus is primarily on assurance
  - Helps protect an organisation from downside risk and control weakness / failure
  - Can be used to find smarter ways of doing business – process improvement
  - One component of wider assurance activity

Effective and Value Add Internal Audit Functions

• Have independence
• Appropriate reporting line to the Board
• Strong on risk profiling / risk based approach
• Get planning at overall and individual audit level right
• Apply specialist skills – e.g. Treasury, IT, modelling
• Must be practical with recommendations
• Input at design and build stage of new processes and systems
• Recognise new and changing risk areas e.g. modelling, IT security and automated operating environments (SCADA systems)
• Provides context reporting
• Provides opinion on control effectiveness
• Follow-up is critical on remedial actions

What could be included in your internal audit plan?

• Links to top down risk profiling process
• Identifies the organisation's core business processes as the plan framework
• Risk based
• Follows organisation minimum requirements from policy/charters
• Applies cycle of reviews over business processes
• Provides you with a full 3 to 5 year picture of assurance reviews
• Allocates sufficient budget to internal audit activity
• Applies structured approach to review of IT areas (CoBiT/ITIL)
• Focus on new and emerging risk areas e.g. IT security

Sample risks facing Energy Trusts

Managing the Trust
• Inadequate/inappropriate risk management to ensure fiduciary responsibilities and beneficiary expectations are met
• Key personnel risk and segregation of duties due to a small team
• Succession planning for trustee role
• Legislative compliance risk
• Inappropriate investment decisions
• Trustee disagreement
• Reputation risk (non-performing assets/investments/incident management)
• Inappropriate/lack of communication to beneficiaries regarding key issues

Managing the Trust’s Assets
• Insufficient technical knowledge of the business or industry risks
• Regulatory compliance
• Key issues/concerns of management unknown/inappropriately communicated to Trust
• Lack of presence/authority on relevant business’ boards
• Increased population vs. fixed payment amount (solvency risk)
• Failure to appropriately distribute dividend payments
  - Incorrect/duplicate payments
  - Fraud
  - Cheques not cashed

Questions
