Transcript Module 2

School Board Audit Committee Training
Module 2
Assessing Risk and Risk Management
1
Session objectives
After completing this session you will:
Understand the Audit Committee’s responsibilities related to risk management
Identify and assess the various types of risks
•
Governance
•
Service Delivery / Operational
•
Stakeholder Satisfaction / Public Perception
•
Human Resources
•
Financial
•
Legal & Compliance
•
Information Management
•
Technology
Assess risk against likelihood and significance
Understand the assessment of risk within the School Board Audit Universe
Understand standard risk management techniques
2
Risk terminology
Definition of risk1
Risk is defined as “anything of variable
uncertainty and significance that
interferes with the achievement of
organizational strategies and objectives”.
.
1
Source: COSO
3
Audit Committee duties related to Risk Management
[ON Regulation 361/10 9(6)]
•
To inquire about significant risks
•
To review the School Board’s policies for risk assessment and risk
management and to assess the steps taken to manage such risks
(i.e. Internal controls, the adequacy of insurance).
•
To perform other activities related to the oversight of the School
Board’s risk management issues or financial matters, as requested.
•
To initiate and oversee investigations, as appropriate.
4
Risk categories
•
•
•
Collectively, Ontario’s 72 District
School Boards (DSBs) have the
responsibility for education over two
million students. School boards are
faced with a wide range of risks that
must be managed in order to
achieve the educational outcomes
demanded by stakeholders.
These risks may be categorized to
better facilitate the risk identification
and management process.
It is the responsibility of the Audit
Committee to oversee the process
used to assess risk and be
comfortable that significant risks are
identified and emerging risks
considered.
Technology
Legal &
Compliance
Governance
Operational
Human
Resources
Risks
Public
Perception
Financial
Information
Management
An integrated approach to risk management is critical
5
Risk type: Governance
•
•
Operationa
Governance
l
The risk that the organization structure, accountabilities, or responsibilities
are not designed, communicated or implemented to meet the organization's
objectives, and the risk that culture and management commitment do not
support the formal structures.
Example of a governance risk that could potentially impact a DSB:
– Accountability and Oversight
• The risk that ineffective or undefined lines of authority may cause managers or
employees to do things they should not do or fail to do things they should.
6
Risk type: Service Delivery / Operational
•
•
Operational
The risk that ineffective and/or inefficient operations or interruptions to
service delivery will impact the school board's ability to meet its goals and
objectives.
Examples of operational risks that could potentially impact a DSB:
– Outcome achievement:
• The risk that academic outcomes will not be achieved due to an inability to effectively
deliver the academic curriculum to the student population.
– Student experience
• The risk of failing to deliver quality programs to students to allow them to develop the
skills of lifelong learning.
– Personal security
• The risk of failing to provide a safe and secure environment for students, educators,
parents and other members of the school community.
7
Risk type: Stakeholder Satisfaction/Public
Perception
Public
Perception
•
The risk the school board will not meet the expectations of the public, the
Ministry of Education and other external stakeholders and that the school
board's actions will affect its public image.
•
Example of stakeholder satisfaction/ public perception risks that could
potentially impact a DSB:
– Stakeholder Engagement:
• The risk that stakeholders are not sufficiently engaged or provide the necessary
oversight required to monitor and assess the organization.
8
Risk type: Human Resources
Human
Resources
•
The risk that insufficient, inappropriate or unqualified staff are
hired/retained and that the turnover ratio of qualified staff is high.
•
Examples of potential people risks in the context of a DSB include:
– Recruiting and retention
• The risk of failing to attract and retain personnel with the requisite knowledge, skills
and experience to allow the DSB to effectively achieve its educational outcomes and
business objectives.
– Attendance management
• The risk of impacting curriculum delivery and incurring additional teaching costs due
to unplanned or excessive educator absences.
– Succession planning
• The risk of the DSB failing to appropriately anticipate and plan for the succession
and renewal of key personnel resulting in the ability to perform critical functions or
the loss of organizational knowledge capital.
9
Risk type: Financial
•
Financial
The risk of financial loss caused by theft, incorrect financial reporting, fraud
and/or the inability to meet budget requirements. Examples of financial
risks facing a DSB include:
– Budgeting and forecasting
• The risk that unrealistic, irrelevant or unreliable budget and planning information or
inadequate Ministry funding knowledge may cause inappropriate financial
conclusions and operational decisions.
– Accounting and financial reporting
• The risk that transactions are not properly processed, reviewed, reported and
disclosed resulting in errors or omissions in financial reporting.
– Cash Handling
• The risk that cash is misappropriated, is not accounted for, or is not adequately
safeguarded.
– Fraud
• The risk of fraudulent activities (such as the misappropriation of assets) perpetrated
by management, administrative employees, teachers or students, causing loss.
10
Risk type: Legal & Compliance
Operationa
Legal &
l
Compliance
•
The risk the school board will not be in compliance with legislation,
regulations, contracts, guidelines and policy direction.
•
Examples of legal & compliance risks in the context of a DSB include:
– Compliance risk
• The risk of the organization failing to comply with Ministry requirements or guidelines,
resulting in corrective action and/or negative publicity.
– Legal risk
• The risk of the organization failing to meet or adhere to legal obligations and/or
violating statutory requirements.
11
Risk type: Information Management
•
Information
Management
The risk that school board information is incomplete, out-of-date, irrelevant
or inappropriately disclosed. Examples include:
– IM/IT strategy
• The risk of a DSB failing to develop and implement an effective information
management and technology strategy in order to meet the needs and requirements
of multiple stakeholders.
12
Risk type: Technology
•
•
Technology
The risk that IT does not align with business and does not support
availability, access, integrity, relevance and security of data.
Examples include:
– IT reliability and availability
• The risk of information technology systems, business applications and
telecommunications systems being unavailable to support operations.
– Data privacy, quality and integrity
• The risk that there are inadequate controls in place to ensure the privacy, quality,
integrity and accuracy of a DSB’s electronic information.
– IT security
• The risk of failing to appropriately secure a DSB’s networks, systems, applications.
13
Discussion - Risk Categories
 Identify other examples of risks affecting a DSB under the following categories:
o Governance
o Service Delivery / Operational
o Stakeholder Satisfaction / Public Perception
o Human Resources
o Financial
o Legal & Compliance
o Information Management
o Technology
 How would these risks impact the Board?
 What can be done to prevent these risks from impacting the organization?
14
Assessing risk: likelihood and significance
•
•
Risk has two dimensions — likelihood and significance
Likelihood:
– The probability that the risk will occur and impact the organization
•
Significance:
– The potential impact that the risk will have (should it occur) on the organization
– Significance can be rated using various criteria. For the purposes of the DSB
risk assessments the following criteria are used:
• Reputational – How would the occurrence of the risk impact the school / DSB /
Ministry's reputation?
• Financial – What would be the financial impact/ consequences of the occurrence of
the risk?
15
Assessing risk: likelihood and significance
Significance of risk
High Damage
High
Likelihood
Likelihood of occurrence
16
Exercise – Assessing Risk
•
•
In your groups, identify 8-10 risks that might prevent the workmen from
meeting their objective (having lunch on top of the tall building)
Using a flipchart, draw a risk map and map the risks to the appropriate
quadrant.
17
Exercise – Assessing Risk
Significance vs. Likelihood
High
Building falling down
Significance
Losing balance
Strong wind
Dropping lunch
Small birds hitting workmen
Losing hard hat
Low
Likelihood
High
18
Assessing risk: inherent vs. residual
•
•
•
•
Risk can be assessed on two levels, Inherent and Residual.
Inherent risk is the assessed level of risk in the absence of internal
controls.
Residual risk is the assessed level of risk once internal controls are taken
into account.
Internal controls can aid in the reduction of both the likelihood and
significance of risk.
19
Why should we assess risks?
•
Executing an organizational risk assessment is the first step in determining
the focus of the internal audit function. It is completed to:
– Understand the risks within the environment in which the DSB operates
– Assess the potential likelihood and significance of the impact of these risks on
the various processes undertaken by the DSB
– Identify the DSB’s higher risk processes
20
How is risk assessed?
•
•
•
•
As part of the risk assessment process, the population of risks the DSB
faces needs to be identified to understand how and where they could
impact the organization.
Using the risk categories as a guide, relevant sub risks in each category
can be identified and assessed for applicability.
As risks impact the organization in different areas, a top-down process
view of the organization is required.
This top-down, process view of the organization is referred to as the
process universe.
21
District School Board Audit Universe
District School Board:
London District Catholic School Board
For the period:
September 1, 2009 to August 31, 2010
Entity Level Risk Ranking:
Process Level Risk Rating:
Process
LK
FI
RI
Plan and develop
programs
H
M
L
%
Process
LK
FI
RI
%
Process
LK
FI
RI
%
Process
LK
FI
RI
%
Process
LK
FI
RI
%
Process
Plan and provide
support services
Enrolment
Attendance
Managing instructional
day
Special Education
Special Education - High
Needs
Coordinate Student
organizations & athletics
Professional
Development
Management of
Suspensions &
Expulsions
Budget planning,
development & control
Management reporting
and analysis
Ministry reporting
Grant and non grant
revenue management
Fundraising
Treasury
Facility Procurement
Procurement & A/P
Purchasing Cards
Expense Reporting
Risk Management
Payroll
Facility requirement
forecasting/capital
planning
EDC by law process
Manage facility
operations
Repairs & Maintenance
Custodial services
Construction monitoring
& management
Recruiting and retention
Hiring
Teacher staffing
Non teacher staffing
allocation
Attendance support
Compensation &
benefits
Termination & retirement
Manage labour relations
Health & Safety
Supply Teachers
Develop IT strategy
Develop & deploy
applications
Netw ork and application
access management
Manage IT security
Data management
Records Management
Back up
Manage communication
system
Deploy non-IT
resources
Define parameters for
transportation service
Monitor consortium
relationship
Manage service delivery
LK
FI
RI
Monitoring & Reporting
outcomes
Instruction and Schools
Business Services
Facilities
ODA Compliance
Hum an Resources
Inform ation Tech & Com m .
Transportation to
Provincial school
Transportation
22
Legend:
LK - the likelihood (probability) of risk occurring based on the risk assessment findings after considering mitigating factors
FI - the financial impact to the school board should a risk materialize
Colour Legend:
Low Risk
RI - the reputational impact to the school board should a risk materialize
Medium Risk
% - Process risk assessment percentage based on the combined assessment of likelihood and impact
High Risk
%
Executing a risk assessment
Define Process
Universe
Create Risk
Framework
• To create a
framework for
assessing significant
real and potential
risks facing the DSB
across business
processes
Assess Process
Risk
Objective
• To identify the
DSB’s major
instructional and
supporting activities
Activities
• Conducted
• Leveraged internal
interviews, reviewed
and external risk
documentation and
knowledge based on
validated with
discussions, research
stakeholders
and prior experiences
• Assessed process risk
based on likelihood,
financial impact and
reputational
consequences
Deliverables
• DSB Process
Universe
• Risk-ranked DSB
Process Universe
• DSB Risk Framework
• To assess inherent risk
of each process
contained in the DSB’s
Process Universe in
order to focus internal
control documentation
23
Risk Assessment Results
District School Board Audit Universe
District School Board:
London District Catholic School Board
For the period:
September 1, 2009 to August 31, 2010
Entity Level Risk Ranking:
Medium
Process Level Risk Rating:
Process
LK
FI
RI
Plan and develop
programs
H
L
Special Education
L
Budget planning,
development & control
%
Process
LK
FI
RI
M 52.00%
Plan and provide
support services
L
M
H
H 66.50%
Special Education - High
Needs
H
M
H
H 89.67%
Management reporting
and analysis
Facility Procurement
L
H
M 60.28%
Facility requirement
forecasting/capital
planning
L
M
M 49.84%
ODA Compliance
L
M
H 60.17%
Recruiting and retention
M
M
Termination & retirement
M
Develop IT strategy
%
Process
LK
FI
RI
L 42.12%
Enrolment
H
M
M
M 74.34%
Coordinate Student
organizations & athletics
L
M
M
M 65.84%
Ministry reporting
Procurement & A/P
M
M
H 77.17%
EDC by law process
L
L
L 37.17%
Hiring
M
M
M 57.46%
Manage labour relations
L
L
L 24.83%
Back up
L
L
Define parameters for
transportation service
L
H
%
Process
LK
FI
RI
L 68.50%
Attendance
H
M
L
L 38.00%
Professional
Development
L
M
L
L 35.33%
Grant and non grant
revenue management
Purchasing Cards
H
M
L 68.00%
M 44.59%
Manage facility
operations
M
H
M
M 65.45%
Teacher staffing
H
H
L
H 72.83%
Health & Safety
Develop & deploy
applications
L
M
L 43.28%
M 49.67%
Manage communication
system
L
M
L 50.33%
Monitor consortium
relationship
M
M
%
Process
LK
FI
RI
%
Process
LK
FI
RI
M 72.60%
Managing instructional
day
L
M
M 48.96%
H
M 59.67%
Management of
Suspensions &
Expulsions
M
M
L 57.13%
M
M
M 53.72%
Fundraising
H
L
Expense Reporting
L
H
H 67.00%
Risk Management
L
L 59.45%
Repairs & Maintenance
H
H
H 86.17%
Custodial services
H
M 88.50%
Non teacher staffing
allocation
H
L
L 36.00%
L
M
M 51.62%
Supply Teachers
H
M
L 68.50%
Netw ork and application
access management
M
L
H 56.28%
Manage IT security
H
M
M 76.95%
L 34.95%
Deploy non-IT
resources
L
M
L 33.17%
M 57.34%
Manage service delivery
L
M
H 58.17%
Transportation to
Provincial school
L
L
H 49.83%
%
Monitoring & Reporting
outcomes
M
L
M 59.96%
H 72.40%
Treasury
H
M
M 65.00%
L
L 26.83%
Payroll
M
H
L 66.83%
L
M
M 49.84%
Construction monitoring
& management
L
L
L 33.75%
Attendance support
M
H
H 78.00%
Compensation &
benefits
M
L
L 39.17%
Data management
M
L
M 56.57%
Records Management
L
L
M 41.17%
Instruction and Schools
Business Services
Facilities
Hum an Resources
Inform ation Tech & Com m .
Transportation
24
Legend:
LK - the likelihood (probability) of risk occurring based on the risk assessment findings after considering mitigating factors
FI - the financial impact to the school board should a risk materialize
Colour Legend:
Low Risk
RI - the reputational impact to the school board should a risk materialize
Medium Risk
% - Process risk assessment percentage based on the combined assessment of likelihood and impact
High Risk
What to do with the Risk Assessment Results?
•
•
Internal Audit should focus efforts and resources on areas of highest
perceived risk
Process reviews of higher risk areas should be performed to:
– Identify and evaluate the internal controls currently in place within the DSB’s
current processes
– Find and remediate existing internal control gaps
– Promote the achievement of the DSB’s objectives by strengthening processes
and controls
25
Risk Management Techniques
Risk Management Techniques
Avoidance
Prevention or
modification
Eliminate a service or an activity it considers too risky.
Reduce the likelihood of a risk (and related losses) occurring, by changing the
activity so that internal controls reduce the probability of risk occurrence.
Mitigation
Accept the risk but lessen the impact of losses should they occur through
existing or additional internal controls.
Retention
Accept the risk (and its consequences) as is. Some risk is inherent in the
activities of your operation.
Transfer
(sharing)
Transfer either the actual risk or the financial consequences of a loss to
another party.
26
Leading risk management practices
•
•
•
•
•
•
•
•
•
Applying risk management to manage transformation issues
Aligning strategic planning with risk management
Focus on integration of risk management with existing business
process/initiatives
Integrating dispersed risk management roles through clear governance
structure
Developing key risk indicators to link risk management with
performance measurement
Performing controls reviews/audits to assess financial risks and controls
Performing operational reviews
Information technology risk assessments and reviews
Instilling “ethical”, open culture by promoting risk management and
enhancing linkage to incident reporting
Some risk management techniques exist in the absence of an internal control.
27
Discussion - Risk
1. In groups, select a business process within the organization that your
group members are familiar with.
2. Identify the most important risks impacting this area.
3. If these risks weren’t managed, assess the likelihood of risk occurrence
and significance to the organization.
28