Internal audit operating at the strategic level

Strategic collaboration

Auditing strategic risks

Audit plan alignment

Malcolm Zack – Director, Zack Associates Limited


Logos sourced from publicly available internet sources

Major retailer

Strategic risks are risks that affect or are created by an organization’s business strategy and strategic objectives – Deloitte, Exploring Strategic Risk: a global survey

So… what do we mean by strategic risk?

• Poor Business Decisions

• Poor Execution

• Inadequate resource allocation

• Not responding to changes in the environment

• Risks identified in the strategic plans

• Financial

• Economic environment

• Political risks

• People

Allianz Risk Barometer 2016
1. Business Interruption
2. Market (volatility, stagnation, competition)
3. Cyber incidents
4. Natural Catastrophes
5. Changes in Legislation
6. Macro economic changes
7. Loss of Reputation/Brand Value
8. Fire, Explosion
9. Political risks (war, terrorism)
10. Theft, fraud and corruption

Protiviti – Audit Committee Top Risks 2016
1. Regulatory Change/Scrutiny
2. Managing Cyber Threats
3. Economic conditions restrict growth
4. Succession and attracting talent
5. Privacy and information security
6. Resistance to change
7. Rapid speed of disruptive technology
8. Culture: impact on risk management
9. Volatility in global financial markets
10. Sustaining customer loyalty

KPMG Top Risk Management Issues 2016
1. Technology Risk Management
2. Third Party Risk Management
3. Fraud and Misconduct
4. Crisis Management
5. Data Security
6. Achieving Compliance
7. Risk Data – aggregation and Reporting

KPMG Top Risks for Internal Audit – Capital and Markets 2016
1. Increased regulatory expectations
2. Culture and conduct
3. Regulatory reporting
4. Stress testing
5. Model risk management
6. Cyber security
7. Third-party relationships/vendor management
8. Continuous risk assessment
9. Use of data analytics and continuous auditing
10. Internal audit talent recruitment and retention

Top sets of risks

• Differ from sector to sector

• Not all top risks are strategic

• Most appear operational, value preserving risks, i.e. they could threaten achievement of business objectives/strategy

• So should we focus on risks or objectives?!

Wartsila – Risk Management Report 2010

EXAMPLES….

Source: Global Advantage

• Achievement of the organization's strategic objectives.

• Reliability and integrity of financial and operational information.

• Effectiveness and efficiency of operations and programs.

• Safeguarding of assets.

• Compliance with laws, regulations, policies, procedures, and contracts.

• Organisation strategy should be a foundational element of plan

• Aligns IA with strategic priorities

• Helps allocate IA resources.

• Leverage management and other assurance providers

• Consider providing assurance

• Assess if strategic risks are being managed.

• Evaluate mitigation methods

• Opportunity to deliver advisory services that impact organisation evolution directly

• Assess skills and knowledge in team

• Consider other sources if necessary

Executives responsible for risk management in pursuit of strategic objectives

Strategic opportunities and threats drive creation of short and longer term strategic initiatives/investments to deliver value.

IIA standards - 2120 – 3 Internal audit coverage of risks to achieving strategic objectives.

IA provide assurance

IA skills

IA evaluates

IA focus on critical risks

IIA – Research Foundation

• More involved with strategic initiatives – Better connected

• Become business partner/risk advisor

• Greater value when involved early on in initiative

• Link ERM to strategic thinking

• IA Gains knowledge and insight

• Skills include strategic planning and consulting

• Increase demand for advisory work, reality checks

• Balance assurance and advising management

The reasons and benefits for internal auditing are clear… but how do you go about getting your team involved?

Risk (what could happen?) | Risk Factors (what contributes to the risk?) | Impact (what outcomes if the risk is realised?) | Business Objectives affected | Key Controls | Assurance/audits

Risk that….. | a.. b.. c.. | Xxxxxx, yyyy | Growth, Customer Experience | Mgt.. Review.. | High level view of audit area

Risk – Operational Excellence

Risk – Growth, Customers, Shareholder value

Risk – Operational Excellence

Strategic, Financial, Operational, Regulatory

Link strategic risks to the business objectives most impacted and identify sources of assurance and audit potential.

Helps the board/audit committee understand where assurance over key strategic risks comes from and any gaps

Risk and Opportunity Matrix

Risk

Opportunity – how much is business moved forward?

Top Strategic projects Significant change New products/businesses “pushing the envelope”

Projects/initiatives providing high benefit to the business but lower risk, e.g. rolling out new stores/locations

Complex operational areas. E.g. BCP, IT Security, Treasury

Map audit plan candidates……

[Audit functions] “often fail to provide assurance on strategy creation and execution, management's value creation work”. – “Why firms should audit strategic risk” – Business Week July 2010

Important areas needing some audit review but less frequent

So what could internal audit do?

Sales Development

New Products

Going into new markets

Diversification

New locations

Expansion/Merger/takeover/demerger

Transformation Programmes

Reviewing the strategic plan itself

• Risk assessment assumptions and drivers, information obtained, scenario planning and stress testing, softer areas (strong personalities and commitment), alternatives rejected

Major Systems

Strategic Programme Office

Benefits Realisation

1 | Sales Structure Reviews | Market Growth
2 | Service Improvement | Market Growth
3 | Telesales alignment | Market Growth
4 | Leadership | Market Growth
5 | Development/Pipeline | Market Growth
6 | RCEO coaching | Market Growth/Market Share Gain
7 | Customer Service alignment | Market Growth
8 | HR KPI Delivery | All
9 | People capability | Market Share Gain/Specialist Growth
10 | Regional Structure reviews | Market Share Gain
11 | Competitive/aligned reward & recognition | Market Share Gain
12 | Driver/Telesales/Sales Alignment | Market Share Gain
13 | Aligned with UK policies and practices | Specialist Growth
14 | Develop and support senior team | Specialist Growth
15 | Continuous Evaluation of organisation | Cost Reduction
16 | Performance management | Cost Reduction
17 | Continuous improvement focus | Cost Reduction
18 | Head count monitoring | Cost Reduction
19 | Management information integrity | Acquisitions
20 | Communication platform/tools | Acquisitions
21 | External framework in place | Acquisitions
22 | Corporate Governance | Acquisitions
23 | HRBPs prepared | Acquisitions

• Where I have succeeded more

• Focusing audit team capabilities on initiatives that are important/critical to achieving the strategic goals, e.g. major projects, transformations, significant acquisitions.

• “why isn’t IA on this call?”

• Attempts to review the strategy itself –

• Helping management pull out risks with the strategy and risks arising because of the strategy that has been agreed has added more value.

PLANNING RISK < EXECUTION RISK

Are YOU strategic enough?

A place to start your thinking……

• What is your Internal Audit Strategy for the next 3-5 years?

• Where is it now, where does it need to go, and how will it get there?

• How often do you review it?

• And… what are the risks to your strategy?

• Involve your Audit Committee….

Work on strategic initiatives

Well connected

Recognised business partner/risk advisor

Involved early

Linked ERM to strategic thinking

IA sought for knowledge and insight

Strategic Skills

Demand for advisory work

Balanced assurance and advising management

Development route for management

Obstacles and assumptions

View of IA capability

It's difficult

It's “confidential”

Where do you start?

Strategic risk is just a category like the others… but projects do lend themselves.

Needs a different approach to auditing and reporting

More advisory than assurance

More upfront and ongoing involvement and challenge

Dynamic reporting

Needs audit team to be able to think strategically and have commercial understanding

Look at the backgrounds – do you have the right mix?

Internal Audit and Strategic Risk

Strategic collaboration - Essential

Auditing strategic risks – Be selective

Audit plan alignment – back to basics

But…….


Remember

• Which business objectives are impacted by or benefit from the results of your audit work?

• Link findings from audits back to the top risks and business objectives.

• Achievement of the organization's strategic objectives.

• Reliability and integrity of financial and operational information.

• Effectiveness and efficiency of operations and programs.

• Safeguarding of assets.

• Compliance with laws, regulations, policies, procedures, and contracts.

IA evaluates

Remember to kick the tyres……

We still have to kick the tyres

If the tyre’s flat, your strategy is going nowhere…