
Your risk, control and governance advisor.

White paper

“The chief audit executive should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts.”

IIA Assurance Maps Practice Advisory 2050-2

A Global approach to Risk and Control (GRC)

This article proposes a Global Risk and Control (GRC) model, which moves away from a silo approach toward a holistic view of risk and control across the organisation. Organisations able to effectively align risk management, control and compliance initiatives with their strategic objectives can reduce their risks and make more valuable decisions regarding their strategy.

Corporate boards, CEOs, CFOs and other members of the senior leadership team are facing unprecedented levels of business complexity, changing geopolitical threats, new legislation and regulations, and increasing shareholder demands. Achieving maximum performance and ensuring full conformance in today’s complex environment require organisations more than ever to combine risk, control and compliance management in a single view. The present crisis illustrates that organisations had insufficiently integrated risk management and internal control into their business management. While oversight requirements have grown significantly over the years, boards and audit committees repeatedly receive different reports with dissimilar views on risks from their stakeholders: executive management, risk and control functions, and audit.

The established defence lines

A set of common control, risk and compliance activities is executed across business units and control functions, and these activities are organised as defence lines. The primary goal is to organise these functions within the organisation to strengthen its defence.

Within the inner circle, the first line of defence, the staff applies the policies and procedures issued by management to ensure the regularity, security and validity of the operations. The internal control mechanisms are an essential component of the successful direction and control of the organisation. Senior executive management should focus on creating organisational transparency by defining the mechanisms an organisation uses to ensure that its constituents follow established processes and policies.

The second line of defence is composed of those functions responsible for an area of control expertise.

Internal control is a process performed to provide reasonable assurance regarding the achievement of objectives in the following areas:

• Effectiveness of operations and efficient use of resources;
• Reliability of financial and operational reporting;
• Compliance with applicable laws, regulations and internal policies.

Risk management brings a comprehensive, systematic approach for helping the organisation identify events and respond to the risks challenging its most critical objectives and related projects, initiatives and day-to-day operating practices. Risk management deals with determining the organisation’s risk appetite, and then identifying and mitigating risks to appropriately balance the risk portfolio.

Compliance is the set of practices that deals with adhering to mandated requirements such as laws and regulations, and to voluntary requirements resulting from standards, policies, procedures and contractual arrangements. The legal and compliance departments play a major role in protecting the organisation against the risk of non-compliance.

Resilience ensures ongoing business continuity, while security ensures the confidentiality, integrity and availability of the operations, the systems and the information.

Quality management has the responsibility to establish a Quality Management System (QMS) based on an operational framework, composed of processes and procedures, compliant with the ISO standards.

The third line of defence consists of the audit and assurance functions, which are performed by internal audit, external audit and the regulators. Internal audit provides reasonable assurance that the controls required to mitigate risks are effectively designed and operated. Internal audit should report to the highest level within the organisation to strengthen its objectivity and confirm its independence. A close and continuous link should be established with the Audit Committee.

Risk, control and reporting fragmentation

The multiplication of internal control actors increases complexity, creates duplication of effort and may reduce the effectiveness of internal control. At a given moment, the key players may be confident that someone else takes care of a specific risk or control, without investing the required level of expertise to mitigate the risks. Consequently, the control, risk and compliance activities should be coordinated.

Organisational fragmentation: As different policies, risk events and measurements are defined, the organisation ends up with different policies, duplication of effort, difficulty in predicting risk, and a lack of transparency.

Information fragmentation: Local process implementation and the optimisation of specific solutions further isolate information within systems, resulting in a lack of information integrity and a limited integrated view of enterprise risks.


Entity fragmentation: Policies and risks are generally defined and measured at the local level, without proper consideration of their impact on the global, multinational, national or regional decision-making levels. The interdependencies of the risks associated with the multitude of jurisdictions, countries and markets are usually not considered.

Initiative fragmentation: The multiplication of the risk and control key players within the organisation increases the number of separate and uncoordinated initiatives concerning financial reporting, security issues, information privacy, record retention, business regulations, environmental standards, occupational safety, etc.

Each player develops analogous risk and control models customised to its specific needs and reporting axes. Organisations finally end up with several similar approaches delivering management reports with diverse or even conflicting recommendations. Like in Babylon, management and board members get confused by these different risk languages.

The integrated GRC model as a solution

GRC is a system of people, processes and technology that enables an organisation to:

• Understand and prioritise stakeholder expectations;
• Set business objectives congruent with the risks;
• Operate within internal, social, ethical, legal and contractual boundaries;
• Provide relevant, reliable, transparent and timely information to the stakeholders;
• Enable the measurement of the performance and the conformance of the organisation.

The GRC model consists of several interrelated components:

• The model starts with the identification and description of the business universe. The organisation’s main products and services, customer groups and distribution channels are defined. The major business processes, representing the core value-chain processes and the support processes, are described. Finally, the strategic objectives are established.

• The foundation of the GRC model is the set of risk and control categories, also called the assurance map. It lists universally accepted risks and controls which serve as the base for establishing the organisation’s own risks and controls. Risk categories are those universally accepted risks which are critical to the organisation’s business objectives; for these risks, impact and likelihood are estimated. The universally accepted controls used to mitigate the risk categories are defined as control categories.

• Risk management identifies, analyses, evaluates and mitigates risk by applying the risk categories to the business universe. Risk and control self-assessment may be performed at management level to identify the key risks. An event database keeps track of all risk events which have occurred within the organisation. The monitoring and review of risk management generate improvement actions which are integrated into the action plan.

• Internal control management applies the control categories to the specific business processes to manage the process risks identified above. Adequate control activities are designed and implemented. The assessment of the design and operating effectiveness of these implemented controls results in corrective and improvement actions, which are also integrated into the global action plan.

• The audit department uses the risk and control categories to build up the audit plan. The different audit assignments independently assess the adequacy and effectiveness of the implemented controls in mitigating the identified risks. An audit opinion is rendered and recommendations are formulated. The accepted actions are included in the global action plan.

Subsequently, the GRC action plan contains the whole set of actions which correct and enhance the global risk and control management within the organisation. Appropriate action selection, prioritisation and follow-up are required to ensure that the actions contributing most to the improvement of the control and risk environment are executed first.

Implementing the GRC model

A set of requirements conditions the successful implementation of the GRC model:

• Support of top management, which is directly interested in the benefits of a global risk and control approach;
• Cooperation between the different management, control, risk and audit functions within the organisation;
• A definition of the business universe consisting of the strategic objectives, the definition of the business products/services, and the description of the enterprise business model in terms of core and support processes;
• A stepwise implementation ensuring a phased roll-out of the model;
• Adequate project management to attain the defined goals.

“The board will use multiple sources to gain reliable assurance. Assurance from management is fundamental and should be complemented by the provision of objective assurance from internal audit and other third parties”

IIA Assurance Maps Practice Advisory 2050-2

Integration does not mean unification. Integration means applying a common vocabulary, approach and infrastructure to the GRC processes. All the risk, control and assurance functions update a common information system, the GRC repository, while keeping their unique contribution. The GRC repository is key to coordinated and holistic risk and control management and reporting.

Key roles and accountabilities

The board has oversight of the GRC system and should:

• Set business objectives and ensure they are congruent with values and risks;
• Be knowledgeable about the design and operation of the GRC model;
• Obtain regular assurance that the system is effective.

Management must undertake the implementation and follow-up of the GRC system:

• Design, implement and operate an efficient GRC system;
• Communicate transparently with stakeholders about the GRC system’s efficiency;
• Evaluate and optimise the effectiveness and efficiency of the GRC system.

Audit should provide assurance to the board and management that:

• Risks are appropriately identified, evaluated, managed and monitored;
• The GRC system is effectively designed to mitigate risks;
• The GRC system is operating effectively;
• The other risk and assurance providers are functioning effectively.

As a best practice, a GRC steering committee is set up to manage the GRC global structure and to coordinate the different key players.

Impact of the GRC model

The Global Risk and Control approach impacts the organisation and implies good coordination through:

• The integration of the GRC disciplines, which act as a backbone for the management of enterprise risks and controls;
• The integration of the GRC activities, ensuring common action to achieve the strategic objectives;
• The GRC integration with the business, by aligning the risk and control activities on common business processes;
• The distribution of adequate GRC information to all levels of the organisation;
• The adjustment of the mechanism to the exposed risks, the costs of the controls and the size of the organisation.

Benefits of the GRC model

GRC brings multiple benefits to the organisation:

• Reduced costs as redundant activities are streamlined;
• Reduced impact of risk events due to the global risk and control approach;
• More effective improvement actions through an integrated and coordinated risk and control action plan;
• Optimised competencies and scarce resources;
• Increased quality of risk-based information for strategic planning;
• Enhanced board and management trust resulting from integrated oversight and reporting on risks and controls, increasing stakeholders’ confidence.

Monique Garsoux, Board member IIA Belgium

Patrick Soenen, Qualified Audit Partners

“Organizations will benefit from a streamlined approach, which ensures the information is available to management about the risks they face and how the risks are being addressed. The mapping is done across the organization to understand where the overall risk and assurance roles and accountabilities reside. The aim is to ensure that there is a comprehensive risk and assurance process with no duplicated effort or potential gaps”.

IIA Assurance Maps Practice Advisory 2050-2