Your risk, control and
governance advisor.
White paper
“The chief audit executive should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts.”
IIA Assurance Maps Practice Advisory 2050-2
A Global approach to Risk and Control (GRC)
This article proposes a Global Risk and Control (GRC) model, which moves away from a silo approach toward a holistic view of risk and control across the organisation. Organisations that are able to align their risk management, control and compliance initiatives with their strategic objectives can reduce their risks and make better-informed decisions about their strategy.
Corporate boards, CEOs, CFOs and other members of the senior leadership team are facing unprecedented levels of business complexity, changing geopolitical threats, new legislation and regulations, and increasing shareholder demands. Achieving maximum performance and ensuring full conformance in today’s complex environment require organisations, more than ever, to combine risk, control and compliance management in a single view. The present crisis illustrates that organisations have not sufficiently integrated risk management and internal control into their business management. While oversight requirements have grown significantly over the years, boards and audit committees repeatedly receive different reports, with dissimilar views on risks, from their stakeholders: executive management, risk and control functions, and audit.
The established defence lines
A set of common control, risk and compliance activities is executed across business units and control functions, organised as lines of defence. The primary goal is to arrange these functions within the organisation so that they strengthen its defence.
Within the inner circle, the first line of defence, staff apply the policies and procedures issued by management to ensure the regularity, security and validity of operations. Internal control mechanisms are an essential component of the successful direction and control of the organisation. Senior executive management should focus on creating organisational transparency by defining the mechanisms the organisation uses to ensure that its constituents follow established processes and policies.
The second line of defence is composed of the functions responsible for an area of control expertise.
Internal control is a process performed to provide reasonable assurance regarding the achievement of objectives in the following areas:
• Effectiveness of operations and efficient use of resources;
• Reliability of financial and operational reporting;
• Compliance with applicable laws, regulations and internal policies.
Risk management brings a comprehensive,
systematic approach for helping the
organisation identify events and respond to
the risks challenging its most critical
objectives and related projects, initiatives,
and day-to-day operating practices. Risk
management deals with determining the
organisation’s risk appetite, and then
identifying and mitigating risks to
appropriately balance the risk
portfolio.
Compliance is the set of practices that deals with adhering to mandated requirements, such as laws and regulations, and to voluntary requirements resulting from standards, policies, procedures and contractual arrangements. The legal and compliance departments play a major role in protecting the organisation against the risk of non-compliance.
Resilience ensures ongoing business continuity, while security ensures the confidentiality, integrity and availability of operations, systems and information.
Quality management has the responsibility
to establish a Quality Management System
(QMS) based on an operational framework,
composed of processes and procedures,
compliant with the ISO standards.
The third line of defence consists of the audit and assurance functions performed by internal audit, external audit and the regulators. Internal audit provides reasonable assurance that the controls required to mitigate risks are effectively designed and operated. Internal audit should report to the highest level within the organisation to strengthen its objectivity and confirm its independence. A close and continuous link should be established with the Audit Committee.
Risk, control and reporting fragmentation
The multiplication of internal control actors increases complexity, creates duplication of effort and may reduce the effectiveness of internal control. At any given moment, each key player may be confident that someone else is taking care of a specific risk or control, so that nobody invests the level of expertise required to mitigate the risk. Consequently, the control, risk and compliance activities should be coordinated.
Organisational fragmentation: As each actor defines its own policies, risk events and measurements, the organisation ends up with different policies, duplication of effort, difficulty in predicting risk, and a lack of transparency.
Information fragmentation: Local process implementation and the optimisation of specific solutions further isolate information within systems, resulting in a lack of information integrity and a limited integrated view of enterprise risks.
Entity fragmentation: Policies and risks are
generally defined and measured at the local
level, without proper consideration of their
impact on the global, multinational,
national, or regional decision making levels.
The interdependencies of the risks
associated with the multitude of
jurisdictions, countries, and markets are
usually not considered.
Initiative fragmentation: The multiplication of risk and control key players within the organisation increases the number of separate, uncoordinated initiatives concerning financial reporting, security issues, information privacy, record retention, business regulations, environmental standards, occupational safety, etc.
Each player develops analogous risk and control models customised to its specific needs and reporting axes. Organisations end up with several similar approaches, each delivering its own management reports and providing diverse or even conflicting recommendations. As at the Tower of Babel, management and board members are confused by these different risk languages.
The integrated GRC model as a solution
GRC is a system of people, processes and
technology that enables an organisation to:
• Understand and prioritise
stakeholder expectations;
• Set business objectives congruent
with the risks;
• Operate within internal, social,
ethical, legal and contractual
boundaries;
• Provide relevant, reliable,
transparent and timely information
to the stakeholders;
• Enable the measurement of the
performance and the conformance
of the organisation.
The GRC model consists of several
interrelated components:
• The model starts with the identification and description of the business universe. The organisation’s main products and services, customer groups and distribution channels are defined. The major business processes, representing the core value-chain processes and the support processes, are mapped. Finally, the strategic objectives are established.
• The foundation of the GRC model is a set of risk and control categories, also called the assurance map. It lists universally accepted risks and controls, which serve as the base for establishing the organisation’s own risks and controls. Risk categories are those universally accepted risks which are critical to the organisation’s business objectives; for each of them, impact and likelihood are estimated. The universally accepted controls used to mitigate the risk categories are defined as control categories.
• Risk management identifies, analyses, evaluates and mitigates risk by applying the risk categories to the business universe. Risk and control self-assessment may be performed at management level to identify the key risks. An event database keeps track of all risk events that have occurred within the organisation. Monitoring and review of risk management generate improvement actions, which are integrated into the action plan.
• Internal control management applies the control categories to the specific business processes to manage the process risks identified above. Adequate control activities are designed and implemented. The assessment of the design and operating effectiveness of these controls results in corrective and improvement actions, which are also integrated into the global action plan.
• The audit department uses the risk and control categories to build the audit plan. The different audit assignments independently assess the adequacy and effectiveness of the implemented controls in mitigating the identified risks. An audit opinion is rendered and recommendations are formulated. The accepted actions are included in the global action plan.
The GRC action plan thus contains the complete set of actions that correct and enhance global risk and control management within the organisation. Appropriate selection, prioritisation and follow-up of actions are required to ensure that the actions contributing most to the improvement of the control and risk environment are executed first.
Implementing the GRC model
The successful implementation of the GRC model depends on a set of requirements:
• Support from top management, which has a direct interest in the benefits of a global risk and control approach;
• Cooperation between the different management, control, risk and audit functions within the organisation;
• A definition of the business universe consisting of the strategic objectives, the definition of the business products/services, and the description of the enterprise business model in terms of core and support processes;
• A stepwise implementation ensuring a phased roll-out of the model;
• Adequate project management to attain the defined goals.
“The board will use multiple sources to gain reliable assurance. Assurance from management is fundamental and should be complemented by the provision of objective assurance from internal audit and other third parties”
IIA Assurance Maps Practice Advisory 2050-2
Integration does not mean unification. Integration means applying a common vocabulary, approach and infrastructure to the GRC processes. All the risk, control and assurance functions update a common information system, the GRC repository, while each keeps its unique contribution. The GRC repository is key to coordinated and holistic risk and control management and reporting.
Key roles and accountabilities
The board oversees the GRC system and should:
• Set business objectives and ensure they are congruent with values and risks;
• Be knowledgeable about the design and operation of the GRC model;
• Obtain regular assurance that the system is effective.
Management must undertake the implementation and follow-up of the GRC system, and should:
• Design, implement and operate an efficient GRC system;
• Communicate transparently with stakeholders about the GRC system’s efficiency;
• Evaluate and optimise the effectiveness and efficiency of the GRC system.
Audit should provide assurance to the board and management that:
• Risks are appropriately identified, evaluated, managed and monitored;
• The GRC system is effectively designed to mitigate risks;
• The GRC system is operating effectively;
• The other risk and assurance providers are functioning effectively.
As a best practice, a GRC steering committee
is set up to manage the GRC global structure
and to coordinate the different key players.
Impact of the GRC model
The Global Risk and Control approach impacts the organisation and requires good coordination through:
• The integration of the GRC disciplines, which act as a backbone for the management of enterprise risks and controls;
• The integration of the GRC activities, ensuring common action to achieve the strategic objectives;
• The integration of GRC with the business, by aligning the risk and control activities on common business processes;
• The distribution of adequate GRC information to all levels of the organisation;
• The adjustment of the mechanisms to the risks faced, the cost of the controls and the size of the organisation.
Benefits of the GRC model
GRC brings multiple benefits to the
organisation:
• Reducing costs as redundant activities
are streamlined;
• Reducing the impact of risk events due
to the global risk and control approach;
• More effective improvement action
through an integrated and coordinated
risk and control action plan;
• Optimising competencies and scarce
resources;
• Increased quality of risk based
information for strategic planning;
• Enhanced board and management trust resulting from integrated oversight and reporting on risks and controls, increasing stakeholders’ confidence.
Monique Garsoux, Board member IIA Belgium
Patrick Soenen, Qualified Audit Partners
“Organizations will benefit from a streamlined approach, which ensures the information is available to management about the risks they face and how the risks are being addressed. The mapping is done across the organization to understand where the overall risk and assurance roles and accountabilities reside. The aim is to ensure that there is a comprehensive risk and assurance process with no duplicated effort or potential gaps.”
IIA Assurance Maps Practice Advisory 2050-2