Copyright © 2010, SAS Institute Inc. All rights reserved. 1
Company Confidential - For Internal Use Only
Copyright © 2010, SAS Institute Inc. All rights reserved.
Applying Lessons from the Financial Services Industry in Tax Administrations
Governance, Risk and Compliance
Allan Russell, SAS Fellow, Head of EMEA Risk Centre of Excellence
Basel 2 Advanced Measurement Approach
According to section 664 of the original Basel II Accord, in order to qualify for use of the AMA a bank must satisfy its supervisor that, at a minimum:
» Its board of directors and senior management, as appropriate, are actively involved in the oversight of the operational risk management framework;
» It has an operational risk management system that is conceptually sound and is implemented with integrity; and
» It has sufficient resources in the use of the approach in the major business lines as well as the control and audit areas.
Topics for Today
Challenges
Definitions
What is Risk – some common traps
Methodology
Managing Risk
Challenges in Risk Management Today
Complex world
Many vectors for risk
New types of risk emerging
Threats changing and evolving
Tighter budget control
Overlaps across many areas of responsibility
Governance-Risk-Compliance
(Diagram: three overlapping areas, Governance, Risk and Compliance, and the functions that own them: Internal Auditors, Risk Managers and Compliance Officers)
Challenges in Risk Management Today
How to ensure a common understanding ?
How to ensure costs are appropriate ?
How to take a proactive approach ?
Some Definitions
What is a Risk ?
An undesirable incident/ event (e.g., fraud, system failure, etc.)
A measure of exposure to loss from undesirable incidents/events
Adapted from “A New Approach for Managing Operational Risk” prepared by OpRisk Advisory and Towers Perrin.
Some Definitions
Examples of Types of Risks and Causes
Underpayment
» Internal Fraud
» External Fraud
» Process Error
Overpayment
» Process Error
Reputation
» Bad case handling
Political
» Poor Policy implementation
» Budget Overrun
Some Definitions
Mitigant
A Control
A Policy
Insurance
A Key Risk Indicator (KRI)
A leading indicator that risk events (crystallisation) may increase
Audit
A way of testing controls for effectiveness
Continuous Audit – Audits launched as a result of continuous monitoring of, for example, a KRI
Some Definitions
Risk Appetite
In theory risks can be almost eliminated – but at what cost ?
How much risk of a particular type can we tolerate ?
How much will we spend (financial and other costs) to mitigate ?
Scenario
What if ?
» Series of Events
Need to understand causes and effects
» Internally Generated
» News and Gossip
» Data Driven
Some Common Traps
What is not effective Risk Management ?
A Focus on specific threats
A Focus on individual controls
These are interesting topics but ...
Threats change very quickly – are you chasing your own tail ?
Missing the overall picture leads to ...
... imbalance in spending
... exposure to less “popular” risks
... overall increased costs
Explicit statement of Risk Appetite used to drive behaviour throughout the organisation
Methodology: OpRisk Management Frameworks (approach A vs approach B)
Definition of Risk
» A: An undesirable incident/event (e.g., fraud, system failure, etc.)
» B: A measure of exposure to loss from undesirable incidents/events
Risk Identification
» A: Ask managers to identify their major risks
» B: Define risk “universe” and use data
Risk Measurement Method
» A: Risk Exposure = Likelihood x Impact for each risk type, one risk at a time
» B: Frequency and Severity distributions to calculate the cumulative loss potential from multiple events
Adapted from “A New Approach for Managing Operational Risk” prepared by OpRisk Advisory and Towers Perrin.
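To make the difference between the two measurement methods concrete, here is an added example (not from the deck and not SAS software) that computes approach A's Likelihood x Impact sum beside approach B's simulated cumulative loss distribution for a small constructed register of the risk types named earlier; the event rates and lognormal severity parameters are assumptions.

```python
# Added example (not from the deck or from SAS software): approach A
# (Likelihood x Impact, one risk at a time) beside approach B (frequency and
# severity distributions aggregated into a cumulative loss distribution).
# The register is constructed: rates and severity parameters are assumptions.
import math
import random

# (risk type, expected events per year, lognormal mu and sigma of loss per event)
RISK_REGISTER = [
    ("Internal Fraud (underpayment)", 2.0, math.log(20_000), 1.2),
    ("External Fraud (underpayment)", 12.0, math.log(5_000), 1.0),
    ("Process Error (underpayment)", 30.0, math.log(1_500), 0.8),
    ("Process Error (overpayment)", 20.0, math.log(2_500), 0.9),
]

def mean_severity(mu, sigma):
    """Expected loss per event for a lognormal(mu, sigma) severity."""
    return math.exp(mu + sigma ** 2 / 2)

def approach_a(register):
    """Likelihood x Impact per risk type, then a plain sum: an expected annual
    loss with no information about how bad a bad year can be."""
    per_risk = {name: lam * mean_severity(mu, s) for name, lam, mu, s in register}
    return per_risk, sum(per_risk.values())

def poisson(rng, lam):
    """Draw an event count from Poisson(lam) (Knuth's multiplication method)."""
    limit, count, product = math.exp(-lam), 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1

def approach_b(register, years=10_000, seed=2010):
    """Simulate `years` of losses across all risk types together and summarise
    the cumulative loss distribution: its mean and its 99th percentile."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        total = 0.0
        for _name, lam, mu, sigma in register:
            for _ in range(poisson(rng, lam)):
                total += rng.lognormvariate(mu, sigma)
        annual.append(total)
    annual.sort()
    return {"mean": sum(annual) / years, "p99": annual[int(0.99 * years) - 1]}
```

The simulated mean agrees with approach A's sum, but only approach B yields the 99th percentile, which is the figure to set against a stated Risk Appetite.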
Building the Risk Management Framework
Multi-dimensional framework
» Out-of-box dimensions to capture common reference data (e.g. Organization structure, Processes, Products etc.)
» Auxiliary dimensions to extend reference data capabilities
Dimensional Mappings
» Define mappings between any dimensions
» Mappings facilitate data capturing and reporting
Financial Information
» Insurance policies
» Exchange rates
Alignment with business changes
» Split and Merge capabilities to align OpRisk environment with business changes (e.g. M&A, business restructuring)
Elements of an Enterprise Risk Management System
(Diagram: the EGRC Repository at the centre, surrounded by the following components)
» Risk & Control Assessment
» Incident Management
» GRC Indicators
» Policy Management
» Scenarios
» Remediation Management (Issues & Action Plans)
» Audit Management
» Control Testing
» Integration, Continuous Monitoring/Auditing, CAATs
» Operational Systems & Other GRC Applications
» Dashboard & Reporting
» Alerts & Escalation
» Corporate Performance Management Systems
» Risk Analytics & Modelling
» External Loss Data
» External GRC Content Providers + Consortiums
» Reference Data & Libraries
Reference Data and Libraries
Example – Regulation to Process Mapping
Risk and Control Assessment (RCSA)
Define a library of compliance risks
Define a library of compliance-related controls
Map compliance risks to compliance controls.
Periodically assess compliance risks and controls to identify weaknesses in the compliance environment.
Identify key compliance risks and controls to enable compliance teams to prioritize their efforts and resources.
Map compliance risks and controls to reference data and library elements such as processes, regulations, etc.
The RCSA module enables compliance teams to analyze future compliance risk exposures.
Mappings
Example – Map Compliance Risks and Controls to Processes
Example – Map Compliance Risks and Controls to Regulations
Incident Management
Event details
Financial effect details
Recovery details
Controls that failed and resulted in the compliance incident
One or more causes of the incident
Regulatory actions and fines
Regulatory issues and warnings
Incident management provides a historic view of the compliance environment.
Consolidated Profile of the Compliance Environment
Example – Capture incidents (historic view) related to compliance risks (future exposure)
GRC Indicators and Continuous Monitoring
Enables compliance teams to define and monitor one or more indicators
Can provide early warning of potential weak spots and provide adequate time to address these before they escalate into damaging compliance breaches and incidents
Enables compliance teams to proactively manage the compliance environment and demonstrate business benefits to various stakeholders by mitigating financial or reputational damage through early, preventative action
GRC Indicators and Continuous Monitoring
Extract data from one or more operational systems to derive the values of compliance indicators.
Define business rules associated with various levels of escalation.
Schedule the frequency of business rules execution (e.g., daily or weekly).
Define escalation actions (e.g., e-mail alerts, automatically create a new issue or update assessment scores for compliance risks or controls).
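The four steps above, worked through for one indicator as an added example (not from the deck and not SAS software): the refund case records, the indicator, the thresholds and the action names are all constructed assumptions, and scheduling is left to whatever job scheduler calls the cycle.

```python
# Added example (not from the deck or from SAS software): one monitoring cycle
# for a compliance indicator: derive it from operational data, apply business
# rules for escalation levels, and emit escalation actions. Scheduling
# (daily/weekly) is done by the job scheduler that calls run_cycle().
# All records, thresholds and action names are constructed for illustration.

# Constructed extract from a case-handling system: one record per refund paid,
# and whether the mandatory second-officer approval was recorded for it.
CASE_RECORDS = [
    {"case_id": "C-1001", "amount": 4200, "second_approval": True},
    {"case_id": "C-1002", "amount": 800, "second_approval": False},
    {"case_id": "C-1003", "amount": 2500, "second_approval": True},
    {"case_id": "C-1004", "amount": 9900, "second_approval": False},
    {"case_id": "C-1005", "amount": 150, "second_approval": True},
    {"case_id": "C-1006", "amount": 3100, "second_approval": True},
    {"case_id": "C-1007", "amount": 1200, "second_approval": True},
    {"case_id": "C-1008", "amount": 7600, "second_approval": False},
]

# Business rules: escalation levels checked from most to least severe, each with
# the kinds of action the slide lists (alerts, issue creation, score update).
ESCALATION_RULES = [
    (0.20, "red", ["alert:head_of_compliance", "create_issue", "update_control_score"]),
    (0.10, "amber", ["alert:compliance_team"]),
]

def unapproved_refund_rate(records, amount_threshold):
    """KRI: share of refunds at or above amount_threshold paid without second
    approval. Returns 0.0 when nothing is in scope, so an empty extract is
    not mistaken for a breach."""
    in_scope = [r for r in records if r["amount"] >= amount_threshold]
    if not in_scope:
        return 0.0, []
    breaches = [r["case_id"] for r in in_scope if not r["second_approval"]]
    return len(breaches) / len(in_scope), breaches

def escalation_level(value, rules):
    """Map an indicator value to the first rule whose threshold it reaches."""
    for threshold, level, actions in rules:
        if value >= threshold:
            return level, actions
    return "green", []

def run_cycle(records, amount_threshold=1000, rules=ESCALATION_RULES):
    """One scheduled run: compute the KRI, evaluate the rules, emit actions."""
    value, breaches = unapproved_refund_rate(records, amount_threshold)
    level, actions = escalation_level(value, rules)
    issue = None
    if "create_issue" in actions:
        # The issue carries the evidence so the remediation owner can act on it.
        issue = {"indicator": "unapproved_refund_rate", "value": round(value, 3),
                 "level": level, "cases": breaches}
    return {"value": value, "level": level, "actions": actions, "issue": issue}
```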
Indicators Related to Compliance Risks
Example - Monitor Compliance Indicators Related to Risks
Policy Management
Enables compliance teams to define and manage the complete life cycle of all policies across the organization
Ability to link policies to related business processes, risks and controls
Example – Mapping of Policies
Control Testing
Periodically review controls for adequacy and effectiveness
Control tests are critical for complying with regulations and standards
Controls can be tested either manually or through automated business rules
Customizable UI screens and workflow for control tests
Certify the controls
Control Testing
Example – Control Tests for Compliance Controls
Issues and Action Plans
Document issues and action plans to remediate the issues
Ability to link issues and action plans to the relevant items
Customizable UI screens and workflow for approving issues and action plans
Issues and Action Plans
Example – Mapping of Issues and Action Plans with Compliance Indicator and Regulation
Reporting and Dashboards
Reports can be:
» Scheduled (daily, weekly, etc.)
» Produced on an ad hoc basis
» Enriched using an extensive set of visualization tools such as WRS, BI Dashboard
Provides a Microsoft Office add-in
Reporting and Dashboards
Example – Compliance Dashboard
Sample Dashboard View
Sample Trend Analysis
Sample Heatmap (by frequency and severity)
Scenarios
Assess the potential extent and impact of future risk events
Define and manage scenario templates
A bucketed scenario template asks for the expected frequency of losses for multiple severity ranges
A rare event scenario is intended to capture information about how often an extreme event happens, and what the expected impact range is.
Define and manage distribution of scenario questionnaires
Customizable approval workflow
Audit Management
Define and manage audit missions
Customizable UI screens and workflow for audit missions
Calendar view of audit missions
Perform audit tests, similar to the control testing workflow
Capture audit findings/audit points
Follow-up mitigating actions
Benefits of an Enterprise Wide Risk Management Program
A consistent approach to recognising and managing risks
Set cost of Risk mitigation in the context of the Risk Appetite
Common Understanding across multiple organisational entities – area (Corporate/Personal) or functional (Audit/Risk and Compliance)
Clear understanding of reasons for and effectiveness of Policies
Ability to respond to emerging threats in an appropriate way
Benefits of an Enterprise Wide Risk Management Program
Ability to be proactive
» Scenarios and Control Tests
Ability to be effective
» Test what's necessary and only that – no wasted effort