ISO Internal Auditors Workshop_Final Version

Post on 17-Jan-2017


Internal Auditors’ Workshop

“Audits as a Risk Management Tool”

A Presentation by Duncan O. Ogutu – Chief Risk Officer


Your name;

Department/Function/Process and role; and

Expectations from the workshop


Highly interactive session;

Global thinking with local application; and


Vision: To be the market leader in the provision of reliable, safe, quality and competitively priced electric energy in the Eastern Africa region (+3000MW by 2018).

Strategic pillars (figure, reconstructed as a list):

Capital Planning and Execution (CP1 to CP3): Effective delivery of current projects; Geothermal expansion; Capital planning and execution processes.

Regulatory Management (RG1 to RG3): Improve single buyer model; Steer deregulation process; Build a regulatory structure in KenGen's organisation.

Operational Excellence (OP1 to OP3): Reduce operational and overhead costs; Optimise maintenance practices; Improve operational processes and structure.

Organisational Health (OG1 to OG6): OG1 Performance management; OG2 Promotion and succession planning; OG3 Structure and Governance; OG4 Annual planning and budget; OG5 Innovation and continuous improvement; Organisational effectiveness from improved processes, structure and culture.

Information Technology.

• Specific expected objectives:

• Clarity of risk and the risk management process;

• Clarity on the role of audit & the audit process;

• Link between Audit & Risk Management;

• Auditors' role in the risk management process; and

• Commitment towards a consistent risk consciousness.

Figure: Objectives, Risk Management, and Internal Control (mitigation measures).

Overview of risk management; Risk Management Process

Overview of Audit

Audit vs Risk Management


Overview of Risk Management


© 2011 Deloitte & Touche

“The potential for loss or harm – or the diminished opportunity for gain – caused by factors that can adversely affect the achievement of a company's objectives”

Risk is the aggregate effect of uncertain events and outcomes on the achievement of objectives

Objectives: A goal or end result that is to be achieved;

Uncertainty: Unknown, indefinite or unclear;

Events: A happening, inside or outside KenGen (natural or man-made);

Outcomes: Results of and contingent upon events (financial or not, tangible or not); and

Effects: Consequences of outcomes on the achievement of objectives (favourable or not).

Figure: Objective -> Uncertain Events (good or bad) -> Uncertain Outcomes (desirable or undesirable) -> Uncertain Effects (favorable or unfavorable).

© 2011 Deloitte & Touche

“Mechanism that creates stability in the organization by enabling the identification, prioritization, mitigation and measurement of the implications of each decision”

Key elements of ERM include:

Adopting consistent and effective risk governance;

Standardizing the risk management process;

Aggregating and integrating a view of all risks; and

Relating risks to business objectives.


Enterprise: A purposeful undertaking that requires boldness.

Risk: The potential for loss, harm or sub-optimization of gain.

Management: Directing and controlling people, entities and resources for the purpose of coordinating and harmonizing them towards accomplishing a goal, i.e., protect existing assets and create future growth.

Figure: Risk Intelligence framework. External factors surround the cycle; the cycle's steps are Develop & deploy strategies; Identify risks; Assess & measure risks; Respond to risks; Design & test controls; Monitor, assure & escalate; and Sustain & continuously improve. The enablers are Governance, Process, Technology and People, and the aim is risk intelligence to create & preserve value.

Introduction;

Before the Three Lines: Risk Management Oversight and Strategy-Setting

The First Line of Defense: Operational/Process Management

The Second Line of Defense: Risk Management and Compliance Functions

The Third Line of Defense: Internal Audit, External Auditors, Regulators, and Other External bodies;

Coordinating The Three Lines of Defense

In twenty-first century businesses, it's not uncommon to find diverse teams of internal auditors, enterprise risk management specialists, compliance officers, internal control specialists, quality inspectors/assessors, fraud investigators, and other risk and control professionals working together to help their organizations manage risk.

The Three Lines of Defense model distinguishes among three groups (or lines) involved in effective risk management:

• Functions that own and manage risks (1st Line);

• Functions that oversee risks (2nd Line); and

• Functions that provide independent assurance (3rd Line).

Operational managers own and manage risks. They implement corrective actions to address process and control deficiencies.

They maintain effective internal controls and execute risk and control procedures on a day-to-day basis.

Operational management identifies, assesses, controls and mitigates risks, guiding the development and implementation of internal policies and procedures.

Managers design and implement detailed procedures that serve as controls and supervise execution of those procedures by their employees.

Operational management serves as the first line of defense because controls are designed into systems and processes under its guidance.

There should be adequate managerial and supervisory controls in place to ensure compliance and to highlight control breakdowns, inadequate processes, and unexpected events.

In a perfect world, only one line of defense would be needed to assure effective risk management. In the real world, however, a single line of defense often can prove inadequate. Management establishes various risk management and compliance functions to help build and/or monitor the first line-of-defense controls.

The responsibilities of these functions vary with their specific nature, but can include:

• Supporting management policies, defining roles and responsibilities, and setting goals for implementation.

• Providing risk management frameworks, and identifying known and emerging issues.

• Identifying shifts in the organization's implicit risk appetite.

• Assisting management in developing processes and controls to manage risks and issues.

• Providing guidance and training on risk management processes.

• Facilitating and monitoring implementation of effective risk management practices by operational management.

• Alerting operational management to emerging issues and changing regulatory and risk scenarios.

• Monitoring the adequacy and effectiveness of internal control, accuracy and completeness of reporting, compliance with laws and regulations, and timely remediation of deficiencies.

Internal auditors provide the governing body and senior management with comprehensive assurance based on the highest level of independence and objectivity within the organization. This high level of independence is not available in the second line of defense.

Internal audit provides assurance on the effectiveness of governance, risk management, and internal controls, including the manner in which the first and second lines of defense achieve risk management and control objectives.

The scope of this assurance, which is reported to senior management and to the governing body, usually covers:

Three Lines of Defense (table reconstructed):

First Line of Defense: Risk Owners/Managers; Operating management.

Second Line of Defense: Risk Control/Compliance; Limited independence; Reports primarily to management.

Third Line of Defense: Risk Assurance; Internal audit; Greater independence; Reports to governing body.

The Risk Management Process

At the end of the session the participant will understand how to:

Identify risk;

Measure risk;

Select a risk response;

Develop mitigating strategies;

Report on risk; and

Sustain the risk management process.


Level 2 – Risk Management Capabilities


Governance: Board roles and responsibilities, internal audit and risk management functions, tone at the top, risk management policies such as risk appetite and tolerance, the code of ethics, and delegation of authority.

People: This pillar focuses on management capabilities and related risks such as having the right number of people, with the right training and awareness.

Process: Includes core operational and infrastructure business processes necessary to run the business in an efficient manner, and create and protect value.

Technology: This pillar establishes capable systems to analyze and communicate risk information throughout the organization and enable risk intelligent decision-making and timely response.

Figure: Risk Intelligence framework (repeated), with external factors such as Competition and Security Attacks surrounding the cycle of Develop & deploy strategies; Identify risks; Assess & measure risks; Respond to risks; Design & test controls; Monitor, assure & escalate; and Sustain & continuously improve. Enablers: Governance, Process, Technology and People. Aim: risk intelligence to create & preserve value.

Level 3 – Risk Management Steps


Strategies to ensure:

Revenue growth sustained;

Asset efficiency maximised;

Operating margins managed; and

Stakeholder expectations met.

Strategic objectives need to be cascaded throughout the organization.

How is this being done at KenGen?

How does it tie in to the G2G Transformation Strategy?

© 2011 Deloitte & Touche

• Internal and external risks that can compromise achievement of KenGen's objectives.

• Risks to both future growth objectives and existing assets.

• Consider scenarios and chain of events rather than isolated incidents.


KenGen risk categories:

Governance;

Strategy and planning;

Operations and infrastructure;

Finance;

Compliance; and

Reporting.


Define the risk factors to be used as a basis for risk ranking:

Impact factors: financial, stakeholders, reputation, legal/regulatory, speed of onset;

Vulnerability factors: control effectiveness, speed of response, complexity, rate of change and external factors.

Impact and vulnerability can be assessed in terms of high, medium/moderate, and low.

Risk is a function of impact and vulnerability, and the consideration of controls in place:

RISK = Impact x Likelihood

Consider the existing controls to mitigate the identified risks. Controls do not always completely eliminate the risks; therefore, the remaining risk after considering controls is referred to as Residual Risk:

Residual Risk = Impact x Vulnerability, or Impact x (Likelihood – Controls)

Vulnerability: The extent to which an event is likely to occur considering the existing controls.

Impact: The effect that a risk will have on the organisation should it materialise.

Example

Inherent Risk: Lack of understanding of the system functionality, resulting in inaccurate and incomplete reporting information.

Existing Controls:

• System training

• Qualified personnel

• User reference guide

• Helpdesk support

Residual Risk: Considering the controls, the likelihood of the risk occurring becomes low, thus the residual risk (vulnerability) rating is low.

Avoid risk: Divest, prohibit, stop, screen or eliminate the risk event. Certain project activities may have too much associated risk and as such a decision is taken not to enter into or continue with the activities.

Manage risk: Reduce the risk impact, risk vulnerability or both in a cost-effective manner, so that the risk exposure is reduced.

Transfer risk: Reduce risk likelihood or impact by transferring or otherwise sharing a portion of the risk.

Accept risk: Risk mitigation or risk management resources are not allocated to the risk.

Risk Category / Risk Response:

Very High: Manage/Avoid/Enhance Risk Mitigation

High: Manage/Avoid/Enhance Risk Mitigation

Medium: Transfer/Monitor/Measure for Cumulative Impact

Low: Accept/Retain/Redeploy Resources
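As an added example (not part of the workshop slides), the Impact x Vulnerability rating, the residual-risk step and the response table above in Python; the 1-3 ordinal scale, the banding of the product onto the four categories, and the rule that each effective control lowers likelihood by one step are assumptions, and the risks in the register are constructed.

```python
"""Risk rating on the workshop's Impact x Vulnerability scale (added example)."""
from dataclasses import dataclass, field

# Assumed ordinal scale for the slides' High/Medium/Low ratings.
SCALE = {"Low": 1, "Medium": 2, "High": 3}
LEVEL = {v: k for k, v in SCALE.items()}

# Response table from the slide, keyed by risk category.
RESPONSE = {"Very High": "Manage/Avoid/Enhance Risk Mitigation",
            "High": "Manage/Avoid/Enhance Risk Mitigation",
            "Medium": "Transfer/Monitor/Measure for Cumulative Impact",
            "Low": "Accept/Retain/Redeploy Resources"}


def categorise(score: int) -> str:
    # Assumed banding of an Impact x Vulnerability product onto the slide's
    # four categories; with a 1-3 scale only 1, 2, 3, 4, 6 and 9 can occur.
    if score >= 9:
        return "Very High"
    if score >= 6:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    description: str
    impact: str      # High / Medium / Low
    likelihood: str  # likelihood before considering controls
    controls: list = field(default_factory=list)  # existing, effective controls

    def vulnerability(self) -> str:
        # Assumption: each effective control lowers likelihood one step, floor Low.
        return LEVEL[max(1, SCALE[self.likelihood] - len(self.controls))]

    def inherent(self) -> str:
        return categorise(SCALE[self.impact] * SCALE[self.likelihood])

    def residual_score(self) -> int:
        return SCALE[self.impact] * SCALE[self.vulnerability()]

    def residual(self) -> str:
        return categorise(self.residual_score())

    def response(self) -> str:
        return RESPONSE[self.residual()]


def rank(register: list) -> list:
    # Risk ranking for the register review: highest residual exposure first.
    return [r.description for r in sorted(register, key=Risk.residual_score, reverse=True)]
```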
