2015 IA Presentation_G Fisher_V2.1

Transcript of 2015 IA Presentation_G Fisher_V2.1

Page 1: 2015 IA Presentation_G Fisher_V2.1

Demystifying Combined Assurance: Creating a Well-rounded Risk Profile to Assess the Adequacy of your Assurance Coverage

Grant Fisher, General Manager: Group Audit and Risk Management, Bridgestone South Africa

5 March 2015

Page 2: 2015 IA Presentation_G Fisher_V2.1

Outline

1 Introduction

2 Obtaining a Multi-dimensional View of Risk

3 Your Key Role Players in Combined Assurance

4 How Many Lines of Defense are Enough?

5 Mapping Assurance Providers to Risks, Controls, and Objectives

6 Gap Analysis: Strengthening the Risk Net

7 Discussion Time and Case Study


Page 3: 2015 IA Presentation_G Fisher_V2.1

1 Introduction

If you can't explain it simply, you don't understand it well enough.

Albert Einstein

Read more at http://www.brainyquote.com/quotes/quotes/a/alberteins383803.html#kzhdHCJcMuFL7BS1.99


Page 4: 2015 IA Presentation_G Fisher_V2.1

1 Introduction (cont.)


I am convinced that a simple profit-seeking business will never thrive, but a business that contributes to its society and country will be forever profitable.

Shojiro Ishibashi, Founder

The essence of sustainability

60 years before the first King report, Bridgestone was promoting principles of good governance (even though the term did not yet exist).

Page 5: 2015 IA Presentation_G Fisher_V2.1

1 Introduction (cont.)


The World of Assurance and Good Governance

In the past 20 years, we have seen a fundamental change in the role of business in society. This is particularly meaningful in the context of a new South Africa.

King I (1994)

• Introduced the concept of good governance

• Focused on the role of the Board

• Recommended Affirmative Action

King II (2002)

• Promoted the roles of Internal Audit and Risk Management

• Stressed the importance of sound financial reporting

• Recommended “non-financial reporting”

King III (2009)

• Promoted the roles of Internal Audit and Risk Management further

• Recommended Integrated Sustainability Reporting

• Introduced the concept of Combined Assurance

Page 6: 2015 IA Presentation_G Fisher_V2.1

1 Introduction (cont.)

The World of Assurance and Good Governance (cont.)

What has changed?

Aspect           | Western Capitalism           | A New Compassionate Capitalism
Time horizon     | Short-term focus             | Considers short, medium and long-term
Value Creation   | Returns to Shareholders      | Value for Stakeholders
Mission          | Profit motive above all else | Concern for people, planet, and profit
Annual Reporting | Financial Reporting          | Integrated Sustainability Reporting

Who’s involved? (figure of functions): Internal Audit, Risk, Forensics, Transformation, Governance, Secretarial, Legal, Insurance, Compliance, CSR, SQE, Security

Page 7: 2015 IA Presentation_G Fisher_V2.1

1 Introduction (cont.)


Why Combined Assurance?

It started with the King Report on Governance (King III):

The audit committee should ensure that a combined assurance model is applied to provide a co-ordinated approach to all assurance activities

Potential Benefits

• Focus on key risks

• Identify gaps

• Reduce operational disruptions

• Track remedial actions

• Improve reporting to the Board

• Support Integrated Report

Page 8: 2015 IA Presentation_G Fisher_V2.1

1 Introduction (cont.)


Combined Assurance means better Risk Management and better Governance*

* but only if we want it to...

Picture from www.edf.az

Picture from www.mypharmacare.ca

Page 9: 2015 IA Presentation_G Fisher_V2.1

2 Obtaining a Multi-dimensional View of Risk


Ask yourself the following:

• Do we know what our risks are?

• Do we really know what our risks are?

• What are our biggest risks, and how do we measure them?

• How do we get our assurance?

• Who are we really relying on?

• If we know our risks, why do bad things still happen?

• Do we just tick the boxes?

(Think about Enron. ABIL. Are they that different to us?)

http://jeffreyhill.typepad.com/english/2009/03/cartoon-fiddling-while-rome-burns.html

Page 10: 2015 IA Presentation_G Fisher_V2.1

2 Obtaining a Multi-dimensional View of Risk (cont.)

How we do it at Bridgestone South Africa

Risk Profile (figure): fed by the Risk Forum & Internal Audit, Incident Reports, and Global Risks

• Incorporate global risks and classification systems

• Learn from local and global incidents, accidents and disasters

• Lead risk forum and conduct interviews (cross-functional team)

• Incorporate internal audit experience

• Consider other methods (PESTEL, SWOT, etc.)

• Leverage data analytics (planned)

Page 11: 2015 IA Presentation_G Fisher_V2.1

2 Obtaining a Multi-dimensional View of Risk (cont.)

Elements of our Risk Framework

RISK FRAMEWORK (figure) with the elements:

• POLICIES AND STANDARDS

• RISK MANAGEMENT (NORMAL CONDITIONS)

• BUSINESS CONTINUITY MANAGEMENT

• INCIDENT REPORTING

• CRISIS MANAGEMENT

Detail labels from the figure, in the order shown:

• Appetite

• Tolerance

• Capacity

• Risk Criteria

• Classification

• All Risk Categories

• Incidents

• Accidents

• Emergencies

• Emergency Planning

• Task Force Establishment

• COSO ERM

• Risk Register

Page 12: 2015 IA Presentation_G Fisher_V2.1

2 Obtaining a Multi-dimensional View of Risk (cont.)

Categories of our Top 10 Risks

Category              | Qty
Regulatory Compliance | 2
Emergency Planning    | 1
Transformation        | 2
Operations            | 1
Quality               | 3
Ethics                | 1

Our first financial risk is at #17 (Bad Debt), so then:

• Is Internal Audit really risk-based?

• Who is giving us the real assurance?

It cannot be the traditional world of financial audit.

(And it doesn’t help to get assurance on the wrong risks!)

Page 13: 2015 IA Presentation_G Fisher_V2.1

2 Obtaining a Multi-dimensional View of Risk (cont.)

Establishing your Strategic Position (where do you fit in?)

Matrix (figure): business functions across the top, grouped as Supply Chain [CORE] and Administrative [SUPPORT]: Planning, Purchasing, Production, Logistics, Sales, Marketing, Finance, HR, IT, SQE

Cross-cutting rows spanning all functions: Corporate Social Responsibility (CSR), Enterprise Risk Management (ERM), Internal Audit, Compliance

Page 14: 2015 IA Presentation_G Fisher_V2.1

2 Obtaining a Multi-dimensional View of Risk (cont.)

What are we trying to achieve?

22 CSR Focus Points

Fundamental CSR Activities

• Stable Profits

• Compliance

• Business Continuity

• Stakeholder Communication

CSR through Business Activities

• Quality Products and Services

• Technological Innovation

• Customer Research

• Fair Business Practice

• Fair and CSR Procurement

• Timely Disclosure

CSR through Environmental Activities

• Conservation through Products

• Conservation through Supply Chain

• Social Activities

CSR from a Social Standpoint

• Job Satisfaction

• Workplace Safety

• Diversity

• Human Rights

• Social Activities and Volunteering

Global Reporting Initiative (GRI) Requirements

Economic Impact

• Financial Results (for shareholders)

• Impact on other Stakeholders: staff compensation, employee benefits, community investments, donations, returns to providers of capital, tax paid, local procurement, local recruitment, infrastructure development

Environmental Impact (materials, energy, water, etc.)

Social Impact

• Labour Practices

• Human Rights

• Society

• Product Responsibility

Page 15: 2015 IA Presentation_G Fisher_V2.1

2 Obtaining a Multi-dimensional View of Risk (cont.)

What do we care about?

The way we look at value has changed. And new accounting standards reflect this. [For accounting value to reflect economic value, goodwill must be stated at Fair Market Value (IFRS)]

Now accountants have to look to the future to establish value

And internal auditors have to look to the future to establish risk

Yet neither has a crystal ball...

Picture from www.wired.com

Value Perspective | Definition                         | Time Frame
Economic          | NPV (Expected Future Income Flows) | Future
Accounting        | Assets – Liabilities               | Past

Page 16: 2015 IA Presentation_G Fisher_V2.1

2 Obtaining a Multi-dimensional View of Risk (cont.)


Value theory of Risk

Anything that can destroy Value (or potential value)

Activities undertaken to protect Value

Co-ordinating of activities to protect Value

Or

Integrating and aligning assurance processes in a company to maximise risk and governance oversight and control efficiencies, and optimise overall assurance to the audit and risk committee, considering the company’s risk appetite. (King III)

Or

“Internal due diligence on an ongoing basis” (IRMSA)

Page 17: 2015 IA Presentation_G Fisher_V2.1

2 Obtaining a Multi-dimensional View of Risk (cont.)

It takes a King to Govern

One of the best Governance Codes in the World, and yet...

Page 18: 2015 IA Presentation_G Fisher_V2.1

2 Obtaining a Multi-dimensional View of Risk (cont.)


Corruption Perceptions Index 2013

South Africa’s biggest risk! [IRMSA Risk Report 2015]

P.S. What’s Botswana got that we haven’t?

Page 19: 2015 IA Presentation_G Fisher_V2.1

2 Obtaining a Multi-dimensional View of Risk (cont.)


Another definition of Risk

Any obstacle to getting what we want

If you’re not thinking CSR, you’re not thinking risk

Page 20: 2015 IA Presentation_G Fisher_V2.1

2 Obtaining a Multi-dimensional View of Risk (cont.)

Know your Universe (figure): HR, Legal, Compliance, Ethics, Contracts, Security, Finance, IT, Wellness, Disaster, Safety, Quality, Environment, Business

Page 21: 2015 IA Presentation_G Fisher_V2.1

2 Obtaining a Multi-dimensional View of Risk (cont.)

Develop some detail (but don’t get lost in it)

# | Broad Risk Category | Sub-category           | Risk # | Risk Name               | Key Person
1 | Human Capital       | Skills Maintenance     | 30     | Skills Shortage         | Jane
  |                     | Industrial Relations   | -      | Unfair Dismissal        |
  |                     | Labour Market Activity | 23     | Labour Unrest           |
  |                     | Compensation Framework | 29     | Staff Compensation      |
  |                     | Employee Relations     | -      | Employee Scandal        |
  |                     |                        | 47     | Family Relationships    |
  |                     | Recruitment            | 45     | Fraudulent Applications |
  |                     | Staff Morale           | 14     | Restructuring           |
  |                     |                        | -      | Division of Labour      |

Page 22: 2015 IA Presentation_G Fisher_V2.1

2 Obtaining a Multi-dimensional View of Risk (cont.)

Document thoroughly [extract from risk register]

P.S. What’s missing? Causes or contributing factors (there should be a control for every cause)

Register columns: 2014 Rank | Risk # | Date | Risk Name | Risk Description | Map to CSR Objective | BSJ Risk Category | COSO Risk Category | Likelihood (Pre-control) | Impact (Pre-control) | Inherent Risk | Existing Controls and/or Mitigation Measures | Likelihood (Post-control) | Impact (Post-control) | Residual Risk | Risk Response | Action Plan | Action by date | Person Responsible | Risk Owner | BCP Indicator | Progress to Plan / Follow-up Status

Row 1:
2014 Rank: 1
Risk #: 001
Date: 26-Nov-13
Risk Name: Non-compliance with Competitions Act
Risk Description: A violation of the Competitions Act results in severe penalties (i.r.o. price fixing, market allocation, resale price maintenance, market power, collusion, etc.)
Map to CSR Objective: 128
BSJ Risk Category: 03 Legal
COSO Risk Category: Compliance
Likelihood / Impact (Pre-control): 4 / 5
Inherent Risk: IV
Existing Controls and/or Mitigation Measures: Competition Compliance Training Manual (on Intranet)
Likelihood / Impact (Post-control): 3 / 5
Residual Risk: IV
Risk Response: Reduce
Action Plan: - Policy on anti-cartel activity (in-progress per BSJ instruction) - On-line compliance training
Action by date: 31-12-2013
Person Responsible: RS
Risk Owner: Legal
BCP Indicator: No
Progress to Plan / Follow-up Status: - Policy approved by the Board (Dec 2013) - Compliance Training rolled out to sales and marketing staff (Sep 2014)

Row 2:
2014 Rank: 2
Risk #: 002
Date: 26-Nov-13
Risk Name: Terrorism or related catastrophe
Risk Description: An unforeseen act of terrorism or sabotage has a profound effect on the business
Map to CSR Objective: 1317
BSJ Risk Category: 07 Disaster
COSO Risk Category: Strategic
Likelihood / Impact (Pre-control): 1 / 5
Inherent Risk: IV
Existing Controls and/or Mitigation Measures: - Security on site - Risk Control Policy - Emergency Planning and Procedures (BSAF Plants) - SASRIA cover is in place for Max T against terrorism provided it is politically motivated (NASRIA in Namibia)
Likelihood / Impact (Post-control): 1 / 5
Residual Risk: IV
Risk Response: TBD
Action Plan: - Enhance and/or standardise contingency planning systems and procedures (at group level), giving special consideration to second-round effects (beyond initial financial impacts) - Consider outsourcing the management of catastrophes
Action by date: TBD
Person Responsible: CT
Risk Owner: CSR / SQE
BCP Indicator: Yes
Progress to Plan / Follow-up Status: Note: Terrorist threat exists in Mozambique, but no SASRIA cover equivalent there

Page 23: 2015 IA Presentation_G Fisher_V2.1

3 Your Key Role Players in Combined Assurance

Who are we relying on?

From the point of view of a multi-national...

Internal (Local): Operating Management; Group Audit and Risk; Legal / Secretarial; CSR / SQE; Human Resources; Finance; Information Technology; Technical

Group-Global: J-SOX Auditors; TQM Auditors; Internal Auditing; Business Continuity

External: External Audit; Corporate Lawyers; Consulting Engineers; Insurers; B-BBEE Verification Agency; ISO Certification; Labour Relations Consultants; OEM Auditors (e.g. BMW); Fire Protection Inspectors; Safety Inspectors; Forensic Consultants

Page 24: 2015 IA Presentation_G Fisher_V2.1

3 Your Key Role Players in Combined Assurance (cont.)


Should we be relying on them?

Internal Assurers

• Highly Skilled, but not Independent

Group-Global

• Skilled and Independent, but limited Local Knowledge

External Assurers

• Skilled, Relatively Independent, and Accredited, but Costly

Page 25: 2015 IA Presentation_G Fisher_V2.1

3 Your Key Role Players in Combined Assurance (cont.)


Special Case: J-SOX (Mutual Assurance)

The Group CEO (Global) performs a group assessment based on internal control confirmation statements submitted by each group company, and submits an internal control statement based on the assessment results to the Prime Minister of Japan. Each Group Company conducts its own control self-assessment.

Assurance is provided on the following control types:

• Entity Level Controls

• Financial Closing and Reporting Controls

• Business Process Controls

• IT General Controls

BSJ places reliance on our self-assessment.

We place reliance on their independent validation.

Page 26: 2015 IA Presentation_G Fisher_V2.1

3 Your Key Role Players in Combined Assurance (cont.)


Page 27: 2015 IA Presentation_G Fisher_V2.1

3 Your Key Role Players in Combined Assurance (cont.)


And for JSE-Listed Companies...

• Who gives you assurance on your integrated report?

• Are traditional auditors the right people?

• Do they have the right credentials?

• Is the report really integrated?

• Do we create value over time...?

On the other hand...

• Is independent assurance even possible?

• Are we taking assurance too far?

• Should we stop with Internal Audit?

• You cannot guarantee sustainability [King III vs JSE]

Picture from www.pgsadvisors.com

Page 28: 2015 IA Presentation_G Fisher_V2.1

4 How many Lines of Defense are Enough?


According to the IIA…

Page 29: 2015 IA Presentation_G Fisher_V2.1

4 How many Lines of Defense are Enough? (cont.)


Line 1

• Risk and Control Owners [Management]

Line 2

• Risk Management Process Owners [e.g. Risk Management / Risk Forum]

Line 3

• Assurance Providers on Risk Management Process [Internal Audit]

Line 4

• External Assurance Providers and Consultants

Line 5

• Board Sub-committees

In other words...

Page 30: 2015 IA Presentation_G Fisher_V2.1

5 Mapping Assurance Providers to Risks, Controls, and Objectives

Developing a Model (According to IRMSA)

1. Create Awareness

• Define what it is

• Explain the benefits

2. Identify a Champion

• Chief Internal Auditor

• Chief Risk Officer

3. Develop an Assurance Strategy

• Identify business objectives and risks that affect their attainment

• Prioritise risks

4. Identify and Involve Assurance Providers

• Secure commitment

• Especially Internal Audit

5. Map Risks to Assurance Providers

• Describe assurance mission of each provider

• Draft assurance activities to be undertaken and frequency

6. Decide on Optimum Model

• Design blueprint

• Build infrastructure (risk methodology)

Page 31: 2015 IA Presentation_G Fisher_V2.1

5 Mapping Assurance Providers to Risks, Controls, and Objectives

Getting Started (getting a broad overview)

Business Process | Internal Assurance Provider | Output | External Assurance Provider | Output

Economic / Financial
Economic Value Added | - | - | External Audit | Value Added Report
Financial Results | - | - | External Audit | External Audit Report

Safety, Health, Environment & Quality
Legal Safety Compliance | CSR / SHEQ Department | Inspection Reports | Consultants (BSMP) | Audit / Inspection Report
Safety Systems | CSR / SHEQ Department | Inspection Reports | DQS GmbH (BSAF) | OHSAS18001:2007 Certification
Environmental Standards | CSR / SHEQ Department | Inspection Reports | DQS GmbH (BSAF) | ISO14001:2004 Certification
Quality Systems | CSR / SHEQ Department | Inspection Reports | DQS GmbH (BSAF) | ISO9001:2008 and TS16949:2009 Certification

Empowerment
B-BBEE Credentials | - | - | Service Provider | B-BBEE Scorecard

Human Resources
Employee Satisfaction | - | - | To be confirmed | Employee Satisfaction Survey

Risk, Control and Governance
Internal Control Environment | Group Audit and Risk | Internal Audit Report to the Board | - | -
Risk Management Process | Group Audit and Risk | Internal Audit Report to the Board | - | -
Governance / King III | Group Audit and Risk | Governance Assessment Report | To be confirmed | Independent Statement
Sustainability Reporting | CSR / SHEQ Department | CSR Report | External Audit | Independent Assurance Report

Page 32: 2015 IA Presentation_G Fisher_V2.1

5 Mapping Assurance Providers to Risks, Controls, and Objectives

Mapping by Risk

Register columns as on Page 22, plus: Supporting Process | 1st Line Assurance | 2nd Line Assurance | 3rd Line Assurance | External Assurance | Assurance Gap

Row 1 (2014 Rank 1, Risk # 001, Non-compliance with Competitions Act; register fields as on Page 22):
Supporting Process: Compliance Training
1st Line Assurance: Operating Management (Sales and Marketing)
2nd Line Assurance: Legal / Secretarial
3rd Line Assurance: Internal Audit
External Assurance: Corporate Lawyers
Assurance Gap: Legal Compliance Audit (A - Z)

Row 2:
2014 Rank: 6
Risk #: 005
Date: 26-Nov-13
Risk Name: Product Recall
Risk Description: Product failures result in recalls that cause reputational damage
Map to CSR Objective: 15
BSJ Risk Category: 09 Quality
COSO Risk Category: Strategic
Likelihood / Impact (Pre-control): 4 / 5
Inherent Risk: IV
Existing Controls and/or Mitigation Measures: - QA testing, manufacturing quality gates, QTR procedures - QS Procedure (Correct, updated testing procedures should be followed at all times; suspect tyres not released) - ISO9001 - Extension under liability policy
Likelihood / Impact (Post-control): 2 / 4
Residual Risk: III
Risk Response: Accept
Action Plan: F Qualification audit at Brits (BSJ) [Quality Process Audit]
Action by date: Ongoing
Person Responsible: PW
Risk Owner: Quality
BCP Indicator: Yes
Progress to Plan / Follow-up Status: Audit completed; IIP for corrective actions in progress
Supporting Process: Quality Control
1st Line Assurance: Operating Management (Plant)
2nd Line Assurance: CSR / SQE - DQS (ISO9001 and TS16949)
3rd Line Assurance: TQM Auditors (BSJ)
External Assurance: -
Assurance Gap: Quality Auditor / Inspector or CQO

• Select high residual risks and high inherent risks

• Consider low level risks for overkill

Page 33: 2015 IA Presentation_G Fisher_V2.1

5 Mapping Assurance Providers to Risks, Controls, and Objectives


A Different Perspective (public sector template)

Page 34: 2015 IA Presentation_G Fisher_V2.1

6 Gap Analysis: Strengthening the Risk Net

An ongoing process (figure: cycle)

• Assess the extent of Risk Coverage

• Assess Assurance Providers

- Credentials

- Methodologies

- Independence

- Business Knowledge

- Cost

• Identify Assurance Gaps

- Compare actual with desired levels

- Gaps in coverage

- Gaps in assurance provider capability

• Identify Assurance Overkill

- Low level risks

- Misunderstood risks

- Duplication of effort

• Compile Remedial Action Plan

• Report to Governing Body

• Track Actions against Plan

• Monitor, Update and Improve
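Worked example of the gap analysis above applied to the "Mapping by Risk" register columns, added here and not Bridgestone's or IRMSA's own code: it selects high inherent or high residual risks and compares their actual lines of assurance with a desired level, flags high risks whose assurance comes only from non-independent internal assurers (the distinction drawn on the "Should we be relying on them?" slide), and checks low-level risks for overkill. The desired-level table, the provider tiers, risk 002's assurance mapping and risk 017's ratings and providers are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Assurance lines as used in the 'Mapping by Risk' register columns.
LINES = ("1st Line", "2nd Line", "3rd Line", "External")

# Provider tier per the role-player slides: internal assurers are skilled but
# not independent; group-global and external assurers are independent.
PROVIDER_TIER = {
    "Operating Management": "internal", "Legal / Secretarial": "internal",
    "CSR / SQE": "internal", "Internal Audit": "internal", "Finance": "internal",
    "TQM Auditors (BSJ)": "group-global", "Corporate Lawyers": "external",
    "External Audit": "external",
}
INDEPENDENT_TIERS = {"group-global", "external"}

# Desired lines of assurance per residual rating band. The slides say only to
# compare actual with desired levels; this table is an assumption.
DESIRED = {"IV": set(LINES), "III": {"1st Line", "2nd Line", "3rd Line"},
           "II": {"1st Line", "2nd Line"}, "I": {"1st Line"}}
HIGH_BANDS = {"III", "IV"}

@dataclass
class RiskRow:
    risk_id: str
    name: str
    inherent: str    # rating band before controls, e.g. "IV"
    residual: str    # rating band after controls
    assurance: dict  # line -> provider name, "" where no assurance exists

def covered(row):
    return {line for line in LINES if row.assurance.get(line)}

def is_high(row):
    # Mapping slide: select high residual risks and high inherent risks.
    return row.inherent in HIGH_BANDS or row.residual in HIGH_BANDS

def coverage_gaps(row):
    """Assurance lines missing against the desired level, high risks only."""
    missing = DESIRED[row.residual] - covered(row) if is_high(row) else set()
    return [line for line in LINES if line in missing]

def capability_gap(row):
    """High risk whose assurance comes only from non-independent providers."""
    tiers = {PROVIDER_TIER.get(p, "internal") for p in row.assurance.values() if p}
    return is_high(row) and not (tiers & INDEPENDENT_TIERS)

def overkill(row):
    """Low-level risk carrying more assurance lines than desired."""
    extra = covered(row) - DESIRED[row.residual] if not is_high(row) else set()
    return [line for line in LINES if line in extra]

def analyse(rows):
    return {r.risk_id: {"gaps": coverage_gaps(r), "capability_gap": capability_gap(r),
                        "overkill": overkill(r)} for r in rows}

# Constructed sample: risk 001 as mapped on the slide; risk 002 from the register
# extract with a made-up first-line-only mapping; risk 017 (Bad Debt is named on
# the Top 10 slide) with made-up ratings and providers to exercise the overkill check.
SAMPLE = [
    RiskRow("001", "Non-compliance with Competitions Act", "IV", "IV",
            {"1st Line": "Operating Management", "2nd Line": "Legal / Secretarial",
             "3rd Line": "Internal Audit", "External": "Corporate Lawyers"}),
    RiskRow("002", "Terrorism or related catastrophe", "IV", "IV",
            {"1st Line": "Operating Management", "2nd Line": "", "3rd Line": "",
             "External": ""}),
    RiskRow("017", "Bad Debt", "II", "II",
            {"1st Line": "Operating Management", "2nd Line": "Finance",
             "3rd Line": "Internal Audit", "External": "External Audit"}),
]
```

A line-count check cannot see a judgement-based gap such as the "Legal Compliance Audit (A - Z)" recorded against risk 001 despite all four lines being filled, so the register's Assurance Gap column still needs a reviewer.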

Page 35: 2015 IA Presentation_G Fisher_V2.1

7 Discussion Time and Case Study


Food for Thought

The world changes in strange and unpredictable ways. Not one of the great political or economic shifts of the past 100 years was predicted with any degree of accuracy. Examples stretch from the end of the Cold War to the global financial crisis. Remember that in 1985 PW Botha warned that he would not lead white South Africa down the path of “abdication and suicide”. Ten years later Nelson Mandela celebrated his first anniversary in the Union Buildings. Most recently American officials have admitted that they did not see ISIS coming.

Therefore resist the temptation to use short-term current trends to come to fixed conclusions about (the) future – history suggests that your initial conclusions may be very wrong.

Frans Cronje, CEO: Institute of Race Relations

Quoted with permission

Page 36: 2015 IA Presentation_G Fisher_V2.1

7 Discussion Time and Case Study (cont.)


Questions

Comments

Ideas?

Page 37: 2015 IA Presentation_G Fisher_V2.1

7 Discussion Time and Case Study (cont.)


Case Study: African Bank

• Record Loss: “needed 8.5 billion rand to survive”

• Seven of the eleven directors had no previous banking experience

• Share price plummeted more than 95%

• Made loans at annual interest rates as high as 60%

• “…didn’t provide enough for bad debts” – Sanlam

• Ripple effects: Moody’s lowered credit ratings on the four largest banks

• Could even bring SA closer to a ratings downgrade – Standard Bank

• Sunday Times Front Page: “F*** the poor” – Chief Risk Officer

• Charming CEO + Weak Chairman → No balance of power

Sources: BusinessReport and Sunday Times

Page 38: 2015 IA Presentation_G Fisher_V2.1

7 Discussion Time and Case Study (cont.)


Case Study: African Bank (cont.)

What the company said…

ABIL Risk Management strategy is to embed a risk culture and support business units within the group

- Accountability – Risk Report financial year ended 30 September 2013

The audit Committee must ensure that the combined assurance received is appropriate to address the significant risks facing the company. The combined assurance model consists of management, the Risk committee, internal assurance providers i.e. finance, internal audit, risk and external assurance providers i.e. external auditors. The Audit committee must monitor the relationship between the external assurance providers and the company.

- Group Audit Committee Charter of ABIL and Group Subsidiaries

Page 39: 2015 IA Presentation_G Fisher_V2.1

7 Discussion Time and Case Study (cont.)


SO WHERE WERE THEY?

Page 40: 2015 IA Presentation_G Fisher_V2.1

Thank You

http://www.asksotiris.com/albert-einstein-quotes/

Page 41: 2015 IA Presentation_G Fisher_V2.1

Thank You