The Top Four Essential Objectives to Auditing ERM
2011 Governance, Risk, and Compliance Conference
August 29 – 31, 2011 / Orlando, FL, USA
The Top Four Essential Objectives to Auditing ERM
Stephen E. McBride, CIA
Agenda
• Definition of key terms
• Risk management principles & process
• Recent financial events
• Risk governance roles
• Key areas of focus in establishing audit objectives
Risk
• The possibility of an event occurring that will have an impact on the achievement of objectives. Measured in terms of likelihood and impact
Risk Management
A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives
Why Manage Risk?
• Decrease the cost of financial distress
• Reduce earnings volatility
• Facilitate optimal investments
• Incorporate portfolio theory
Enterprise Risk Management
The application of risk management principles to all significant risks facing an organization
Risk Governance Roles
• Board of Directors
• Management
• Internal Auditors
Financial Events
• Enron
• Washington Mutual Bank
• AIG
• MF Global
Were these events:
– risk management process failures,
– implementation failures, or
– both?
Where to Begin
• Failures?
– Financial: Credit, Market, Liquidity
– Operational
– Strategic
• Review models, assumptions, derivatives, strategies, black swans?
• Top 4 objectives
1. Business Strategies and Risk Appetite
• Determine approval of risk appetite
• Determine understanding of the business model
Audit Objectives – Risk Appetite
1. Risk appetite – the entity’s risk appetite defines acceptable and undesirable risks.
2. Parameters for risk
   1. Strategic – new products or initiatives
   2. Financial – maximum acceptable loss or performance variations
   3. Operating – capacity management, quality targets, environmental requirements.
2. Internal Environment
• The Board is active and possesses an appropriate degree of expertise
• Chief Risk Officer communication
• Management risk council reporting to the Board
• Management’s risk appetite is aligned throughout the organization
Ethics
• Determine methods for ensuring the Code of Conduct is communicated and complied with across the organization
• Ensure results are properly communicated
• Determine whether executives comply with discretionary expenditure policies
Follow the Money
• Determine how management is rewarded for performance
3. Event identification
• Management identifies potential events
• Techniques are used to look at both the past and the future
• Event identification is robust
• Management understands how events relate to one another
4. Control Activities
• Management identifies the control activities needed to ensure risk responses are carried out properly
• Policies are implemented consistently
• Conditions are investigated and appropriate corrective action taken
• General and application controls are implemented
Volume of Exceptions
• Determine the volume of policy or internal control exceptions
• Determine steps taken for corrective action
Conclusion
• Determining the control framework and management practices in these areas will help determine risk culture
• Risk culture is the primary indicator of an organization’s risk management oversight and its likelihood of continued long-term success