Internal Audit to Risk Management
A risky migration?

Terry Cunnington
Director, Risk Assurance
Deputy President IIA-UK

Summary of presentation
- Integrating internal audit and operational risk - advantages and disadvantages
- LIFFE risk management framework
- Roles and responsibilities for risk management - how does internal audit fit in?
- Defining operational risk and risk management?
- Opportunities for internal audit arising from the Combined Code and Turnbull
- Migration of internal audit to embrace risk management
- Internal audit skill set going forward

What is operational risk?
The threat of an adverse event or action occurring, which may:
- lead to failure to respond to unforeseen circumstances
- impact our stakeholders
- prevent opportunities being exploited
- impact the achievement of corporate goals
- result directly or indirectly in losses of any kind

What is risk management?
- Transfer risk to a third party
- Reduce impact should it occur
- Reduce likelihood of a risk event occurring
- Take the right risks
- Avoid the risk altogether
- Accept the risk

Who is responsible for risk management?
[Diagram. Parties shown: Operational Risk, Specialist Functions, Management, Audit Committee, Board, Internal Audit. Labels: Identify risk; Evaluate risk; Manage risk; Take risk; Own risk; Insurance; Security; Business continuity; Health & safety; Risk strategy; Risk framework; Monitor and co-ordinate; Risk reporting; Independent audits; Assurance; Opinion; Proactive advice and support; Facilitate improvements.]

Risk Management Responsibilities
[Diagram. A scale from hands-on to hands-off, labelled: Management, Specialist risk, Corporate risk, Internal audit.]

Operational Risk - Typical Functions
- Facilitates CRSA and/or multi-disciplinary risk workshops
- Proactive risk advice, support and training
- Centre of expertise on risk processes
- Facilitates improvements in risk management
- Develops risk management strategy
- Promotes risk awareness
- Provides risk management framework and reporting
- Hands on risk management (including risk transfer)

Internal Audit
- Promotes risk awareness
- Proactive risk advice and support
- Centre of excellence on risk management and control
- Facilitates improvements in risk management and control
- Provides assurance
- Provides independent opinions
- Risk based audits
- Focuses audits on areas of risk

Integrating IA and operational risk
Advantages:
- Link risk profiling / reporting with audit process
- Not compromise objectivity
- Easier to recruit and retain high quality staff
- Avoid unnecessary duplication
- Overlap between risk based audit and operational risk
- Risk based audit - prevention rather than cure

Integrating IA and operational risk
Disadvantages:
- Cultural non-acceptance
- Customer confusion
- Priorities for resources
- Hands-on risk management
- Audit independence

Risk reporting and corporate governance
"The directors should, at least annually, conduct a review of the effectiveness of the group's system of internal control and should report to shareholders that they have done so. The review should cover all controls, including financial, operational and compliance controls and risk management."
The Combined Code: Principles of good governance and code of best practice

Turnbull - Some key points
- Prime responsibility of management
- Profit is the reward for successful risk taking
- Continuous monitoring essential
- Embedding risk management and control
- Link between risk management and control
- Objective assurance from internal audit

Internal audit opportunities post Turnbull
- Raise the profile of Internal Audit
- Holistic rather than cyclical approach
- Scope should cover all activities of the business
- Independent opinion on risk management and control
- Well placed to provide / co-ordinate assurance to directors
- Backwater to mainstream

Threats to internal audit post Turnbull
- Failure to deliver reliable opinions
- Extinction or minor role for internal audit
- Substitution by operational risk or consultants
- Failure to change approach and skills base
- Greater board expectations
- Complacency

How internal audit can meet the challenge
- Change internal audit skills base
- Give proactive advice - prevention is better than cure
- Position internal audit in risk management framework
- Seize the opportunity to co-ordinate assurance
- Cover the risks that matter across the business
- Holistic approach to auditing and reporting
- Facilitate risk management strategy
- Dynamic planning and flexible response

LIFFE Risk Management Framework
[Diagram. Labels: Risk management strategy; Defines Risk; Roles & Responsibilities; Risk Ownership; Risk Appetite; Centres on Risk Profile; underpins; Corporate Risk Profile; drives; Risk based audits or other response; Audits; Consultancy; Workshop; Proactive advice; Inherent Risks; Mitigating Controls; Residual Risks; Co-ordinates assurance; Monitoring; Reporting / Opinion; Ownership / Actions.]

Corporate Risk Profile - Inherent Risks
[Diagram. Inherent risks: Systems; Personnel; Strategic & competitive; Business change; Financial; Reputational; Legal & regulatory; Corporate goals; Market operations; Premises.]

Corporate Risk Profile
BUSINESS CHANGE
[Sample form with placeholder text. Headings: Risk Coverage; Residual Risks; Inherent Risks; Opinion; Impact; Prob. Notes on the form: Quantified in relative terms. Sample entries: "Inability to cope with the nature and volume of business change"; "Projects not delivered on time, to budget or to the required quality"; XYZ; ABC; Opinion: US.]

Corporate risk profile - summary
[Sample table with placeholder text. Columns: Risk category; Level of risk; Commentary. Risk categories listed: Business Change; Strategic & comp; Reputational; Personnel; Financial; Systems; Market Operations.]

Residual Risk Action Plan
[Sample table with placeholder text. Columns: Residual Risks; Action Planned to Mitigate Risk; Resp; Milestone; Opinion. Sample entries: Resp: XYZ, XYZ, ABC, NOP. Milestone: Dec 97, Mar 98, Jun 98, Jan 98, Oct 97, Feb 98. Opinion: SUPS.]

Management of residual risks
[Matrix. Axes: Probability of risk event occurring; Impact of risk event occurring; scale Low to High. Cells: Transfer risk or contingency plan; Manage by improving controls - if cost justified; Cease activity unless rewards high - manage closely; Accept risk.]

Migrating IA to embrace operational risk
- Change IA skills base
- Innovate or die
- Obtain buy-in

Where are you now?
- Risk based audit?
- Positioning
- Credibility

Where do you want to be?
- Positioning
- Meet board needs re. Turnbull?
- What operational risk functions?

How do you get there?
- Establish credibility
- Establish business case
- Obtain mandate

Skill set for IA going forward
- Customer focus
- Mind set / profile
- Wider business experience
- Facilitation skills
- Less is more
- Staff development

I survived the migration