Rock art (C.Zwick)
Emerging risks and assurance
August 2012
Greg Saunders
www.environment.gov.au
Today’s presentation
Risk management and assurance;
Moving from a risk to an issue;
Visibility and emerging risk;
Innovation and opportunity;
Integration and your three lines of defence;
GRC functions, keeping them relevant; and
Questions
Risk management and assurance
Risk management plan approved and endorsed by board or executive (plan updated annually);
Consider key risks and emerging risks in the process;
Assurance processes clearly defined;
A clear understanding of expectations - CEO directive;
Risk management roles clearly defined;
Clear KPIs in duty statements that are measurable; and
Validation of risk management process.
Moving from a risk to an issue
When can you move a risk from a risk register;
Are controls able to be enhanced to minimise risk;
High and severe risk can be managed – business as usual;
Refresh your risk register with ability to move well controlled risks to BAU;
Ensure some form of ongoing oversight of control effectiveness; and
Always remember that risk is about uncertainty.
Visibility
Integrated data capture or not;
Complexity of organisation;
Maturity of risk management program;
Understanding of risk terminology;
Relativity of risk registers; and
Integration of risk registers to identify key risks.
Emerging risk
In isolation how is low and medium level risk managed;
What are the thresholds for escalation for an organisation;
How do you integrate emerging risk as a key risk consideration;
Who should be the “risk owner” of emerging risk; and
How do you treat emerging risk.
Innovation and opportunity
Constant review of your RM program provides endless opportunity;
Refresh your methodology – new ideas and new approaches;
Empower emerging leaders to own risk;
Question the value of reporting formats – what do decision makers really want; and
Never lose sight of what is risk – use it to reinforce and maintain relevance.
Governance Risk and Compliance
They should not exist in isolation;
Are integral to a successful control framework;
All have a key role to play in successful organisations;
Components are not more important than each other;
Focus may change dependent on organisational concerns; and
Well executed, provide the foundation for the three lines of defence.
Your 3 lines of defence
Board – Executive – Audit Committee
1st Business Operations: An established risk and control environment
2nd Oversight Functions: Strategic management, policy and procedure, functional oversight
3rd Independent Assurance: Provide independent challenge and assurance
First Level: Business Operations
Second Level: Oversight Functions
Third Level: Internal Audit, External Audit, Other Assurance Providers
Integration and your 3 lines of defence
How well established is your risk and control environment?
Is there clear direction from a strategic and operational perspective to ensure a clear basis for functional oversight?
Independent challenge is good – ensure that you take advantage of and use audit functions in a business improvement capacity;
Look at your governance arrangements – strategic direction comes from executive, policy / procedure should clearly reflect an operational slant and challenge and assurance keeps it all relative.
Emerging trends in managing risk
Clearly defining how you measure the effectiveness of the risk management function.
Risk assurance – your program is in place and appears to be working – who is validating?
Technology – single platform to manage whole of enterprise risk.
Using risk failure to identify business improvement processes.
Some lessons
Inclusive and informative policy for GRC functions;
Have in place frameworks which provide for input at all levels of an organisation;
Listen to all staff – they are the barometer;
Dictionary of risk language with clear and simple explanation;
Hold the program accountable and establish a clear and logical governance structure; and
Simplicity is the key to clear understanding of risk management.