ICPAK INTERNAL AUDIT CONFERENCE: INTERNAL AUDIT & RISK ENVIRONMENTS

Presentation by: KIMEU, Jones Musyoki. Mombasa Continental Beach Resort, Wednesday 20th August, 2014.


Presentation Transcript


  1. ICPAK INTERNAL AUDIT CONFERENCE INTERNAL AUDIT & RISK ENVIRONMENTS Presentation by: KIMEU, Jones Musyoki Mombasa Continental Beach Resort Wednesday 20th August, 2014

  2. Introduction Background • MBA (For Executives) • BCom. (Hons) • CPAK • CISA • FCCA • Over 15 years' experience in Risk Management, Audit, and Consultancy in risk, internal controls, IT audits and Corporate Governance. KIMEU, Jones Musyoki +254 722 607157 Jones_kimeu@yahoo.com

  3. CONTENT • Introduction • The Context • Internal and external risk environments • Factors affecting a firm's risk appetite and tolerance • Integrated risk management

  4. INTRODUCTION • "The possibility that an event will occur and adversely affect the achievement of objectives" – Committee of Sponsoring Organizations (COSO) Enterprise Risk Management Framework • "The chance of something happening that will have an impact upon objectives" – AS/NZS 4360:1999, Risk Management • Events that may have a positive impact represent opportunities

  5. INTRODUCTION • Risks can be defined as real or potential events which reduce the likelihood of achieving strategic and operational objectives • Risk identification is the process of determining risks that could potentially prevent the program, enterprise, or investment from achieving its objectives. It includes documenting and communicating the concern.

  6. CONTEXT: In today's world, change and uncertainty are constants... • Dynamic IT industry • Security of confidential information • Reputation • All risk types • Transparency & accountability • Fire • Bad press reports • Labour strikes

  7. LANDSCAPE OF EMERGING RISKS • Cloning • Deteriorating safety standards • Ageing infrastructures • Tele-medicine • Endocrine disruptors • Stress at work • Media risks • Food contaminants • Contingent business interruption • Dirty bombs • Cyber risks • Indoor pollution • Alcohol • Implants • Toxic mold • Spread of diseases (EBOLA) • RSI • Drinking water quality • Mega tsunami • Space weather • Intercontinental data transmission • Resistance to antibiotics • Botox • CO2 trading • Electrosmog • Business ethics • Loss of reputation • Invasion of privacy • Off-shore & internet markets • Power system break • Customised drugs • Organised crime • Privatisation • Caldera eruption • Pervasive computing • Nanotechnology • Bogus parts

  8. CONTEXT • People – fraud, vandalism, human error, strikes, miscommunication, riots, etc. • Systems – machine breakdown, internal control deficiencies, obsolescence, etc. • External factors – suppliers, customers, natural perils (earthquakes, floods), etc.

  9. ROLE OF INTERNAL AUDIT • Independent appraisal of the policies, processes, and controls relating to the risk management framework, and reporting to all levels of management • The role of Internal Audit in Risk Management is important, but one that can also present significant challenges (source: IIA)

  10. IIA

  11. ROLE OF AUDIT AS A CATALYST Risk based surveys

  12. BEST PRACTICE – Risk Based Internal Audits (RBIA)

  13. RISK UNIVERSE: INTERNAL AND EXTERNAL RISKS

  14. RISK UNIVERSE Definition: All risk types and categories across all business lines, functions, geographical locations and legal entities that could affect an organization.

  15. ESTABLISH THE CONTEXT External Environment

  16. RISK UNIVERSE (Cont.)

  17. RISK UNIVERSE (Cont.) A company focused on ERM constantly assesses risk factors to ensure they reflect business realities – both quantifiable and non-quantifiable risks, financial and non-financial risks. [Figure: risk universe matrix. Risk categories shown: Operational, Environmental, Business & Strategic, Liquidity, Market, Health, Reputational. Sub-risks shown include: law changes, corporate funding, people, market factor sensitivity, contagion risk, industry changes, non-compliance, unethical behaviour, process, volume risk, collateral requirements, chronic diseases, risk framework, demand changes, financial reporting, crisis management, market liquidity, environmental impact, pandemics, contingency funding, system, quality of health care, investment performance, environmental positioning, association risk, political risk, external.] Framework definitions: • Risk of unsuccessful performance due to potential threats, actions or events adversely affecting the organization's ability to achieve objectives • Potential negative publicity regarding business practice, regardless of validity • Risk of loss and associated harm due to the company's interaction with the environment • Risk of failure of market intermediaries • Risk of loss from inadequate or failed internal processes, people, financial reporting, systems or external events • Ability to generate/obtain sufficient cash in a timely manner to meet demands as they arise • Potential loss arising from adverse movements in external market variables

  18. RISKS AT 3 LEVELS 1. Strategic/Corporate Level Risk – strategic alignment, governance, culture, funding, etc. 2. Business Level – organization (structure / segregation of duties), infrastructure, competence, staff attitudes, etc. 3. Transaction Level – P2P, treasury management, financial reporting, etc.

  19. STRATEGIC /CORPORATE RISKS • Organization structure • Resource Allocation • Governance • Reputation

  20. STRATEGIC RISKS (Cont.) Organization structure • Organization charts and reporting lines • Authority and Responsibility • Segregation of duties (SOD)

  21. STRATEGIC RISKS (Cont.) Resource Allocation • Budgeting and planning • Goal /Objective setting • Timelines • Metrics & Measurement

  22. STRATEGIC RISKS (Cont.) Governance • Culture • Ethical behavior • Board effectiveness • Succession planning • Tone at the top

  23. STRATEGIC RISKS (Cont.) Reputation • Image and Branding • Stakeholder Relations

  24. FINANCE RISK • Finance/Budget Management • Financial Reporting • Internal Controls • Accounting

  25. FINANCE RISK (Cont.) Finance/Budget Management • Cash forecast • Liquidity • Cash flow Management • Analytics Financial Reporting • Financial Statement close process

  26. FINANCE RISK (Cont.) Internal Controls • Transaction management (Initiation, approval, recording and custody) Accounting • Application of accounting regulations, rules and procedures

  27. OPERATIONAL RISK • Infrastructure • People • Process • Technology

  28. OPERATIONAL RISK (Cont.) Infrastructure • Capability • Office Space • Assets • Tools • Physical Security • Business Continuity

  29. OPERATIONAL RISK (Cont.) People • Leadership – board /management expertise • HR – responsibility & accountability • Health & Safety • Risk-reward alignment • Performance Management • Empowerment • Mindset • Buy-in--consensus • Balance between revenue driven and control driven • Competitor pressure • Communication • Sustaining vigilance

  30. OPERATIONAL RISKS - PEOPLE People Risk supports or undermines strategy: • alignment (or misalignment) of attitude and goals • strong ERM • staying within risk appetite • scandals and collapses

  31. OPERATIONAL RISK (Cont.) Process • Fraud • Policies and Procedures • Outsourcing • Third Party Fraud • Business processes

  32. OPERATIONAL RISK (Cont.) Technology • Integrity • Accuracy • Availability /Timeliness • Relevance • Restricted Access

  33. COMPLIANCE RISKS • Regulatory risks • Contractual commitments (contract) • Policies and procedures • Code of Business Conduct

  34. ENVIRONMENTAL RISKS • Economic: such as donor support, skilled labour supply, forex fluctuations • Natural Environment: • Political: will, priorities & political stability • Social: demographics, attitudes, tastes and preferences • Technological (IT Risk): e.g. innovations

  35. TECHNOLOGICAL (IT) RISKS

  36. TEAM EXERCISE • Identify common risks affecting your organization and your industry • Classify these risks - strategic, business, operational

  37. FACTORS AFFECTING A FIRM'S RISK APPETITE AND TOLERANCE

  38. RISK APPETITE Definition: Risk appetite can be defined as the amount of risk, on a broad level, that an organization is willing to take on in pursuit of value. In other words, the total impact of risk an organization is prepared to accept in the pursuit of its strategic objectives. • It goes to the heart of an organization: how it does business and how it is perceived by stakeholders (employees, customers, regulators, rating agencies, etc.).

  39. RISK APPETITE The following factors influence the risk appetite of an organization: • The external environment • People • Business systems and policies NB/ Risk appetites vary from organization to organization, and between business units and risk types {for instance, a bank's lending to a mature market will differ from its lending to an emerging market}.

  40. RISK APPETITE • From another perspective, smaller losses incurred as a consequence of fraudulent activity (such as cybercrime) can have a more adverse impact on a bank's reputation than much higher lending losses incurred in the normal course of business. • Consequently, financial institutions set a much lower risk appetite for fraudulent or unethical practices which could damage reputation.

  41. RISK APPETITE Ways to measure risk appetite: • Simple qualitative measures {reputational, management effort and regulatory compliance}, such as defining risk categories and setting target levels • Based on the above, develop more complex quantitative models of economic capital and earnings volatility {capital adequacy, target debt rating, earnings volatility, credit rating, etc.} Conclusion: risk appetite provides a cornerstone for the organization's Risk Management framework

  42. RISK APPETITE - CHARACTERISTICS A well-defined risk appetite should have the following characteristics: 1. Reflective of strategy, including objectives, business plans and stakeholder expectations 2. Reflective of all aspects of the business 3. Acknowledges a willingness and capacity to take on risks 4. Is documented as a formal risk appetite statement

  43. RISK APPETITE - CHARACTERISTICS (Cont.) 5. Considers the skills, resources and technology required to monitor and manage the risk exposure in the context of risk appetite 6. Is inclusive of a tolerance for loss or negative events that can be reasonably quantified 7. Is periodically reviewed and reconsidered with reference to evolving industry and market conditions 8. Has been approved by the board

  44. RISK APPETITE RATING (Example)

  45. RISK TOLERANCE Definition: Risk tolerance is: • The degree of variability in investment returns that an individual is willing to withstand. • An important component in investing. • An individual should have a realistic understanding of his or her ability and willingness to stomach large swings in the value of his or her investments. • Investors who take on too much risk may panic and sell at the wrong time.

  46. RISK TOLERANCE - Cont. The factors affecting risk tolerance (assessed using risk tolerance questionnaires) include: • Reviewing worst-case historical returns for different asset classes, in order to get an idea of how much money one would feel comfortable losing if his or her investments have a bad year or a bad series of years. • The time horizon that one has to invest, and future earning capacity. • The presence of other assets such as a home, pension, social security or inheritance {in general, one can take greater risk with investable assets when there are other, more stable sources of funds available}.

  47. RISK TOLERANCE • Your investment time frame: the cliché is what we'll refer to as 'age-based' investment risk tolerance. When will the capital be needed? If the time horizon is relatively short, risk tolerance should shift to be more conservative. • Your risk capital: money available to invest or trade that will not affect your lifestyle if lost (liquid capital). • Your investment experience: aim to get some experience under your belt before committing too much capital. Always remember the old cliché and strive for preservation of capital.

  48. RISK TOLERANCE • Your investment objectives: if you are saving for your retirement, how much risk do you really want to take with those funds? • The actual investment you are considering: different investments carry different levels of risk. All investments involve a degree of risk and returns can never be guaranteed, so it is important to choose investments that suit your circumstances.

  49. RISK TOLERANCE Illustration of a range of investment types and their associated risks

  50. INTEGRATION: RISK LANGUAGE & CULTURE
