
ISO Internal Auditors Workshop_Final Version


Page 1: ISO Internal Auditors Workshop_Final Version

Internal Auditors’ Workshop

“Audits as a Risk Management Tool”

A Presentation by Duncan O. Ogutu – Chief Risk Officer

Page 2: ISO Internal Auditors Workshop_Final Version

Your name;

Department/Function/Process and role; and

Expectations from the workshop


Page 3: ISO Internal Auditors Workshop_Final Version

Highly interactive session;

Global thinking with local application; and


Page 4: ISO Internal Auditors Workshop_Final Version

Vision: To be the market leader in the provision of reliable, safe, quality and competitively priced electric energy in the Eastern Africa region

Strategic pillars (target: +3000MW by 2018):

Capital Planning and Execution (CP1–CP3):

Effective delivery of current projects;

Geothermal expansion; and

Capital planning and execution processes.

Regulatory Management (RG1–RG3):

Improve single buyer model;

Steer deregulation process; and

Build a regulatory structure in KenGen’s organisation.

Operational Excellence (OP1–OP3):

Reduce operational and overhead costs;

Optimise maintenance practices; and

Improve operational processes and structure.

Organisational Health (organisational effectiveness from improved processes, structure and culture):

OG1 Performance management;

OG2 Promotion and succession planning;

OG3 Structure and Governance;

OG4 Annual planning and budget;

OG5 Innovation and continuous improvement; and

OG6.

Information Technology.

Page 5: ISO Internal Auditors Workshop_Final Version

Specific expected objectives:

• Clarity on risk and the risk management process;

• Clarity on the role of audit and the audit process;

• The link between audit and risk management;

• The auditor’s role in the risk management process; and

• Commitment towards a consistent risk consciousness.

Page 6: ISO Internal Auditors Workshop_Final Version

Diagram: Objectives – Internal Control (mitigation measures) – Risk Management.

Page 7: ISO Internal Auditors Workshop_Final Version

Overview of risk management; Risk Management Process

Overview of Audit

Audit vs Risk Management


Page 8: ISO Internal Auditors Workshop_Final Version

Overview of Risk Management


Page 9: ISO Internal Auditors Workshop_Final Version

© 2011 Deloitte & Touche

“The potential for loss or harm – or the diminished opportunity for gain – caused by factors that can adversely affect the achievement of a company’s objectives”

Page 10: ISO Internal Auditors Workshop_Final Version

Risk is the aggregate effect of uncertain events and outcomes on the achievement of objectives


Page 11: ISO Internal Auditors Workshop_Final Version

Objectives: A goal or end result that is to be achieved;

Uncertainty: Unknown, indefinite or unclear;

Events: A happening, inside or outside KenGen (natural or man-made);

Outcomes: Results of, and contingent upon, events (financial or not, tangible or not); and

Effects: Consequences of outcomes on the achievement of objectives (favourable or not).

Page 12: ISO Internal Auditors Workshop_Final Version

Diagram: Objective → Uncertain Events (Good / Bad) → Uncertain Outcomes (Desirable / Undesirable) → Uncertain Effects (Favorable / Unfavorable).

Page 13: ISO Internal Auditors Workshop_Final Version

© 2011 Deloitte & Touche

“Mechanism that creates stability in the organization by enabling the identification, prioritization, mitigation and measurement of the implications of each decision”

Page 14: ISO Internal Auditors Workshop_Final Version

Key elements of ERM include:

Adopting consistent and effective risk governance;

Standardizing the risk management process;

Aggregating and integrating a view of all risks; and

Relating risks to business objectives.


Page 15: ISO Internal Auditors Workshop_Final Version

Enterprise: A purposeful undertaking that requires boldness.

Risk: The potential for loss, harm or sub-optimization of gain.

Management: Directing and controlling people, entities and resources for the purpose of coordinating and harmonizing them towards accomplishing a goal, i.e., protect existing assets and create future growth.

Page 16: ISO Internal Auditors Workshop_Final Version

Diagram: Risk intelligence framework. Outer ring: External factors. Process cycle: Identify risks → Assess & measure risks → Respond to risks → Design & test controls → Sustain & continuously improve, alongside Develop & deploy strategies and Monitor, assure & escalate. Enablers: Governance, Process, Technology, People. Centre: Risk intelligence to create & preserve value.

Page 17: ISO Internal Auditors Workshop_Final Version

Introduction;

Before the Three Lines: Risk Management Oversight and Strategy-Setting;

The First Line of Defense: Operational/Process Management;

The Second Line of Defense: Risk Management and Compliance Functions;

The Third Line of Defense: Internal Audit, External Auditors, Regulators, and Other External Bodies; and

Coordinating the Three Lines of Defense.

Page 18: ISO Internal Auditors Workshop_Final Version

In twenty-first century businesses, it’s not uncommon to find diverse teams of internal auditors, enterprise risk management specialists, compliance officers, internal control specialists, quality inspectors/assessors, fraud investigators, and other risk and control professionals working together to help their organizations manage risk.

The Three Lines of Defense model distinguishes among three groups (or lines) involved in effective risk management:

• Functions that own and manage risks (1st Line);

• Functions that oversee risks (2nd Line); and

• Functions that provide independent assurance (3rd Line).

Page 19: ISO Internal Auditors Workshop_Final Version

Operational managers own and manage risks. They implement corrective actions to address process and control deficiencies.

They maintain effective internal controls and execute risk and control procedures on a day-to-day basis.

Operational management identifies, assesses, controls, and mitigates risks, guiding the development and implementation of internal policies and procedures.

They design and implement detailed procedures that serve as controls and supervise execution of those procedures by their employees.

Operational management serves as the first line of defense because controls are designed into systems and processes under its guidance.

There should be adequate managerial and supervisory controls in place to ensure compliance and to highlight control breakdowns, inadequate processes, and unexpected events.

Page 20: ISO Internal Auditors Workshop_Final Version

In a perfect world, only one line of defense would be needed to assure effective risk management. In the real world, however, a single line of defense often proves inadequate. Management establishes various risk management and compliance functions to help build and/or monitor the first-line-of-defense controls.

The responsibilities of these functions vary depending on their specific nature, but can include:

• Supporting management policies, defining roles and responsibilities, and setting goals for implementation.

• Providing risk management frameworks and identifying known and emerging issues.

• Identifying shifts in the organization’s implicit risk appetite.

Page 21: ISO Internal Auditors Workshop_Final Version

• Assisting management in developing processes and controls to manage risks and issues.

• Providing guidance and training on risk management processes.

• Facilitating and monitoring implementation of effective risk management practices by operational management.

• Alerting operational management to emerging issues and changing regulatory and risk scenarios.

• Monitoring the adequacy and effectiveness of internal control, accuracy and completeness of reporting, compliance with laws and regulations, and timely remediation of deficiencies.

Page 22: ISO Internal Auditors Workshop_Final Version

Internal auditors provide the governing body and senior management with comprehensive assurance based on the highest level of independence and objectivity within the organization. This high level of independence is not available in the second line of defense.

Internal audit provides assurance on the effectiveness of governance, risk management, and internal controls, including the manner in which the first and second lines of defense achieve risk management and control objectives.

The scope of this assurance, which is reported to senior management and to the governing body, usually covers:

Page 23: ISO Internal Auditors Workshop_Final Version

FIRST LINE OF DEFENSE: Risk Owners/Managers; operating management.

SECOND LINE OF DEFENSE: Risk Control/Compliance; limited independence; reports primarily to management.

THIRD LINE OF DEFENSE: Risk Assurance; internal audit; greater independence; reports to the governing body.


Page 27: ISO Internal Auditors Workshop_Final Version

The Risk Management Process


Page 28: ISO Internal Auditors Workshop_Final Version

At the end of the session the participant will understand how to:

Identify risk;

Measure risk;

Select a risk response;

Develop mitigating strategies;

Report on risk; and

Sustain the risk management process.

Page 29: ISO Internal Auditors Workshop_Final Version

Level 2 – Risk Management Capabilities


Page 30: ISO Internal Auditors Workshop_Final Version

Governance: Board roles and responsibilities, internal audit and risk management functions, tone at the top, risk management policies such as risk appetite and tolerance, the code of ethics, and delegation of authority.

People: This pillar focuses on management capabilities and related risks such as having the right number of people, with the right training and awareness.

Process: Includes core operational and infrastructure business processes necessary to run the business in an efficient manner, and create and protect value.

Technology: This pillar establishes capable systems to analyze and communicate risk information throughout the organization and enable risk intelligent decision-making and timely response.

Diagram: Risk intelligence framework (same cycle as on page 16), with external factors labelled Competition and Security Attacks. Process cycle: Identify risks → Assess & measure risks → Respond to risks → Design & test controls → Sustain & continuously improve, alongside Develop & deploy strategies and Monitor, assure & escalate. Enablers: Governance, Process, Technology, People. Centre: Risk intelligence to create & preserve value.

Page 31: ISO Internal Auditors Workshop_Final Version

Level 3 – Risk Management Steps


Page 32: ISO Internal Auditors Workshop_Final Version

Strategies to ensure:

Revenue growth sustained;

Asset efficiency maximised;

Operating margins managed; and

Stakeholder expectations met.

Strategic objectives need to be cascaded throughout the organization.

How is this being done at KenGen?

How does it tie in to the G2G Transformation Strategy?


Page 34: ISO Internal Auditors Workshop_Final Version

© 2011 Deloitte & Touche

• Internal and external risks that can compromise achievement of KenGen’s objectives.

• Risks to both future growth objectives and existing assets.

• Consider scenarios and chains of events rather than isolated incidents.

Page 35: ISO Internal Auditors Workshop_Final Version


KenGen risk categories:

Governance;

Strategy and planning;

Operations and infrastructure;

Finance;

Compliance; and

Reporting.


Page 37: ISO Internal Auditors Workshop_Final Version

Define the risk factors to be used as a basis for risk ranking:

Impact factors: financial, stakeholders, reputation, legal/regulatory, speed of onset;

Vulnerability factors: control effectiveness, speed of response, complexity, rate of change and external factors.

Impact and vulnerability can be assessed in terms of high, medium/moderate, and low.

Page 38: ISO Internal Auditors Workshop_Final Version

Risk is a function of impact and vulnerability, and the consideration of controls in place.

RISK = Impact x Likelihood

Consider the existing controls to mitigate the identified risks. Controls do not always completely eliminate the risks; therefore, the remaining risk after considering controls is referred to as Residual Risk.

Residual Risk = Impact x Vulnerability, where Vulnerability = (Likelihood – Controls)

Vulnerability: The extent to which an event is likely to occur considering the existing controls.

Impact: The effect that a risk will have on the organisation should it materialise.

Example

Inherent Risk: Lack of understanding of the system functionality resulting in inaccurate and incomplete reporting information.

Existing Controls:

• System training

• Qualified personnel

• User reference guide

• Helpdesk support

Residual Risk: Considering the controls, the likelihood of the risk occurring becomes low, thus the residual risk (vulnerability) rating is low.


Page 40: ISO Internal Auditors Workshop_Final Version

Avoid risk: Divest, prohibit, stop, screen or eliminate the risk event. Certain project activities may have too much associated risk, and as such a decision is taken not to enter into or continue with the activities.

Manage risk: Reduce the risk impact, the risk vulnerability or both in a cost-effective manner, so that the risk exposure is reduced.

Transfer risk: Reduce risk likelihood or impact by transferring or otherwise sharing a portion of the risk.

Accept risk: Risk mitigation or risk management resources are not allocated to the risk.

Page 41: ISO Internal Auditors Workshop_Final Version


Risk Category Risk Response

Very High Manage/Avoid/ Enhance Risk Mitigation

High Manage/Avoid/Enhance Risk Mitigation

Medium Transfer/ Monitor/ Measure for Cumulative Impact

Low Accept/ Retain/ Redeploy Resources
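The scoring on pages 37, 38 and 41 (RISK = Impact x Likelihood, Residual Risk = Impact x (Likelihood – Controls), then a response per residual category) worked through in code. This is an added example, not part of the deck; the numeric values behind the High/Medium/Low ratings, the control-effectiveness scale and the score-to-category bands are assumptions made here, and the two register entries are constructed.

```python
"""Risk scoring and response selection on the deck's High/Medium/Low scale.
Assumed: ratings map to 1..3, control effectiveness lowers likelihood by
0/1/2 steps (low/medium/high), and product scores are banded into
categories (all assumptions for illustration, not figures from the deck)."""
from dataclasses import dataclass, field

RATING = {"low": 1, "medium": 2, "high": 3}  # assumed ordinal values

# Risk response per residual-risk category (the page 41 table).
RESPONSE = {
    "very high": "Manage/Avoid/Enhance Risk Mitigation",
    "high": "Manage/Avoid/Enhance Risk Mitigation",
    "medium": "Transfer/Monitor/Measure for Cumulative Impact",
    "low": "Accept/Retain/Redeploy Resources",
}

@dataclass
class Risk:
    description: str
    impact: str                     # high / medium / low
    likelihood: str                 # likelihood before controls (inherent)
    controls: list = field(default_factory=list)
    control_effectiveness: str = "low"  # assumed: how far controls cut likelihood

def vulnerability(risk):
    """Likelihood net of controls; never drops below the lowest rating."""
    net = RATING[risk.likelihood] - (RATING[risk.control_effectiveness] - 1)
    return max(net, 1)

def inherent_score(risk):
    return RATING[risk.impact] * RATING[risk.likelihood]

def residual_score(risk):
    return RATING[risk.impact] * vulnerability(risk)

def category(score):
    """Assumed bands on the 1..9 product scale."""
    if score >= 9: return "very high"
    if score >= 6: return "high"
    if score >= 3: return "medium"
    return "low"

def assess(risk):
    res = residual_score(risk)
    cat = category(res)
    return {"inherent": inherent_score(risk), "residual": res,
            "category": cat, "response": RESPONSE[cat]}

# Constructed register: the deck's reporting example, plus a weakly controlled risk.
REGISTER = [
    Risk("Lack of understanding of system functionality -> inaccurate reporting",
         impact="medium", likelihood="high",
         controls=["System training", "Qualified personnel", "User reference guide",
                   "Helpdesk support"], control_effectiveness="high"),
    Risk("Security attack on plant systems (constructed)", impact="high",
         likelihood="medium", controls=["Perimeter firewall"], control_effectiveness="low"),
]
```

Weak controls leave vulnerability equal to the inherent likelihood, so the second entry stays in the Manage/Avoid band while the deck's reporting example drops to Accept/Retain.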
