
Canada Post

Page 1 | FMI November 24, 2016| Second Line of defence | Canada Post

Second Line of Defence - Internal Audit Reviews

A Pragmatic Approach

Page 2

The Three Lines of Defence Model: Its Origin

• Origin is unclear other than “line of defence” in military planning and sport.

• Gained prominence about a decade ago when adopted by the former UK Financial Services Authority.

• Became a preferred model for operational risk in the UK financial sector.

• Endorsed by the IIA and Institute of Directors (Jan 2013).

• There are many variations of what the model looks like and what each line represents.

*Sources: Mitchell Morley. Understanding the Three Lines of Defence. http://www.inconsult.com.au/understanding-the-three-lines-of-defence/; Institute of Internal Auditors. Governance of Risk: Three Lines of Defence. https://www.iia.org.uk/threelines

Page 3

The Three Lines of Defence (‘LOD’) Model: What is it?

• Model: Simplify complex functions and relationships; rarely perfect; tailor to context.

• LOD proposes a collaborative relationship between functions that manage risk; multi-pronged, yet integrated.

• Generally defined as:

  • First line – functions that own and manage risks (operational management).

  • Second line – functions that oversee or specialise in risk management and compliance.

  • Third line – functions that provide independent assurance.

*Sources: Mitchell Morley. Understanding the Three Lines of Defence. http://www.inconsult.com.au/understanding-the-three-lines-of-defence/; Institute of Internal Auditors. Governance of Risk: Three Lines of Defence. https://www.iia.org.uk/threelines

Page 4

IIA 2013 Position Paper – Effective Risk Management

[Diagram from the IIA Position Paper, Jan 2013. Labels: Management: Risk owners (first line); Some Independence (second line); Greater Independence (third line)]

Page 5

Additional IIA Guidance

• For critical second line functions, the CAE (Chief Audit Executive) must evaluate effectiveness. The scope of the evaluation is driven by risk and/or the extent of reliance to be placed.

• The CAE may identify gaps, conflicts, or duplication of efforts and should work with stakeholders to recommend enhancements.

• Outcomes may include collaboration between areas to reduce overlap and segregation of responsibilities to properly maintain independence and objectivity.

• Second lines are subject to internal audit activity and should therefore be included as part of the audit universe.

Page 6

The Three Lines of Defence Model: The Challenge

Define and assign specific roles & responsibilities to:

• Coordinate effectively and efficiently among the groups.

• Aim for neither gaps nor unnecessary duplications of coverage.

• Ensure understanding by each group of the boundaries of their responsibilities and how their positions fit into the organization’s overall risk and control structure.

[Diagram: 1st Line, 2nd Line, 3rd Line, Internal Auditor]

Page 7

Internal Audit’s Tailored Approach

Page 8

7 Step Approach .... in Progress

1. Review relevant guidance.

2. Socialize the model.

3. Create risk coverage map.

4. Validate with executive management.

5. Conduct reviews of critical second lines.

6. Align with ERM.

7. Develop scorecard and recommendations.

Page 9

Step 1: Review Relevant Guidance

• IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Control.

• Ernst & Young. Maximizing Value from Your Lines of Defense: A Pragmatic Approach to Establishing and Optimizing Your LOD Model.

• International Professional Practices Framework – Supplemental Guidance Practice Guide.

Page 10

Effective LOD starts with a solid foundation .... we needed to tailor ....

• Clear definition of risk appetite from the Board and executive management.

• Standard language for identifying, evaluating, measuring and reporting risk.

• Standardized ERM process, risk register linked to business objectives and value drivers.

• Risk owners assigned to each risk.

• Responsibility for coordinating and reporting all risk, control and assurance activities assigned to one function.

Page 11

Step 2: Socialized the model

• Simplicity of the model is its best attribute.

• Shared this 1 page picture with ~ 20 senior executives and Audit Committee.

• Understood in 5 minutes; recognized value in coordinating.

Questions about second lines:

• How do you define them?

• What risks do they mitigate?

• How do they do their work?

• Are they coordinated?

• What are they accountable for?

Page 12

First Line

• All functions responsible for:

  • Identifying, assessing, controlling and managing risks – risk owners.

  • Design and operation of controls to mitigate risks.

  • Certification of the design and effectiveness of the internal controls over financial reporting.

Page 13

Second Line

• IIA: Second line consists of separately established risk, control, and compliance oversight functions that ensure properly designed processes and controls are in place within the first line and are operating effectively.

• Identify type of key activity performed by each function:

  • control testing,

  • key performance indicators/scorecards,

  • monitoring & reporting,

  • audits,

  • continuous improvement.

• Identify and validate the resource levels being committed to these functions.

• Identify the risks that each second line function mitigates.

Page 14

Second Line

• Examples of Canada Post Finance first and second lines of defence:

  • First lines of defence:

    • Pension services,

    • Customer billing collection,

    • Corporate Treasurer.

  • Second lines of defence:

    • ICFR oversight,

    • Finance - Enterprise Transformation – Finance Decision Support and Corporate Investment involved in the gating process,

    • Corporate budget,

    • Sourcing management.

Page 15

Third Line

• Internal Audit,

• External auditors,

• Regulators.

Page 16

Step 3: Create a Risk Coverage Map

[Figure: sample risk coverage map]

Source: Ernst & Young. Maximizing Value from Your Lines of Defense: A Pragmatic Approach to Establishing and Optimizing Your LOD Model

Page 17

Step 3: Create a Risk Coverage Map

Columns of the map – second line of defence functions:

• Finance: ICFR Oversight; Sourcing.

• Corporate Services: Health and Safety; Capital Investment; Legal.

Rows of the map – risk statements (“There is a risk that: …”), with the coverage figures shown on the slide:

• There is a material misstatement in the financial statements or other external financial reporting. (3)

• Financial resources are not managed effectively. (20, 7)

• Health and safety of employees is not protected. (25)

• The Corporation is not in compliance with regulations. (no figure shown)

• Legal rights and obligations are not clear, well understood, enforced or properly allocated, resulting in legal and business consequences. (20)

Illustrative Only

Page 18

Step 4: Validate with Executive Management

• Meet with the Management Executive Committee and Debrief Audit Committee:

  • Present and validate the three lines of defence model and risk grid with Management.

  • Present the three lines of defence model and risk grid in “First 100 Days Report” with Audit Committee.

  • Discuss the role of Internal Audit in providing assurance in the effectiveness of the first and second lines of defence.

• Feedback:

  • Had not looked at second lines as being part of a broader system.

  • See value in coordination and maximizing value of full system.

  • Would like to be more precise about accountabilities of each second line.

  • LOD vocabulary now being used in Executive meetings.

Page 19

Step 5: Conduct Reviews of Critical Second Lines

• Inherent “fuzziness” in responsibility, authority and accountability between first and second lines.

• Value add for Management - reduction of the “grey area” between first and second lines.

• Leverage the monitoring, reporting and control testing already being done in the organization.

• IA can either place reliance on the second line’s work or conclude that, given the risk, coverage by the second line is sufficient.

• Increased focus on areas of high risk for IA.

• Avoid duplication and improve coordination.

Page 20

Internal Auditor Definitions

Responsibility – the obligation to perform.

Authority – the right to direct and exact performance from others, including the right to prescribe the means and methods by which the work will be done.

Accountability – the duty to report on performance to one’s superior and substantiate it.

Page 21

Review Approach - The CoCo Model of Internal Control (CICA)

[Diagram: Action at the centre, surrounded by Responsibility, Authority and Accountability]

A team performs tasks, guided by an understanding of their purpose and supported by capability. The team will need a sense of commitment and alignment to perform the tasks well over time. The team monitors their performance and the environment to learn about how to do the task better and about changes to be made.

For CPC context, selected the CoCo framework of internal control.

Page 22

CoCo – CICA’s Criteria of Control Framework, 1995

• Emphasizes that control involves the entire organization but begins on an individual level, with the employee.

• Three Lines of Defence is predominantly about how specific risk management duties should be assigned and coordinated.

• Includes 20 criteria for effective control in four areas of an organization.

• Those elements of an organization (including its resources, systems, processes, culture, structure, and tasks) that, taken together, support people in the achievement of the organization’s objectives.

• Thought by some to be more concrete and user-friendly.

• Describes internal control as actions that foster the best result for an organization.

Page 23

Our Approach – Voting Workshops to Facilitate Relevant Discussion

Voting scale: 1 Strongly Agree, 2 Agree, 3 Undecided, 4 Disagree, 5 Strongly Disagree.

Sample statements voted on:

• Our mandate and objectives are properly communicated, clear and well understood by our [second line team].

• Our mandate and objectives are properly communicated, clear and well understood by [first line].

Followed up by "How do we know?" to trigger identification and discussion of the control processes.

Page 24

The Assessment Process: Quantitative to Qualitative

• Review of the critical second lines.

• Separate workshops with first and second line.

• An analysis and summary of the results is completed.

• Key themes are developed based on survey results and discussion – focused at a minimum on responsibility, authority, accountability.

[Diagram labels: External Assessment; Internal Assessment; First line of defence; Second line of defence]

Page 25

Step 6: Align with ERM - Risk Impact Scale

[Matrix: impact levels Extreme, High, Medium and Low against the Financial, Operational and Reputational categories]

• Internal Audit piloted a more defined risk impact scale for risks at the Enterprise-level.

• As second line functions are in place to mitigate risks, it is important that their thresholds do not exceed those at the enterprise-level.

• Requires discussion with the Executive Team in order to manage expectations.

• Define and align escalation procedures accordingly.

Page 26

Risk Impact Scale – Financial

Columns: Enterprise-Level | Second Line (Legal example) | Escalate to

• Extreme: Revenue decline of more than $100M | Legal claims filed which have a reasonable probability of success; settlement or proceedings cost greater than $10M | TBD

• High: Revenue decline between $50M and $100M | Legal claims filed which may have merit; settlement or cost of proceedings between $500K and $10M | TBD

• Medium: Revenue decline between $20M and $50M | Legal claims filed without merit but nuisance value settlement recommended between $100K and $500K | TBD

• Low: Revenue decline of less than $20M | Legal claims filed without merit | TBD

Illustrative Only

Page 27

Risk Impact Scale – Reputation

Columns: Enterprise-Level | Second Line (Compliance example) | Escalate to

• Extreme: Regulator assigns Corporate or Director/Officer fines or penalties for practices and substantially limits Management’s ability to run the business | TBD | TBD

• High: Regulator gives warning, directive, or summons about practices and imposes specific actions or some restrictions on running the business | TBD | TBD

• Medium: Regulator documents concerns about practices and imposes new reporting requirements | TBD | TBD

• Low: Regulator informally expresses concerns about practices but with no present intent to enforce | TBD | TBD

Illustrative Only

Page 28

Step 7: Develop Scorecard and Recommendations

• Where opportunities for improvement are identified, these will be provided to the Senior Executive accountable for the second line.

• Where significant gaps have been identified, further work may be required to provide assurance, recommendations and action plans to be followed up.

• Anticipate a scorecard approach for summarizing results across all second line of defence reviews.

• Overall objective is strong coordination, effective field coverage and collective understanding of how positions fit into the organization’s overall risk and control structure.