Canada Post
Page 1 | FMI November 24, 2016| Second Line of defence | Canada Post
Second Line of Defence - Internal Audit Reviews
A Pragmatic Approach
The Three Lines of Defence Model: Its Origin
• Origin is unclear other than “line of defence” in military planning and sport.
• Gained prominence about a decade ago when adopted by the former UK Financial Services Authority.
• Became a preferred model for operational risk in the UK financial sector.
• Endorsed by the IIA and Institute of Directors (Jan 2013).
• There are many variations of what the model looks like and what each line represents.
*Sources: Mitchell Morley. Understanding the Three Lines of Defence. http://www.inconsult.com.au/understanding-the-three-lines-of-defence/; Institute of Internal Auditors. Governance of Risk: Three Lines of Defence. https://www.iia.org.uk/threelines
The Three Lines of Defence (‘LOD’) Model: What is it?
• Model: Simplify complex functions and relationships; rarely perfect; tailor to context.
• LOD proposes a collaborative relationship between functions that manage risk; multi-pronged, yet integrated.
• Generally defined as:
  • First line – functions that own and manage risks (operational management).
  • Second line – functions that oversee or specialise in risk management and compliance.
  • Third line – functions that provide independent assurance.
*Sources: Mitchell Morley. Understanding the Three Lines of Defence. http://www.inconsult.com.au/understanding-the-three-lines-of-defence/; Institute of Internal Auditors. Governance of Risk: Three Lines of Defence. https://www.iia.org.uk/threelines
IIA 2013 Position Paper – Effective Risk Management
(Figure: the three lines shown left to right with increasing independence – Management: risk owners; Some independence; Greater independence.)
Source: IIA Position Paper, Jan 2013
Additional IIA Guidance
• For critical second line functions, the CAE (Chief Audit Executive) must evaluate effectiveness. Scope of evaluation is driven by risk and/or the extent of reliance to be placed.
• The CAE may identify gaps, conflicts, or duplication of efforts and should work with stakeholders to recommend enhancements.
• Outcomes may include collaboration between areas to reduce overlap and segregation of responsibilities to properly maintain independence and objectivity.
• Second lines are subject to internal audit activity and should therefore be included as part of the audit universe.
The Three Lines of Defence Model: The Challenge
Define and assign specific roles & responsibilities to:
• Coordinate effectively and efficiently among the groups.
• Aim for neither gaps nor unnecessary duplications of coverage.
• Ensure understanding by each group of the boundaries of their responsibilities and how their positions fit into the organization’s overall risk and control structure.
(Figure: 1st Line, 2nd Line, 3rd Line; Internal Auditor.)
Internal Audit’s Tailored Approach
7 Step Approach .... in Progress
1. Review relevant guidance.
2. Socialize the model.
3. Create risk coverage map.
4. Validate with executive management.
5. Conduct reviews of critical second lines.
6. Align with ERM.
7. Develop scorecard and recommendations.
Step 1: Review Relevant Guidance
• IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Control.
• Ernst & Young. Maximizing Value from Your Lines of Defense: A Pragmatic Approach to Establishing and Optimizing Your LOD Model.
• International Professional Practices Framework – Supplemental Guidance Practice Guide.
Effective LOD starts with a solid foundation .... we needed to tailor ....
• Clear definition of risk appetite from the Board and executive management.
• Standard language for identifying, evaluating, measuring and reporting risk.
• Standardized ERM process, risk register linked to business objectives and value drivers.
• Risk owners assigned to each risk.
• Responsibility for coordinating and reporting all risk, control and assurance activities assigned to one function.
Step 2: Socialized the model
• Simplicity of the model is its best attribute.
• Shared this 1-page picture with ~20 senior executives and the Audit Committee.
• Understood in 5 minutes; recognized value in coordinating.
Questions about second lines:
• How do you define them?
• What risks do they mitigate?
• How do they do their work?
• Are they coordinated?
• What are they accountable for?
First Line
• All functions responsible for:
  • Identifying, assessing, controlling and managing risks – risk owners.
  • Design and operation of controls to mitigate risks.
  • Certification of the design and effectiveness of the internal controls over financial reporting.
Second Line
• IIA: Second line consists of separately established risk, control, and compliance oversight functions that ensure properly designed processes and controls are in place within the first line and are operating effectively.
• Identify the type of key activity performed by each function:
  • control testing,
  • key performance indicators/scorecards,
  • monitoring & reporting,
  • audits,
  • continuous improvement.
• Identify and validate the resource levels being committed to these functions.
• Identify the risks that each second line function mitigates.
Second Line
• Examples of Canada Post Finance first and second lines of defence:
  • First lines of defence: Pension services; Customer billing collection; Corporate Treasurer.
  • Second lines of defence: ICFR oversight; Finance – Enterprise Transformation – Finance Decision Support and Corporate Investment involved in the gating process; Corporate budget; Sourcing management.
Third Line
• Internal Audit,
• External auditors,
• Regulators.
Step 3: Create a Risk Coverage Map
(Figure: example risk coverage map.)
Source: Ernst & Young. Maximizing Value from Your Lines of Defense: A Pragmatic Approach to Establishing and Optimizing Your LOD Model
Step 3: Create a Risk Coverage Map
Grid columns – Second Line of Defence: Finance (ICFR Oversight; Sourcing) and Corporate Services (Health and Safety; Capital Investment; Legal). Values below are the cell entries as shown in the original grid.
There is a risk that:
• There is a material misstatement in the financial statements or other external financial reporting. – 3
• Financial resources are not managed effectively. – 20, 7
• Health and safety of employees is not protected. – 25
• The Corporation is not in compliance with regulations. – (no entry)
• Legal rights and obligations are not clear, well understood, enforced or properly allocated, resulting in legal and business consequences. – 20
Illustrative Only
Step 4: Validate with Executive Management
• Meet with the Management Executive Committee and debrief the Audit Committee:
  • Present and validate the three lines of defence model and risk grid with Management.
  • Present the three lines of defence model and risk grid in the “First 100 Days Report” with the Audit Committee.
  • Discuss the role of Internal Audit in providing assurance on the effectiveness of the first and second lines of defence.
• Feedback:
  • Had not looked at second lines as being part of a broader system.
  • See value in coordination and maximizing value of the full system.
  • Would like to be more precise about accountabilities of each second line.
  • LOD vocabulary now being used in Executive meetings.
Step 5: Conduct Reviews of Critical Second Lines
• Inherent “fuzziness” in responsibility, authority and accountability between first and second lines.
• Value add for Management - reduction of the “grey area” between first and second lines.
• Leverage the monitoring, reporting and control testing already being done in the organization.
• IA can either place reliance or may conclude that, given the risk, coverage by the second line is sufficient.
• Increased focus on areas of high risk for IA.
• Avoid duplication and improve coordination.
Internal Auditor Definitions
Responsibility – the obligation to perform.
Authority – the right to direct and exact performance from others, including the right to prescribe the means and methods by which the work will be done.
Accountability - the duty to report on performance to one’s superior and substantiate it.
Review Approach - The CoCo Model of Internal Control (CICA)
For CPC context, selected the CoCo framework of internal control.
(Figure: CoCo model diagram centred on Action, overlaid with Responsibility, Authority and Accountability.)
Action: A team performs tasks, guided by an understanding of their purpose and supported by capability. The team will need a sense of commitment and alignment to perform the tasks well over time. The team monitors their performance and the environment to learn about how to do the task better and about changes to be made.
CoCo – CICA’s Criteria of Control Framework, 1995
• Emphasizes that control involves the entire organization but begins on an individual level, with the employee.
• Three Lines of Defence is predominantly about how specific risk management duties should be assigned and coordinated.
• Includes 20 criteria for effective control in four areas of an organization.
• Those elements of an organization (including its resources, systems, processes, culture, structure, and tasks) that, taken together, support people in the achievement of the organization’s objectives.
• Thought by some to be more concrete and user-friendly.
• Describes internal control as actions that foster the best result for an organization.
Our Approach – Voting Workshops to Facilitate Relevant Discussion
Voting scale: 1 Strongly Agree | 2 Agree | 3 Undecided | 4 Disagree | 5 Strongly Disagree
• Our mandate and objectives are properly communicated, clear and well understood by our [second line team].
• Our mandate and objectives are properly communicated, clear and well understood by [first line].
Followed up by "How do we know?" to trigger identification and discussion of the control processes.
The Assessment Process: Quantitative to Qualitative
• Review of the critical second lines.
• Separate workshops with first and second line.
• An analysis and summary of the results is completed.
• Key themes are developed based on survey results and discussion – focused at a minimum on responsibility, authority, accountability.
(Figure labels: External Assessment; Internal Assessment; First line of defence; Second line of defence.)
Step 6: Align with ERM - Risk Impact Scale
(Figure: impact grid with columns Financial, Operational, Reputational and rows Extreme, High, Medium, Low.)
• Internal Audit piloted a more defined risk impact scale for risks at the Enterprise level.
• As second line functions are in place to mitigate risks, it is important that their thresholds do not exceed those at the enterprise level.
• Requires discussion with the Executive Team in order to manage expectations.
• Define and align escalation procedures accordingly.
Risk Impact Scale – Financial
Columns: Enterprise-Level | Second Line (Legal ex.) | Escalate to:
Extreme: Enterprise-Level – Revenue decline of more than $100M. Second Line (Legal ex.) – Legal claims filed which have a reasonable probability of success; settlement or proceedings cost greater than $10M. Escalate to: TBD.
High: Enterprise-Level – Revenue decline between $50M and $100M. Second Line (Legal ex.) – Legal claims filed which may have merit; settlement or cost of proceedings between $500k and $10M. Escalate to: TBD.
Medium: Enterprise-Level – Revenue decline between $20M and $50M. Second Line (Legal ex.) – Legal claims filed without merit but nuisance value settlement recommended between $100k and $500k. Escalate to: TBD.
Low: Enterprise-Level – Revenue decline of less than $20M. Second Line (Legal ex.) – Legal claims filed without merit. Escalate to: TBD.
Illustrative Only
Risk Impact Scale – Reputation
Columns: Enterprise-Level | Second Line (Compliance ex.) | Escalate to:
Extreme: Enterprise-Level – Regulator assigns Corporate or Director/Officer fines or penalties for practices and substantially limits Management’s ability to run the business. Second Line (Compliance ex.): TBD. Escalate to: TBD.
High: Enterprise-Level – Regulator gives warning, directive, or summons about practices and imposes specific actions or some restrictions on running the business. Second Line (Compliance ex.): TBD. Escalate to: TBD.
Medium: Enterprise-Level – Regulator documents concerns about practices and imposes new reporting requirements. Second Line (Compliance ex.): TBD. Escalate to: TBD.
Low: Enterprise-Level – Regulator informally expresses concerns about practices but with no present intent to enforce. Second Line (Compliance ex.): TBD. Escalate to: TBD.
Illustrative Only
Step 7: Develop Scorecard and Recommendations
• Where opportunities for improvement are identified, these will be provided to the Senior Executive accountable for the second line.
• Where significant gaps have been identified, further work may be required to provide assurance, recommendations and action plans to be followed up.
• Anticipate a scorecard approach for summarizing results across all second line of defence reviews.
• Overall objective is strong coordination, effective field coverage and collective understanding of how positions fit into the organization’s overall risk and control structure.