The audit committee and risk management




Audit Committee Institute, sponsored by KPMG

Is the board of directors adequately overseeing management's process for identifying and monitoring key business risks? What risks has the company accepted, and through what process are they being managed? Is Enterprise Risk Management (ERM) being used to manage the company's key business risks and opportunities with the intent of maximising shareholder value?

Introduction

"Risk in itself is not bad. What is bad is risk that is mismanaged, misunderstood, mispriced, or unintended."
Suzanne Labarge, Chief Risk Officer, Royal Bank of Canada

As business leaders seek new ways to build shareholder value, they are discovering a connection between value management and risk management. ERM has emerged as one of the important means of identifying the critical risks faced by an organisation in the realms of strategy, finance, reputation, human capital, marketing, operations, information technology and commerce. The ERM process manages and optimises the risk portfolio so that financial rewards are realised.

Enterprise risk management is not an obligation created merely for governance purposes. Business risks that are not managed have clear consequences for a company, such as erosion of shareholder wealth, threats to the success and sustainability of the company, and exposure to the financial consequences of unexpected events. ERM provides business with tools and methodologies for monitoring the processes in place to identify the key risks facing an organisation, ensuring that those risks are being managed, and reporting the organisation's risk management activities to stakeholders.

Emerging ERM model

Early models of risk management saw the discipline as a disparate set of specialist functions such as treasury, insurance, loss prevention, safety management and internal audit. The new models are clearly linked to an organisation's business strategy, encompassing an organisation's vision, mission and objectives; its process for defining operational imperatives; and its philosophies, policies, plans and initiatives for growth and development. Emerging models, such as the one outlined below, can provide an organisation with new action steps it may use to enhance business decision-making and, potentially, shareholder value.

The emerging models of ERM view the function as an integrated and holistic process. All parts of the business entity are subjected to the processes of risk identification, assessment and control. All manner of risks that could threaten the objectives of the organisation are considered. The reporting and measurement of risk is undertaken using common tools and methodologies, no matter what type of risk is under the microscope of the board and its executive team. Risk management is viewed as a dynamic process that recognises the fluid nature of risk in the modern business environment. Although an organisation's own ERM processes will evolve in a unique way over time, there are a number of recognised practices that the audit committee should expect to see in any corporate risk management process.

The audit committee and risk management

Although the ultimate accountability for risk management performance remains with the board of directors, boards are increasingly looking to board committees to provide assurance regarding the status of the organisation's risk management processes. For those organisations that have a complex and high-risk profile, it would be prudent to constitute a board risk committee for oversight of ERM. Many organisations elect to use their audit committee to provide assurance to the board that risk management processes are active, credible and effective. In view of the varying degrees to which the board may assign authority to the audit committee for risk management, it is important that there is a clear and unambiguous mandate for the audit committee's role regarding risk management oversight. The audit committee's responsibilities for ERM should be reflected in its charter.

Some members of audit committees may find the topic of ERM an unfamiliar one, given its recent emergence and additional focus on non-financial risks. Faced with a report containing information about ERM processes that largely fall outside conventional accounting and financial control frameworks, members of audit committees can be forgiven for feeling a little bewildered by the complex and evolving nature of enterprise risk management programmes. So what should audit committees look for in a company's enterprise risk management endeavours? An audit committee member can look for the indications, set out below, of the status of ERM in the company.

Risk strategy

Aligning ERM resources and actions with the business strategy is necessary to maximise effectiveness. Both the board and senior management must understand strategic-level risks and the related systems of control. Risk management should always be on the board and audit committee agenda, and a formal risk and control review should be performed annually. Management must be able to demonstrate direction and intent in its application of ERM techniques. The company's tolerance limits for variance in performance need to be stated. Management's attitude towards risk-taking and its appetite for risk ought to be reflected in a documented risk policy framework. An indication of management's intentions and objectives with ERM must be stated. Is it to guarantee that a specific strategy is achieved? Is it to contain losses and variances? Is the intent of the ERM programme to strengthen the competitiveness of operations?

Structure and accountability

Once an organisation understands its risk strategy and adopts it as a board initiative, organisational resources need to be put in place to ensure that the company can respond appropriately. For example, a well-defined risk structure will nominate resources for risk assessments, so that management is able to assess risks across the organisation's divisions, regions, functions and hierarchy. The audit committee needs to be satisfied that there is appropriate commitment by management to the process of ERM. Many managers feel that they know their risks and already take adequate steps to deal with them, albeit on an unstructured basis. So the audit committee needs to look for signs of commitment by management to a structured and formalised process of ERM. Upholding normal operational processes alone will not do. All conceivable types of risk must be confronted with the tools and methodologies of ERM: strategic, competitive, political, reputation, social, environmental, technical, people, marketing, economic, legal and operational risks. Every business unit, function and process of the enterprise must be subjected to the ERM initiative.

Management's commitment can be interpreted in part from the perceived energy associated with the development of ERM processes. Look out for the speed with which risks are identified and assessed across the organisation, action plans are put into place, and internal audit plans are aligned to the control information arising from risk assessments. Also consider the company's commitment to risk management committees and forums. Examine the resources allocated to enterprise risk management in terms of time, capital and manpower. The quality of reports supplied to the audit committee will reflect management's commitment to ERM processes.

The audit committee should also consider the extent to which the executive management team commits the company to ERM. This is revealed in a number of ways. First, the board charter should commit the directors to the intent to identify, assess and manage risks on a formal and structured basis. Second, a risk policy statement should be published that sets out management's risk strategy. Third, a framework for ERM must be evident. The framework should reflect the architecture of the ERM process and its integration with other organisational processes.

Risk identification and assessment

The audit committee should closely scrutinise the risk register that results from management's processes of risk identification and assessment. The register should detail the key risks facing the objectives of the organisation. A risk register should reflect a balanced view of risks across the business spectrum, ranked according to the degree of threat and the likelihood of the risk. A risk register that has a bias towards a particular area of risk, such as insurance or finance, should be questioned. Risk identification should not be tackled in a random or freeform manner. There are a number of methodologies available for this purpose, and some assurance should be evident that a structured methodology has been used to profile the company's risks. Risk identification should take an enterprise-wide view of the risk spectrum. This implies that the resultant risk register should reflect a balanced, thorough and credible profile of key risks. It should reflect the reality of the company's risk profile with no preconceived bias or weighting towards a particular category of risk. Non-core activities and assets must be included. The risks facing all business units, processes, regions, services, brands, customers, changes, timing issues and suppliers need to be incorporated.

A risk register can take any number of forms but should record at least a description of each risk, the associated business process and objective, and a description of the probable implications. The likelihood of the risk occurring and its potential impact should be quantified on a consistent basis. It is important for management to indicate the current controls and interventions for the identified risks. A desired level of control can be indicated, but invariably an action plan for every key risk is required in order to improve the degree of risk protection or enhance the opportunities arising from the risk in question.

Risk-based controls

Controls are easily recognisable for risks at an operational level. Such controls may include a variety of policies, procedures, authority frameworks, insurance portfolios and loss prevention resources. The effectiveness of these controls is normally verified by a series of audit plans. The controls for business and strategic risk exposures are not so readily definable. Particular effort on the part of management will be required to define the mitigation of high-level business risks. Aspects of strategy such as the ability to liquidate, strategic flexibility and portfolio diversification may be deemed the relevant controls for certain key risks. Yet these too should be subjected to a planned process of examining the appropriateness and effectiveness of such controls. The audit committee should look for a so-called 'combined assurance plan' that aims to verify the appropriateness and effectiveness of key controls, mitigations and interventions for key risks. The combined assurance plan should outline a process of audits and reviews that would take place in line with the risk priorities of the company. The providers of assurance are chosen according to the nature of the risk in question, and are drawn from management, internal audit, specialists and independent professionals.

Risk management techniques that are designed to operate at the time of a loss should also be evident in management's control environment. These will include crisis management plans that aim to sustain stakeholder confidence in the event of a widely publicised incident. Business continuity plans are expected for key IT risks, and their principles are also widely applied to supply chain and business process risks. Financial contingencies such as insurance, self-insurance and hedging arrangements also form an important part of a typical control framework, details of which should be reflected in the ERM reporting process. It is useful to indicate which risks are currently insured, uninsured, self-insured or uninsurable. Insurance in itself is not a control, but rather is aimed at limiting the extent of certain potential losses.

Other financial solutions to risk should be explored by management, especially for risks that have a high financial impact (e.g. bad debts, currency exchange rates). There are numerous financial contingencies open to management, and assurance should be provided that all relevant financial alternatives to mitigate risk have been considered. For example, the company can deliberately retain the financial consequences of risk. This can be done on an unstructured basis, such as exposing the income statement to the outcomes of risk. Alternatively, the cost of risks can be retained on a structured basis through provisions, contingency policies and captive insurance facilities. Certain risks manifest themselves as volatile income streams or cost fluctuations. Management may find these unacceptable and seek to smooth the pattern of financial consequences. This can be achieved through the purchase of financial instruments, intrinsic hedging or external hedging. Risks may also warrant the use of financial derivatives, bond instruments (such as catastrophe bonds or contingent debt) or equity instruments such as contingent equity, catastrophe equity or put options.
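The risk register described under 'Risk identification and assessment' above is easy to sketch in code, and doing so makes the committee's checks concrete. The following is an added illustration, not part of the KPMG text: a small Python register that records the minimum fields the text calls for, scores likelihood and impact on one common scale, ranks the entries, and flags the two things the text says should be questioned, namely a register weighted towards one category and a key risk that lacks an action plan (it also notes a key risk with no current controls recorded). The 1-to-5 scale, the key-risk threshold, the bias threshold and the sample risks are all assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import List

# Assumed scoring scale: both likelihood and impact are scored 1 (lowest) to 5
# (highest), so that every risk is quantified on the same basis.
SCALE = range(1, 6)
KEY_RISK_THRESHOLD = 12   # assumed: score >= 12 on a 25-point scale is a 'key risk'
MAX_CATEGORY_SHARE = 0.5  # assumed: more than half the register in one category is a bias


@dataclass
class Risk:
    """One risk register entry holding the minimum fields the text calls for."""
    name: str
    category: str               # e.g. strategic, financial, operational, IT
    process: str                # associated business process
    objective: str              # business objective the risk threatens
    implications: str           # probable implications if the risk materialises
    likelihood: int             # 1 (rare) .. 5 (almost certain)
    impact: int                 # 1 (minor) .. 5 (severe)
    current_controls: List[str] = field(default_factory=list)
    action_plan: str = ""       # the text requires one for every key risk

    def __post_init__(self) -> None:
        # Refuse scores that are not on the common scale, so entries stay comparable.
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.name}: likelihood and impact must be in 1..5")

    @property
    def score(self) -> int:
        """Likelihood x impact, the basis on which the register is ranked."""
        return self.likelihood * self.impact


def rank(register: List[Risk]) -> List[Risk]:
    """Rank the register by descending score (degree of threat x likelihood)."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def key_risks(register: List[Risk], threshold: int = KEY_RISK_THRESHOLD) -> List[Risk]:
    """The risks that need an action plan under the assumed threshold."""
    return [r for r in rank(register) if r.score >= threshold]


def findings(register: List[Risk]) -> List[str]:
    """Checks an audit committee member would run over the register."""
    out: List[str] = []
    for r in key_risks(register):
        if not r.action_plan.strip():
            out.append(f"key risk without an action plan: {r.name}")
        if not r.current_controls:
            out.append(f"key risk with no current controls recorded: {r.name}")
    # A register weighted towards one category (e.g. finance) should be questioned.
    by_category = Counter(r.category for r in register)
    for category, n in by_category.items():
        if n / len(register) > MAX_CATEGORY_SHARE:
            out.append(f"register biased towards '{category}' ({n} of {len(register)} risks)")
    return out


# Constructed sample register for the example (not real company data).
SAMPLE_REGISTER = [
    Risk("Loss or corruption of core customer data", "IT", "Order management",
         "Maintain customer service levels", "Service outage, regulatory penalties",
         likelihood=3, impact=5,
         current_controls=["Tested backups", "Role-based access control"],
         action_plan="Complete business continuity test for the order platform"),
    Risk("Currency exposure on export revenue", "financial", "Treasury",
         "Meet earnings guidance", "Earnings volatility from FX movements",
         likelihood=4, impact=4, current_controls=["Natural hedging via local costs"]),
    Risk("Bad debts from a single large customer", "financial", "Credit control",
         "Protect operating cash flow", "Write-off and cash shortfall",
         likelihood=3, impact=3, current_controls=["Credit limits", "Credit insurance"]),
    Risk("Sole-source supplier for a key component", "operational", "Procurement",
         "Sustain production volumes", "Production stoppage",
         likelihood=2, impact=5, current_controls=["Safety stock"]),
    Risk("Key-person dependency in treasury", "financial", "Treasury",
         "Maintain control over cash and hedging", "Errors and control gaps during absence",
         likelihood=2, impact=3, current_controls=["Documented procedures"]),
]

if __name__ == "__main__":
    for r in rank(SAMPLE_REGISTER):
        print(f"{r.score:>3}  {r.category:<12} {r.name}")
    for f in findings(SAMPLE_REGISTER):
        print("FINDING:", f)
```

Run as a script, the sample register ranks the currency exposure first (score 16) and produces two findings: the currency exposure is a key risk with no action plan, and three of the five entries sit in the 'financial' category, which is exactly the kind of weighting the text says the committee should question. Rejecting off-scale scores in the constructor is what keeps the "quantified on a consistent basis" requirement enforceable rather than aspirational.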

Measuring and monitoring

Measuring and monitoring to enhance value should be an ongoing means of understanding and reporting on the status and impact of risks. A strong process for capturing information and reporting it to the board and the audit committee is essential to an ERM approach. Measuring and monitoring activities could include using performance measures, tracking risk management investment and costs, and the use of technology to assess key business indicators.

The changing and dynamic nature of risk means that the management team must have a risk monitoring mechanism that is alert to change in the organisation. Change has a number of implications for ERM. First, change will require a company to re-examine its risk register on a frequent basis. Experience shows that most corporate risk profiles change materially at least quarterly. Second, distinct changes will require the application of risk management techniques. Such changes may include acquisitions, procurement legalities, new initiatives such as customer relationship management, new product launches, new projects, strategy execution and changes to activity and value chains. Third, change will invariably necessitate some adjustments to a company's risk management strategy, and management needs to keep its ERM policy framework updated.

Aside from the various endeavours of management to identify and monitor risk, the audit committee can contribute to these processes by being alert to indicators contributing to the company's risk profile. By understanding the business environment and the pressures the organisation and its management are facing, the audit committee can evaluate whether risks are being identified and mitigated. Such an approach enables the committee to exercise its responsibilities in an active rather than reactive manner. Some examples of risk indicators for the audit committee are listed below. To facilitate identifying risk indicators, the company's senior executives should regularly report to the audit committee and board of directors to keep them informed of the risks and exposures facing the company. In addition, the committee should be briefed on the company's strategic objectives, the procedures for achieving them, and evaluations of the progress toward meeting them. The committee should also seek the observations of the internal and external auditors, and draw upon its members' own business experience.

Risk indicators

The following are examples of risk indicators:
- Inappropriate 'tone at the top'.
- Frequent organisational changes.
- High turnover of senior management.
- Lack of succession plans.
- Inexperienced management.
- Lack of management oversight.
- Management override.
- Autocratic management.
- Untimely reporting and responses to audit committee enquiries.
- Excessive or inappropriate performance-based remuneration.
- Unrealistic earnings expectations by the investment community.
- Over-ambitious growth goals.
- Unusually rapid growth.
- Unusual trends or results.
- Lack of transparency in the business model.
- Exposure to rapid technological changes.
- Industry downturns.
- Interest rate and currency exposures.
- Overly complex organisational structures or transactions.
- Late surprises.
- Ongoing or prior investigations by regulators or others.
- Cash flow problems.
- Poor financial position.
- Continuous loss-making operations.

Risk portfolio

A 'risk portfolio' represents the range and degree of business risks appropriate for the company at any given time. Processes must determine whether the risk portfolio is consistent with the expectations of the board and senior management. An appropriate level of risk can help to achieve corporate objectives. Risk optimisation involves evaluating and adjusting the risk response currently being made by the company. When benchmarked against risk appetite, an optimisation model can identify where the best investment in risk treatment can be achieved.

Risk reporting

Internal risk reporting is one of the most powerful mechanisms for implementing ERM processes, and the audit committee would do well to question the degree to which this takes place. Management's reporting of risk matters would normally be incorporated into existing performance-based reporting processes. Risk information that should be tabled at management meetings would include any change to the current status of key risks, the performance of key controls, and the value of losses and variances related to the risks of the company. The value of internal reporting is that it develops accountability for risk management and enforces the mechanisms for implementing defined ERM processes. Specific reports should be generated for the board of directors, which would be channelled through the audit committee for review.

Reviews

Notwithstanding the above, the board is required to draw its own conclusions in respect of the risks of the company and the effectiveness of ERM measures. The audit committee can assist this diagnosis by asking probing questions such as the following:
- Is ERM always on the board agenda?
- Has ERM education been provided at the board level?
- Is there clear ownership of risk management oversight by the board?
- Has management created a high-level risk strategy and policy aligned with strategic objectives?
- Has a risk management framework been established with clear reporting lines and assignment of responsibilities?
- Does the company have a common risk culture, including the use of common risk language and concepts?
- Are communications about risk using appropriate channels and technology?
- Are ERM activities embedded into ongoing business processes?
- Are appropriate measurements and monitoring of risks being performed?
- Have key performance indicators and critical success factors related to risk been identified, and success measures for the risk strategy established?

ERM Integrated Framework

In 2001, the Committee of Sponsoring Organisations (COSO) initiated a project to develop a framework that would be readily usable by management and audit committees to evaluate and improve their organisation's ERM. In September 2004, the ERM Integrated Framework was released by COSO. This framework expands on internal control, providing a more robust and extensive focus on the broader subject of ERM. It is not intended to, and does not, replace the internal control framework, but rather incorporates the internal control framework within it; audit committees and boards may therefore decide to look to this ERM framework both to satisfy their internal control needs and to move towards a fuller risk management process.

Information technology risk analysis

Historically, corporate governance has had a compliance and financial focus; however, the demands and expectations of business leaders and audit committees are changing. As technology is a key enabler in modern business, the focus on the specialist area of information technology (IT) governance is increasing. One of the key functions of audit committees is ensuring that business risks are appropriately managed. It is clear in our modern world that risks associated with the use of IT need particular attention. The problem is that in this fast-changing space, many audit committees don't know the right questions to ask. To assist audit committees to ask the right questions, the diagram below sets out the context and definition of good IT governance. The diagram makes it clear that IT governance forms part of overall good corporate governance. The principles are the same, and audit committees should be challenging the business to demonstrate how value is being released from IT, whilst at the same time managing the business risks that arise from using IT. The 'spokes' of the 'wheel' below outline some of the important IT processes that should be in place to ensure that risks are managed while achieving value from IT.

[Diagram: IT governance 'wheel'. Hub: IT Governance, Release value from IT. Spokes: Organisational Structure; IT Portfolio management & project management; Business Process Efficiencies; Info Security Governance; IT Legislative Compliance (CoSo, King II, SOx, Basel II); Link to Internal & External IT Audit; IT Key Performance Measurements & Benchmarking; Business Continuity Management; IT Resource Management.]

[Diagram: components of the control framework: Control Environment; Information & Communication; Monitoring.]

Control framework

Having identified and analysed the risks threatening the company's ability to achieve its objectives, the company is in a position to determine how those risks should be managed, mitigated and optimised. This is achieved through the implementation of an effective framework of internal controls. Critical to the control framework is the control environment, which provides the foundation for all other components of the framework. It encompasses the overall attitude, awareness and actions of management regarding controls and their importance in the company. The controls themselves include the policies and procedures that help ensure that the necessary actions are taken to address the risks. The control framework needs to be monitored to assess its performance over time. Information systems are vital to ensure that everyone has the information they need on a timely basis to enable them to carry out their control responsibilities.

An effective framework of control provides shareholders, boards, managers and employees with:
- reasonable assurance of reliable financial and non-financial reporting and regulatory compliance;
- the board's delegation of authorities;
- a basis for achieving the company's objectives;
- a means to reduce the risk of asset loss;
- an ability to monitor progress towards achieving goals and reduce the likelihood of unpleasant surprises along the way; and
- a way to promote efficiency and help the company to adapt to changing customer, economic and competitive environments.

Controls are most effective when they are viewed by everyone as an integral part of, rather than an addition to, the daily operations of a company. While everyone in a company has some responsibility for control and risk management, the chief executive officer is ultimately responsible to the board of directors for the control framework and should assume ownership of it. The board conducts an oversight role.

Management's responsibility for the financial reporting control environment was highlighted in SOx. In terms of Section 404 of SOx, management must:
- accept responsibility for the effectiveness of internal control over financial reporting (ICOFR);
- evaluate the effectiveness of ICOFR using suitable control criteria (e.g. COSO);
- support the evaluation with sufficient evidence, including documentation; and
- present a written assessment regarding the effectiveness of ICOFR.

Further, CEOs and CFOs are required to certify in relation to internal controls that they have:
- designed controls effectively;
- evaluated the effectiveness of controls in the last 90 days;
- disclosed to the auditor and the audit committee all significant deficiencies in the design or operation of internal controls;
- revealed to the auditor and the audit committee any fraud that involves management or other employees who have a significant role in internal controls; and
- indicated whether there have been any significant changes in the control environment during the period.

Internal auditors have the ability to make an important contribution to the ongoing effectiveness of the control framework through testing and recommending improvements, but they do not have responsibility for establishing or maintaining the control framework. External auditors also have the ability to contribute to the improvement of the control framework, including the control environment, by making recommendations for improvement and providing advice as requested on specific control issues. However, they are not responsible for the effectiveness of, nor are they a part of, the company's control system. External auditors are nevertheless often asked to report on internal controls. Under Section 404 of SOx, for example, auditors are required to attest to, and report on, the assessment made by management on internal controls, as well as expressing an opinion on the operating effectiveness of the internal controls over financial reporting.

The audit committee and the control framework

Since the audit committee has an ongoing responsibility to assess the effectiveness of the control framework, it gathers information from management and also from internal and external audit as part of the assessment process. This should involve the audit committee challenging and testing management and the internal and external auditors on the framework and any assessments they may have made. To do this effectively requires audit committee members to have a very clear understanding of the control framework. Clearly, it is inappropriate for the audit committee to rely solely on written representations from management. The committee should receive regular briefings from management and others on how compliance with codes of conduct, regulations, policies and other relevant procedures is being achieved. The audit committee should also be briefed on how management is embedding a culture that is committed to ethical and lawful behaviour.

While such a culture does not of itself guarantee that a company will achieve its goals and operate efficiently and effectively, the lack of such a culture provides greater opportunities for error or for improprieties to occur. At the very worst, questionable values and unethical or risky behaviour can jeopardise a company's viability. Yet few issues cause as much confusion and concern as ethics. Codes of Ethics and/or Codes of Conduct are often useful tools in articulating the standards and values of the company and the kinds of conduct that are regarded as acceptable or unacceptable in specific situations. As the board is the ultimate custodian of the company's ethics and value systems, it must understand that if it fails to give leadership in this area it leaves a vacuum that others may not fill. Regardless of how the board has formulated its approach to ethics, every organisation has an explicit or implicit ethical stance that is communicated to employees by the actions and attitudes of management, by the values implicit in reward, recognition and recruitment policies and practices, and by day-to-day decision-making. It is therefore important that the audit committee understands, and influences, the nature of the culture in which the organisation operates, because it has implications for the type and extent of material that is presented to the committee and the way in which it is presented.

kpmg.ru

Contact us:
Audit Committee Institute in Russia
Boris Lvov, Corporate Governance, Performance and Compliance
Tel: +7 937 4477
E-mail: aci@kpmg.ru

This text is an unaccredited version, adapted by KPMG in Russia and the CIS, of "The audit committee and risk management", prepared by the Audit Committee Institute sponsored by KPMG. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

© 2009 ZAO KPMG, a company incorporated under the Laws of the Russian Federation and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in Russia. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative.