Streamlining the Annual Risk Assessment Process
Presenter: Gregory Jordan, CPA, CIA, CRMA, FLMI
Senior Vice President, Chief Audit Executive, Nationwide Insurance

Gregory Jordan, CPA, CIA, CRMA, FLMI
Chief Audit Executive, Nationwide Insurance
Board Member of the IIA Central Ohio Chapter
Committee Member of the IIA Exam Development Committee
Over 30 years of industry experience
Served in several Business and Finance leadership roles since joining Nationwide in 2001
11 years with Ernst & Young and 6 years with Midland Life Insurance Company/Swiss Re
Graduate of The Ohio State University
jordang3@nationwide.com

Today's Learning Opportunities
Creating an annual planning road map
Developing a standardized and consistent audit planning approach
Reducing "peak" times by spreading the annual planning effort throughout the year
Formalizing internal audit policies and procedures for the annual planning process
Learning a new approach for certain risk assessments, titled "Risk Assessment Confirmations"
About Nationwide
The Catalyst for Change
Risk Management Had to be Aligned
[Diagram comparing the historical model with the targeted model. Both show Board/Senior Management oversight over the Audit, Finance, Risk, IT and other committees (ERC, Risk Committee, etc.), the risk functions (ERM, Internal Audit, FRC, Compliance, Privacy, Finance, IRM, Legal, etc.) and the business units.]
Historical model: each function on its own tooling (Notes, dbase, SAS, Access)
Redundancies and inefficiencies
Varying lines of communication
Lack of a single data structure/database
Multiple approaches for risk & control reports
Targeted model: common data structure, common technology, common risk & control processes
Common approach to identifying risks/controls and managing issues
Coordination among functions
Clear roles and responsibilities
Common data structure/database
Comprehensive risk & control reports

Regulatory Risk Now Has a Year-Round Impact
50+ State Unclaimed Property Regulators
50+ State Attorneys General
Consumer Financial Protection Bureau
SEC
Financial Industry Regulatory Authority (FINRA)
Commodity Futures Trading Commission
50+ State Insurance Departments
U.S. Department of Treasury
Department of Justice
U.S. Department of Labor
Internal Revenue Service
Health and Human Services
Federal Trade Commission
Occupational Safety & Health Administration
Municipal Securities Rulemaking Board
E.E.O.C.
50+ State Securities Departments
50+ State Mortgage Regulators
Office of Comptroller of Currency
Office of Foreign Assets Control
Federal Reserve
* Slide denotes primary regulators only
Best Practices Are Driving Toward Shorter Duration and Timing
The Value of a Streamlined Risk Assessment Process
IIA Pulse of Internal Audit: "In today's fast-paced operating environments, internal auditors need to audit at the speed of risk. That means developing the capability to continuously align or realign their audit coverage to address emerging risks and avoid damaging surprises."

We Control Risk Assessment Processes
Required by the Standards, but no one tells us HOW to do it
Allows Internal Audit to understand which potential events might impact the business
Provides a foundation for determining how risks should be managed
Assesses risks from two perspectives: impact and likelihood
Provides a basis for management to evaluate risk management activities
Drives audit activities
Adding Value through Risk Assessments Source: PWC State of the Internal Audit Profession 2015
Focusing on Risk is a Value Add Activity Source: PWC State of the Internal Audit Profession 2015
Where We Were
Our Historical Annual Planning Process Roadmap
[Timeline graphic running from December through the following December, showing the planning activities in sequence:]
Audit Universe Completeness Review
Risk Assessment Refresh for Coverage AUs: perform a thorough RA of the AUs identified for Audit Plan coverage in the following year
Risk Assessment Confirmations: complete confirmations for all AUs where a refresh is not required
Audit Universe and Audit Plan Calibration: develop the draft Audit Plan
Leadership Team Audit Plan Calibration: determination of the Audit Plan; forecast next year; complete the draft schedule
Audit Universe Updates
Aggregation of Audit Plan Recommendation Materials
Review Audit Plan with OCEO, SVPs, etc.
Review draft plan with Business/IT Management
Audit Committee Meeting: IA presents the draft audit plan for approval

The Federal Reserve Bank Required Changes to Our Process
Nationwide is subject to oversight from the Federal Reserve Bank (FRB)
Internal Audit (IA) is a main focus of the FRB
The FRB expects a consistent risk assessment process, robust documentation and demonstrated leverage of other risk management partners
The FRB raised the bar on IA's risk assessment to be more comprehensive and stand alone
The FRB expects real-time updates to risk assessments as risk changes throughout the year
The FRB's goal is to rely on IA risk assessments and audit efforts and avoid duplication of effort

Risk Assessment Hours (by Year)
Risk assessment hours increased dramatically due to Nationwide's complexity, the desire for end-to-end process review and FRB expectations
Year   Hours
2012   4,181
2013   5,166
2014   6,400

Risk Assessment Hours (by Year)
Risk assessment effort had a profound impact on our ability to complete audit activity in line with the increased FRB audit cycle times

Risk Assessment Streamlining Process Goals
Develop a consistent, repeatable process
Align risk assessment efforts with cycle time
o Concentrate on Auditable Units (AUs) requiring activity within the next 12 months
o Create efficiencies through confirmation of AUs with activity not due for 12+ months
Reduce peaks in the process by spreading activity throughout the year
Define a calendar process view to provide:
o Better forecast of risk assessment time
o Client meetings for Audit Plan review
o Earlier development of the Audit Plan and scheduling
Define policies and procedures outlining the annual planning process

Risk Assessment Streamlining Content Goals
Combine top-down, bottom-up and enterprise-wide views
Based on a normalized taxonomy common to our industry
The risk universe should be mutually exclusive and collectively exhaustive
Risk Management partners (e.g. ERM, Compliance) should have a complementary risk universe and risk assessment methodology
Risk rankings should not be considered absolute but should provide approximate importance
The methodology needs a common scale to facilitate risk discussions (e.g. quantitative or qualitative scales)
Results should be continually validated with stakeholders
Risk assessments should clearly prioritize audit activities
Where We Are
Nationwide's Risk Management Structure
[Diagram: Board of Directors and C-Suite above three lines of defense]
1st Line of Defense, Risk Ownership: Line of Business Management (A, B, C)
2nd Line of Defense, Risk Control & Monitoring: selected risk & control functions (not exhaustive): ERM, Credit Risk, Investment Risk, Market Risk, IT Risk, Compliance
3rd Line of Defense, Risk Management Assurance: Internal Audit (assurance & validation)

Risk Assessments Are Now Developed in a Common Framework
Participating functions: ERM, Information Risk Mgmt., Internal Audit, Financial Reporting Controls (FRC), Compliance, Investment Controls
Framework
Common risk and control language
Common criteria for issue prioritization; top issues presented to the Operational Risk Committee (ORC)
Defined risk and issue heat maps
Technology
Common technology platform (OpenPages) for issues management
Consolidated issue reporting on a single system
Programs are consolidated onto OpenPages for issue management
Reporting
Issues compared across programs and business areas
Reporting of issues more transparent across the enterprise

We Use A Standardized Risk Assessment Heat Map
[Heat map graphic with axes Magnitude of Occurrence and Frequency]

Revised Risk Assessment and Annual Planning Process
1. Update the Audit Universe: update Auditable Units to reflect changes in business processes, IT infrastructure, products, etc.
2. Assess Inherent Risk: assess inherent risk within each Auditable Unit, considering factors such as financial, operational, fraud, regulatory and reputational impacts.
3. Review Transformation Programs: assess the impact of significant transformation programs on the applicable Auditable Units and identify programs to include in the Audit Plan.
4. Audit Plan: determine the Auditable Units and transformation programs to include in the Audit Plan.
Key Factors in Determining the Audit Plan:
Inherent risk of each Auditable Unit and the corresponding Coverage Cycle: High Inherent Risk (18 months), Medium Inherent Risk (3 years), Low Inherent Risk (4 years)
Significant changes (recently implemented or planned) to strategies, processes, people, regulations or technologies
Recurring projects in alignment with external auditor expectations or regulatory requirements
Management-requested audits or advisory projects

Internal Audit Now Leverages Compliance Risk Assessments
The Office of Compliance assesses compliance programs against the elements of an effective compliance program derived from the U.S. Federal Sentencing Guidelines on Organizations
Internal Audit fully leverages effective programs and partially leverages the risk assessments of developing programs
E (effective): basic foundation in place; and element is reasonably designed to achieve compliance; and consistent with appropriate industry practices or legal/regulatory expectations
D (developing): basic foundation in place but scope of coverage not yet adequate; or element needs to evolve and grow to be more consistent with appropriate industry practices or legal/regulatory expectations; or new or emerging risk requires heightened compliance attention
I (inadequate): basic foundation not in place or clearly ineffective; or element inconsistent with appropriate industry practices or legal/regulatory expectations

Compliance Program Effectiveness Assessment
[Grid of E/D/I ratings, one cell per compliance program element per Process/Area (Process/Areas 1 through 15, grouped under Line of Business 1, 2 and 3). Elements rated: High Level Responsibility; Risk Assessment; Written Policies & Procedures; Training & Education; Monitoring & Testing; Response & Prevention; Enforcement & Discipline; Reporting; Regulatory Exam, Inquiry & Relationship Management. Most cells are E, with D concentrated in Training & Education, Monitoring & Testing and Enforcement & Discipline.]
E = Effective, D = Developing, I = Inadequate
Audit Universe Validation We use all available data to validate legal entities, product lines, services, operational functions, etc.
Updated Risk Assessment Resources
New team member training
Consistent tools and templates to shorten preparation and learning curves
Providing pre-read client documents to shorten meetings and reduce the need for follow-up activities
Risk Assessment Meeting and E-mail Templates
Risk Assessment Interview Guide
Risk Assessment Questionnaire
Inherent Risk Rating Heat Map
Audit Proposal Template
Office-Wide Training

Risk Assessments Now Have Four Distinct Components
Refresh & Engagement Proposal Documents
Confirmations
Post Audit Updates
Continuous Monitoring Updates

Risk Assessment Refreshes
o For AUs requiring audit activity within the next 12 months
o No need to start from scratch
o More streamlined than our traditional risk assessment
o Leverage risk partner activity
o Meet only with the right level of management
o Business Auditors are responsible for identifying key technology applications (internal, mobile, or externally hosted) and critical business models
o IT Auditors consult with business auditors, freeing up IT capacity
o Risk assessment data is updated in the common repository

Engagement Proposal Documents
Risk Assessment Refreshes now require an Engagement Proposal Document
Provides consistent audit activity recommendations
Audit or project name, and why it is required and/or important
High-level scope including business, IT and DA related efforts
Estimate of required resources (business, IT, and DA hours)
IT and DA team members are involved in determining scope and hours, so there is no guesswork
Timing is discussed in advance with clients for upfront agreement

Risk Assessment Confirmations
Risk Assessment Confirmations are used for AUs not requiring a Risk Assessment Refresh
AUs requiring audit activity beyond the next 12 months
Auditors leverage risk partner activity
Auditors utilize a Risk Assessment Questionnaire
o Sent to key stakeholders for review and update
o Finalized during meetings with key stakeholders
o Leverages data from audit services completed in the previous 12 months (Post Audit Updates)
o Leverages input from periodic Internal Audit/senior management meetings (Continuous Monitoring)

Risk Assessment Post Audit Updates
Risk assessment updates are now required after each audit or project engagement
The goal is to document risk assessment knowledge in real time and not lose critical information over time
Data is input into the common tool and shared with risk partners

Risk Assessment - Continuous Monitoring Updates
IA participates in over 30 risk management committees
IA has routine senior management/client meetings
The goal is to document emerging risk in real time
Data is leveraged in risk assessment refreshes and confirmations
Corporate Functions: Asset Class Risk Review; Asset Liability Committee; Enterprise Disclosure Committee; Enterprise Risk Council; Finance Council; Information Security Policy Review Board; Investment Risk Committee; IT Leadership Team; Liquidity Working Group; Office of Ethics Semi-annual Update; Operational Risk Committee; Risk and Capital Modeling Committee
Nationwide Financial: Nationwide Financial Bank Risk Committee; Nationwide Financial Litigation Review; Nationwide Financial Pre-Disclosure; Nationwide Financial Risk Committee; SEC Pay to Play
Property & Casualty: CAT Risk Committee; Commercial Lines Transformation; Corporate/P&C Pre-Disclosure; Nationwide Growth Solutions Risk Committee; P&C Litigation Review; P&C Product Risk Committee; P&C Risk Committee; Personal Lines Transformation Project

Organizing Risk Assessments
Risk Assessments are now organized by group and type for ease and consistent use
"Organizing is what you do before you do something, so that when you do it, it is not all mixed up." - A. A. Milne
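The coverage-cycle rule (High inherent risk every 18 months, Medium every 3 years, Low every 4 years), the heat-map axes, and the split between refreshes (activity due within 12 months, or forced by significant change or a management request) and confirmations are mechanical enough to script. The Python below is an added example written for this page, not Nationwide's tooling; the axis buckets and cycle lengths come from the deck, while the mapping of heat-map cells to High/Medium/Low, the unit names, dates and dollar figures are assumptions.

```python
"""Audit-plan triage from inherent risk and coverage cycle (added example)."""
import bisect
import calendar
from dataclasses import dataclass
from datetime import date

# Heat-map axes as labelled in the deck. Band index 0 is the lowest bucket.
# Magnitude per occurrence: <$10K, $10K-$100K, $100K-$1M, $1M-$10M, >$10M
MAGNITUDE_THRESHOLDS = (10_000, 100_000, 1_000_000, 10_000_000)
# Frequency (occurrences/year): <1 in 10 yrs, 1 in 10 yrs, 1/yr, 2-10/yr, >10/yr
FREQUENCY_THRESHOLDS = (0.1, 1.0, 2.0, 10.0)

# Coverage cycles from the deck: High 18 months, Medium 3 years, Low 4 years.
COVERAGE_CYCLE_MONTHS = {"High": 18, "Medium": 36, "Low": 48}
REFRESH_HORIZON_MONTHS = 12  # refresh when audit activity is due within 12 months


def magnitude_band(dollars: float) -> int:
    return bisect.bisect_right(MAGNITUDE_THRESHOLDS, dollars)


def frequency_band(per_year: float) -> int:
    return bisect.bisect_right(FREQUENCY_THRESHOLDS, per_year)


def inherent_risk(dollars: float, per_year: float) -> str:
    """Map a heat-map cell to High/Medium/Low.

    ASSUMPTION: the deck does not say which cells are High/Medium/Low, so this
    sums the two band indices (0..8) and treats 6+ as High and 4-5 as Medium.
    """
    score = magnitude_band(dollars) + frequency_band(per_year)
    if score >= 6:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    m = d.month - 1 + months
    year, month = d.year + m // 12, m % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class AuditableUnit:
    name: str
    magnitude: float                  # dollars per occurrence
    frequency: float                  # occurrences per year
    last_audit: date
    significant_change: bool = False  # strategy/process/people/regulation/technology change
    management_request: bool = False  # requested audit or advisory project


def next_due(au: AuditableUnit) -> date:
    """Next coverage date = last audit plus the cycle for the unit's inherent risk."""
    cycle = COVERAGE_CYCLE_MONTHS[inherent_risk(au.magnitude, au.frequency)]
    return add_months(au.last_audit, cycle)


def triage(units, today: date) -> dict:
    """Return {name: "Refresh" | "Confirmation"} for the annual plan."""
    horizon = add_months(today, REFRESH_HORIZON_MONTHS)
    result = {}
    for au in units:
        due_soon = next_due(au) <= horizon  # also catches overdue units
        forced = au.significant_change or au.management_request
        result[au.name] = "Refresh" if (due_soon or forced) else "Confirmation"
    return result


# Constructed sample units: hypothetical names and figures, not Nationwide data.
SAMPLE_UNITS = [
    AuditableUnit("Claims Payment Processing", 5_000_000, 3.0, date(2014, 9, 1)),
    AuditableUnit("Agent Licensing", 50_000, 0.5, date(2013, 3, 1)),
    AuditableUnit("Policy Admin Platform Migration", 500_000, 1.0, date(2014, 1, 15),
                  significant_change=True),
    AuditableUnit("Treasury Wire Transfers", 20_000_000, 0.05, date(2012, 8, 1)),
]

if __name__ == "__main__":
    plan = triage(SAMPLE_UNITS, date(2015, 6, 1))
    for au in SAMPLE_UNITS:
        rating = inherent_risk(au.magnitude, au.frequency)
        print(f"{au.name:34} {rating:6} due {next_due(au)} -> {plan[au.name]}")
```

Run as-is and the platform migration lands in the refresh bucket even though its cycle date is beyond the 12-month horizon, because the "significant change" factor from the deck overrides the cycle; the wire-transfer unit is refreshed because its 36-month cycle has already lapsed. Post-audit updates would feed back by resetting `last_audit`, and continuous-monitoring findings by flipping `significant_change`.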
Where We are Going
Risk Velocity
Our goal is to measure risk velocity (how quickly a risk could materialize and how severe it could become)
Use it as a factor in determining the priority and timing of audit activity

Risk Velocity and Real Time Risk Assessments will Drive Audit Plan Activity
[Two heat maps showing Project X moving between April 1 and July 1. Vertical axis, Magnitude per Occurrence: less than $10K; greater than $10K, less than $100K; greater than $100K, less than $1M; greater than $1M, less than $10M; greater than $10M. Horizontal axis, Frequency: less than 1 occurrence in 10 years; 1 occurrence in 10 years; 1 occurrence per year; 2 to 10 occurrences per year; greater than 10 occurrences per year.]

We Will Focus on Top Down, Bottom Up and Enterprise Risk View
[Diagram: Current state shows Credit Risk assessed separately within Line of Business 1, 2 and 3; Future state shows Credit Risk assessed as one enterprise view across the lines of business]

Risk Assessment Hours & Timing
We will continue to shorten the duration and impact of the annual risk assessment process
[Two charts: risk assessment hours by month for 2015 (Jan through Dec), and total risk assessment hours by year]
2015 Hours: 2,500 (versus 6,400 in 2014)

Using Real Time Risk Assessments
Periodically monitor key risk indicators
Use technology to continuously monitor key risks
Periodically interview management to identify changes in the risk profile
Initiate updates to the risk assessment
Initiate formal or ad hoc changes to the Audit Plan

Potential Approaches for Assessing Key Business Risks
Workshops: group working sessions provide the opportunity to aggregate multiple points of view while validating and prioritizing significant risks and defining proposed risk owners.
Interviews: provide more detailed risk information than surveys, with greater analysis, through a focused one-on-one interview process.
Surveys: gather candid, preliminary input on key business risks from professionals across the breadth of the organization.
Building Flexibility into the Annual Audit Planning Process
Questions?