The Top Four Essential Objectives to Auditing ERM
Stephen E. McBride, CIA
2011 Governance, Risk, and Compliance Conference
August 29 – 31, 2011 / Orlando, FL, USA

Agenda
• Definition of key terms
• Risk management principles & process
• Recent financial events
• Risk governance roles
• Key areas of focus in establishing audit objectives

Risk
• The possibility of an event occurring that will have an impact on the achievement of objectives. Measured in terms of likelihood and impact.

Risk Management
• A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives.

Why Manage Risk?
• Decrease the cost of financial distress
• Reduce earnings volatility
• Facilitate optimal investments
– Incorporate portfolio theory

Enterprise Risk Management
• The application of risk management principles to all significant risks facing an organization.

Risk Governance Roles
• Board of Directors
• Management
• Internal Auditors

Financial Events
• Enron
• Washington Mutual Bank
• AIG
• MF Global
Were these events:
– risk management process failures,
– implementation failures, or
– both?

Where to Begin
• Failures?
– Financial: Credit, Market, Liquidity
– Operational
– Strategic
• Review models, assumptions, derivatives, strategies, black swan?
• Top 4 objectives

1. Business Strategies and Risk Appetite
• Determine approval of risk appetite
• Determine understanding of business model

Audit Objectives – Risk Appetite
1. Risk appetite – the entity’s risk appetite defines acceptable and undesirable risks.
2. Parameters for risk
   1. Strategic – new products or initiatives
   2. Financial – maximum acceptable loss or performance variations
   3. Operating – capacity management, quality targets, environmental requirements

2. Internal Environment
• The Board is active and possesses an appropriate degree of expertise
• Chief Risk Officer communication
• Management risk council reporting to the Board
• Management’s risk appetite is aligned throughout the organization

Ethics
• Determine methods for ensuring the Code of Conduct is communicated and complied with across the organization
• Ensure results are properly communicated
• Determine whether executives comply with discretionary expenditure policies

Follow the Money
• Determine how management is rewarded for performance

3. Event Identification
• Management identifies potential events
• Techniques are used to look at both the past and the future
• Event identification is robust
• Management understands how events relate to one another

4. Control Activities
• Management identifies the control activities needed to ensure risk responses are carried out properly
• Policies are implemented consistently
• Conditions are investigated and appropriate corrective action is taken
• General and application controls are implemented

Volume of Exceptions
• Determine the volume of policy or internal control exceptions
• Determine steps taken for corrective action

Conclusion
• Determining the control framework and management practices in these areas will help determine risk culture
• Risk culture is the primary indicator of an organization’s risk management oversight and its likelihood of continued long-term success