ERM 203 – When Storming the Castle Alone Doesn’t Work: Internal Audit as Ally
Wednesday, April 18, 2012
Agenda
• Speaker introductions
• Discuss key points from RIMS & IIA joint paper
  – Risk Management’s perspective
  – Internal Audit’s perspective
  – Collaborative Practices & Value Realized
• ERM & IA collaboration at Whirlpool Corporation
• Q&A session
Risk Management and Internal Audit: Forging a Collaborative Alliance (white paper)
• RIMS and IIA joint project
• White paper including interviews with:
  – Cisco Systems
  – Hospital Corporation of America
  – TD Ameritrade
  – Whirlpool
• Highlights RIMS’ and The IIA’s recommendation for these functions to work together collaboratively
The Role of IA in ERM
• Core internal audit roles:
  – Giving assurance on the RM program
  – Giving assurance that risks are correctly evaluated
  – Evaluating risk management processes
  – Evaluating the reporting of key risks
  – Reviewing the management of key risks
The Role of IA in ERM
• Legitimate internal audit roles (with safeguards):
  – Facilitating identification and evaluation of risks
  – Coaching management in responding to risks
  – Coordinating ERM activities
  – Consolidated reporting on risks
  – Maintaining and developing the ERM framework
  – Championing establishment of ERM
  – Developing ERM strategy for board approval
The Role of IA in ERM
• Roles IA should not undertake:
  – Setting the risk appetite
  – Imposing risk management processes
  – Management assurance on risks
  – Taking decisions on risk exposures
  – Implementing risk responses on management’s behalf
  – Accountability for risk management
Risk Management and Internal Audit: Forging a Collaborative Alliance - interview questions
1. Who does Internal Audit report to (functionally and administratively)? Who does Risk Management report to? How often does each interact with the Board or a Board committee?
2. How does the risk assessment process work between and among Internal Audit and Risk Management? And how are the results of these risk assessment processes shared with management and/or the Board? What information does each of the functions provide to the other, and how is that information used?
3. Are you satisfied with the level of collaboration? If so, what do you attribute this success to? If not, what is the biggest impediment?
4. How do Internal Audit and Risk Management collaborate in your organization? What are the areas of collaboration? What is working well? What are you working on to improve the relationship? Also, what formal or informal procedures are in place to minimize duplication and overlap with other risk-related functions such as legal, health and safety, and regulatory and Sarbanes-Oxley compliance?
5. What advice do you have for Chief Audit Executives and/or Chief Risk Officers as they seek to achieve greater levels of collaboration between Internal Audit and Risk Management?
Collaborative Practices & Value Realized
• Link the audit plan and the enterprise risk assessment, and share other work products. Provides assurance that critical risks are being identified effectively.
• Share available resources wherever and whenever possible. Allows for efficient use of scarce resources (such as financial, staff, time).
• Cross-leverage each function’s respective competencies, roles and responsibilities. Provides communication depth and consistency, especially at the board and management levels.
• Assess and monitor strategic risks. Allows for deeper understanding and focused action on the most significant risks.
ABOUT WHIRLPOOL CORPORATION
• World’s leading marketer and manufacturer of home appliances
• Approximately $18 billion in revenues
• 70,000+ employees worldwide
• 67 Manufacturing & Technology Centers
• World Headquarters: Southwest Michigan
MAKE PRODUCTS PEOPLE WANT TO OWN IN THEIR HOMES
CONSUMER-RELEVANT AND VALUE-CREATING INNOVATION
• Consumer-relevant innovation
• Strong cadence to the market
• Build strong brands
BRAND PLATFORM
BEST CONSUMER POSITION
WHIRLPOOL’S RISK MANAGEMENT FUNCTION
Whirlpool’s Risk Management
• Core team of 5
• Reporting to the Vice President and Treasurer
• Enterprise Risk Management
• Traditional risk management of hazard and financial risks
• Business continuity program
• Loss Prevention and Engineering
ENTERPRISE RISK MANAGEMENT PROCESS
Enterprise Risk Management is a strategic activity within Whirlpool. Our ERM process ensures that:
• Risks are appropriately identified.
• Risks are assessed at the senior management, business, and functional unit level.
• Risk mitigation is owned by business unit leaders.
Oversight:
• Ultimate responsibility for managing risks rests with the Chief Executive.
• Board of Directors oversees the overall risk management process through its Audit Committee.
The success of risk management is determined by:
• Identifying the right risks and events driving them.
• Quantifying and ranking risks.
• Developing risk management plans which reduce the impact of and help the company prepare for risk events.
ENTERPRISE RISK PROGRESS TIMELINE
Timeline years: 2008, 2009, 2010, 2011
An Ongoing Process Since 2007
• Identified unique regional risks and 2011 mitigation plans
• Conducted emerging risk survey at the regional level…aggregated results
• Included Duration and Detectability in new risk assessments
• Identified Trade Partner and Competitor risk factors
• Coordinate with Internal Audit monthly and during annual emerging risk identification
• ERM – Incorporated into Internal Controls course of WHR University
• WHR University – Instructor-led courses developed and taught for Finance Group
• Incorporated ERM into the CAPEX Process
• System shared with Internal Audit, hosts and reports ERM
• Interviews with risk owners and direct reports in cooperation with Internal Audit
• Detailed risk assessments completed for Strategic and Financial Level Risks
• Qualitative and quantitative metrics included where warranted
• Critical events and root causes identified
• Benchmark ERM Maturity
• ERM presented to S&P
• Coordinate with Internal Audit
• Detailed risk assessments completed for Operational and Compliance Level Risks
• Velocity metric introduced
• Regions identify top risks, mitigation and controls
• Coordinate with Internal Audit monthly and during annual emerging risk identification
Annually: Risk Map Repositioned, Risk Owners’ Mitigation Plans Confirmed
ENTERPRISE RISK MANAGEMENT AT WHIRLPOOL
Annual risk assessment process is used by both Internal Audit and Risk Management
[Figure labels: Risk Categories; Level/Representative Risks; Control Source; Good Rules; Good Decisions; levels 1 to 5]
ENTERPRISE RISK MANAGEMENT AT WHIRLPOOL
Risks are rated, ranked and assigned to one of five categories
ENTERPRISE RISK MANAGEMENT AT WHIRLPOOL
Key Risks are owned by its executive committee and projects and actions to achieve mitigation goals and objectives are ongoing
WHIRLPOOL’S INTERNAL AUDIT FUNCTION
• IA reports to the CFO & Audit Committee
• Represented in all regions globally
• Core team of ~60 Auditors
• KPMG FTEs utilized
• Core Competency includes Talent management:
  – Rotation into business
  – Financial Leadership Development Program
[Org chart labels: Audit Committee; Administrative Reporting Relationship; Functional Reporting Relationship; Internal Audit]
AUDIT PLAN AND DEVELOPMENT PROCESS
• Quantitative and qualitative assessment of all Whirlpool functions and locations
• Approach considers internal and external changes in the business environment, Whirlpool’s strategy and key objectives
• VP Internal Audit and IA Management team gathered input from Senior Executives, including regional CFOs and management from various functional areas
• Integrated risk assessment process with Enterprise Risk Management and the Compliance & Ethics Office
• Reviewed risk assessment and IA Plan with Ernst & Young
• Reviewed IA Plan with Executive Committee & Global Finance Leadership Team (GFLT)
• Audit Committee approves annual plan
INCORPORATING TECHNOLOGY
ERM PROCESS EMBEDDED WITHIN INTERNAL AUDIT SYSTEM
ENTERPRISE RISK MANAGEMENT
Collaboration
• Monthly meetings between IA and RM
• RM receives IA reports
• Annually interview senior leaders
• WHR University ‘Risk and Controls’ course
• RM utilizes IA software system
Benefits
• Collaborative effort
• Identify emerging risks earlier
• Optimize and leverage efforts
• Common language
• Shared IT software
Q & A