ERM 203 – When Storming the Castle Alone Doesn’t Work: Internal Audit as Ally Wednesday, April 18, 2012

Upload: deirdre-mills

Post on 23-Dec-2015


Agenda

• Speaker introductions

• Discuss key points from RIMS & IIA joint paper
  – Risk Management’s perspective
  – Internal Audit’s perspective
  – Collaborative Practices & Value Realized

• ERM & IA collaboration at Whirlpool Corporation

• Q&A session


Risk Management and Internal Audit: Forging a Collaborative Alliance (white paper)

• RIMS and IIA joint project

• White paper including interviews with:
  – Cisco Systems
  – Hospital Corporation of America
  – TD Ameritrade
  – Whirlpool

• Highlights RIMS’ and The IIA’s recommendation for these functions to work together collaboratively


The Role of IA in ERM

• Core internal audit roles:
  – Giving assurance on the RM program
  – Giving assurance that risks are correctly evaluated
  – Evaluating risk management processes
  – Evaluating the reporting of key risks
  – Reviewing the management of key risks


The Role of IA in ERM

• Legitimate internal audit roles (with safeguards):
  – Facilitating identification and evaluation of risks
  – Coaching management in responding to risks
  – Coordinating ERM activities
  – Consolidated reporting on risks
  – Maintaining and developing the ERM framework
  – Championing establishment of ERM
  – Developing ERM strategy for board approval


The Role of IA in ERM

• Roles IA should not undertake:
  – Setting the risk appetite
  – Imposing risk management processes
  – Management assurance on risks
  – Taking decisions on risk exposures
  – Implementing risk responses on management’s behalf
  – Accountability for risk management


Risk Management and Internal Audit: Forging a Collaborative Alliance - interview questions

1. Who does Internal Audit report to (functionally and administratively)? Who does Risk Management report to? How often does each interact with the Board or a Board committee?

2. How does the risk assessment process work between and among Internal Audit and Risk Management? And how are the results of these risk assessment processes shared with management and/or the Board? What information does each of the functions provide to the other, and how is that information used?

3. Are you satisfied with the level of collaboration? If so, what do you attribute this success to? If not, what is the biggest impediment?

4. How do Internal Audit and Risk Management collaborate in your organization? What are the areas of collaboration? What is working well? What are you working on to improve the relationship? Also, what formal or informal procedures are in place to minimize duplication and overlap with other risk-related functions such as legal, health and safety, and regulatory and Sarbanes-Oxley compliance?

5. What advice do you have for Chief Audit Executives and/or Chief Risk Officers as they seek to achieve greater levels of collaboration between Internal Audit and Risk Management?


Collaborative Practices & Value Realized


• Link the audit plan and the enterprise risk assessment, and share other work products. Provides assurance that critical risks are being identified effectively.

• Share available resources wherever and whenever possible. Allows for efficient use of scarce resources (such as financial, staff, time).

• Cross-leverage each function’s respective competencies, roles and responsibilities. Provides communication depth and consistency, especially at the board and management levels.

• Assess and monitor strategic risks. Allows for deeper understanding and focused action on the most significant risks.


ABOUT WHIRLPOOL CORPORATION

• World’s leading marketer and manufacturer of home appliances
• Approximately $18 billion in revenues
• 70,000+ employees worldwide
• 67 Manufacturing & Technology Centers
• World Headquarters: Southwest Michigan


MAKE PRODUCTS PEOPLE WANT TO OWN IN THEIR HOMES


CONSUMER-RELEVANT AND VALUE-CREATING INNOVATION

• Consumer-relevant innovation
• Strong cadence to the market
• Build strong brands

BRAND PLATFORM

BEST CONSUMER POSITION


WHIRLPOOL’S RISK MANAGEMENT FUNCTION

Whirlpool’s Risk Management

• Core team of 5
• Reporting to the Vice President and Treasurer
• Enterprise Risk Management
• Traditional risk management of hazard and financial risks
• Business continuity program
• Loss Prevention and Engineering


ENTERPRISE RISK MANAGEMENT PROCESS

Enterprise Risk Management is a strategic activity within Whirlpool. Our ERM process ensures that:

• Risks are appropriately identified.
• Risks are assessed at the senior management, business, and functional unit level.
• Risk mitigation is owned by business unit leaders.

Oversight:

• Ultimate responsibility for managing risks rests with the Chief Executive.
• Board of Directors oversees the overall risk management process through its Audit Committee.

The success of risk management is determined by:

• Identifying the right risks and events driving them.
• Quantifying and ranking risks.
• Developing risk management plans which reduce the impact of and help the company prepare for risk events.


ENTERPRISE RISK PROGRESS TIMELINE

An Ongoing Process Since 2007

Timeline years shown: 2008, 2009, 2010, 2011

• Identified unique regional risks and 2011 mitigation plans
• Conducted emerging risk survey at the regional level… aggregated results
• Included Duration and Detectability in new risk assessments
• Identified Trade Partner and Competitor risk factors
• Coordinate with Internal Audit monthly and during annual emerging risk identification
• ERM – Incorporated into Internal Controls course of WHR University
• WHR University – Instructor-led courses developed and taught for Finance Group
• Incorporated ERM into the CAPEX Process
• System shared with Internal Audit, hosts and reports ERM
• Interviews with risk owners and direct reports in cooperation with Internal Audit
• Detailed risk assessments completed for Strategic and Financial Level Risks
• Qualitative and quantitative metrics included where warranted
• Critical events and root causes identified
• Benchmark ERM Maturity
• ERM presented to S&P
• Coordinate with Internal Audit
• Detailed risk assessments completed for Operational and Compliance Level Risks
• Velocity metric introduced
• Regions identify top risks, mitigation and controls
• Coordinate with Internal Audit monthly and during annual emerging risk identification

Annually: Risk Map Repositioned, Risk Owners’ Mitigation Plans Confirmed


ENTERPRISE RISK MANAGEMENT AT WHIRLPOOL

Annual risk assessment process is used by both Internal Audit and Risk Management


ENTERPRISE RISK MANAGEMENT AT WHIRLPOOL

Risks are rated, ranked and assigned to one of five categories

[Figure: risk categories 1 to 5; column headings: Risk Categories, Level/Representative Risks, Control Source; labels: Good Rules, Good Decisions]


ENTERPRISE RISK MANAGEMENT AT WHIRLPOOL

Key risks are owned by Whirlpool’s executive committee, and projects and actions to achieve mitigation goals and objectives are ongoing


WHIRLPOOL’S INTERNAL AUDIT FUNCTION

• IA reports to the CFO & Audit Committee
• Represented in all regions globally
• Core team of ~60 Auditors
• KPMG FTEs utilized
• Core Competency includes Talent management:
  – Rotation into business
  – Financial Leadership Development Program

[Org chart labels: Audit Committee; Administrative Reporting Relationship; Functional Reporting Relationship; Internal Audit]


AUDIT PLAN AND DEVELOPMENT PROCESS

• Quantitative and qualitative assessment of all Whirlpool functions and locations
• Approach considers internal and external changes in the business environment, Whirlpool’s strategy and key objectives
• VP Internal Audit and IA Management team gathered input from Senior Executives, including regional CFOs and management from various functional areas
• Integrated risk assessment process with Enterprise Risk Management and the Compliance & Ethics Office
• Reviewed risk assessment and IA Plan with Ernst & Young
• Reviewed IA Plan with Executive Committee & Global Finance Leadership Team (GFLT)
• Audit Committee approves annual plan


INCORPORATING TECHNOLOGY

ERM PROCESS EMBEDDED WITHIN INTERNAL AUDIT SYSTEM


ENTERPRISE RISK MANAGEMENT

Collaboration

• Monthly meetings between IA and RM
• RM receives IA reports
• Annually interview senior leaders
• WHR University ‘Risk and Controls’ course
• RM utilizes IA software system

Benefits

• Collaborative effort
• Identify emerging risks earlier
• Optimize and leverage efforts
• Common language
• Shared IT software


Q & A
