Integrated Assurance Across the Three Lines of Defence
TRANSCRIPT
@ComplianceWeek | #CWE2017
Speaker Panel
Valeria Locatelli, Audit Director, M&G Investments
Liv Watson, Sr. Director of Strategic Customer Initiatives, Workiva, Inc.
Polling Question 1
Do you currently use (any form of) integrated assurance in your company?
1. Yes, and we have an integrated report to the Board
2. Yes, but each assurance provider reports independently
3. No, but we are aware what other functions are planning
4. No, and we have little visibility with each other
5. Not sure
What is Integrated Assurance?
• No agreed-upon definition or minimum standards
• In simple terms, it means combining two or more assurance plans (e.g. audit, risk, compliance) to show the collective assurance coverage of risks and controls across the organisation
• It is a tool to support a joined-up risk management approach
• It requires aligning the various assurance activities over the key risks and core business activities
Why It Matters
• IPPF Performance Standard 2050 (Coordination and Reliance): The chief audit executive should share information, coordinate activities and consider relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimise duplication of efforts.
• Financial crisis: Exposed weaknesses in boardroom practice; risk and its assurance were disjointed. Multiple uncoordinated activities across assurance providers generate ‘risk fatigue’ and use assurance resources in a sub-optimal way. Instead, a coordinated approach leads to a common view of the key risks across the organisation and of how well controlled they are.
• Proliferation of specialist assurance functions: In response to regulatory risk (e.g. ABC, GDPR), which increases the risk of duplication and of taking up a lot of management time with independent assurance activities.
Key Benefits
• Common and consistent view of risks and controls
• Provides an aggregated view of risk assurance – ‘one truth’
• Can be seen as a method to accumulate data and facts pertaining to a specific process from various areas and perspectives
• Increased efficiency and resource utilisation across assurance providers
• Minimises the risk of gaps, silo-working and disjointed risk management
• Promotes working beyond functional boundaries
Things to Consider
• What are the critical activities/risks/controls?
• Is the risk taxonomy common across the organization and assurance functions?
• Is the level of maturity of the assurance providers consistent?
• Who are the key stakeholders and beneficiaries of the integrated assurance activities?
Assurance Coverage Mapping
Example of Key Risk Areas: Assurance Coverage Mapping
Lines of defence (column groups): 1st Line of Defence, 2nd Line of Defence, 3rd Line of Defence
Assurance providers (columns): Management, Finance, Legal, Risk, Compliance, Audit
Key risk areas (rows):
• Strategic Risk
• Customer Needs
• Political & Regulatory
• Operational Risk
• Financial Control
• Legal & Compliance
• Information Technology
• Health & Safety
Best Practices
• Harmonization of Risk and Control Framework – one single framework (risk universe, risk taxonomy, rating scales, formats)
• Harness collective risk intelligence across business functions
• Eliminate overlaps, minimising duplication of efforts
• Increase ownership and responsibility in the first line of defence for risks and controls
• Alignment of roles and responsibilities across different committees
• Integrated implementation of new projects – regulatory changes, new systems
• Focus on key risks while integrating assurance
Presented by: Liv Watson, Sr. Director, Workiva, Inc. [NYSE: WK]
Integrated Assurance Across the Three Lines of Defence
Key Learning Objective
Integrated Assurance Across the Three Lines of Defence Requires Good Data Governance
Compliance Week Europe 2017 - Amsterdam
• IDC estimates that by 2020 business transactions on the internet (both B2B and B2C) will reach 450 billion per day.
• IDC estimates that the volume of business data worldwide, across all companies, doubles every 1.2 years.
• Walmart handles more than 1 million customer transactions every hour, which is imported into databases estimated to contain more than 2.5 petabytes of data.
• The largest AT&T database boasts titles including the largest volume of data in one unique database (312 terabytes) and the second largest number of rows in a unique database (1.9 trillion), which comprises AT&T’s extensive calling records.
• IDC estimates that poor data can cost businesses 20-35% of their operating revenue.
Source: www.waterfordtechnologies.com/big-data-interesting-facts/
Dilemmas - II
Time to Rethink Integrated Assurance
The costs keep growing, while complexity is starting to outpace human understanding.
Introducing SSOT-MVOTs Data Architecture
A sound data strategy requires that the data contained in a company’s single source of truth (SSOT) is of high quality and granular, and that multiple versions of the truth (MVOTs) are carefully controlled and derived from the same SSOT.
GOOD GOVERNANCE, GOOD DATA
• Continuous Audit Data
• Continuous Risk Monitoring and Assessment
• Continuous Control Monitoring
Time to Rethink Integrated Assurance
Assume that all data will be consumed using an electronic "machine understandable" reporting framework rather than a document-based digital one.
Key Take Away
The overall condition of data assets is directly dependent on the company’s ability to align people, processes, lines of business, and technologies. It requires that all of these things work together to produce the desired outcomes that make data fit for its business purpose.
DISCUSSION