Integrated Assurance Across the Three Lines of Defence @ComplianceWeek | #CW2017

Upload: ngokhue

Post on 26-Feb-2019


@ComplianceWeek | #CWE2017

Speaker Panel

Valeria Locatelli, Audit Director, M&G Investments

Liv Watson, Sr. Director of Strategic Customer Initiatives, Workiva, Inc.

Polling Question 1

Do you currently use (any form of) integrated assurance in your company?

1. Yes, and we have an integrated report to the Board
2. Yes, but each assurance provider reports independently
3. No, but we are aware what other functions are planning
4. No, and we have little visibility with each other
5. Not sure

Integrated Assurance

Valeria Locatelli, Audit Director, M&G

What is Integrated Assurance?

• No agreed upon definition and minimum standards

• In simple terms, it means combining two or more assurance plans (e.g. audit, risk, compliance) to show the collective assurance coverage of risks and controls across the organisation

• It is a tool to support a joined-up risk management approach

• It requires aligning the various assurance activities over the key risks and core business activities

Why It Matters

• IPPF Performance Standard 2050 (Coordination and Reliance): The chief audit executive should share information, coordinate activities and consider relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimise duplication of efforts.

• Financial crisis: Exposed weaknesses in boardroom practice; risk and its assurance were disjointed. Multiple uncoordinated activities across assurance providers generate ‘risk fatigue’ and use assurance resources in a sub-optimal way. Instead, a coordinated approach leads to a common view of the key risks across the organisation, and how well controlled they are.

• Proliferation of specialist assurance functions: In response to regulatory risk (e.g. ABC, GDPR), which increases the risk of duplication and of taking up a lot of management time with independent assurance activities.

Key Benefits

• Common and consistent view of risks and controls

• Provides an aggregated view of risk assurance – ‘one truth’

• Can be seen as a method to accumulate data and facts pertaining to a specific process from various areas and perspectives

• Increased efficiency and resource utilisation across assurance providers

• Minimises the risk of gaps, silo-working and disjointed risk management

• Promotes working beyond functional boundaries

Things to Consider

• What are the critical activities/risks/controls?

• Is the risk taxonomy common across the organization and assurance functions?

• Is the level of maturity of the assurance providers consistent?

• Who are the key stakeholders and beneficiaries of the integrated assurance activities?

Assurance Coverage Mapping

[Table: example of key risk areas mapped against assurance providers across the 1st, 2nd and 3rd lines of defence. Cell contents not recoverable.]

Assurance providers (columns): Management, Finance, Legal, Risk, Compliance, Audit

Key risk areas (rows): Strategic Risk, Customer Needs, Political & Regulatory, Operational Risk, Financial Control, Legal & Compliance, Information Technology, Health & Safety

Best Practices

• Harmonization of Risk and Control Framework – one single framework (risk universe, risk taxonomy, rating scales, formats)

• Harness collective risk intelligence across business functions

• Eliminate overlaps = minimising duplication of efforts

• Increase ownership and responsibility in the first line of defence for risks and controls

• Alignment of roles and responsibilities across different committees

• Integrated implementation of new projects – regulatory changes, new systems

• Focus on key risk while integrating assurance

Presented by: Liv Watson, Sr. Director, Workiva, Inc. [NYSE: WK]

Integrated Assurance Across the Three Lines of Defence

Compliance Week Europe 2017 - Amsterdam


Key Learning Objective

Integrated Assurance Across the Three Lines of Defence Requires Good Data Governance

Compliance Dilemmas


Dilemmas - I


• IDC estimates that by 2020 business transactions on the internet (both B2B and B2C) will reach 450 billion per day.

• IDC estimates that the volume of business data worldwide, across all companies, doubles every 1.2 years.

• Walmart handles more than 1 million customer transactions every hour, which is imported into databases estimated to contain more than 2.5 petabytes of data.

• The largest AT&T database boasts titles including the largest volume of data in one unique database (312 terabytes) and the second largest number of rows in a unique database (1.9 trillion), which comprises AT&T’s extensive calling records.

• IDC estimates that poor data can cost businesses 20-35% of their operating revenue.

Source: www.waterfordtechnologies.com/big-data-interesting-facts/

Dilemmas - II


Dilemmas - III

Time to Rethink Integrated Assurance

The costs keep growing, while complexity is starting to outpace human understanding.

Rethink Integrated Assurance Across the Three Lines of Defence with Good Data Governance


Introducing SSOT-MVOTs Data Architecture

A sound data strategy requires that the data contained in a company’s single source of truth (SSOT) is of high quality and granular, and that multiple versions of the truth (MVOTs) are carefully controlled and derived from the same SSOT.

GOOD GOVERNANCE, GOOD DATA

• Continuous Audit Data

• Continuous Risk Monitoring and Assessment

• Continuous Control Monitoring

Time to Rethink Integrated Assurance

Assume that all data will be consumed using an electronic "machine understandable" reporting framework rather than a document-based digital one.

Key Take Away

The overall condition of data assets is directly dependent on the company’s ability to align people, processes, lines of business, and technologies. It requires that all of these things work together to produce the desired outcomes that make data fit for its business purpose.

DISCUSSION


Valeria Locatelli, Audit Director, M&G Investments

Liv Watson, Sr. Director of Strategic Customer Initiatives, Workiva, Inc.

Thank you!

Your feedback is much appreciated! Please remember to complete the feedback survey, available in the conference app and at the registration desk.
