Providing assurance and addressing stakeholders' expectations

Risk management in the Public Sector

Soledad Llamas Tutor

Internal Audit Manager at Canal de Isabel II, Madrid, Spain

Chair of the Cooperation Committee ECIIA_EUROSAI

IAS Conference 2018 - "Internal Audit: Embracing the challenges of the future"

6 November 2018

GESTIÓN DE RIESGOS

PIT STOP F1GOAL: Change the wheels and make adjustments in less than 2 sec.

Risks:

Forget some element.

Stall the car.

No coordination.

Grease in the pit lane.

Bad comunication between the workers and the pilot.

What is the probability? How many times has previously happened?Is it possible to happen again?

What is the impact?How many seconds do we lose if it happens?

Likelihood

Impact

GESTIÓN DE RIESGOSRisk: Bad comunication between theworkers and the pilot

Probability: HighImpact: Very high

Control: Lollipop Man

Risk: Stall the car Probability: Low

Impact: Very highControl: Starter man

Risk: Grease in the pit laneProbability: Very high

Impact: LowControl: Cleaning

IMPACT

LIK

ELIH

OO

D

Risk: Bad comunication between the workers and the pilot.

Risk: Creek the car .

Risk: Grease in the pit lane. Risk: Grease in the pit lane.

Risk: Bad comunication between the workers and the pilot.

Risk: Stall the car.

Risk: Bad comunication between the workers and the pilot.

Risk: Stall the car.

Risk: Grease in the pit lane.

GESTIÓN DE RIESGOS

Risk management

in the Public Sector

1. Risks

Identify risks.

Emerging risks

2. Evaluation

Define common rules to assess risks.

Evaluate likelihood and impact of risks.

Indicators. KRI.

3. Controls

1Identify Risk

1. Risks. Identify the risks.

COSO. ERM

IIA

Inside company (whistleblowing)

Evaluation of incentives to workers

Possible removal of controls

1. Risks. Identify the risks.

Examples Lack of control to prevent the dividing of a public contract into several smaller ones.

The absence of code of conduct.

Lack of agility in the public procurement process.

Excessive staff turnover.

Lack of back up for key staff.

Lack of rotation of personnel in sensitive posts.

Inadequate management of access control systems.

Very difficult to achieve objectives.

Low salaries in relation to the market.

How often do we attend a congress for another sector?

How often do we review our risk catalogue?

When was the last time we added a new risk?

1. Risks. Emerging Risk.

2Evaluation

2. Evaluation. Define common rules to assess risks.

Impact Likelihood

How significant could the effects be if it

happens?

The probability of ithappening

1 - Low 2 - Moderate 3 - Likely 4 – Very likely

<20% 21% - 50% 51% - 90% > 90%

It could happen, but it is very unlikely

It could happenThe probability of

occurrence is greater than it not happening

You could almost saywith certainty that it will

happen

Examples

2. Evaluation. Define common rules to assess risks.

Likelihood:

2. Evaluation. Define common rules to assess risks. Examples

Impact

1 - Low 2 - Moderate 3 - Severe 4 – Very severe

Finance – Reduction of EBITDA <3% 3%-5% 6%- 10% > 10%

Strategic/Reputational

Low impact on reputationModerate impact on

reputationImportant impact Very important impact

Lack of/problems with the drinking water

Affects fewer than 1.000 people

Affects between 1.000 and 3.000 people

Affects between 3.000 and 5.000 people

Affects more than 5.000 people

Loss of water

< 2.000 m3 < 5.000 m3 > 2.000 m3 < 10.000 > 5.000 m3 >10.000 m3

News in media: press, internet

Local mediaSome news in local and

national press and tvNational media International media

Risk: Lack of agility in the public procurement process.

ExamplesKRI

KRI. Likelihood:- Nº of contracts with processing time greater than XX days.- (%) Number of contracts with processing time greater than XX days / Total number of contracts.

2. Evaluation. KRI. Key Risk indicators.

KRI. Impact: € for public procurement in one year.

Risk: Lack of agility in the public procurement process.

ExamplesKRI

2. Evaluation. KRI. Key Risk indicators.

KRI. Likelihood:- Nº of contracts with processing time greater than XX days.- (%) Number of contracts with processing time greater than XX days / Total number of contracts

Type KRI 1 2 3 4 KRI value

LikelihoodNº of contracts with processing time greater than XX days

20 40 100 500 YY

Likelihood(%) Number of contracts with processing time greater than XX days / Total number of contracts

5 10 15 20 ZZ

Risk value

Risk: Lack of agility in the public procurement process.

ExamplesKRI

KRI. Impact: € for public procurement in one year.

2. Evaluation. KRI. Key Risk indicators.

Type KRI 1 2 3 4 KRI value

Impact€ for public procurement in one year

20 150 300 500 XXXX

Risk value

3Controls

Define controls.

Evaluate the design and effectiveness of controls.

3. Controls.

4Conclusions

RISK

KRI

Likelihood

Impact

CONTROLS

Design

Effectiveness

PROCESS IN THE RISK MANAGEMENT

What is the percentage of Public Entities in Europe

with Risk Department?

More than 60%

Between 40% - 60%

Between 20% - 40%

Less than 20%

Don’t know

What is the percentage of Public Entities in Europe

with Risk Department?

0

10

20

30

40

50

60

70

80

90

100

47

53

YES

NO

27

Título del capítulo

www.canaldeisabelsegunda.es

sltutor@canaldeisabelsegunda.es

Thank you for your attention

IAS Conference 2018 - "Internal Audit: Embracing the challenges of the future"