TRANSCRIPT
Advisory
GRC Examples
[Date] This report contains 15 pages
© [year] [legal member firm name], a [jurisdiction] [legal structure] and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Printed in [country in which the publication has been printed].
Table of Contents
I. Example Guiding Principles
II. Three Lines of Defense
III. Example Taxonomy
IV. Example Attribute Matrix for Risk Assessment’
V. Example Flowchart Process Documentation
VI. Example Process Hierarchy
VII. Enterprise Risk Management (ERM) Reporting
VIII. PMO – Example Project Financials Dashboard Used for a Project at [CLIENT NAME]
Example Guiding Principles
Shown below is an example of guiding principles, which have been used as a foundation and applied to a risk and control project.
Theme 1 – Common Language: One view of risk, a common language drives effective risk management actions and decisions.
Theme 2 – Risk Content: Risk information takes into consideration constituencies (e.g., board, management, customers, regulators, rating agencies), aligns strategic objectives and drives business value.
Three Lines of Defense
Shown below are the Three Lines of Defense, which will provide a structure by which to organize the risk management roles and responsibilities of the company.
The first line of defense (risk content ownership) includes the risk owners, who are accountable for managing risk content. The second line of defense (risk process ownership / certain monitoring) includes the standard-setters, who manage and provide guidance around the risk management program. The third line of defense (risk process and content monitoring) helps provide assurance over the effectiveness of the risk management process.
First Line of Defense – Business Owners – Risk Content Ownership
• Manage risks / implement actions to manage and treat risk
• Comply with risk management process
• Implement risk management processes where applicable
• Execute risk assessments and identify emerging risk
Second Line of Defense – Standard Setters – Risk Process Ownership / Certain Monitoring
• Establish policy and process for risk management
• Strategic link for the enterprise in terms of risk
• Provide guidance and coordination among constituencies
• Identify enterprise trends, synergies, and opportunities for change
• Initiate change, integration, operationalization of new events
• Liaison between third line of defense and first line of defense
• Oversight over certain risk areas (e.g., credit, market) and in terms of certain enterprise objectives (e.g., compliance with regulation)
Third Line of Defense – Assurance Providers – Risk Process and Content Monitoring
• Liaise with senior management and/or board
• Rationalize and systematize risk assessment and governance reporting
• Provide oversight on risk management content/processes, followed by second line of defense (as practical)
• Provide assurance that risk management processes are adequate and appropriate
Risk Governance
Example Taxonomy
Shown below is an example of a risk taxonomy developed to provide a common language and set of guidelines to help identify and assess risks to the overall risk program.
Example Risk Category: Example Risk Sub-Categories
Operational Risks*: People, process, systems, external events such as privacy, data protection, change management (mgt), document mgt, 3rd party mgt, model risk, and new product risk
Market Risks*: Working capital, liquidity, interest rate
Credit Risks*: Wholesale/Commercial, Retail, Securitization, Trading and Equity
Strategic Risks: Innovation; expansion of business segments; build new business – infrastructure, real estate, globalization and emerging markets
External Environment Risks**: Changes in the business environment/market, competitor activity, international
Governance**: Succession planning, strategic focus, board and/or committee oversight
People Risks**: Talent acquisition and retention, skills, competence, compliance with firm policies/procedures
Legal & Compliance Risks**: SEC (Sarbanes-Oxley, broker-dealer & investment advisor requirements), NYSE, federal and state tax authorities, lobby registration, and consumer compliance
* Basel II Risk Categories
** Operational Risk Sub-Categories
Example Attribute Matrix for Risk Assessment
Shown below is an example attribute matrix used to help rationalize the risk assessments and identify areas for convergence (Pages 1-5).
Columns: No.; Topic; Function; Internal Audit; SOX; Compliance; Business Continuity; Difference Spectrum; Concept

Objective / Content
1. What is the objective of the risk assessment?
Internal Audit: To prepare the risk-based internal audit plan that is validated by executive management; the risk-based plan evolves as risks in the organization evolve.
SOX: The Financial Statements are reviewed to determine which lines should be in scope for the annual SOX Assessment.
Compliance: Allocate resources appropriately; the risk assessment must address issues that come up in the regulatory environment and reassess the risk level of the overall process in cases where the risks carry over from the prior year; determine the best cost-benefit approach.
Business Continuity: Validate recovery priority and dependencies for each business function in the firm.

Audience
2. Primary Audience (End Deliverable – Target Audience: Board and Management (Audit Committee, etc.))
Internal Audit: Audit Committee
SOX: The risk assessment is used by the SOX Group, verified by the Controller and discussed with the external auditor.
Compliance: Business entities that are exposed to compliance risks; Compliance function and team; Audit Committee.
Business Continuity: Business Area Continuity Plans; Business Area planners and coordinators; Business Area leadership / EMT; IT Continuity Services (e.g., drives technical recovery priorities)
3. Distribution (secondary audience) (Reporting of risk information: (i) Is the RA shared with others? (ii) If so, name the department)
Internal Audit: Management Risk Committee; business owners
SOX: The RA is primarily used by the Internal Audit Department, but it is shared with the controllers and external auditor for input.
Compliance: Regulators; business entities that are exposed to compliance risks (usually at the business / process owner level); Management Risk Committee.
Business Continuity: See above; including Corporate Business Continuity
4. Approver of End Deliverable
Internal Audit: Audit Committee; senior management does NOT approve the assessment, they provide input and support only.
SOX: Validated with Controller and external auditor.
Compliance: Chief Compliance Officer (CCO)
Business Continuity: Manager of business function; formal signoff process.

Inputs
5. Parties providing input ((i) Department name / self; (ii) Position/Level; (iii) 3rd party (pls specify))
Internal Audit: EMT and direct reports; audit staff talks to middle management to get input on areas that may need to be looked at or to get a better understanding of the business process; Internal Audit has its own view on the risks before talking to business leaders.
SOX: Controllers, external auditors
Compliance: CCO will provide certain risks that are required objectives for that year; Compliance publications; SEC mandates; results from exams.
Business Continuity: All business functions in the Firm
Difference Spectrum: Macro versus Micro. Audit: top-down. Others: ??
Concept: Three lines of defense
6. Type of Information Collected
Internal Audit: 1. Company's business plan is presented for the upcoming year; 2. Discussions / interviews on how to achieve business objectives; 3. Concerns on compliance are brought into the discussion; 4. Things that audit is aware of because of experience ("hot spots") are also brought to the discussion.
SOX: See Risk Assessment previously submitted; lines evaluated on various attributes
Compliance: Compliance standards may dictate the format and content of deliverables; information that is needed includes management review, sign-off, segregation of duties evidence.
Business Continuity: For each business function: recovery time objective; recovery point objective; dependencies (applications, vendors, locations, number of staff, vital records)
7. Other roles involved in risk assessment process
Internal Audit: Outside consultants' work product; audit reports; SOX information
Business Continuity: See item 3; including Corporate Business Continuity

Process
8. Team / Function / Area being assessed
Internal Audit: Management Risk Committee and direct reports of business support areas
SOX: All areas
Compliance: Depends on the content and the regulatory requirements of the current year. The assessment may cross several business units and levels.
Business Continuity: All business functions in the Firm
Difference Spectrum: Macro RA: Audit – level 2 / 3; Compliance – level 3 / 4; SOX – N/A; BCP – ??. Micro RA: process / function-specific for all
Concept: Three lines of defense
9. Parties performing risk assessment ((i) How many members; (ii) Their positions/levels; (iii) Their roles in RA)
Internal Audit: Each focuses on different business support areas and then they are split by business entities
SOX: 2 members of Internal Controls perform the Risk Assessment
Compliance: CCO generally performs the RA
Business Continuity: Corporate Business Continuity in partnership with Business Continuity Coordinators and planners.
Difference Spectrum: Range varies from assessment done "internally" (e.g. SOX) to mostly in the business (e.g. Business Continuity). Audit and Compliance are in the middle, with Audit closer to the business than Compliance.
Concept: Three lines of defense
10. Risk Assessment Process (How the RA is performed: (i) Steps taken; (ii) Interviews; (iii) Work sessions)
Internal Audit: Largely interviews: who is chosen and the type of content depends on prior years' risk assessments, the internal audit plan, and input from audit staff
SOX: Review of Financial Statement lines and evaluation of each line. Primarily done by ICU with validation by Controllers and auditor.
Compliance: CCOs set initial risk focus based on industry knowledge, trends, and parties providing input; conduct interviews, review documentation, and perform a walkthrough of day-to-day processes; discussions usually take place with level 2 or 3 personnel.
Business Continuity: Formal project plan, training, assessment criteria (EIC); data collection (Paragon); signoff; reporting
Difference Spectrum: Macro versus Micro level risk assessments. Audit: interview-based; SOX: internal with external validation; BCP: business; Compliance: ???
11. Method of Risk Categorization (Risk ranking criteria: probability vs. impact; risk directions; High / Med / Low)
Internal Audit: High / Med / Low; 3 types: control risk, inherent risk, total risk; team effort / discussion; the team concludes on 10-12 key risk areas (themes) for the organization.
SOX: See Risk Assessment previously submitted.
Compliance: High / Med / Low; 3 types: inherent risk, control risk, total risk (based on the COSO model); combined criteria to rank risks based on likelihood and probability
Business Continuity: Recovery times are tiered based on an area's overall impact (EIC) to the Firm.
Difference Spectrum: All high / medium / low except BCP (recovery times?). Criteria differ (see #13 below)
Concept: Common language
12. Risk Assessment Criteria (Assessment measures used: Timeliness, Quality, Materiality)
Internal Audit: RA (excluding IT audits): materiality is based on the legal entity and is a major basis for determining priority; complexity; external compliance; reputation; fraud. Business owners provide input on scale.
SOX: Size and composition; loss; routine / non-routine; transactions; account type; complexities; loss exposure; contingent liability; related party; changes.
Compliance: Standards (sources of information?) with Compliance are used in developing priority risks; materiality is based on the business entity, mostly subjective and open to discussion within the group; determine impact and likelihood for both inherent and control risk.
Business Continuity: Quantified based on an Enterprise Impact Chart; criticality based on financial statement loss, customer service, regulatory / legal / compliance, reputational, workforce.
Difference Spectrum: Little consistency. A few terms overlap: materiality / loss; complexity; compliance / regulatory
Concept: Common language
13. Risk Assessment Techniques (Quantitative / Qualitative)
Internal Audit: Mostly qualitative; quantitative risk assessments give a "false sense of security"; financial risk areas have some quantitative analysis
SOX: Both
Compliance: Qualitative; risks are largely reputational and regulatory; annual training on techniques
Business Continuity: Quantitative
Difference Spectrum: Ranges from qualitative to quantitative in the following order: Compliance --> Audit --> SOX --> BCP
14. Risk Aggregation Basis (Risk aggregation technique used: are detailed risks rolled into summary risks?)
Internal Audit: Yes, themes (confirm?)
SOX: Yes
Compliance: There are sublevels of risk related to the summary risks defined in the risk assessment
Business Continuity: Yes
Difference Spectrum: Risks are aggregated, but are they at the same level?
15. Analysis Conducted (e.g. controllable vs. uncontrollable, discrete vs. ongoing, risk inter-relationships, gross vs. residual, etc.)
Internal Audit: [Year] focus was on inherent risk; controls are not well understood within the organization; timing is key to determining what will go into the audit plan, and Internal Audit tries not to focus on one specific area
SOX: Assessment is based on how the current controls are performing (gross v. residual)
Business Continuity: Yes; inter-relationships such as one critical application or vendor supporting many business functions, etc.
Difference Spectrum: Analysis is kept at gross (inherent) versus residual
Concept: Common language
16. Actions to Manage Risk ((i) Are they documented? Where? (ii) Are they assessed?)
Internal Audit: Controls are not well understood and there are not many efficient control areas in the organization; build a risk-based audit plan that will help business owners monitor and mitigate their risks.
SOX: From here, each line is broken down into the inputs to that line. The activities within each line are reviewed for risks and related controls. Controls are documented in FCM by business areas and signed off quarterly.
Compliance: Business owners are assigned once the risk assessment is complete
Business Continuity: RTOs and RPOs are incorporated into BC plans; assist in prioritizing recovery resources during an event; critical vendors drive vendor recovery reviews (NASD); RTOs and RPOs set technical recovery priorities and planning.
Difference Spectrum: Macro: ownership is at level 2. Micro: ownership is assigned
17. Quantification of Results (KPI, KRI) (Are any risk quantification methods used? e.g. KRI, KPI, etc.)
Internal Audit: The only KPI may be the number of resources allocated to managing risk
Compliance: Actions have been initiated to develop KPI / KRI; for example, inventory of key rules and regulations, the frequency of review, etc.
Business Continuity: EIC in process

Output
18. End Deliverable (sample) (End deliverable from the RA, e.g. risk profile, Internal Audit plan, etc.)
Internal Audit: Risk-based Internal Audit Plan
SOX: Financial Statement Risk Analysis
Compliance: The risk assessment with action plans, which are agreed to by the business owners
Business Continuity: Enterprise summaries; updated BC plan RTOs; critical application listing; critical vendor listing; gap summaries
19. Documentation of Risk Assessment Process (sample)
Provided; see other document

Other
20. Frequency of Risk Assessment (Frequency the RA is performed)
Internal Audit: Annual
SOX: Annual
Compliance: Annual
Business Continuity: Annual from time of completion
Difference Spectrum: Annual
21. Duration (Duration (time taken) to perform the RA (weeks, months))
Internal Audit: Begins in Q1
SOX: 3-4 weeks
Compliance: Starts in the 1st quarter and runs to the end of January / early February
Business Continuity: BIA update was the first re-validation of data; a four-month window was provided to the business to complete.
Difference Spectrum: Macro: Audit / Compliance 2 months, in time for the April audit committee; SOX / BCP ???
22. Dates when Risk Assessment is performed (Date/s when the RA is performed (month))
Internal Audit: Q1 to speak with key business owners
SOX: Commences when Financials for the current year are completed
Compliance: 1st quarter; CCO has done initial discussions with the business and research in regulations in mid-January
Business Continuity: Annual from time of completion
Difference Spectrum: Audit / Compliance similar timeframes (April - Mar calendar); SOX later in the year due to year-end; BCP every two years due to year-end
4
Example Process Flow Documentation
Shown below is an example of process flow documentation, which was used to document the testing process and identify areas for convergence.
Level 1: Highest level of the flow articulating key phases of work (such as planning, assessment, testing, and reporting) and key steps in the phases for each of the functions. Steps where convergence opportunities exist would be called out for reference purposes.
Level 2: Each key phase is broken down to introduce positions involved in executing steps in the phase. Steps will include key decisions taken by staff in these positions.
Internal Audit – 1.1 Level 1 Overview
Swimlanes: Planning; Testing; Issue Management
1. Set Up And Maintenance Of Audit Universe
2. Conduct Risk Assessment
3. Develop Annual Risk Based Audit Plan
4. Set Up Audit
5. Develop Audit Program
6. Conduct Testing
7. Identify Issues
8. Obtain Management Action Plan
9. Develop Audit Report
10. Close Audit
11. Review Action Plan Remediation
12. Close Issue
13. Develop And Issue Consolidated Reporting
Internal Audit – 1.2 Level 2 Planning
Swimlanes: General Auditor And Audit Planning; Board; Audit Plan Owners; Internal Audit GRC Committee
1. Are Changes To Auditable Entity (AE) Item Required? (decision: Y / N)
2. Set Up AE In GRC
3. Associate Process To Auditable Entity
4. Conduct Auditable Entity Assessment
5. Is This A Legal Entity Or International Entity? (decision: LE / Int / N)
6. Conduct Universe Item Legal Entity Risk Assessment
7. Conduct Universe Item Country Significance Risk Assessment
8. Develop Annual Risk Based Audit Plan
9. Review Plan
10. Approve Plan
11. Set Up Shell Audit
12. Schedule Audits
13. Plan Resources
Legend: C = Convergence Opportunity; Level 1 / Level 2 / Level 3
Level 3: Each phase is broken down to its lowest step as performed. The narrative to the process documentation goes into further detail, but not down to a "point and click" level; that is covered under the technical user guidance. GRC screens used by staff at each step can be documented.
Example Process Hierarchy
Shown below is a sample process hierarchy which details the multi-level decomposition from mega process to process, sub-process and product.
Figure labels: Process Hierarchy; Risk Library
ERM Reporting
Risk Assessment Reporting Process Chart
Shown below is an example of a risk assessment process once the areas of convergence have been identified and the direct lines and frequency of reporting are established.
1) Top Tier / Watch List Risks (Quarterly)
• Board receives quarterly dashboard report
• Management Risk Committee reviews and approves quarterly dashboard
• Risk Sponsor and Management Risk Committee review and approve detailed risk report and dashboard
• ERM group updates dashboard report for Management Risk Committee based on activity noted in detailed risk reports
• ERM group updates detailed risk reports with Risk Owner / Sponsor review and input for risks to which they are assigned
2) Tier 2 / Tier 3 Risks (Annually)
• Board receives operating committees' review calendars
• Firm Committee Chairs affirm to Management Risk Committee that all other risks have been reviewed/refreshed
• ERM group updates Firm Committee Review Calendar for risk review dates of their committees
• ERM group updates detailed risk reports with Risk Owner review and input for risks to which they are assigned
3) All Risk Refresh / Emerging Risks (Quarterly)
• Board receives report on new risks and adverse changes to other Tier 2 & 3 risks
• Management Committee reviews and approves proposed changes to the risk profile
• ERM Risk Executive proposes revisions/emerging risks to Management Committee for review and approval
• ERM group meets with ERM Risk Executive to discuss emerging risks and changes to risks based on Management Risk Committee meeting discussions
ERM Reporting
Dashboard Report
Shown below is an example of an enterprise risk management dashboard report presented to senior management and / or the Board.
Dashboard callouts:
• Risk direction: Provides insight on changes in risk direction since the prior quarter.
• Risk Assessment Score: The assessment uses five levels from '0' (risk mitigating activities exceed requirement) to '5' (risk management activities are unestablished). It assesses the combined appropriateness and effectiveness of the current risk management processes.
• Action Plan Status: Provides insight on the progress of the enhancements to current risk management processes required, and uses three levels from 'G' (action is sufficient or no actions in progress) to 'R' (action has not substantially progressed or is substantially behind).
• Internal Audit findings provide an assessment of related risk management processes.
• Commentary: Provides high-level and notable commentary/insight on the Risk Assessment Score and the Action Plan Status (e.g. implementation dates for actions in progress, reasons for delays in implementation, acceptance of the current risk assessment score, additional actions required to improve the risk assessment score).
• Provides additional insight into the notable positive or negative findings and/or emerging trends of the risk.
• Risk grid status: Provides insight on the status of the risk grids from 'A' (risk grid is operational) to 'C' (risk grid is less than substantially complete).
• Risk tier flags: 'T' (Top Tier Risk); 'W' (Watch List Risk).