Risk Management and the Audit Plan CIPFA in the Midlands Audit Training Seminar Wednesday 24th November 2004 Tina Spiers

Introduction

Background and context

What is risk management?

Why is risk management important?

Birmingham City Council’s approach

Risk registers

Mapping to the audit plan

What’s next?

Conclusion and questions

Background and context - the CIPFA/SOLACE Framework

Structures & Processes

Standards of Conduct

Service Delivery Arrangements

Community Focus

Risk Management and Internal Control

Background and context - CIPFA definition of Internal Audit

Service Delivery Arrangements

Internal Audit is an assurance function that primarily provides an independent and objective opinion to the organisation on the control environment comprising risk management, control and governance by evaluating its effectiveness in achieving the organisation’s objectives. It objectively examines, evaluates and reports on the adequacy of the control environment as a contribution to the proper, economic, efficient and effective use of resources.

Source: 2003 Code of Practice for Internal Audit

Background and context

What has BCC done?

Reviewed existing Corporate Governance arrangements

Adopted the CIPFA/SOLACE framework

Prepared and adopted a local Code of Corporate Governance

Identified the Strategic Director of Resources as Officer “Corporate Governance Champion” and Deputy Leader as Member “Corporate Governance Champion”

Established a Corporate Governance Action Plan

Developed the Constitution

Worked on embedding Risk Management

What is risk management?

Definition: Risk management is about making the most of opportunities (making the right decisions) and about achieving objectives once those decisions are made.

Source: Solace/Zurich Municipal

What is risk management?

It is a tool that can help to prioritise where resources should be targeted.

Failure to manage risk effectively may result in financial losses, disruption to services, threats to public health and safety, bad publicity or claims for compensation.

Need to ask:

What are the barriers to us achieving our targets/plans?

What are the worst things that could happen to us?

How likely are they to happen?

Are sufficient steps being taken to prevent them from happening?

What is risk management?

RISK IDENTIFICATION

RISK ANALYSIS

PRIORITISATION

RISK MANAGEMENT

MONITORING

Why is risk management important?

Need to manage the risks identified, have clear action plans with measurable performance indicators/targets, key dates and responsible officers in place.

Need to monitor how effective the action plans are at reducing the risk impact/likelihood.

If not effective, a different approach to manage the risk needs to be put in place.

BCC approach to Risk Management

Risk management strategy approved by Cabinet July 2001, updated in October 2002 and again in 2004.

Risk Champion nominated by each Directorate’s Management Team. Initial training provided to Risk Champions and some staff within Birmingham Audit by Zurich.

Head of Birmingham Audit tasked with leading on risk management - presentations done to Management Teams, facilitation at risk identification workshops. Briefings/training provided to Divisional reps. Risk management documents updated and distributed - internally and externally.

Risk Registers

Directorate risk registers produced and top 10 - 15 risks per Directorate nominated to form basis of first Corporate Risk Register.

Corporate risk management group formed - currently consists of Deputy Leader, Strategic Director of Resources, Director of Performance Improvement and the Head of Birmingham Audit. Corporate risk register updated.

Now working to develop Divisional and Service level risk registers. Also applied to projects.

Corporate Risk Register process has been altered to try to speed up the refresh process and include “issues” as well as risks.

Risk Register

Column headings (grouped under "Risk / opportunity information" and "Counter Measures"):

No.

Description of Risk / Opportunity and Risk / Opportunity owner

Inherent Risk (Likelihood/Impact)

Description of current controls/mitigation in place & date when controls were last reviewed and reported upon

Residual Risk (Likelihood/Impact)

Further control proposed, and date for implementation

Each row carries the fields "Risk / Opportunity owner:", "Date:" and "Date:".

Action Plan

Risk Register No. & Risk owner:

Inherent Risk Likelihood/Impact

Objective the risk or opportunity is linked to or arises from:

Residual Risk Likelihood/Impact

Residual risk accepted? Y / N

Consequences if the risk event occurred or the opportunity is missed:

If residual risk not accepted, what approach has been agreed? Control risk / Modify risk / Transfer risk / Eliminate risk

Target risk Likelihood/Impact

Description of risks that could prevent the objective being met / opportunities that could be missed:

What main controls are currently in place? Who is responsible for each main control? What action is being taken relating to each main control? When was the last check of the effectiveness of the main controls in place carried out and who were the results reported to?

What further action is to be taken to control, modify, transfer or eliminate the residual risk? Who is to take this further action? When will the further action occur?

Mapping to the Audit Plan

Early days yet but we are:

Using the areas highlighted on the Corporate Risk Register to identify areas for audit review.

Using Directorate risk registers to inform the audit plan and the focus of work programmes.

Using risk management approach to help with areas of known vulnerability.

Auditing the risk management process too!

What’s next?

We have purchased Magique - a computerised risk management system that integrates with our audit management system (Galileo) and will help to drive the risk based plan.

Magique is being customised to suit our needs and is being tested.

We plan to pilot Magique by using it for the Corporate Risk Register and a volunteer Directorate / Division.

We will use the information from the registers and action plans to identify the key controls to be audited and to highlight where risks are severe but not being managed.

Conclusion and questions

Concluding points:

Stress that risk management is not new - it is good management practice.

Link in with business planning and performance management.

Keep in mind the bigger picture regarding Corporate Governance and Assurance Statements.

Internal Audit cannot ignore risk management.

Any questions?