Risk Mapping Workshop


Upload: meillard03

Post on 26-Oct-2014


Page 1: Risk Mapping Workshop

BUSINESS IS …OPPORTUNITIES MANAGEMENT

Page 2: Risk Mapping Workshop

AS WELL AS …. RISKS MANAGEMENT

• WHO IS THE BAD GUY …OR…GIRL?

THE HEAD OF INTERNAL AUDIT

THE CEO

Page 3: Risk Mapping Workshop

STEP 1: WRAP-UP

• CORPORATE OBJECTIVES (and related KPIs, if any)

• TOP 5 RISKS IDENTIFICATION AND ASSESSMENT

  • ‘What Could Go Wrong’

  • ‘Severity’ in terms of

    • Impact (High, Medium and Low)

    • Likelihood (High, Medium and Low)

    • Velocity (Short, Medium and Long term)

• Also keep in mind the risk of fraud

Page 4: Risk Mapping Workshop

STEP 2: SELECT

• SHORT TERM RISKS: keep only those that are very likely to occur within the next SIX months

• TOP 5 RISKS

  • Attributes validation

  • Risk owner commitment and sign-off (upon validation by the Group Executive Committee and endorsement by the Board of Directors)

Page 5: Risk Mapping Workshop

STEP 3: RISK MANAGEMENT

• MITIGATION FACTORS: controls such as bank reconciliation or physical inventory

• RESIDUAL RISKS = inherent risks (STEP 2) – risk treatments (mainly mitigation, or avoidance, sharing, transfer, acceptance)

• RISK MANAGEMENT GOVERNANCE: RESIDUAL risk owner commitment and sign-off (upon validation by the Group Executive Committee and endorsement by the Board of Directors)

Page 6: Risk Mapping Workshop

Risk, risk management

RISK

“Risk is defined as the probability that an event will occur and adversely affect the achievement of objectives. Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement” (COSO)

RISK MANAGEMENT

Risk management aims at identifying, controlling and reducing risks, and at reporting them quarterly to the Board of Directors.

Page 7: Risk Mapping Workshop

Impact: “YOUR ORGANIZATION’S RISKS IN METRO HEADLINES”?

Impact level criteria (guidance):

• Low: below 10% deviation from the quantitative KPI (profit before tax or another operational KPI)

• Medium: between 10% and 20% deviation from the quantitative KPI

• High: above 20% deviation from the quantitative KPI; also any fraud risk (rated from the first euro), any damage to Transcom’s brand or reputation, and any risk whose duration exceeds one year

“Likelihood represents the possibility that a given event will occur, while “impact” represents its effect.” (COSO 2012 definition)

[Slide images: two examples of high-impact headlines]

Page 8: Risk Mapping Workshop

A THIEVING call centre worker stole nearly £600,000 of mobile phones from his firm in a nationwide scam.

Michael Higgins was working for Orange, in North Tyneside, when he hatched the plot to line his pockets. Higgins, who worked as an analyst for the firm, managed to override an internal security system time and time again to set up bogus sales. Newcastle Crown Court heard a total of 1,158 handsets were stolen over a two-year period worth £496,141, but the VAT avoided on the sales pushed this up to almost £600,000. Now Higgins has been locked up for three years and four months while fellow former Orange worker Gavin Ellis, who worked as Higgins’ ‘sales manager’ in the plot, was jailed for 32 months. Judge Brian Forster said: “This was planned theft over a significant period of time and the value was substantial.”

“The courts have a clear duty to deter employees from committing serious offences of dishonesty, in particular theft. Higgins acted in a gross breach of trust and Ellis was not only involved in sales but was quickly centrally involved.” An inquiry had been launched at the Orange call centre, on the Cobalt Business Park, North Tyneside, after discrepancies were uncovered between the number of phones being ordered and billed and the number being delivered. The investigation showed a large number of orders had been delivered but had somehow avoided going into the firm’s billing process. Robert Adams, prosecuting, said: “Michael Higgins was identified as the analyst responsible in each case. No payment was being taken for these phones because no account had been set up with Orange. All these transactions were processed by Higgins, they all related to top of the range handsets and none of them was ever paid for.”

Page 9: Risk Mapping Workshop

“When Higgins, 34, of Bothal Place, Pegswood, Northumberland, was interviewed by police he admitted stealing the phones by bypassing the usual system, saying once the phones had been dispatched he would delete the order. The court heard while Higgins spent his profits of £90,000 on clearing his debts, co-accused Ellis had used his similarly sized share to pay off his mortgage, buy a £20,000 Ford Focus and private registration plate and a £5,000 kitchen. Ellis, 36, of Gainford, Gateshead, had also worked for Orange but had left the firm before the scam began. He admitted selling some of the phones on internet auction site eBay and meeting other people to pass the handsets on. Both Higgins and Ellis pleaded guilty to conspiracy to steal between January 2006 and January 2008. Ellis’ wife, Lynn Ellis, 31, of Gainford, Gateshead, also became embroiled in the plot and pleaded guilty to allowing her bank accounts to be used by her husband for the transfer of criminal property, namely £40,000 withdrawn to pay off their mortgage. She was jailed for 26 weeks, suspended for 18 months and ordered to do 100 hours of unpaid work. Irtafa Dawood, 29, of Empire Road, Middlesex, who bought the phones from Higgins and Ellis at knock-down prices then sold them on, was convicted by a jury of handling stolen goods. He was jailed for two-and-a-half years. Carl Parker, 40, of Laburnum Grove, Staffordshire, who allowed his address to be used for delivery of the phones, pleaded guilty to being concerned in the arrangement of criminal property and was jailed for nine months, suspended for 18 months, with 150 hours of unpaid work. Malcolm Harvey, 30, of Barningham Road, Richmond, admitted the same offence and received the same sentence. Detective Sergeant Dave Swinburne, from North Shields CID, said: “These convictions have taken place after extensive enquiries have been carried out by officers over a two-year period the length and breadth of the country. This investigation established that more than 1,100 mobile phones were stolen worth nearly £600,000. I hope today’s court case sends a clear message that such crimes will be fully investigated and those found guilty will be brought to justice.” He added that financial investigators will be making an application under the Proceeds of Crime Act to recover any assets.”

Source: ChronicleLive.co.uk, November 2009

A fraud with a high impact

Page 10: Risk Mapping Workshop

Likelihood: low, medium or high?

Likelihood level criteria (with examples):

• Low: below 33% (example: floods in Australia)

• Medium: between 33% and 66% (example: snow in Roma)

• High: above 66% (example: snow in Luxembourg)

[Slide images: examples of medium, high and low likelihood]

“Likelihood represents the possibility that a given event will occur, while “impact” represents its effect.” (COSO 2012 definition)

Page 11: Risk Mapping Workshop

Velocity

“Risk velocity refers to the pace with which the entity is expected to experience the impact of the risk. For instance, a manufacturer of consumer electronics may be concerned about changing customer preferences and compliance with radio frequency energy limits (…) Changes in regulatory requirement develop much more slowly than do changes in customer preferences.” (COSO 2012 definition)

Risk velocity criteria:

• Short: within the next three months

• Medium: between the next four and six months

• Long: beyond six months

[Slide images: examples of medium-term, long-term and short-term risks]

Page 12: Risk Mapping Workshop

INTERNAL AUDIT

Definition

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

Source: The Institute of Internal Auditors (IIA)

Internal Audit vs. External Audit

• Statutory mission: Internal Audit: No. External Audit: Yes.

• Transcom employee: Internal Audit: Yes (on principle). External Audit: No.

• Scope: Internal Audit: financial statements, forecast and budget process, operations, compliance. External Audit: financial statements only.

• Objectives: Internal Audit: assess the adequacy and effectiveness of the internal control framework. External Audit: give an independent and professional opinion on whether the accounts are free from any material bias.

• Accountable before: Internal Audit: the Audit Committee. External Audit: the shareholders.

Page 13: Risk Mapping Workshop

FRAUD, INTERNAL CONTROL

Fraud

The Institute of Internal Auditors defines fraud as: “… any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.”

Internal control

“Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations

• Reliability of reporting

• Compliance with applicable laws and regulations”

Source: COSO 2012

On your right, you have the COSO cube, which describes the internal control framework by:

• Category of objectives

• Process

• Organization

Page 14: Risk Mapping Workshop

RISK REGISTER TEMPLATE SAMPLE

RISK                IMPACT   LIKELIHOOD   VELOCITY      SIGNIFICANCE
Trainee illness     Low      Low          Long term     LOW
Agent absenteeism   Low      Medium       Medium term   Medium
Tax audit           High     Medium       Short term    High

Page 15: Risk Mapping Workshop

RISK SIGNIFICANCE RATING RULE