Streamlining the Annual Risk Assessment Process
Presenter: Gregory Jordan, CPA, CIA, CRMA, FLMI
Senior Vice President, Chief Audit Executive
Gregory Jordan, CPA, CIA, CRMA, FLMI
• Chief Audit Executive, Nationwide Insurance
• Board Member of the IIA Central Ohio Chapter
• Committee Member of the IIA Exam Development Committee
• Over 30 yrs of industry experience
• Served in several Business and Finance leadership roles since joining Nationwide in 2001
• 11 yrs with Ernst & Young and 6 yrs with Midland Life Insurance Company/Swiss Re
• Graduate of The Ohio State University
Today’s Learning Opportunities
• Creating an annual planning road map
• Developing a standardized and consistent audit planning approach
• Reducing "peak" times by spreading annual planning effort throughout the year
• Formalizing internal audit policies and procedures for the annual planning process
• Learning a new approach for certain risk assessments titled "Risk Assessment Confirmations"
Risk Management Had to be Aligned

Targeted Model (diagram: Board/Senior Management Oversight; Audit Committee, Risk Committees, Other Committees; Internal Audit, Risk, Legal, Finance, Other; Internal Audit, FRC, IRM, Privacy, Legal, etc.; Business Units; built on common risk & control processes, a common data structure and common technology)
• Common approach to identifying risks/controls and managing issues
• Coordination among functions
• Clear roles and responsibilities
• Common data structure/database
• Comprehensive risk & control reports

Historical Model (diagram: Board/Senior Mgmt Oversight; Finance Cmtee, ERC, Audit Cmtee, ERM, IT Cmtee, Other Risk Cmtee; BUs; separate SAS, Notes and Access databases; Compliance)
• Redundancies and inefficiencies
• Varying lines of communication
• Lack of single data structure/database
• Multiple approaches for risk & control reports
Regulatory Risk Now Has a Year-Round Impact
• 50+ State Attorneys General
• Department of Justice
• Office of Comptroller of Currency
• U.S. Department of Labor
• Financial Industry Regulatory Authority (FINRA)
• Federal Trade Commission
• U.S. Department of Treasury
• 50+ State Insurance Departments
• 50+ State Mortgage Regulators
• 50+ State Securities Departments
• Occupational Safety & Health Administration
• Consumer Financial Protection Bureau
• SEC
• E.E.O.C.
• Office of Foreign Assets Control
• Internal Revenue Service
• Health and Human Services
• Commodity Futures Trading Commission
• Federal Reserve
• Municipal Securities Rulemaking Board
• 50+ State Unclaimed Property Regulators

Best Practices Are Driving Toward Shorter Duration and Timing
The Value of a Streamlined Risk Assessment Process
IIA Pulse of Internal Audit
“In today’s fast-paced operating environments, internal auditors need to audit at the speed of risk. That means developing the capability to continuously align or realign their audit coverage to address emerging risks
We Control Risk Assessment Processes
• Required by the Standards – But no one tells us HOW to do it
• Allows Internal Audit to understand which potential events might impact the business
• Provides a foundation for determining how risks should be managed
• Assesses risks from two perspectives: impact and likelihood
• Provides a basis for management to evaluate risk management activities
Source: PWC State of the Internal Audit Profession 2015
Adding Value through Risk Assessments
Focusing on Risk is a Value Add Activity
Source: PWC State of the Internal Audit Profession 2015
Our Historical Annual Planning Process Roadmap
(Timeline runs December through the following December)
• Audit Committee Meeting: IA presents draft audit plan for approval
• Audit Universe Completeness Review
• Audit Universe Updates
• Risk Assessment Refresh for Coverage AUs: Perform thorough RA of AUs identified for Audit Plan coverage in following year
• Risk Assessment Confirmations AUs: Complete confirmations for all AUs where refresh is not required
• Audit Universe and Audit Plan Calibration: Develop draft Audit Plan
• Aggregation of Audit Plan Recommendation Materials
• Review Audit Plan with OCEO, SVPs, etc.: Review draft plan with Business/IT Management
• Leadership Team Audit Plan Calibration: Determination of Audit Plan Forecast Next Year; Complete draft schedule
• Audit Committee Meeting: IA presents draft audit plan for approval
The Federal Reserve Bank Required Changes to Our Process
• Nationwide subject to oversight from the Federal Reserve Bank (FRB)
• Internal Audit (IA) is a main focus of the FRB
• FRB expects a consistent risk assessment process, robust documentation and demonstrated leverage with other risk management partners
• The FRB raised the bar on IA’s risk assessment to be more comprehensive and “stand alone”
• The FRB expects real time updates to risk assessments as risk changes throughout the year
• The FRB’s goal is to rely on IA risk assessments and audit efforts - “avoid duplication of efforts”
Risk Assessment Hours (by Year)
Risk assessment hours increased dramatically due to Nationwide’s complexity, desire for end-to-end process review and FRB expectations
Year   Hours
2012   4,181
2013   5,166
2014   6,400
Risk Assessment Hours (by Year)
The impact of risk assessments was profound on our ability to
Risk Assessment Streamlining Process Goals
• Develop a consistent repeatable process
• Align risk assessment efforts with cycle time
  o Concentrate on Auditable Units (AU) which require activity within the next 12 months
  o Create efficiencies through confirmation of AUs with activity not due for 12+ months
• Reduce “peaks” in process by spreading activity throughout year
• Define calendar process view to provide:
  o Better forecast of risk assessment time
  o Client meetings for Audit Plan review
  o Earlier development of Audit Plan and scheduling
Risk Assessment Streamlining Content Goals
• Combine top-down, bottom-up and enterprise-wide view
• Based on a normalized taxonomy common to our industry
• Risk universe should be mutually exclusive and collectively exhaustive
• Risk Management partners (e.g. ERM, Compliance) should have a complementary risk universe and risk assessment methodology
• Risk rankings should not be considered absolute but provide approximate importance
• Methodology needs a common scale to facilitate risk discussions (e.g. quantitative or qualitative scales)
• Results should be continually validated with stakeholders
• Risk assessments should clearly prioritize audit activities
Nationwide’s Risk Management Structure
(diagram of the three lines of defense, with BOD, C-Suite and Line of Business Management shown as oversight)
• 1st Line of Defense: Risk Ownership
• 2nd Line of Defense: Risk Control & Monitoring – Selected Risk & Control Functions (not exhaustive): ERM, Credit Risk, Investment Risk, Market Risk, IT Risk, Compliance
• 3rd Line of Defense: Risk Management Assurance – Assurance & Validation: Internal Audit

Risk Assessments Are Now Developed in a Common Framework
Framework
- Common risk and control language
- Common criteria for issue prioritization and presented top issues to Operational Risk Committee (ORC)
- Defined risk and issue heat maps
Technology
- Common technology platform (OpenPages) for issues management
- Consolidated issue reporting on a single system
- Programs are consolidated onto OpenPages for issue management
Reporting
- Issues compared across programs and business areas
- Reporting of issues more transparent across enterprise
(Programs shown on the common platform: ERM, Information Risk Mgmt., Internal Audit, Financial Reporting Controls (FRC), Compliance, Investment Controls)
We Use A Standardized Risk Assessment Heat Map
(heat map: Frequency against Magnitude of Occurrence)

Revised Risk Assessment and Annual Planning Process
• Update the Audit Universe: Update Auditable Units to reflect changes in business processes, IT Infrastructure, products, etc.
• Assess Inherent Risk: Assess Inherent Risk within each Auditable Unit, considering factors such as financial, operational, fraud, regulatory and reputational impacts.
• Review Transformation Programs: Assess the impact of significant transformation programs on applicable Auditable Units and identify programs to include in the Audit Plan.
• Audit Plan: Determine Auditable Units and transformation programs to include in the Audit Plan.

Key Factors in Determining the Audit Plan:
• Inherent risk of each Auditable Unit and the corresponding Coverage Cycle
  − High Inherent Risk (18 months)
  − Medium Inherent Risk (3 Years)
  − Low Inherent Risk (4 Years)
• Significant changes (recently implemented or planned) to strategies, processes, people, regulations or technologies
• Recurring projects – in alignment with external auditor expectations or regulatory requirements
• Management requests – requested audits or advisory projects
Internal Audit Now Leverages Compliance Risk Assessments
• Office of Compliance assesses compliance programs against elements of an effective compliance program derived from the U.S. Federal Sentencing Guidelines on Organizations
• Internal Audit fully leverages effective programs and partially leverages developing program risk assessments

(effective)
• Basic foundation in place; and
• Element is reasonably designed to achieve compliance; and
• Consistent with appropriate industry practices or legal / regulatory expectations
(developing)
• Basic foundation in place but scope of coverage not yet adequate; or
• Element needs to evolve and grow to be more consistent with appropriate industry practices or legal / regulatory expectations; or
• New or emerging risk requires heightened compliance attention
(inadequate)
• Basic foundation not in place or clearly ineffective; or
• Element inconsistent with appropriate industry practices or legal / regulatory expectations

Compliance Program Effectiveness Assessment
E = Effective  D = Developing  I = Inadequate
(Columns 1–15 are Process/Areas 1–15, grouped under Line of Business 1, 2 and 3; the final column is the Office of Compliance)

Program Element                                     1  2  3  4  5  6  7  8  9  10 11 12 13 14 15 OoC
High Level Responsibility                           E  E  E  E  E  E  E  E  E  E  E  E  E  E  E  E
Risk Assessment                                     E  D  E  D  D  E  E  E  D  E  E  E  E  D  E  E
Written Policies & Procedures                       E  E  E  E  D  D  D  E  D  E  E  E  E  D  E  D
Training & Education                                E  D  E  D  D  D  D  E  D  E  E  E  E  D  E  D
Monitoring & Testing                                E  D  D  D  D  E  D  E  D  E  D  E  E  D  E  D
Response & Prevention                               E  D  E  D  D  E  E  E  E  E  E  E  E  D  E  E
Enforcement & Discipline                            D  D  D  D  D  E  E  E  E  E  E  E  E  E  E  E
Reporting                                           E  E  E  E  E  E  E  E  D  E  E  E  E  E  E  E
Regulatory Exam, Inquiry & Relationship Management  E  E  E  E  E  E  E  E  E  E  E  E  E  E  E  E
Audit Universe Validation
We use all available data to validate legal entities, product lines, services, operational functions, etc.

Updated Risk Assessment Resources
• New team member training
• Consistent tools and templates to shorten preparation and learning curves
• Providing “pre-read” client documents to shorten meetings and the need for follow-up activities
  o Risk Assessment – Meeting and E-mail Templates
  o Risk Assessment Interview Guide
  o Risk Assessment Questionnaire
  o Inherent Risk Rating Heat Map
  o Audit Proposal Template
Risk Assessments Now Have Four Distinct Components
• Refresh & Engagement Proposal Documents
• Confirmations
• Post Audit Updates

Risk Assessment Refreshes
  o For AUs requiring audit activity within the next 12 months
  o No need to start from scratch
  o More streamlined than our “traditional risk assessment”
  o Leverage risk partner activity
  o Meet only with “the right” level of management
  o Business Auditors responsible for identifying key technology applications (internal, mobile, or externally hosted) and critical business models
  o IT Auditors “consult” with business auditors freeing up IT capacity
  o Risk assessment data is updated in common repository
Engagement Proposal Documents
Risk Assessment Refreshes now require an “Engagement Proposal Document”
• Provides consistent audit activity recommendations
• Audit or project name, why required and/or important
• High level scope including business, IT and DA related efforts
• Develop estimate of required resources (business, IT, and DA hours)
• IT and DA team members are involved in determination of scope and hours – no “guess work”
• Timing is discussed in advance with clients for upfront agreement
Risk Assessment Confirmations
Risk Assessment Confirmations are used for AUs not requiring a Risk Assessment Refresh
• AUs requiring audit activity beyond the next 12 months
• Auditors leverage risk partner activity
• Auditors utilize a “Risk Assessment Questionnaire”
  o Sent to key stakeholders for review and update
  o Finalized during meetings with key stakeholders
  o Leverages data from recent audit services completed in previous 12 months (Post Audit Updates)
  o Leverages input from periodic Internal Audit/senior management meetings (Continuous Monitoring)
Risk Assessment Post Audit Updates
• Risk assessment updates are now required after each audit or project engagement
• Goal is to document risk assessment knowledge “real time” and not lose critical information over time

Risk Assessment - Continuous Monitoring Updates
• IA participates in over 30 risk management committees
• IA has routine senior management/client meetings
• Goal is to document “real time” emerging risk
• Data is leveraged in risk assessment refreshes and confirmations
Corporate Functions
• Asset Class Risk Review
• Asset Liability Committee
• Enterprise Disclosure Committee
• Enterprise Risk Council
• Finance Council
• Information Security Policy Review Board
• Investment Risk Committee
• IT Leadership Team
• Liquidity Working Group
• Office of Ethics Semi-annual Update
• Operational Risk Committee
• Risk and Capital Modeling Committee
Nationwide Financial
• Bank Risk Committee
• Nationwide Financial Litigation Review
• Nationwide Financial Pre-Disclosure
• Nationwide Financial Risk Committee
• SEC Pay to Play
Property & Casualty
• CAT Risk Committee
• Commercial Lines Transformation
• Corporate/P&C Pre-Disclosure
• Nationwide Growth Solutions Risk Committee
• P&C Litigation Review
• P&C Product Risk Committee
• P&C Risk Committee
Organizing Risk Assessments
Risk Assessments are now organized by group and type for ease and consistent use
“Organizing is what you do before you do something, so that when you do it, it is not all mixed up.”
- A. A. Milne
Risk Velocity
• Our goal is to measure risk velocity (how quickly and how severe it could become)
• Use as a factor in determining priority and timing of audit activity

(Heat map axes, used on this and the following slide)
Frequency:
• Greater than 10 occurrences per year
• 2 to 10 occurrences per year
• 1 occurrence per year
• 1 occurrence in 10 years
• Less than 1 occurrence in 10 years
Magnitude Per Occurrence:
• Greater than $10M
• Greater than $1M; Less than $10M
• Greater than $100K; Less than $1M
• Greater than $10K; Less than $100K
• Less than $10K

Risk Velocity and Real Time Risk Assessments will Drive Audit Plan Activity
(Heat map of Frequency against Magnitude of Occurrence, with Project X plotted at two points in time: April 1 and July 1)
We Will Focus on Top Down, Bottom Up and Enterprise Risk View
(diagram) Current: Credit Risk shown within Line of Business 1, Line of Business 2 and Line of Business 3. Future: Credit.
Risk Assessment Hours & Timing
(chart: monthly risk assessment hours, Jan through Dec, scale 0 to 2,500)

Risk Assessment Hours by Year
Year   Hours
2015   2,500