PIC EU-28 Conference Paris, 26 – 27 November 2015 PIC An EU Approach Assurance Maps An Introductory workshop Nathan Paget United Kingdom.

Presentation transcript:

PIC EU-28 Conference Paris, 26 – 27 November 2015 PIC An EU Approach Assurance Maps An Introductory workshop Nathan Paget United Kingdom

PIC An EU approach PIC – EU 28 Conference 2015

Definitions

Risk - The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.

Internal Control - Any action taken by management, the board and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organises and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

Assurance - The internal audit activity must assist the organisation in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.

Business objectives and the link to assurance maps

[Diagram: Business Objectives and the Framework of Internal Control]
- 1st Line Assurance: Ownership & Management
- 2nd Line Assurance: Monitor and review
- 3rd Line Assurance: Independent Assurance
- Management at various levels
- Board / Audit Committee / Governing group

Assurance Maps

Assurance: Why it is important

Provides: ‘Confidence’ / ‘evidence’ / ‘ownership’

To: Managers / Directors / Members / Partners / Stakeholders / Public

Over: That which needs to be done is being done in an effective and proper manner to achieve the outcomes desired. That risks are effectively managed.

Assurance Map – WHY?

Providing:
- A complete picture of the services being delivered, the activities undertaken, the level of associated risk.
- A complete picture of the types of assurance available and obtained.

Enabling:
- Identification of any potential areas where assurance activities are not present or are insufficient (i.e. assurance gaps).
- Identification of any areas where assurance is duplicated, repeated or excessive when compared with the value of the activity being undertaken.

Allowing:
- Better understanding of risk exposure.
- Direction of proportionate assurance provision (and efficiencies).
- Evidencing of collective assurance the Annual Governance Statement.
- Better focus of efforts by the Audit Committee.

1st Line of Assurance

- Good policy and performance data
- Monitoring statistics
- Risk registers
- Reports on the routine system controls and other management information

2nd Line of Assurance

- Compliance assessments or reviews carried out to determine that policy or quality arrangements are being met in line with expectations for specific areas of risk across the organisation
- Portfolio Management
- Strategic planning
- Investment appraisal and project and programme management

3rd Line of Assurance

This relates to independent and more objective assurance and focuses on the role of internal audit. Internal audit will place reliance upon assurance mechanisms in the first and second lines of defence, where possible, to enable it to direct its resources most effectively, on areas of highest risk or where there are gaps or weaknesses in other assurance arrangements. It may also take assurance from other independent assurance providers operating in the third line, such as those provided by independent regulators, for example.

Other sources of independent assurance available include external system accreditation reviews/certification (e.g. ISO/Risk Management Accreditation Document Sets), European Commission/European Court of Auditors and Treasury/Cabinet Office/Parliamentary scrutiny processes.

Assurance Map - Approaches

[Diagram labels: Objective, Risk, 1st Line, 2nd Line, 3rd Line; Business Objectives; Risk / Control; Risk / Control]

Assurance Map – Control and assurance connections

[Diagram: ASSURANCE MAPS connected to]
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring

Control Environment

1st Line / 2nd Line / 3rd Line

All lines of Assurance should be expected to demonstrate through their directives, actions, and behaviour the importance of integrity and ethical values.

- Leads by example in implementing values, a philosophy and an operating style for the organization.
- Implements ethics-related objectives, programs and activities.
- Designs and implements processes to evaluate the performance of individuals and teams against expected standards of conduct.
- Specific members of the 2nd Line may be requested to support compliance hotlines, investigate potential breaches, or perform other specific duties related to integrity and ethical values.
- Assesses the state of the organization’s ethical climate and the effectiveness of its strategies, tactics, communications, and other processes in achieving the desired level of legal and ethical compliance.
- Evaluates the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs and activities.
- Provides assurance that ethics programs achieve stated objectives, key risks are effectively managed and controls continue to operate effectively.
- Provides consulting services to help the organization establish a robust ethics program and improve its effectiveness to the desired performance level.

Assurance and Risk

This is a direct output from the risk management process:
- Assurance provided that controls are effective in the case where inherently high / extreme risks are mitigated to a lower residual classification.
- Assurance provided that actions are progressing where risk is both inherently and residually high / extreme.
- Assurance over the management of risk where our appetite to the risk is low.

Those business risks that, if realised, could fundamentally affect the way in which the organisation exists or conducts its business. These risks will have a detrimental effect on the organisation's achievement of its key business objectives. The risk realisation will lead to material failure, loss or lost opportunity.

[Diagram labels: ASSURANCE, RISK]

The main operational risks associated with the key business activities and processes that if realised would increase the likelihood of a strategic risk realising.

Key business activities and processes on which the organisation is reliant for successful execution of its strategies.

DEFRA CASE STUDY

4 Strategic Priorities – supported by lower level activities.
- Growing the rural economy.
- Protecting the Environment.
- Protect / respond on Animal Health.
- Protect / respond on Plant Health.

Defra Example

Animal Health

Managing a disease outbreak

Reporting

Outline implementation approach

Further References

- HMT Orange Book – Assurance Maps
- CoSo / IIA Guidance on Assurance Maps and CoSo

Questions

Any questions?