
Advisory

GRC Examples

[Date] This report contains 16 pages

Table of Contents

I. Example Guiding Principles
II. Three Lines of Defense
III. Example Taxonomy
IV. Example Attribute Matrix for Risk Assessment
V. Example Flowchart Process Documentation
VI. Example Process Hierarchy
VII. Enterprise Risk Management (ERM) Reporting
VIII. PMO Example Project Financials Dashboard Used for a Project at [CLIENT NAME]

[year] [legal member firm name], a [jurisdiction] [legal structure] and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved. Printed in [country in which the publication has been printed].

Example Guiding Principles

Shown below is an example of guiding principles, which have been used as a foundation and applied to a risk and control project.

Theme 1: Common Language
One view of risk; a common language drives effective risk management actions and decisions.

Risk Content
Risk information takes into consideration constituencies (e.g., board, management, customers, regulators, rating agencies), aligns strategic objectives and drives business

Risk Management Structure
Vertical risk management structure with independence and clear accountability through three lines of defense (e.g., first line: business owners; second line: standard setters; third line: assurance provider).

Risk Management Process
Thorough, sustainable and wide-ranging risk management process that is efficient and integrated/consistent. The process includes risk identification, quantification, management and reporting across current and emerging risks.

Risk Culture and Competency
Risk-savvy culture with risk management competency embedded in the business and operating philosophy.

Proactive Risk Management
Continuously improving risk management process that is forward-looking, proactive, and continues to identify trends/opportunities for advancement.

Three Lines of Defense

Shown below are the Three Lines of Defense, which provide a structure by which to organize the risk management roles and responsibilities of the company.

The first line of defense (risk content ownership) includes the risk owners, who are accountable for managing risk content.

The second line of defense (risk process ownership / certain monitoring) includes the standard-setters, and manages and provides guidance around the risk management program.

The third line of defense (risk process and content monitoring) helps provide assurance over the effectiveness of the risk management process.

Example Taxonomy

Shown below is an example of a risk taxonomy developed to provide a common language and set of guidelines to help identify and assess risks within the overall risk program.

Example Risk Category: Example Risk Sub-Categories

Strategic Risks: Innovation; expansion of business segments; building new business infrastructure; real estate; globalization and emerging markets

Credit Risks*: Wholesale/commercial, retail, securitization, trading and equity

Market Risks*: Working capital, liquidity, interest rate

Operational Risks*: People, process, systems, external events such as privacy, data protection, change management (mgt), document mgt, 3rd party mgt, model risk, and new product risk

Legal & Compliance Risks**: SEC (Sarbanes-Oxley, broker-dealer & investment advisor requirements), NYSE, federal and state tax authorities, lobby registration, and consumer compliance

People Risks**: Talent acquisition and retention, skills, competence, compliance with firm policies/procedures

Governance**: Succession planning, strategic focus, board and/or committee oversight

External Environment Risks**: Changes in the business environment/market, competitor activity, international

* Basel II risk categories
** Operational risk sub-categories

Example Attribute Matrix for Risk Assessment

Shown below is an example attribute matrix used to help rationalize the risk assessments and identify areas for convergence (Pages 1-5).

Matrix columns: No. | Topic | Objective / Content | Internal Audit | SOX | Compliance | Business Continuity | Difference Spectrum

Concept

1. Objective: What is the objective of the risk assessment?
   Internal Audit: To prepare the risk-based internal audit plan that is validated by executive management; the risk-based plan evolves as risks in the organization evolve.
   SOX: The financial statements are reviewed to determine which lines should be in scope for the annual SOX assessment.
   Compliance: Allocate resources appropriately; the risk assessment must address issues that come up in the regulatory environment and reassess the risk level of the overall process where risks carry over from the prior year; determine the best cost-benefit approach.
   Business Continuity: Validate recovery priority and dependencies for each business function in the firm.

2. Audience / End Deliverable: Target audience; reporting of risk information: (i) Is the RA shared with others? (ii) If so, name the department.
   Primary audience:
   Internal Audit: Audit Committee.
   SOX: The risk assessment is used by the SOX Group, verified by the Controller and discussed with the external auditor.
   Compliance: Business entities that are exposed to compliance risks; Compliance function and team; Audit Committee; regulators.
   Business Continuity: Business area continuity plans; business area planners and coordinators; business area leadership / EMT; IT Continuity Services (e.g., drives technical recovery priorities).
   Difference Spectrum: Board and management (Audit Committee, etc.).

3. Distribution (secondary audience)
   Internal Audit: Management Risk Committee; business owners.
   SOX: The RA is primarily used by the Internal Audit Department, but it is shared with the controllers and external auditor for input.
   Compliance: Business entities that are exposed to compliance risks, usually at the business / process owner level; Management Risk Committee; Chief Compliance Officer (CCO).
   Business Continuity: See above; including Corporate Business Continuity.

4. Approver of End Deliverable
   Internal Audit: Audit Committee. Senior management does NOT approve the assessment; they provide input and support only.
   SOX: Validated with the Controller and external auditor.
   Business Continuity: Manager of the business function; formal sign-off process.

5. Inputs: Parties providing input: (i) department name / self (ii) position / level (iii) 3rd party (please specify)
   Internal Audit: EMT and direct reports; audit staff talk to middle management to get input on areas that may need to be looked at, or to get a better understanding of the business process; Internal Audit has its own view on the risks before talking to business leaders.
   SOX: Controllers, external auditors.
   Compliance: The CCO will provide certain risks that are required objectives for that year; compliance publications; SEC mandates; results from exams.
   Business Continuity: All business functions in the Firm.
   Difference Spectrum: Macro versus micro. Audit: top-down. Others: ?? Three lines of defense.

Process

6. Type of Information Collected
   Internal Audit: 1. The company's business plan is presented for the upcoming year. 2. Discussions / interviews on how to achieve business objectives. 3. Concerns on compliance are brought into the discussion. 4. Things that audit is aware of because of experience ("hot spots") are also brought to the discussion.
   SOX: See risk assessment previously submitted; lines evaluated on various attributes.
   Compliance: Compliance standards may dictate the format and content of deliverables; information that is needed includes management review, sign-off, and segregation of duties evidence.
   Business Continuity: For each business function: recovery time objective; recovery point objective; dependencies (applications, vendors, locations, number of staff, vital records).

7. Other roles involved in the risk assessment process
   Internal Audit: Outside consultants' work product; audit reports; SOX information.
   Business Continuity: See item 3; including Corporate Business Continuity.
   Difference Spectrum: Macro RA: Audit -- level 2/3; Compliance -- level 3/4; SOX -- N/A; BCP -- ??. Micro RA: process / function-specific for all. Range varies from assessment done "internally" (e.g., SOX) to mostly in the business (e.g., Business Continuity); Audit and Compliance are in the middle, with Audit closer to the business than Compliance.

8. Team / Function / Area being assessed
   Internal Audit: Management Risk Committee and direct reports of business support areas.
   SOX: All areas.
   Compliance: Depends on the content and the regulatory requirements of the current year; the assessment may cross several business units and levels.
   Business Continuity: All business functions in the Firm.
   Difference Spectrum: Three lines of defense.

9. Parties performing the risk assessment: (i) how many members (ii) their positions / levels (iii) their roles in the RA
   Internal Audit: Each member focuses on different business support areas, and they are then split by business entities.
   SOX: 2 members of Internal Controls perform the risk assessment.
   Compliance: The CCO generally performs the RA.
   Business Continuity: Corporate Business Continuity in partnership with Business Continuity Coordinators and planners.
   Difference Spectrum: Three lines of defense.

Example Attribute Matrix for Risk Assessment (continued)

10. Risk Assessment Process: How the RA is performed: (i) steps taken (ii) interviews (iii) work sessions
   Internal Audit: Largely interviews; who is chosen and the type of content depend on prior years' risk assessments, the internal audit plan, and input from audit staff.
   SOX: Review of financial statement lines and evaluation of each line; primarily done by ICU with validation by the Controllers and the auditor.
   Compliance: CCOs set the initial risk focus based on industry knowledge, trends, and parties providing input; conduct interviews, review documentation, and perform a walkthrough of day-to-day processes; discussions usually take place with level 2 or 3 personnel.
   Business Continuity: Formal project plan, training, assessment criteria (EIC); data collection (Paragon); sign-off; reporting.
   Difference Spectrum: Macro versus micro level risk assessments. Audit: interview-based; SOX: internal with external validation; BCP: business; Compliance: ???

11. Method of Risk Categorization: Risk ranking criteria (probability vs. impact) (risk directions) (High / Med / Low)
   Internal Audit: High / Med / Low; 3 types: control risk, inherent risk, total risk; team effort / discussion; the team concludes on 10-12 key risk areas (themes) for the organization.
   SOX: See risk assessment previously submitted.
   Compliance: High / Med / Low; 3 types: inherent risk, control risk, total risk (based on the COSO model); combined criteria to rank risks based on likelihood and impact.
   Business Continuity: Recovery times are tiered based on an area's overall impact (EIC) on the Firm.
   Difference Spectrum: All high / medium / low except BCP (recovery times?). Criteria differ (see item 13 below).

12. Risk Assessment Criteria: Assessment measures used (timeliness, quality, materiality)
   Internal Audit: RA (excluding IT audits): materiality is based on the legal entity and has a huge bearing on determining priority; complexity; external compliance; reputation; fraud; business owners provide input on scale.
   SOX: Size and composition; loss; routine / non-routine transactions; account type; complexities; loss exposure; contingent liability; related party; changes.
   Compliance: Standards (sources of information?) within Compliance are used in developing priority risks; materiality is based on the business entity, mostly subjective and open to discussion within the group; determine impact and likelihood for both inherent and control risk.
   Business Continuity: Quantified based on an Enterprise Impact Chart; criticality based on financial statement loss, customer service, regulatory / legal / compliance, reputational, and workforce impact.
   Difference Spectrum: Little consistency; a few terms overlap: materiality / loss, complexity, compliance / regulatory. Common language.

13. Risk Assessment Techniques: Quantitative / qualitative
   Internal Audit: Mostly qualitative; quantitative risk assessments give a "false sense of security"; financial risk areas have some quantitative analysis.
   SOX: Both.
   Compliance: Qualitative; risks are largely reputational and regulatory; annual training on techniques.
   Business Continuity: Quantitative.
   Difference Spectrum: Ranges from qualitative to quantitative in the following order: Compliance --> Audit --> SOX --> BCP. Common language.

14. Risk Aggregation Basis: Risk aggregation technique used (are detailed risks rolled into summary risks?)
   Internal Audit: Yes, themes (confirm?).
   SOX: Yes.
   Compliance: There are sublevels of risk related to the summary risks defined in the risk assessment.
   Business Continuity: Yes.
   Difference Spectrum: Risks are aggregated, but are they at the same level?

15. Analysis Conducted: Analysis conducted (e.g., controllable vs. uncontrollable, discrete vs. ongoing, risk interrelationships, gross vs. residual, etc.)
   Internal Audit: [Year] focus was on inherent risk; controls are not well understood within the organization; timing is key to determining what will go into the audit plan, and Internal Audit tries not to focus on one specific area.
   Compliance: Assessment is based on how the current controls are performing (gross vs. residual).
   Business Continuity: Yes; interrelationships such as one critical application or vendor supporting many business functions, etc. RTOs and RPOs are incorporated into BC plans and assist in prioritizing recovery resources during an event; critical vendors drive vendor recovery reviews (NASD); RTOs and RPOs set technical recovery priorities and planning.
   Difference Spectrum: Analysis is kept at gross (inherent) versus residual.

16. Actions to Manage Risk: (i) Are they documented? Where? (ii) Are they assessed?
   Internal Audit: Controls are not well understood and there are not many efficient control areas in the organization; build a risk-based audit plan that will help business owners monitor and mitigate their risks.
   SOX: From here, each line is broken down into the inputs to that line; the activities within each line are reviewed for risks and related controls; controls are documented in FCM by business areas and signed off quarterly.
   Compliance: Business owners are assigned once the risk assessment is complete.
   Difference Spectrum: Macro: ownership is at level 2. Micro: ownership is assigned.

17. Quantification of Results (KPI, KRI): Are any risk quantification methods used? (e.g., KRI, KPI, etc.)
   Internal Audit: The only KPI may be the number of resources allocated to managing risk.
   Compliance: Actions have been initiated to develop KPIs / KRIs, for example an inventory of key rules and regulations, the frequency of review, etc.; the risk assessment with action plans, which are agreed to by the business owners.
   Business Continuity: EIC.
   Difference Spectrum: In process.

Output

18. End Deliverable (sample): End deliverable from the RA (e.g., risk profile, internal audit plan, etc.)
   Internal Audit: Risk-based internal audit plan.
   SOX: Financial statement risk analysis.
   Compliance: See other document.
   Business Continuity: Enterprise summaries; updated BC plan RTOs; critical application listing; critical vendor listing; gap summaries.

19. Documentation of Risk Assessment Process (sample) / Other
   Provided.

20. Frequency of Risk Assessment: Frequency the RA is performed
   Internal Audit: Annual.
   SOX: Annual.
   Compliance: Annual.
   Business Continuity: Annual from time of completion; the BIA update was the first re-validation of data, and a four-month window was provided to the business to complete it.
   Difference Spectrum: Annual. Macro:

21. Duration: Duration (time taken) to perform the RA (weeks, months)
   Internal Audit: Begins in Q1.
   SOX: 3-4 weeks.
   Compliance: Starts in the 1st quarter and runs to the end of January / early February.
   Difference Spectrum: Audit / Compliance: 2 months, in time for the April audit committee. SOX / BCP: ???

Example Attribute Matrix for Risk Assessment (continued)

22. Dates when Risk Assessment is performed: Date(s) when the RA is performed (month)
   Internal Audit: Q1, to speak with key business owners.
   SOX: Commences when the financials for the current year are completed.
   Compliance: 1st quarter; the CCO has done initial discussions with the business and research into regulations by mid-January.
   Business Continuity: Annual from time of completion.
   Difference Spectrum: Audit / Compliance: similar timeframes (April - March calendar). SOX: later in the year due to year-end. BCP: every two years due to year-end.

Example Process Flow Documentation

Shown below is an example of process flow documentation, which was used to document the testing process and identify areas for convergence.

[Figure: Internal Audit process flow diagrams, Levels 1 to 3. The node labels recovered from the diagrams are listed below; the connecting arrows and most Y/N branches are not recoverable. "Convergence Opportunity" markers are called out on the diagram.]

Internal Audit 1.1 Level 1 Overview (swimlanes: Internal Audit; GRC Committee)
Planning: 1 Set Up And Maintenance Of Audit Universe; 2 Conduct Risk Assessment; 3 Develop Annual Risk Based Audit Plan
Testing: 4 Set Up Audit; 5 Develop Audit Program; 6 Conduct Testing; 7 Identify Issues; 8 Obtain Management Action Plan
Issue Management: 9 Develop Audit Report; 10 Close Audit; 11 Review Action Plan Remediation; 12 Close Issue; 13 Develop And Issue Consolidated Reporting

Internal Audit 1.2 Level 2 Planning (swimlanes: General Auditor And Audit Planning Board; APOs / Designees; Audit Plan Owners)
1 Are Changes To Auditable Entity (AE) Item Required?; 2 Set Up AE In GRC; 3 Associate Process To Auditable Entity; 4 Conduct Auditable Entity Assessment; 5 Is This A Legal Entity Or International Entity? (LE: 6 Conduct Universe Item Legal Entity Risk Assessment; Int: 7 Conduct Universe Item Country Significance Risk Assessment); 8 Develop Annual Risk Based Audit Plan; 9 Review Plan; 10 Approve Plan; 11 Set Up Shell Audit; 12 Schedule Audits; 13 Plan Resources

Internal Audit Level 3 Planning 1.3.1.a Setting Up An Auditable Entity (1 Of 2)
1 Are Changes To Auditable Entity (AE) List Required?; 2 Is This An Integrated Audit?; 3 Are You Predominantly Responsible?; 4 Has The AE Already Been Set Up?; 5 Create Audit Within The Auditable Entity; 6 Department Wide Project?; 7 Set-up Auditable Entity; 8 Is This A Special Project (SP)?; 9 Do You Already Have A Special Project AE?; 10 Set Up Audit Within SP AE For New SP; 11 Is This A Continuous Audit (CA)?; 12 Do You Already Have A Continuous Audit AE?; 13 Set Up Audit Within CA AE For New CA; 14 Is This An International Investigation?; 15 Do You Have An International Investigation For That Country?; 16 Set Up Audit Within SI For That Country; 17 Set Up Auditable Entity Of SI For That Country (off-page connector 1.A)

Level 1: Highest level of the flow, articulating the key phases of work (such as planning, assessment, testing, and reporting) and the key steps in the phases for each of the functions. Steps where convergence opportunities exist are called out for reference purposes.

Level 2: Each key phase is broken down to introduce the positions involved in executing the steps in the phase. Steps include the key decisions taken by staff in these positions.

Level 3: Each phase is broken down to its lowest step as performed. The narrative to the process documentation goes into further detail, but not down to a point-and-click level; that is covered under the technical user guidance. GRC screens used by staff at each step can be documented.

Example Process Hierarchy

Shown below is a sample process hierarchy which details the multi-level decomposition from mega process to process, sub-process and product.

[Figure: Process Hierarchy, shown alongside the Risk Library; not reproduced.]

ERM Reporting

Risk Assessment Reporting Process Chart
Shown below is an example of a risk assessment process once the areas of convergence have been identified and the direct lines and frequency of reporting are established.

[Figure: Risk Assessment Reporting Process Chart; not reproduced.]

ERM Reporting

Dashboard Report
Shown below is an example of an enterprise risk management dashboard report presented to senior management and/or the Board.

[Figure: ERM Dashboard Report; not reproduced.]