GRC Examples
Table of Contents
- Example Guiding Principles
- Three Lines of Defense
- Example Taxonomy
- Example Attribute Matrix for Risk Assessment
- Example Flowchart Process Documentation
- Example Process Hierarchy
- Enterprise Risk Management (ERM) Reporting
- PMO Example Project Financials Dashboard Used for a Project at [CLIENT NAME]
[year] [legal member firm name], a [jurisdiction] [legal structure] and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved. Printed in [country in which the publication has been printed].
Example Guiding Principles

Theme 1
Common Language
Risk Content
- Risk information takes into consideration constituencies (e.g., board, management, customers, regulators, rating agencies), aligns strategic objectives and drives business
- Vertical risk management structure with independence and clear accountability through three lines of defense (e.g., first line: business owners; second line: standard setters; third line: assurance provider).
- Thorough and sustainable wide-ranging risk management process that is efficient and integrated/consistent. The process should include risk identification, quantification, management and reporting across current and emerging risks.
Risk Culture
- Risk-savvy culture with risk management competency embedded in the business and operating philosophy.
Competency
- Continuously improving risk management process that is forward-looking, proactive, and continues to identify trends/opportunities for advancement.

Three Lines of Defense
Shown below are the Three Lines of Defense, which will provide a structure by which to organize the risk management roles and responsibilities of the company.
- The first line of defense (risk content ownership) includes the risk owners, who are accountable for managing risk content.
- The second line of defense (risk process ownership / certain monitoring) includes the standard-setters, and manages and provides guidance around the risk management program.
- The third line of defense (risk process and content monitoring) helps provide assurance over the effectiveness of the risk management process.
Example Taxonomy
Shown below is an example of a risk taxonomy developed to provide a common language and set of guidelines to help identify and assess risks to the overall risk program.
- Strategic Risks: Innovation; expansion of business segments; build new business infrastructure, real estate, globalization and emerging markets
- SEC (Sarbanes-Oxley, broker-dealer & investment advisor requirements), NYSE, federal and state tax authorities, lobby registration, and consumer compliance
- Credit Risks*
- People Risks**: Talent acquisition and retention, skills, competence, compliance with firm policies/procedures
- Market Risks*
- Governance**
- Operational Risks*: People, process, systems, external events such as privacy, data protection, change management (mgt), document mgt, 3rd Party mgt, model risk, and new product risk
Example Attribute Matrix for Risk Assessment

Columns: No. / Function / Internal Audit / SOX / Compliance / Business Continuity / Difference Spectrum

Concept
- Internal Audit: To prepare the risk-based internal audit plan that is validated by executive management; the risk-based plan evolves as risks in the organization evolve.
- SOX: The Financial Statements are reviewed to determine which lines should be in scope for the annual SOX Assessment.
- Compliance: Allocate resources appropriately; the risk assessment must address issues that come up in the regulatory environment and reassess the risk level of the overall process in cases where the risks carry over from the prior year; determine the best cost-benefit approach.
- Business Continuity: Validate recovery priority and dependencies for each business function in the firm.

Target Audience
- Board and Management (Audit Committee, etc.)
- Compliance: Business entities that are exposed to compliance risks; Compliance function and team; Audit Committee; Regulators
- Business Continuity: Business Area Continuity Plans; Business Area planners and coordinators; Business Area leadership / EMT; IT Continuity Services (e.g., drives technical recovery priorities)

Reporting of risk information (i) Is RA shared with others? (ii) If so, name dept
- Internal Audit: The RA is primarily used by the Internal Audit Department, but it is shared with the controllers and external auditor for input.
- SOX: The risk assessment is used by the SOX Group, verified by the Controller and discussed with the external auditor.
- Compliance: Business entities that are exposed to compliance risks, usually at the business / process owner level; Management Risk Committee.

Primary Audience
- Audit Committee
- Compliance: Chief Compliance Officer (CCO)

Parties providing input (i) Department name / self (ii) Position/Level (iii) 3rd party (pls specify)
- Internal Audit: Audit Committee; senior management does NOT approve the assessment, they provide input and support only; EMT and direct reports; audit staff talks to middle management to get input on areas that may need to be looked at or to get a better understanding of the business process; Internal Audit has its own view on the risks.
- Compliance: CCO will provide certain risks that are required objectives for that year; Compliance publications; SEC mandates; Results from exams.
- 1. Company's business plan is presented for the upcoming year; 2. Discussions / interviews on how to achieve business objectives; 3. Concerns on compliance are brought into the discussion; 4. Things that audit is aware of because of experience ("hot spots") are also brought into the discussion.
- Compliance standards may dictate the format and content of deliverables; information that is needed includes management review, sign-off, and segregation of duties evidence.
- Business Continuity: For each business function: recovery time objective; recovery point objective; dependencies (applications, vendors, locations, number of staff, vital records)

Scope / level of the RA
- Business Continuity: See item 3; including Corporate Business Continuity
- Difference Spectrum: Macro RA: Audit -- level 2 / 3; Compliance -- level 3 / 4; SOX -- N / A; BCP -- ??. Micro RA: process / function-specific for all. Range varies from assessment done "internally" (e.g. SOX) to mostly in the business (e.g. Business Continuity). Audit and Compliance are in the middle, with Audit closer to the business than Compliance.
- All areas
- Compliance: Depends on the content and the regulatory requirements of the current year. The assessment may cross several business units and levels.

Parties performing RA (i) How many members (ii) Their positions/levels (iii) Their roles in RA
- Each focuses on different business support areas and then is split by business entities
- Business Continuity: Corporate Business Continuity in partnership with Business Continuity Coordinators and planners.
10. How RA is performed (i) Steps taken (ii) Interviews (iii) Work sessions
- Internal Audit: Largely interviews; who is chosen and the type of content depend on prior years' risk assessments, the internal audit plan, and input from audit staff
- SOX: Review of Financial Statement Lines and evaluation of each line. Primarily done by ICU with validation by Controllers and AUDITOR.
- Business Continuity: Formal project plan, training, assessment criteria (EIC); data collection (Paragon); signoff; reporting

11. Risk Ranking Criteria (probability vs. impact) (risk directions) (High / Med / Low)
- High / Med / Low; 3 types: control risk, inherent risk, total risk; team effort / discussion; team concludes on 10-12 key risk areas (themes) to the organization.
- RA (excluding IT audits): Materiality is based on the legal entity and is a major basis for determining priority; Complexity; External Compliance; Reputation; Fraud; business owners provide input on scale.
- Mostly qualitative; quantitative risk assessments give a "false sense of security"; financial risk areas have some quantitative analysis.
- Business Continuity: Recovery times are tiered based on an area's overall impact (EIC) to the Firm. Quantified based on an Enterprise Impact Chart; criticality is based on financial statement loss, customer service, regulatory / legal / compliance, reputational, and workforce impact.
- Difference Spectrum: Common language

12.
- Size and composition; Loss; Routine / non-routine; Transactions; Account type; Complexities; Loss exposure; Contingent liability; Related party; Changes.
- Difference Spectrum: Little consistency. A few terms overlap: Materiality / loss; Complexity; Compliance / regulatory. Ranges from qualitative to quantitative in the following order: Compliance --> Audit --> SOX --> BCP. Risks are aggregated, but are they at the same level? Analysis is kept at gross (inherent) versus residual. Common language.

13. Quantitative / Qualitative
- Both
- Quantitative

14. Risk Aggregation Technique used (are detailed risks rolled into summary risks?)
- Yes. There are sublevels of risk related to the summary risks defined in the risk assessment; assessment is based on how the current controls are performing (gross v. residual).
- Yes. [Year] focus was on inherent risk; controls are not well understood within the organization; timing is key to determining what will go into the audit plan, and Internal Audit tries not to focus on one specific area.
- Business Continuity: Yes; interrelationships such as one critical application or vendor supporting many business functions, etc.

15. Analysis Conducted (e.g. controllable vs. uncontrollable, discrete vs. ongoing, risk
- Business Continuity: RTOs and RPOs are incorporated into BC plans; they assist in prioritizing recovery resources during an event; critical vendors drive vendor recovery reviews (NASD); RTOs and RPOs set technical recovery priorities and planning.

16. Actions to manage risk (i) Are they documented? Where? (ii) Are they assessed?
- Internal Audit: Controls are not well understood and there are not many efficient control areas in the organization; build a risk-based audit plan that will help business owners monitor and mitigate their risks.
- SOX: From here, each line is broken down into the inputs to that line. The activities within each line are reviewed for risks and related controls. Controls are documented in FCM by business areas and signed off quarterly.

17. Are any risk quantification methods used? (e.g. KRI, KPI etc)
- Actions have been initiated to develop KPI / KRI, for example an inventory of key rules and regulations, the frequency of review, etc.; the risk assessment with action plans, which are agreed to by the business owners
- Business Continuity: EIC
- In-process

18. Output / End Deliverable from RA (e.g. risk profile, Internal Audit plan, etc)
- Business Continuity: Enterprise summaries; updated BC plan RTOs; critical application listing; critical vendor listing; gap summaries
- See other document

19.
- Provided

20. Frequency RA is performed
- annual
- Annual
- annual
- Business Continuity: Annual from time of completion; the BIA update was the first re-validation of data; a four-month window was provided to the business to complete it.
- Difference Spectrum: Annual Macro:

21. Duration
- Begins in Q1
- 3-4 weeks
- Difference Spectrum: Audit / Compliance: 2 months, in time for the April audit committee; SOX / BCP: ???
22.
- 1st quarter
- Compliance: CCO has done initial discussions with the business and research into regulations by mid-January
Example Flowchart Process Documentation

Flowchart (text recovered from the diagram): an Internal Audit process documented at three levels.
- Level 1 phases: Planning, Testing, Issue Management. Steps: 1 Set Up And Maintenance Of Audit Universe; 4 Set Up Audit; 5 Develop Audit Program; 6 Conduct Testing; 7 Identify Issues; 8 Obtain Management Action Plan; 11 Review Action Plan Remediation; 12 Close Issue.
- Level 2 (roles shown: Internal Audit, GRC Committee, APOs / Designees): 1.A; 2 Set Up AE In GRC; 6 Conduct Universe Item Legal Entity Risk Assessment; 8 Develop Annual Risk Based Audit Plan; 13 Plan Resources.
- Level 3 (Internal Audit, Planning, 1.3.1.a Setting Up An Auditable Entity, 1 of 2): 11 Is This A Continuous Audit (CA)? (Y) 12 Do You Already Have A Continuous Audit AE? (Y) 13 Set Up Audit Within CA AE For New CA; 14 Is This An International Investigation? (Y) 15 Do You Have An International Investigation For That Country? (Y) 16 Set Up Audit Within SI For That Country.
- Steps marked "Convergence Opportunity" are called out on the chart.

Level 1: Highest level of the flow, articulating key phases of work (such as planning, assessment, testing, and reporting) and key steps in the phases for each of the functions. Steps where convergence opportunities exist are called out for reference purposes.
Level 2: Each key phase is broken down to introduce the positions involved in executing steps in the phase. Steps include key decisions taken by staff in these positions.
Level 3: Each phase is broken down to its lowest step as performed. The narrative to the process documentation goes into further detail, but not down to a point-and-click level; that is covered under the technical user guidance. GRC screens used by staff at each step can be documented.
Process Hierarchy
Risk Library
ERM Reporting
Risk Assessment Reporting Process Chart
Shown below is an example of a risk assessment process once the areas of convergence have been identified and the direct lines and frequency of reporting are established.
Dashboard Report
Shown below is an example of an enterprise risk management dashboard report presented to senior management and / or the Board.