ERM 203 – When Storming the Castle Alone

ERM 203 – When Storming the Castle Alone
Doesn’t Work: Internal Audit as Ally
Wednesday, April 18, 2012
Agenda
• Speaker introductions
• Discuss key points from RIMS & IIA joint paper
– Risk Management’s perspective
– Internal Audit’s perspective
– Collaborative Practices & Value Realized
• ERM & IA collaboration at Whirlpool Corporation
• Q&A session
2
Risk Management and Internal Audit: Forging a
Collaborative Alliance (white paper)
• RIMS and IIA joint project
• White paper including interviews with:
–
–
–
–
Cisco Systems
Hospital Corporation of America
TD Ameritrade
Whirlpool
• Highlights RIMS’ and The IIA’s recommendation for these
functions to work together collaboratively
3
4
5
The Role of IA in ERM
• Core internal audit roles:
– Giving assurance on the RM program
– Giving assurance that risks are correctly evaluated
– Evaluating risk management processes
– Evaluating the reporting of key risks
– Reviewing the management of key risks
6
The Role of IA in ERM
• Legitimate internal audit roles (with safeguards):
– Facilitating identification and evaluation of risks
– Coaching management in responding
to risks
– Coordinating ERM activities
– Consolidated reporting on risks
– Maintaining and developing the ERM
framework
– Championing establishment of ERM
– Developing ERM strategy for board
approval
7
The Role of IA in ERM
• Roles IA should not undertake:
– Setting the risk appetite
– Imposing risk management processes
– Management assurance on risks
– Taking decisions on risk exposures
– Implementing risk responses on management’s
behalf
– Accountability for risk management
8
Risk Management and Internal Audit: Forging a
Collaborative Alliance - interview questions
1.
2.
3.
4.
5.
Who does Internal Audit report to (functionally and administratively)? Who does Risk
Management report to? How often does each interact with the Board or a Board
committee?
How does the risk assessment process work between and among Internal Audit and Risk
Management? And how are the results of these risk assessment processes shared with
management and/or the Board? What information does each of the functions provide to
the other, and how is that information used?
Are you satisfied with the level of collaboration? If so, what do you attribute this success
to? If not, what is the biggest impediment?
How do Internal Audit and Risk Management collaborate in your organization? What are the
areas of collaboration? What is working well? What are you working on to improve the
relationship? Also, what formal or informal procedures are in place to minimize duplication
and overlap with other risk-related functions such as legal, health and safety, and regulatory
and Sarbanes-Oxley compliance?
What advice do you have for Chief Audit Executives and/or Chief Risk Officers as they seek to
achieve greater levels of collaboration between Internal Audit and Risk Management?
9
Collaborative Practices & Value Realized
• Link the audit plan and the enterprise risk assessment, and
share other work products. Provides assurance that critical risks are being
identified effectively.
• Share available resources wherever and whenever possible.
Allows for efficient use of scarce resources (such as financial, staff, time).
• Cross-leverage each function’s respective competencies, roles
and responsibilities. Provides communication depth and consistency,
especially at the board and management levels.
• Assess and monitor strategic risks. Allows for deeper understanding and
focused action on the most significant risks.
10
ABOUT WHIRLPOOL CORPORATION





World’s leading marketer and manufacturer of home appliances
Approximately $18 billion in revenues
70,000+ employees worldwide
67 Manufacturing & Technology Centers
World Headquarters: Southwest Michigan
11
MAKE PRODUCTS PEOPLE WANT TO OWN IN THEIR HOMES
BRAND PLATFORM
BEST CONSUMER POSITION
 Consumer-relevant innovation
 Strong cadence to the market
 Build strong brands
CONSUMER-RELEVANT AND VALUE-CREATING INNOVATION
12
WHIRLPOOL’S RISK MANAGEMENT FUNCTION
 Whirlpool’s Risk Management
 Core team of 5
 Reporting to the Vice President
and Treasurer
 Enterprise Risk Management
 Traditional risk management of
hazard and financial risks
 Business continuity program
 Loss Prevention and Engineering
Risk Management
Chief Financial
Officer
Vice President
Treasurer
Risk Engineer
Director
Administrative
Risk Management
Assistant
Risk
Senior Risk
Claim
Manager
Analyst
Manager
Associate
Risk
Analyst
13
ENTERPRISE RISK MANAGEMENT PROCESS
 Enterprise Risk Management is a strategic activity within Whirlpool.
 Our ERM process ensures that:
 Risks are appropriately identified.
 Risks are assessed at the senior management, business, and functional unit
level.
 Risk mitigation is owned by business unit leaders.
 Oversight:
 Ultimate responsibility for managing risks rests with the Chief Executive.
 Board of Directors oversees the overall risk management process through its
Audit Committee.
 The success of risk management is determined by:
 Identifying the right risks and events driving them.
 Quantifying and ranking risks.
 Developing risk management plans which reduce the impact of and help the
company prepare for risk events.
14
ENTERPRISE RISK PROGRESS TIMELINE
An Ongoing Process Since 2007
2008
2009
Detailed risk assessments
completed for Strategic
and Financial Level Risks
Detailed risk assessments
completed for Operational
and Compliance Level Risks
Qualitative and quantitative
metrics included where
warranted
Velocity metric introduced
Critical events and root causes
identified
Benchmark ERM Maturity
Regions identify top risks,
mitigation and controls
Coordinate with Internal Audit
monthly and during annual
emerging risk identification
2010
Identified unique regional risks
and 2011 mitigation plans
Conducted emerging risk survey
at the regional level…aggregated
results
Included Duration and
Detectability in new risk
assessments
Identified Trade Partner and
Competitor risk factors
ERM presented to S&P
Coordinate with Internal Audit
Coordinate with Internal Audit
monthly and during annual
emerging risk identification
Annually: Risk Map Repositioned, Risk Owners’ Mitigation Plans Confirmed
2011
ERM – Incorporated into
Internal Controls course of
WHR University
WHR University – Instructor
lead courses developed and
taught for Finance Group
Incorporated ERM into the
CAPEX Process
System shared with Internal
Audit, hosts and reports
ERM
Interviews with risk owners
and direct reports in
cooperation with Internal
Audit
15
ENTERPRISE RISK MANAGEMENT AT WHIRLPOOL
Annual risk
assessment
process is
used by both
Internal
Audit and
Risk
Management
16
ENTERPRISE RISK MANAGEMENT AT WHIRLPOOL
Control Source
Good
Decisions
Risk Categories
Level/Representative
Risks
1
Risks are rated,
ranked and
assigned to one
of five categories
2
3
4
5
Good
Rules
Risk Category
Level/Representative Risks
1. Enterprise
• Board-level concern
2. Strategic
• CEO and executive committee–level concern
3. Financial
• Business unit and functional-level concern
4. Operational
• Business unit and functional-level concern
5. Compliance &
Reporting
• Business unit and functional-level concern
17
ENTERPRISE RISK MANAGEMENT AT WHIRLPOOL
Key Risks are
owned by its
executive
committee and
projects and
actions to
achieve
mitigation goals
and objectives
are ongoing
18
WHIRLPOOL’S INTERNAL AUDIT FUNCTION
Internal Audit
Administrative
Reporting
Relationship

Audit
Committee
Chief Financial
Officer

Functional
Reporting
Relationship

VP Internal
Audit
EMEA
Senior Manager
Administrative
Co Sourced
Assistant
KPMG
NAR Senior
Director


LAR
ASIA
Director
Senior Manager
Information
Technology
Manager
Auditors
Auditors
Auditors
Auditors
Auditors
6
23
7
11
4
IA reports to the CFO
& Audit Committee
Represented in all
regions globally
Core team of ~60
Auditors
KPMG FTE’s utilized
Core Competency
includes Talent
management:
 Rotation into
business
 Financial
Leadership
Development
Program
19
AUDIT PLAN AND DEVELOPMENT PROCESS
 Quantitative and qualitative assessment of all Whirlpool functions and
locations
 Approach considers internal and external changes in the business
environment, Whirlpool’s strategy and key objectives
 VP Internal Audit and IA Management team gathered input from Senior
Executives, including regional CFO’s and management from various
functional areas
 Integrated risk assessment process with Enterprise Risk Management and
the Compliance & Ethics Office
 Reviewed risk assessment and IA Plan with Ernst & Young
 Reviewed IA Plan with Executive Committee & Global Finance Leadership
Team (GFLT)
 Audit Committee approves annual plan
20
INCORPORATING TECHNOLOGY
•
ERM PROCESS
EMBEDDED WITHIN
INTERNAL AUDIT
SYSTEM
21
ENTERPRISE RISK MANAGEMENT
Collaboration
 Monthly meetings between
IA and RM
 RM receives IA reports
 Annually interview senior
leaders
 WHR University ‘Risk and
Controls’ course
 RM utilizes IA software
system
Benefits
 Collaborative effort
 Identify emerging risks
earlier
 Optimize and leverage
efforts
 Common language
 Shared IT software
22
Q&A
23