
Streamlining the Annual Risk Assessment Process Presenter: Gregory Jordan, CPA, CIA, CRMA, FLMI Senior Vice President, Chief Audit Executive. Nationwide Insurance

Published by , 2017-06-14 07:30:09


Streamlining the Annual Risk Assessment Process

Presenter: Gregory Jordan, CPA, CIA, CRMA, FLMI
Senior Vice President, Chief Audit Executive
Nationwide Insurance

Gregory Jordan, CPA, CIA, CRMA, FLMI

• Chief Audit Executive, Nationwide Insurance
• Board Member of the IIA Central Ohio Chapter
• Committee Member of the IIA Exam Development Committee
• Over 30 yrs of industry experience
• Served in several Business and Finance leadership roles since joining Nationwide in 2001
• 11 yrs with Ernst & Young and 6 yrs with Midland Life Insurance Company/Swiss Re
• Graduate of The Ohio State University

Today’s Learning Opportunities

• Creating an annual planning road map
• Developing a standardized and consistent audit planning approach
• Reducing "peak" times by spreading annual planning effort throughout the year
• Formalizing internal audit policies and procedures for the annual planning process
• Learning a new approach for certain risk assessments titled "Risk Assessment Confirmations"

About Nationwide

The Catalyst for Change

Risk Management Had to be Aligned

Historical Model

[Diagram: Board/Senior Management Oversight over the board committees (Audit, Finance, Risk, IT and other risk committees); the risk functions (ERM, Internal Audit, Legal, Compliance, Finance, IRM, Privacy, other risk functions, etc.); separate databases (Notes, SAS, Access, other); and the Business Units.]

• Redundancies and inefficiencies
• Varying lines of communication
• Lack of single data structure/database
• Multiple approaches for risk & control reports

Targeted Model

[Diagram: Board/Senior Management Oversight over the same committees and risk functions, which now share a Common Data Structure, Common Technology and Common Risk & Control Processes above the Business Units.]

• Common approach to identifying risks/controls and managing issues
• Coordination among functions
• Clear roles and responsibilities
• Common data structure/database
• Comprehensive risk & control reports

Regulatory Risk Now Has a Year-Round Impact

• 50+ State Unclaimed Property Regulators
• Consumer Financial Protection Bureau
• 50+ State Attorneys General
• U.S. Department of Treasury
• Internal Revenue Service
• U.S. Department of Labor
• Municipal Securities Rulemaking Board
• Occupational Safety & Health Administration
• E.E.O.C.
• 50+ State Securities Departments
• SEC
• Commodity Futures Trading Commission
• Financial Industry Regulatory Authority (FINRA)
• 50+ State Insurance Departments
• Department of Justice
• Federal Trade Commission
• Health and Human Services
• Office of Foreign Assets Control
• 50+ State Mortgage Regulators
• Office of Comptroller of Currency
• Federal Reserve

* Slide denotes primary regulators only

Best Practices Are Driving Toward Shorter Duration and Timing

The Value of a Streamlined Risk Assessment Process

IIA Pulse of Internal Audit

“In today’s fast-paced operating environments, internal auditors need to audit at the speed of risk. That means developing the capability to continuously align or realign their audit coverage to address emerging risks and avoid damaging surprises.”

We Control Risk Assessment Processes

• Required by the Standards – But no one tells us HOW to do it
• Allows Internal Audit to understand which potential events might impact the business
• Provides a foundation for determining how risks should be managed
• Assesses risks from two perspectives: impact and likelihood
• Provides a basis for management to evaluate risk management activities
• Drives audit activities

Adding Value through Risk Assessments

Source: PWC State of the Internal Audit Profession 2015

Focusing on Risk is a Value Add Activity

Source: PWC State of the Internal Audit Profession 2015

Where We Were

Our Historical Annual Planning Process Roadmap

[Timeline, December through the following December, showing these activities:]

• Audit Committee Meeting: IA presents draft audit plan for approval
• Audit Universe Updates
• Audit Universe Completeness Review
• Risk Assessment Refresh for Coverage AUs: Perform thorough RA of AUs identified for Audit Plan coverage in following year
• Risk Assessment Confirmations AUs: Complete confirmations for all AUs where refresh is not required
• Audit Universe and Audit Plan Calibration: Develop draft Audit Plan
• Leadership Team Calibration: Determination of Audit Plan
• Forecast Next Audit Plan Year: Complete draft schedule
• Aggregation of Audit Plan Recommendation Materials
• Review Audit Plan with OCEO, SVPs, etc.: Review draft plan with Business/IT Management
• Audit Committee Meeting: IA presents draft audit plan for approval

The Federal Reserve Bank Required Changes to Our Process

• Nationwide subject to oversight from the Federal Reserve Bank (FRB)
• Internal Audit (IA) is a main focus of the FRB
• FRB expects a consistent risk assessment process, robust documentation and demonstrated leverage with other risk management partners
• The FRB raised the bar on IA’s risk assessment to be more comprehensive and “stand alone”
• The FRB expects real time updates to risk assessments as risk changes throughout the year
• The FRB’s goal is to rely on IA risk assessments and audit efforts - “avoid duplication of efforts”

Risk Assessment Hours (by Year)

• Risk assessment hours increased dramatically due to Nationwide’s complexity, desire for end-to-end process review and FRB expectations

[Chart: Risk Assessment Hours by Year. 2012: 4,181; 2013: 5,166; 2014: 6,400]

Risk Assessment Hours (by Year)

• The impact of risk assessments was profound on our ability to complete audit activity in line with increased FRB audit cycle times

Risk Assessment Streamlining Process Goals

• Develop a consistent repeatable process
• Align risk assessment efforts with cycle time
  o Concentrate on Auditable Units (AU) which required activity within the next 12 months
  o Create efficiencies through confirmation of AU’s with activity not due for 12+ months
• Reduce “peaks” in process by spreading activity throughout year
• Define calendar process view to provide:
  o Better forecast of risk assessment time
  o Client meetings for Audit Plan review
  o Earlier development of Audit Plan and scheduling
• Define policies and procedures outlining annual planning process

Risk Assessment Streamlining Content Goals

• Combine top-down, bottom-up and enterprise-wide view
• Based on a normalized taxonomy common to our industry
• Risk universe should be mutually exclusive and collectively exhaustive
• Risk Management partners (e.g. ERM, Compliance) should have a complementary risk universe and risk assessment methodology
• Risk rankings should not be considered absolute but provide approximate importance
• Methodology needs a common scale to facilitate risk discussions (e.g. quantitative or qualitative scales)
• Results should be continually validated with stakeholders
• Risk assessments should clearly prioritize audit activities

Where We Are

Nationwide’s Risk Management Structure

BOD
C-Suite

• 1st Line of Defense (Risk Ownership): Line Of Business Management (A, B, C)
• 2nd Line of Defense (Risk Control & Monitoring): Selected Risk & Control Functions (not exhaustive): ERM, Credit Risk, Investment Risk, Market Risk, IT Risk, Compliance
• 3rd Line of Defense (Risk Management Assurance): Assurance & Validation: Internal Audit

