
Streamlining the Annual Risk Assessment Process Presenter: Gregory Jordan, CPA, CIA, CRMA, FLMI Senior Vice President, Chief Audit Executive. Nationwide Insurance

Published 2017-06-14 07:30:09


Risk Assessments Are Now Developed in a Common Framework

ERM Framework: Information Risk Mgmt., Internal Audit, Financial Reporting Controls (FRC), Compliance, Investment Controls

Framework
- Common risk and control language
- Common criteria for issue prioritization; top issues presented to the Operational Risk Committee (ORC)
- Defined risk and issue heat maps

Technology
- Common technology platform (OpenPages) for issues management
- Consolidated issue reporting on a single system
- Programs are consolidated onto OpenPages for issue management

Reporting
- Issues compared across programs and business areas
- Reporting of issues more transparent across enterprise

We Use A Standardized Risk Assessment Heat Map

(Figure: heat map with axes "Magnitude of Occurrence" and "Frequency")

Revised Risk Assessment and Annual Planning Process

1. Update the Audit Universe: Update Auditable Units to reflect changes in business processes, IT infrastructure, products, etc.
2. Assess Inherent Risk: Assess Inherent Risk within each Auditable Unit, considering factors such as financial, operational, fraud, regulatory and reputational impacts.
3. Review Transformation Programs: Assess the impact of significant transformation programs on applicable Auditable Units and identify programs to include in the Audit Plan.
4. Determine Audit Plan: Determine Auditable Units and transformation programs to include in the Audit Plan.

Key Factors in Determining the Audit Plan:
• Inherent risk of each Auditable Unit and the corresponding Coverage Cycle
− High Inherent Risk (18 months)
− Medium Inherent Risk (3 Years)
− Low Inherent Risk (4 Years)

• Significant changes (recently implemented or planned) to strategies, processes, people, regulations or technologies

• Recurring projects – in alignment with external auditor expectations or regulatory requirements

• Management requests – requested audits or advisory projects

Internal Audit Now Leverages Compliance Risk Assessments

• Office of Compliance assesses compliance programs against elements of an effective compliance program derived from the U.S. Federal Sentencing Guidelines on Organizations

• Internal Audit fully leverages effective programs and partially leverages developing program risk assessments

E (effective)

• Basic foundation in place; and
• Element is reasonably designed to achieve compliance; and
• Consistent with appropriate industry practices or legal / regulatory expectations

D (developing)

• Basic foundation in place but scope of coverage not yet adequate; or
• Element needs to evolve and grow to be more consistent with appropriate industry practices or legal / regulatory expectations; or
• New or emerging risk requires heightened compliance attention

I (inadequate)

• Basic foundation not in place or clearly ineffective; or
• Element inconsistent with appropriate industry practices or legal / regulatory expectations

Compliance Program Effectiveness Assessment

Columns: Line of Business 1 (Process/Areas 1 to 6); Line of Business 2 and Line of Business 3 (Process/Areas 7 to 15); Office of Compliance.
Rows: compliance program elements.

Element                                            LoB 1 (Areas 1-6)   LoB 2, LoB 3 (Areas 7-15), Office of Compliance
High Level Responsibility                          E E E E E E         E E E  E E E E E E E  E
Risk Assessment                                    E D E D D E         E E E  E E E E D E E  D
Training & Education                               E E E E D D         D D E  E E E E D E D  D
Written Policies & Procedures                      E D E D D D         D D E  E E E E D E D  D
Monitoring & Testing                               E D D D D E         E D E  E D E E D E D  D
Response & Prevention                              E D E D D E         E E E  E E E E D E E  E
Enforcement & Discipline                           D D D D D E         E E E  E E E E E E E  E
Reporting                                          E E E E E E         E E E  E E E E E E E  D
Regulatory Exam, Inquiry & Relationship Management E E E E E E         E E E  E E E E E E E  E

E = Effective, D = Developing, I = Inadequate

Audit Universe Validation

We use all available data to validate legal entities, product lines, services, operational functions, etc.

Updated Risk Assessment Resources

• New team member training
• Consistent tools and templates to shorten preparation and learning curves
• Providing “pre-read” client documents to shorten meetings and the need for follow-up activities

 Risk Assessment – Meeting and E-mail Templates
 Risk Assessment Interview Guide
 Risk Assessment Questionnaire
 Inherent Risk Rating Heat Map
 Audit Proposal Template
 Office-Wide Training

Risk Assessments Now Have Four Distinct Components

• Refresh & Engagement Proposal Documents
• Confirmations
• Post Audit Updates
• Continuous Monitoring Updates

Risk Assessment Refreshes

o For AUs requiring audit activity within the next 12 months
o No need to start from scratch
o More streamlined than our “traditional risk assessment”
o Leverage risk partner activity
o Meet only with “the right” level of management
o Business Auditors responsible for identifying key technology applications (internal, mobile, or externally hosted) and critical business models
o IT Auditors “consult” with business auditors, freeing up IT capacity
o Risk assessment data is updated in common repository

Engagement Proposal Documents

Risk Assessment Refreshes now require an “Engagement Proposal Document”

• Provides consistent audit activity recommendations
• Audit or project name, why required and/or important
• High level scope including business, IT and DA related efforts
• Develop estimate of required resources (business, IT, and DA hours)
• IT and DA team members are involved in determination of scope and hours – no “guess work”
• Timing is discussed in advance with clients for upfront agreement

Risk Assessment Confirmations

Risk Assessment Confirmations are used for AUs not requiring a Risk Assessment Refresh

• AUs requiring audit activity beyond the next 12 months
• Auditors leverage risk partner activity
• Auditors utilize a “Risk Assessment Questionnaire”
o Sent to key stakeholders for review and update
o Finalized during meetings with key stakeholders
o Leverages data from recent audit services completed in previous 12 months (Post Audit Updates)
o Leverages input from periodic Internal Audit/senior management meetings (Continuous Monitoring)

Risk Assessment Post Audit Updates

• Risk assessment updates are now required after each audit or project engagement

• Goal is to document risk assessment knowledge “real time” and not lose critical information over time

• Data is input into common tool and shared with risk partners

Risk Assessment - Continuous Monitoring Updates

• IA participates in over 30 risk management committees
• IA has routine senior management/client meetings
• Goal is to document “real time” emerging risk
• Data is leveraged in risk assessment refreshes and confirmations

Corporate Functions
• Asset Class Risk Review
• Asset Liability Committee
• Enterprise Disclosure Committee
• Enterprise Risk Council
• Finance Council
• Information Security Policy Review Board
• Investment Risk Committee
• IT Leadership Team
• Liquidity Working Group
• Office of Ethics Semi-annual Update
• Operational Risk Committee
• Risk and Capital Modeling Committee

Nationwide Financial
• Bank Risk Committee
• Nationwide Financial Litigation Review
• Nationwide Financial Pre-Disclosure
• Nationwide Financial Risk Committee
• SEC Pay to Play

Property & Casualty
• CAT Risk Committee
• Commercial Lines Transformation
• Corporate/P&C Pre-Disclosure
• Nationwide Growth Solutions Risk Committee
• P&C Litigation Review
• P&C Product Risk Committee
• P&C Risk Committee
• Personal Lines Transformation Project

Organizing Risk Assessments

Risk Assessments are now organized by group and type for ease and consistent use

Organizing is what you do before you do something, so that when you do it, it is not all mixed up.
-A. A. Milne

Where We are Going

Risk Velocity

• Our goal is to measure risk velocity (how quickly and how severe it could become)
• Use as a factor in determining priority and timing of audit activity

Risk Velocity and Real Time Risk Assessments will Drive Audit Plan Activity

(Figure: two risk heat maps plotting “Project X - April 1” and “Project X - July 1”. Vertical axis, Magnitude Per Occurrence: Less than $10K; Greater than $10K, Less than $100K; Greater than $100K, Less than $1M; Greater than $1M, Less than $10M; Greater than $10M. Horizontal axis, Frequency: Less than 1 occurrence in 10 years; 1 occurrence in 10 years; 1 occurrence per year; 2 to 10 occurrences per year; Greater than 10 occurrences per year.)

We Will Focus on Top Down, Bottom Up and Enterprise Risk View

(Figure: Current state shows Credit Risk within Line of Business 1, Line of Business 2 and Line of Business 3 separately; Future state shows a Credit Risk Assessment at the enterprise level.)

Risk Assessment Hours & Timing

We will continue to shorten the duration and impact of the “annual” risk assessment process

(Figure: two “Risk Assessment Hours by Year” charts for 2015: hours by month, Jan to Dec, on a 0 to 2,500 scale, and total hours on a 0 to 7,000 scale.)

Using Real Time Risk Assessments

 Periodically monitor key risk indicators
 Use technology to continuously monitor key risk
 Periodically interview management to identify changes in risk profile
 Initiate updates to risk assessment
 Initiate formal or ad hoc changes to the Audit Plan

Potential Approaches for Assessing Key Business Risks

(Figure: Workshops, Interviews, Surveys)

• Workshops – Group working sessions provide the opportunity to aggregate multiple points of view while validating and prioritizing significant risks and defining proposed “risk owners”.

• Interviews – Provide more detailed risk information than surveys, with greater analysis through a focused one-on-one interview process.

• Surveys – Gather candid, preliminary input on key business risks from professionals across the breadth of the organization.

Building Flexibility into the Annual Audit Planning Process

Questions?

