
Intelligent Assurance / Smart Controls

Colin Fiddes, May 2013

Context

Financial Services Strategic Forum 2


Governance, Risk and Control context

Retrospective views of the global financial crisis

Post global financial crisis, have risk, control and assurance functions taken their eyes off the ball?

Governance | Risk Appetite | Risk Management | Regulatory Reform | Incentivisation | Customer | Culture
Capital | Growth | ROE
Cost + Control
Technology

Operational Challenges: Unauthorised Trader; Financial Crime / Anti-money Laundering; Mis-selling and Conduct Issues; Major corporate events / incidents

What role is played by the lines of defence in these key areas?


Does the cost of control achieve the desired level of assurance?



Defence & Assurance

Lines of Defence / Levels of Assurance

An effective Risk & Control Environment enables Delivery of the Value Proposition in an Ethical, Sound, Compliant, Responsible, Sustainable way.

Level of assurance 1, Board (Board | Board Committees): Ultimate assurance providers. Set tone & expectations.

Level of assurance 2, External Assurance (External audit | Regulators | Rating Agencies): Specific external challenge & review.

Level of assurance 3, Internal Assurance (Internal audit), line of defence 3: Independent internal verification. Verify effectiveness of design & implementation.

Level of assurance 4, Risk & Control Functions (Risk | Compliance | Finance | Actuarial), line of defence 2: Promote sound practices/standards. Respond to market developments. Challenge & review. Monitor practices & policy. Reporting & communication.

Level of assurance 5, Business Units (Operations), line of defence 1: Create & preserve wealth. Implement, execute and embed sound practices. Establish appropriate risk & control environment.



Integrated Assurance



Current challenges



Current challenges in the market place
Main drivers for Integrated Assurance

Market drivers
Regulatory and stakeholder pressure for enhanced governance, risk management and internal control frameworks.
Inefficient, siloed processes of organically grown assurance functions of 2nd and 3rd Line of defense.
Cost pressure on Financial Institutions in an environment of rising regulatory capital and reducing ROE.

Increased demand to demonstrate to the different regulators how external requirements are embedded into the organisation (e.g. Use Test).
Integrate different assurance functions, close gaps, eliminate overlaps and anchor risk and control management in the business.
Better risk management at lower costs.
assurance from origination to
disclosure

Trend: Integrated Assurance


The main focus today lies on harmonization (organization, processes, terminologies) and efficient arranging of the
different assurance functions.
The objective: Implementation of a harmonized corporate governance, risk management and internal control systems
which addresses business needs and complies with legal and regulatory requirements.

What counts is assurance as a whole!



Assurance landscape
Greater expectations ...

Stakeholder Expectations
Corporate Governance
Regulators (incl BCBS)
Political (G20/FSB)
Professional Bodies (IIA)
Capital Markets



Challenges



Current challenges
Lack of harmonization of assurance functions

Lack of alignment of Board committees across the board as well as multiple, uncoordinated reporting to the boards

Inconsistent methodologies applied by assurance functions in 2nd & 3rd line of defense (risk inventories, rating scales, etc)

Multiple and inconsistent assessments represent burden for business and COO functions

[Diagram: Board; Audit Committee, Risk Committee, Compensation Committee; Operational risk management, Internal audit, Compliance, External audit and SOX/ICOFR, shown with multiple Rep, R and C markers; business processes: Strategic Management; Capital & Liquidity mgmt & planning; Client advisory & sales; Banking transactional processes; Product development; Support processes]

R = Risks C = Controls Rep = Reporting

The main focus is on the harmonization (organizations, processes, terminologies) and efficient execution of the various initiatives and the provision of timely, relevant information: Risk Convergence



Current challenges in the market place
Lack of harmonization of assurance functions

Tone at the Top Risk Governance posture, values, behaviours, expectations


Functional overlaps in risk and control identification, assessment, reporting and issue & action tracking reliance v assurance
Inconsistent terminology
BoD/ExComs/Market/BU managements buy-in (glass ceiling and assurance fatigue)
Clarification of roles and accountability
Absorption of line management time for unaligned Risk & Control management efforts
The different frameworks are compliance-oriented rather than assurance/business enabling
Efficient allocation of resources/audits
Multiple tools with similar/redundant purpose
Disproportionate control activities over control
Independence over collaboration



Future state



Risk Convergence
Integrated risk & control management

Alignment of committees across the board as well as integrated and consistent reporting

Integrated Risk & Control Mgmt framework in 2nd and 3rd line of defense

Integrated assessment & consistent assessment as well as clear Risk & Control ownership in 1st line of defense (business)

[Diagram: Board of Directors; Audit Committee, Risk Committee, Compensation Committee; Integrated reporting (Rep); Operational risk management, Internal audit, Compliance, External audit and SOX/ICOFR, shown with a single R and a single C marker; Efficient scoping; Internal control system (ICS); Integrated assessments; business processes: Strategic management; Capital & Liquidity mgmt & planning; Client advisory & sales; Banking transactional processes; Product development; Support processes]

R = Risks C = Controls Rep = Reporting



Target outcomes/objectives

Clear Risk, control ownership


Business objectives aligned Risk & Control Environment
Enhance risk and control culture and behaviour
Focus on significant risks and key controls
Understand risk mitigation strategy - 4 Ts
Improve transparency towards overall risk picture
Clear allocation of roles and responsibilities (no overlap, no gaps): optimised
Manage duplication, cost of risk & control portfolio of control
Cost effective, risk control, processes



Objectives



Overview of Ernst & Young's Integrated Risk Assurance methodology
Objectives and main benefits

Governance
Harmonisation of governance, risk management, risk control and audit functions: what counts is assurance as a whole!
Alignment of roles and responsibilities across different Committees (Audit, Risk and Compensation) including linkage between the incentive system and risk management
Integrated implementation of RM/ICS requirements according to Solvency II Pillar II
Enhanced assurance, sound risk & control environment

Risk management
Alignment of roles and responsibilities across risk assurance functions in 2nd and 3rd line of defense to close gaps and eliminate overlaps
Harmonization of risk and control management frameworks: one single framework including company wide risk catalogue (risk universe) and risk taxonomy, uniform rating scales and integrated reporting and issue tracking formats
Organisation wide, consistent understanding of risk & control expectations

Internal controls
Increase ownership of risk and control management in the business (first line of defense)

Reduction of granularity by focusing on the most significant risks and key controls

Reduction of total costs in risk and control operations (e.g. by eliminating overlaps)



Integrated Assurance
Top 10 critical success factors for R&CC / Transformation project

Build on existing elements: a tailored approach

Focus on significant risk and key control management rather than extensive documentation exercise

Strong sponsorship across the BoD and Executive Management based on a clear business case and alignment with strategy

Multidisciplinary project team with significant experience in risk management, compliance, financial reporting, IT and other related disciplines

Early involvement of business leaders, regional leaders and representatives from support functions

Effective project and change management plan/strong PMO

Close cooperation of key Risk & Control functions throughout entire program

Effective alignment with other key initiatives

Enabling communication and training strategy to inform and involve key parties



Smart controls



Market observations



Smart Control Key observations

Companies are over-controlled on compliance and financial risks
Cost + effort > assurance
Events still occur
Controls are additive

Companies are not fully leveraging automated controls
Significant reliance on manual
IT not leveraged

Companies are making limited use of continuous monitoring and data analytics
Effective data analytics to measure and anticipate

Controls are not well aligned with the risks that matter
Strategy Risk Control alignment could be better
Significant changes don't consider risk

Companies that align risk management with strategy protect and enhance shareholder value

Top performing companies implemented on average twice as many key risk capabilities as those in the lowest performing group

Companies in the top 20% of risk maturity generated four times the level of EBITDA as those in the bottom 20%

Financial performance is highly correlated with the level of integration and coordination across risk, control and compliance functions

Effectively harnessing technology to support risk management is the greatest weakness/opportunity for most organizations

Is a sound Risk & Control Environment a core competence and therefore a competitive advantage?



Smart control:
A framework for transformation



Our Smart Control framework

Ernst & Young has developed a Smart Control approach that helps companies realize reductions in the cost of
controls, enable growth and keep the business safe

Key value drivers: Align with strategy; Reduce cost; Enhance performance; Accelerate process execution; Improve levels of risk awareness and compliance

Align with strategy
Align risks to strategic and business objectives
Map controls to strategic, operational, financial and compliance risks

Reduce cost
Focus on margin improvement by focusing on risks that matter
Reduce cost of controls by optimization, standardization and automation

Improve levels of risk awareness and compliance
Increase risk awareness by operationalizing risk management

Accelerate process execution
Make processes nimble and sustainable to manage changing risks
Streamline controls to support faster decision-making
Design controls to proactively identify new risks associated or aligned with major organizational initiatives

Enhance performance
Enhance scalability responding to demand peaks and troughs
Reduce time to market increase process and controls maturity



Realizing the benefits of Smart Control

Transforming the control leverage model reduces the cost of execution, rebalances the mix of control types and
increases the overall value of control activities

Control service centers
Pervasive controls
Covers wide range of controls and locations
Leverage automation and scale
Concentrates control operation risks
Increased segregation of duties

Monitoring and analytics
Leverage data analytics to monitor controls
Higher level control (above transactions)
Leverage existing management activities

Automated controls
Configured in ERP system
IT-dependent (exception and edit reports)
Require little to no human intervention

Transactional controls
Controls operating at regional or specific locations
Require significant human intervention or operations
Operates at the transaction-level

[Chart: Allocation of resources to various components of a process, Current state versus Future state. Labels: Control activities; Control transformation; Smart Control; Reduction in control cost; Balanced control mix; Value of the activity for the business adding or protecting]



Our approach to achieving Smart
Control



Our approach to Smart Control

Ernst & Young's Smart Control approach is a well-defined work plan that leverages normative process and control models and data analysis to help clients build a business case and implement a plan for controls transformation.

Phases: Develop strategy; Design and build; Run and operate

1 Understand the opportunity
2 Create zero-based controls framework
3 Leverage existing or invest in new technology enablers
4 Embed low-cost, effective sustainable operating model

Create clarity, alignment and commitment in the business
Understand the current state of the control environment including the proficiency of risk management functions
Understand control cost drivers and compare to benchmarks

Create a business case and execution plan
Design a zero-based controls framework aligned to process objectives
Evaluate technology enablers and integrate into existing technology infrastructure
Align business case to overall enterprise strategy

Create a functional operating model
Execute new control capabilities applying a cost-effective operating model
Document revised control model
Execute, monitor and remediate new controls
Measure return on investment

Zero-based controls framework: a single, global, streamlined set of controls aligned to risks that matter, leveraging technology and implementing continuous monitoring capabilities



Key questions



Key Questions

What is the cost of risk, control and assurance activities?

Are the responsibilities and expectations for control and assurance clearly articulated in Board level, frameworks, policies, mandates?

Does management intelligently interrogate and challenge control activities in accordance with Risk appetite and tolerance expectations?

Is the portfolio of controls responsive to the risk being taken and assumed?



Appendix
The current state of your control environment



Attributes of your control environment

Rating: 1 Strongly disagree, 5 Strongly agree
Attributes of your control environment 1 2 3 4 5

Controls spend
Amount spent on control design, execution and monitoring is visible
Controls are aligned with risk tolerances
Automated controls are fully leveraged
Preventive and detective controls are properly balanced
Ownership (responsibility) for each control is defined
Controls are standardized across business units
Entity-level and monitoring controls exist and are reliable
Control redundancies are minimal

Accountability for risk
Board and management are structured to provide effective oversight and management of risk
Communication to stakeholders is consistent and effective
The assignment of responsibilities for risk and control activities is timely and consistent
The organization is effective in leveraging technology

Elements assessed below 3 (agree) may be indicative of an opportunity for improvement to confirm your control environment is well designed, understood and operating effectively. Leading control environments affirm agreement to strong agreement with each of the elements presented in this questionnaire.



Attributes of your control environment

Rating: 1 Strongly disagree, 5 Strongly agree
Attributes of your control environment 1 2 3 4 5

Process execution
Internal controls make process execution more effective
Metrics and reporting are used to monitor process effectiveness
Processes and initiatives directly support strategic objectives
Processes are standardized throughout business
Policies and operating procedures are periodically reviewed and updated
Resources and competencies are sufficient to support process objectives
Information technology is used to make processes more efficient

Accountability with strategy
Risks taken are aligned to your business strategies and objectives
Risk management activities are integrated with planning and execution
Your acceptable level of risk is defined and communicated
Change management is employed and tracked to support new strategies
Your enterprise risk management plan is robust and well communicated
Metrics and reporting are used to monitor strategic initiatives
Strategic plans and initiatives are documented and communicated

Elements assessed below 3 (agree) may be indicative of an opportunity for improvement to confirm your control environment is well designed, understood and operating effectively. Leading control environments affirm agreement to strong agreement with each of the elements presented in this questionnaire.



Ernst & Young
Assurance | Tax | Transactions | Advisory

About Ernst & Young
Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 167,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve potential.
For more information, please visit www.ey.com.

Contacts:
Colin Fiddes - Director: Advisory Services: Financial Services Risk
E: colin.fiddes@za.ey.com
Trevor Rorbye - Director: Advisory Services: Financial Services Sector Leader
E: trevor.rorbye@za.ey.com
Celestine Munda - Director: Advisory Services: Risk
E: celestine.munda@za.ey.com

2013 Ernst & Young - all rights reserved.
Proprietary and confidential. Do not distribute without written permission.

