
BUSINESS IS OPPORTUNITIES MANAGEMENT AS WELL AS RISKS MANAGEMENT

WHO IS THE BAD GUY OR GIRL?


THE HEAD OF INTERNAL AUDIT

THE CEO

STEP 1: WRAP-UP

CORPORATE OBJECTIVES (and related KPI if any)

TOP 5 RISKS IDENTIFICATION AND ASSESSMENT

What Could Go Wrong

Severity in terms of:
Impact (High, Medium and Low)
Likelihood (High, Medium and Low)
Velocity (Short, Medium and Long term)

Keep also in mind the risk of fraud

STEP 2: SELECT

SHORT TERM RISKS: Keep only those that are very likely to occur within the next SIX months

TOP 5 RISKS

Attributes validation

Risk owner commitment and sign-off (upon validation by Group Executive Committee and endorsement by the Board of Directors)

STEP 3: RISK MANAGEMENT

MITIGATION FACTORS: Such controls as bank reconciliation or physical inventory

RESIDUAL RISKS = inherent risks (STEP 2) - risk treatments (mainly mitigate OR avoidance, sharing, transfer, accept)

RISK MANAGEMENT GOVERNANCE

RESIDUAL Risk owner commitment and sign-off (upon validation by Group Executive Committee and endorsement by the BoD)

Risk, risk management


RISK

Risk is defined as the probability that an event will occur and adversely affect the achievement of objectives. Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement

COSO

RISK MANAGEMENT

Risk management aims at identifying, controlling and reducing risks and reporting them quarterly before the Board of Directors.

Impact: YOUR ORGANIZATION'S RISKS IN METRO HEADLINES?

High impact

Likelihood represents the possibility that a given event will occur, while impact represents its effect.
COSO 2012 Definition

Impacts Level: Criteria (guidance)

Low: Below 10% deviation from the quantitative KPI (profit before tax or other operational)
Medium: Between 10 and 20% deviation from the quantitative KPI
High: Above 20% deviation from the quantitative KPI

Any fraudulent risk starts from the first euro
Any damage to Transcom's brand or reputation
Risks duration over one year

A THIEVING call centre worker stole nearly £600,000 of mobile phones from his firm in a nationwide scam

Michael Higgins was working for Orange, in North Tyneside, when he hatched the plot to line his pockets. Higgins, who worked as an analyst for the firm, managed to override an internal security system time and time again to set up bogus sales.

Newcastle Crown Court heard a total of 1,158 handsets were stolen over a two-year period worth £496,141, but the VAT avoided on the sales pushed this up to almost £600,000.

Now Higgins has been locked up for three years and four months while fellow former Orange worker Gavin Ellis, who worked as Higgins' sales manager in the plot, was jailed for 32 months.

Judge Brian Forster said: "This was planned theft over a significant period of time and the value was substantial.

"The courts have a clear duty to deter employees from committing serious offences of dishonesty, in particular theft. Higgins acted in a gross breach of trust and Ellis was not only involved in sales but was quickly centrally involved."

An inquiry had been launched at the Orange call centre, on the Cobalt Business Park, North Tyneside, after discrepancies were uncovered between the number of phones being ordered and billed and the number being delivered. The investigation showed a large number of orders had been delivered but had somehow avoided going into the firm's billing process.

Robert Adams, prosecuting, said: "Michael Higgins was identified as the analyst responsible in each case. No payment was being taken for these phones because no account had been set up with Orange. All these transactions were processed by Higgins, they all related to top of the range handsets and none of them was ever paid for."

A fraud with a high impact


When Higgins, 34, of Bothal Place, Pegswood, Northumberland, was interviewed by police he admitted stealing the phones by bypassing the usual system, saying once the phones had been dispatched he would delete the order.

The court heard while Higgins spent his profits of £90,000 on clearing his debts, co-accused Ellis had used his similarly sized share to pay off his mortgage, buy a £20,000 Ford Focus and private registration plate and a £5,000 kitchen.

Ellis, 36, of Gainford, Gateshead, had also worked for Orange but had left the firm before the scam began. He admitted selling some of the phones on internet auction site eBay and meeting other people to pass the handsets on.

Both Higgins and Ellis pleaded guilty to conspiracy to steal between January 2006 and January 2008.

Ellis' wife, Lynn Ellis, 31, of Gainford, Gateshead, also became embroiled in the plot and pleaded guilty to allowing her bank accounts to be used by her husband for the transfer of criminal property, namely £40,000 withdrawn to pay off their mortgage. She was jailed for 26 weeks, suspended for 18 months and ordered to do 100 hours of unpaid work.

Irtafa Dawood, 29, of Empire Road, Middlesex, who bought the phones from Higgins and Ellis at knock-down prices then sold them on, was convicted by a jury of handling stolen goods. He was jailed for two-and-a-half years.

Carl Parker, 40, of Laburnum Grove, Staffordshire, who allowed his address to be used for delivery of the phones, pleaded guilty to being concerned in the arrangement of criminal property and was jailed for nine months, suspended for 18 months, with 150 hours of unpaid work. Malcolm Harvey, 30, of Barningham Road, Richmond, admitted the same offence and received the same sentence.

Detective Sergeant Dave Swinburne, from North Shields CID said: "These convictions have taken place after extensive enquiries have been carried out by officers over a two-year period the length and breadth of the country.

"This investigation established that more than 1,100 mobile phones were stolen worth nearly £600,000.

"I hope today's court case sends a clear message that such crimes will be fully investigated and those found guilty will be brought to justice."

He added that financial investigators will be making an application under the Proceeds of Crime Act to recover any assets.

ChronicleLive.co.uk November 2009

Likelihood: low, medium or high?

Low likelihood

Medium likelihood

High likelihood

Level: Criteria: Examples

Low: Below 33%: Floods in Australia
Medium: Between 33% and 66%: Snow in Roma
High: Above 66%: Snow in Luxembourg

Likelihood represents the possibility that a given event will occur, while impact represents its effect.
COSO 2012 Definition

Velocity

Short term

Medium term

Long term risk

RISK VELOCITY: Criteria

Short: Within the next three months
Medium: Between the next four and six months
Long: Beyond the six months

Risk velocity refers to the pace with which the entity is expected to experience the impact of the risk. For instance, a manufacturer of consumer electronics may be concerned about changing customer preferences and compliance with radio frequency energy limits (...) Changes in regulatory requirement develop much more slowly than do changes in customer preferences.
COSO 2012 Definition

INTERNAL AUDIT
Definition
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Source: The Institute of Internal Auditors (IIA)

Internal Audit vs. External Audit

Statutory mission
Internal Audit: No
External Audit: Yes

Transcom employee
Internal Audit: Yes (on principle)
External Audit: Neither

Scope
Internal Audit: Financial statements, forecast and budget process, Operations, Compliance
External Audit: Financial statements only

Objectives
Internal Audit: Assess the adequacy and effectiveness of the internal control framework
External Audit: Give an independent and professional opinion whether the accounts are free from any material bias

Accountable before
Internal Audit: The Audit Committee
External Audit: The shareholders

FRAUD, INTERNAL CONTROL


Fraud
The Institute of Internal Auditors defines fraud as: any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.

Internal control
Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
Effectiveness and efficiency of operations
Reliability of reporting
Compliance with applicable laws and regulations
Source: COSO 2012

On your right, you have the COSO cube describing internal control framework by:
Category of objectives
Process
Organization

RISK REGISTER TEMPLATE SAMPLE


RISK: IMPACT: LIKELIHOOD: VELOCITY: SIGNIFICANCE

Trainee illness: Low: Low: Long term: Low
Agent absenteeism: Low: Medium: Medium term: Medium
Tax audit: High: Medium: Short: High

RISK SIGNIFICANCE RATING RULE
