Regulatory assessment and compliance - PowerPoint PPT Presentation

Slides: 77
Provided by: KayodeHML1960

Transcript and Presenter's Notes



1

Regulatory Assessment of Risk and Compliance
Kayode Adebiyi, FCA, MBA Nov 2019
2
Our Roadmap
Risk assessment
COSO Framework
Risk Perspectives
Methodology Regulators kit
Compliance Management system
3
Perspectives on Risk
4
(No Transcript)
5
Definition - Risk
  • A risk is anything that could jeopardize the
    achievement of an organization's objective.
  • The probability that a particular threat will
    exploit a particular vulnerability
  • The failure to take advantage of opportunities
    in order to best achieve objectives.
  • A trigger for strategic direction

6
Asset, Vulnerability, Threat, Risk, Control
  • Asset: anything that has value to the organization
  • Vulnerability: any weakness of an asset
  • Threat: any possible danger
  • Risk: vulnerability exposed to threat
  • Risk = Vulnerability x Threat
  • Control: countermeasure to reduce risk

7
RISK is a moving target
  • What is your risk tolerance?
  • Conservative, Moderate, Aggressive
  • New threats are emerging
  • Be on the lookout for new risks
  • How do you manage risk?
  • Adapt to new ways of managing risk

8
(No Transcript)
9
Risk Diagram
10
(No Transcript)
11
(No Transcript)
12
(No Transcript)
13
RISK FLOW
14
Threats everywhere!
15
Goal
16
Risk depends on perspective (1)
17
Risk depends on perspective (2)
18
Risk depends on perspective (3)
19
(No Transcript)
20
Flavors of Risk
  • Risk includes
  • Exposure to losses (hazards)
  • Risk managers avoid risks
  • Potential for gain (opportunities)
  • Risk managers take risks

21
Why take risks?
Try to balance risks and opportunities
Risks
Opportunities
22
  • Risk without the expectation of reward is suicide
  • Attitude to risk
  • Where do YOU sit? An old and bold pilot is
    difficult to find!

Risk Averse
Risk Neutral
Risk Seeking
23
Risk Assessment
24
Perceptions in Today's Risk Environment
  • Risk profiles are increasing
  • Regulatory/public scrutiny
  • Expanding services increases risks
  • Business change increases risk complexity
  • Risk management not keeping pace
  • Need for right kind of risk training
  • Need for risk assessment methodologies/technology
    tools
  • Stakeholders have different risk needs
  • Inconsistent risk language used

Gaps in Risk Coverage
25
Risk Assessment
  • Inherent Risk
  • Strategic
  • Operational
  • Financial
  • Compliance
  • Reputational
  • Residual Risk
  • Risk after accounting for current internal
    controls

26
Example Risk Model
  • Environmental Risks
  • Capital Availability
  • Regulatory, Political, and Legal
  • Financial Markets and Shareholder Relations
  • Process Risks
  • Operations Risk
  • Empowerment Risk
  • Information Processing / Technology Risk
  • Integrity Risk
  • Financial Risk
  • Information for Decision Making
  • Operational Risk
  • Financial Risk
  • Strategic Risk

27
Risk does not respond to the law of gravity!
RM is an ongoing process!
28
Why Risk Assessment
29
(No Transcript)
30
Risk Assessment is a process to
  • Identify significant risks
  • Assess risks
  • What is the likelihood of occurrence?
  • What is the potential impact?
  • Manage these risks through
  • Avoidance
  • Acceptance and Sharing (Insurance)
  • Mitigate with Controls

31
Time Zero - Understand the Business?
  • What is the business?
  • What is the industry?
  • What is the strategic plan?
  • NOW, WHERE, HOW
  • Who owns the business?
  • Who runs the business?
  • How will risk management fit?
  • What is the risk appetite for the company or
    project?

32
Time Zero Risk Assessment Questions to be
answered
  • Where do the risks come from?
  • How big are they?
  • What are the major contributors? (Time, Cost, etc.)
  • What are the risks sensitive to, and how can they
    be changed?
  • What level of risk does the company find
    intolerable, what is considered trivial?
  • What is it worth doing to reduce the risk?
  • Fundamental First steps

33
UNDERSTANDING THE COMPANY
  • Company's History & Background
  • Capital Structure & Evolution
  • Promoters & Group Companies
  • Management & Administration buildup
  • Financial Soundness & Debt Structure
  • Risk Management & Protection
  • Licenses & Approvals

34
IDENTIFICATION PROCESS
  • General application of laws
  • Sectoral applications
  • Industry / Segment applications
  • Geographical applications
  • Number of Employees
  • Transaction applications

35
Risk assessment - determining acceptable levels of risk for your business
Companies need to pay attention to risks and have robust processes in place
Decide how far to go with protective and mitigating measures
[Diagram labels: Reduce risk; Identifying; Business risks; Manage risk; Consider regulatory regimes; Assessing; Examine cost; Correctly evaluating; Recognise opportunities]
36
IMPACT
                Low Vulnerability    High Vulnerability
Strong Hazard   MODERATE             HIGH
Weak Hazard     LOW                  MODERATE
37
PROBABILITY AGAINST IMPACT OF RISK
38
The Risk Assessment/Management Process
[Flowchart: Organizational Objectives; Identify & Assess Risks; Identify & Assess Residual Risks; Action; decision branches No / Yes]
39
The Risk Assessment/Management Process
[Flowchart: Organizational Objectives; Identify & Assess Risks; Identify & Assess Residual Risks; Action; decision branches No / Yes]
40
Define Organization's Goals and Objectives?
  • Define goals and objectives in relation to
  • Mission,
  • Activities and processes,
  • Financial reporting requirements, and
  • Compliance issues

41
Identify and assess potential RISKs by asking
What could go WRONG? What must go RIGHT? How
likely is it that the risk will happen? What
will be the impact if it happens?
42
What controls are in place to achieve your objectives?
  • Control Environment
  • Tone at Top
  • Competence
  • Roles & Responsibilities
  • Information & Communication
  • Control Activities

43
What could still go wrong given existing controls?
  • Look at your risks and your existing controls to
    identify any gaps.

44
Can you live with the Residual Risk?
  • Do your existing controls provide reasonable
    assurance that you will achieve your
    objectives?
  • Some things you can't control (changes in
    government regulations, weather)
  • Risk acceptance decision will depend on the
    culture of the organization

[Flowchart labels: Identify & Assess Residual Risks; Acceptable? (No / Yes); Action]
45
Action Planning
  • If the level of uncontrolled risk is too
    high/unacceptable then action plans are developed
    to reduce the residual risk to an acceptable
    level.

46
COSO Component - Risk Assessment
  • External sources of risks
  • Internal sources of risk
  • Changes in management responsibilities
  • Changes in internal information technology
  • Poorly conceived business model
  • Economic recessions decrease product or service
    demand
  • Increase in competition
  • Changes in regulation that make the business
    model unsustainable
  • Changes in the reliability of source goods that
    reduce profitability

47
COSO Framework
48
8 Components of the Framework
49
The Bank Uses the COSO Framework

Monitoring
Information
Control activities
Communication
Risk Assessment
Control Environment
50
Connect
51
COSO cube 5 Integrated Components
Risk Strategies
52
Compliance Management System
53
What is compliance?
  • Definition
  • Certification or confirmation that the doer of an
    action meets the requirements of
  • accepted practices
  • Legislation
  • prescribed rules and regulations
  • specified standards
  • the terms of a contract. 

54
Compliance Management System: how a company
  • Establishes its compliance responsibilities
  • Ensures that responsibilities for meeting legal
    requirements and internal policies are
    incorporated into business processes
  • Reviews operations to ensure responsibilities are
    carried out and legal requirements are met
  • Takes corrective action

55
(No Transcript)
56
(No Transcript)
57
Compliance Risks
1. Identifying and assessing compliance risks
2. Developing effective control measures
3. Monitoring and reviewing the effectiveness of
your risk management procedures
58
Internal Control
INTERNAL CONTROL is a process, effected by an
entity's board of directors, management, and
other personnel, designed to provide reasonable
assurance regarding the achievement of objectives
relating to
Management has a fundamental responsibility to
develop and maintain effective internal control.
59
Compliance Concepts
  • Establish minimum standards of conduct
  • Establish compliance objectives
  • Consider acceptable level of variation
  • Relate with the effect of external factors

60
Regulatory Methodology
61
How do you eat an elephant?
62
Periodic Risk Assessments
  • Efficiency
  • Buy-in and Ownership
  • Coordination
  • Keep the risk management process simple.
  • Build into existing business processes
  • Complex processes feel like red tape
  • Start small and build over time.
  • Don't overload administrators with too many
    projects
  • Additional projects and processes can be added
    over time

63
Compliance Risk Analysis
  • 1. Organizational Context
  • 2. Risk Identification
  • 3. Risk Assessment
  • 4. Risk Evaluation
  • 5. Risk Treatment
  • 6. Monitoring, Review and Corrective Action
  • 7. Communication Throughout the Organization

64
Risk Identification
  • Process Flow Analysis
  • Regulatory analysis
  • Responsible Officers
  • Event Inventories
  • Organizational History
  • External Context (Stakeholder expectations)
  • Events Common to Industry
  • Interviews, Questionnaires, Surveys
  • Facilitated Workshops
  • Leading events and escalation triggers

65
COMPLIANCE TIMINGS EVALUATION
Compliance Timings: Fixed / Regular; Event Based
66
CREATION OF COMPLIANCE STRUCTURE
Establishing Controls Standard Delegation of
Responsibility Analysis Assessment Compliance
Reporting
67
Risk Increases the More You Don't Know
All The Potential Outcomes
The Probability of Occurrence
Cost of an Undesirable Outcome
68
Said Another Way: The more you do know and
understand about the better long-term risk
manager you will be.
All The Potential Outcomes
The Probability of Each Outcome Occurring
Cost of Undesirable Outcomes
69
(No Transcript)
70
Failure to manage your knowledge will involve
serious risk
71
Law firm risks
Establishing and evaluating knowledge
72
Risk comes from not knowing what you're
doing - Warren Buffett
Well, then I guess, we both are in deep trouble
73
Risk vs. Profitability
74
Good is good enough
75
Factors outside control
76
EODEOD
77
Albert Einstein's Theory
A = X + Y + Z
A = Success, X = Work, Y = Play, Z = Keeping your
mouth shut
78
Thanks for your attention !!!
kydadebiyi_at_yahoo.com 08033181225