Aligning Assurance Activities

Aligning Assurance Activities. The Audit Committees' Oversight Role. 18 November 2008. Gillian Russell. 1st Line of Defence. 2nd Line of Defence. 3rd Line of Defence. Business Lines. Audit Functions. Compliance & Legal. Business control activities. Operational Risk Management.


Presentation Transcript


  1. Aligning Assurance Activities. The Audit Committees' Oversight Role. 18 November 2008. Gillian Russell.

  2. Traditional Approach to Risk Assurance
     [Diagram: 1st Line of Defence, 2nd Line of Defence, 3rd Line of Defence. Labels: Business Lines; Audit Functions; Compliance & Legal; Business control activities; Operational Risk Management; Security, Investigations etc]
     • The traditional approach is to operate within a three lines of defence framework, with the roles and responsibilities for risk assurance separately defined for operational risk, compliance and internal audit.
     • Common Issues with the Traditional Approach:
       • There is an increased likelihood of gaps in and/or duplication of risk assurance activities within organisations, as there is no single point of coverage assessment. This often generates significant additional costs and can also negatively impact business revenues through repeated disruption.
       • Due to increased levels of regulation and senior management control responsibilities, the size and scale of individual functions have increased, typically built up on a relatively siloed basis.
       • Lack of a single point of risk assurance planning makes it difficult to align risk assurance strategy with the desired tolerances and board strategy of the organisation.
       • Lack of alignment in risk assurance activities can lead to mixed communications with external parties such as external auditors and regulators, which could lead to rework and damage to reputation.

  3. Areas of Potential Functional Overlap
     • There are a number of candidate processes across the functions that provide the potential for alignment through Audit Committee initiatives.
     [Table headings: Processes; ORM; Compliance; Internal Audit; Potential Overlaps. Also shown: Process, System, People]
     • Policy Management: Often policy management, including policy creation, distribution, maintenance and attestation, is siloed within each of the functions.
     • Monitoring/Assurance: There is often duplication of monitoring across ORM, Compliance and Internal Audit. Information for assurance is often created more than once and not leveraged across the functions.
     • Risk Assessment: Risk assessments are often made by all three areas and are neither coordinated nor feed from one another. It can be difficult to compare like with like.
     • Governance & Reporting: Often multiple and/or unclear reporting lines, with risk and control related reports presented with different messages / using different languages to different audiences.
     • Issue Management: There are often separate systems for documenting and tracking issues for each function, reducing the ease of coordination between functions in ensuring risks are addressed.
     • Investigations: Corporate special investigations, audit investigations and compliance investigations are often around similar matters, yet there is no clear ownership or common process and systems.
     • Regulatory Relationship Mgmt: There can be multiple reporting lines and relationships into regulators across finance, risk and compliance. It can be difficult to obtain a central view.
     • Regulatory Projects: Many regulatory developments require expert input from many of the risk and control functions. Often these groups approach this in a silo fashion, including training and awareness of the regulatory landscape.

  4. Developing the Risk Assurance Model
     • Organisations are starting to review more holistically the roles and responsibilities of the risk assurance functions.
     [Diagram: 1st Line of Defence, 2nd Line of Defence, 3rd Line of Defence. Labels: Business Lines; Audit Functions; Compliance & Legal; Business control activities; Operational Risk Management; Security, Investigations etc]
     Audit Committee, Board & Governance
     • Increased scrutiny of risk assurance activities within the organisation and frustration with recurring issues emerging
     • Desire to align assurance activities to strategy and business objectives to get the most value out of investment in this area
     • Demand for more of a coherent ‘top down’ view of risk assurance and improved reporting of emerging issues
     ORM
     • Consolidation and linkage of roles and responsibilities with compliance.
     • Development of single risk assessment process and systems in alliance with compliance.
     Business
     • Embedding of risk and compliance culture within the organisation
     • Increased responsibility/accountability for risk management and control
     • Embedding of risk and compliance controls, automated KRIs and risk data collection into the day to day operations
     • Alignment of business plans to the risk appetite of the organisation.
     • Capital efficiency playing greater role in defining business strategy.
     • Increase of controls self assessment and business attestation processes
     • Rationalisation of the number of controls
     Internal Audit
     • More ‘top down’ approach to planning
     • Risk based approach involving leverage of information from the 2nd line of defence
     • Increased reliance on / testing of 2nd line of defence activities
     • More sophisticated responses, e.g. continuous monitoring of control effectiveness
     • ‘BAU’ audit testing integrated with external audit activity
     Compliance
     • Consolidation and linkage of roles and responsibilities with ORM.
     • Development of single risk assessment process and systems in alliance with ORM.
     Diagram callouts
     • KRIs and loss data captured by the business highlight risk hotspots, thus reducing the labour intensiveness required in the risk assessment and monitoring process
     • Reduced staffing requirement for risk assessment and assurance through leveraging the 2nd line risk assessments, reporting and review activity
     • Reduced staffing requirement for monitoring through adoption of a more risk based approach
     • Reduced staffing requirement for risk assessment through alignment of risk assessment processes
     • Compliance take on more of an advisory role

  5. Member of Deloitte Touche Tohmatsu
