Presented by: Mohamed Samir, CRMA, CICA, CIPA, CFC, Head of Internal Audit, Mashreq Bank - Qatar
Nov 26 -28, 2012
Agenda: Why ERM is important; the COSO framework; corporate governance mandates; the proactive role of internal audit.
- October 16, 2001. Issue: off-balance-sheet accounting and financial reporting fraud. Impact: $3 billion in undisclosed losses.
- June 20, 2002. Issue: financial reporting fraud. Impact: $9 billion in unreported expenses.
- September 2003. Issue: financial reporting fraud and inappropriate consolidation. Impact: $1.6 million in overstated earnings.
- March 28, 2002. Issue: financial reporting fraud and embezzlement. Impact: $2.5 billion of hidden debt.
Today's organizations are concerned about: risk management, corporate governance, internal control, and internal audit (IA) assurance (and consulting).
ERM Defined: “… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO.
Why ERM Is Important: underlying principles
- Every entity, whether for-profit or not, exists to realize value for its stakeholders.
- Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day.
Why ERM Is Important: ERM supports value creation by enabling management to:
- Deal effectively with potential future events that create uncertainty.
- Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.
Why ERM Is Important: Enterprise Risk Management - Integrated Framework. This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.
The ERM Framework: Entity objectives can be viewed in the context of four categories: strategic, operations, reporting, and compliance.
The ERM Framework: ERM considers activities at all levels of the organization: enterprise level; division or subsidiary; business unit; and processes.
ERM Evolving: from risk management (RM) to ERM
- Risk as individual hazards -> Risk in the context of business strategy
- Risk identification and assessment -> Risk "portfolio" development
- Focus on all risks -> Focus on critical risks
- Risk with no owners -> Defined risk responsibilities
- Haphazard risk quantification -> Monitoring and measurement
- "Risk is not my responsibility" -> "Risk is everyone's responsibility"
The ERM Framework Enterprise risk management requires an entity to take a portfolio view of risk.
The ERM Framework: Management considers how individual risks interrelate, and develops a portfolio view from two perspectives: the business unit level and the entity level.
The ERM Framework: The eight components of the framework are interrelated.
Internal Environment
- Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur.
- Establishes the entity's risk culture.
- Considers all other aspects of how the organization's actions may affect its risk culture.
Objective Setting
- Is applied when management considers risk strategy in the setting of objectives.
- Forms the risk appetite of the entity: a high-level view of how much risk management and the board are willing to accept.
- Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite.
Event Identification
- Differentiates risks and opportunities. Events that may have a negative impact represent risks; events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting.
- Involves identifying those incidents, occurring internally or externally, that could affect strategy and the achievement of objectives.
- Addresses how internal and external factors combine and interact to influence the risk profile.
Risk Assessment
- Allows an entity to understand the extent to which potential events might impact objectives.
- Assesses risks from two perspectives: likelihood and impact.
- The time horizon used to assess risks is normally the same one used to measure the related objectives.
- Employs a combination of qualitative and quantitative risk assessment methodologies.
- Assesses risk on both an inherent and a residual basis.
Risk Response
- Identifies and evaluates possible responses to risk.
- Evaluates options in relation to the entity's risk appetite, the cost versus benefit of potential risk responses, and the degree to which a response will reduce impact and/or likelihood.
- Selects and executes the response based on evaluation of the portfolio of risks and responses.
Control Activities
- Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out.
- Occur throughout the organization, at all levels and in all functions.
- Include application and general information technology controls.
Information & Communication
- Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities.
- Communication occurs in a broader sense, flowing down, across, and up the organization.
Monitoring: the effectiveness of the other ERM components is monitored through:
- Ongoing monitoring activities.
- Separate evaluations.
- A combination of the two.
Internal Control: A strong system of internal control is essential to effective enterprise risk management.
Relationship to Internal Control - Integrated Framework
- Expands and elaborates on the elements of internal control as set out in COSO's "control framework."
- Includes objective setting as a separate component; objectives are a "prerequisite" for internal control.
- Expands the control framework's "Financial Reporting" and "Risk Assessment" components.
ERM Roles & Responsibilities (diagram): the board of directors provides management oversight and periodic review; management holds accountability for risks; the assessment is updated on changes in business objectives, changes in systems, and changes in processes.
Risk Analysis / Risk Assessment (diagram): for each assessed risk, the options are to share or transfer it, or to diversify or avoid it.
Source: Business Risk Assessment. 1998. The Institute of Internal Auditors.
Risk Identification Cycle
DETERMINE RISK APPETITE
Risk appetite is the amount of risk — on a broad level — an entity is willing to accept in pursuit of value.
Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (range of acceptable variation).
DETERMINE RISK APPETITE: key questions
- What risks will the organization not accept? (e.g. environmental or quality compromises)
- What risks will the organization take on new initiatives? (e.g. new product lines)
- What risks will the organization accept for competing objectives? (e.g. gross profit vs. market share)
IDENTIFY RISK RESPONSES
- Quantification of risk exposure.
- Options available: accept (monitor); avoid (eliminate, get out of the situation); reduce (institute controls); share (partner with someone, e.g. insurance).
- Residual risk (unmitigated risk, e.g. shrinkage).
- Dashboard of risks and related responses (visual status of where key risks stand relative to risk tolerances).
- Flowcharts of processes with key controls noted.
- Narratives of business objectives linked to operational risks and responses.
- List of key risks to be monitored or used.
- Management understanding of key business risk responsibility and communication of assignments.
- Collect and display information.
- Perform analysis: risks are being properly addressed; controls are working to mitigate risks.
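The response options, residual risk and tolerance dashboard described above, worked through as an added Python example (this is illustrative code written for this page, not code from the presentation, the IIA or COSO). The 1-to-5 likelihood and impact scale, the fractional reductions attributed to controls, the per-category tolerances and the register entries are all constructed assumptions; a real register would draw them from the entity's own risk appetite statement.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed scoring scale and response vocabulary for this illustration.
SCALE = range(1, 6)                                  # 1 (low) .. 5 (high)
RESPONSES = ("accept", "avoid", "reduce", "share")   # accept = monitor, share = e.g. insurance


@dataclass
class Control:
    """A control instituted under a 'reduce' or 'share' response."""
    name: str
    likelihood_cut: float = 0.0   # fraction of likelihood removed, 0..1 (assumed)
    impact_cut: float = 0.0       # fraction of impact removed, 0..1 (assumed)


@dataclass
class Risk:
    name: str
    category: str                 # strategic / operations / reporting / compliance
    likelihood: int
    impact: int
    response: str
    owner: Optional[str] = None   # the "defined risk responsibility"
    controls: list[Control] = field(default_factory=list)


def validate(risk: Risk) -> list[str]:
    """Register defects of the kind the slides warn about (no owner, haphazard quantification)."""
    issues = []
    if risk.likelihood not in SCALE or risk.impact not in SCALE:
        issues.append("likelihood/impact outside the 1..5 scale")
    if risk.response not in RESPONSES:
        issues.append(f"unknown response {risk.response!r}")
    if risk.owner is None:
        issues.append("risk has no owner")
    if risk.response in ("reduce", "share") and not risk.controls:
        issues.append(f"'{risk.response}' response recorded without a control")
    return issues


def inherent_score(risk: Risk) -> int:
    """Likelihood x impact before any response (inherent basis)."""
    return risk.likelihood * risk.impact


def residual_score(risk: Risk) -> float:
    """Likelihood x impact after the chosen response (residual basis)."""
    if risk.response == "avoid":          # exposure eliminated
        return 0.0
    likelihood, impact = float(risk.likelihood), float(risk.impact)
    for c in risk.controls:               # 'accept' has no controls: score unchanged
        likelihood *= 1.0 - c.likelihood_cut
        impact *= 1.0 - c.impact_cut
    return round(likelihood * impact, 2)


def dashboard(risks: list[Risk], tolerance: dict[str, float]) -> list[dict]:
    """One row per risk: where it stands relative to its category's tolerance."""
    rows = []
    for r in risks:
        issues = validate(r)
        residual = residual_score(r)
        limit = tolerance[r.category]
        if issues:
            state = "defective"           # not trustworthy until the register entry is fixed
        elif residual > limit:
            state = "outside tolerance"   # needs a stronger response or escalation
        else:
            state = "within tolerance"
        rows.append({"name": r.name, "owner": r.owner, "response": r.response,
                     "inherent": inherent_score(r), "residual": residual,
                     "tolerance": limit, "state": state, "issues": issues})
    return rows


# Constructed sample tolerances and register (assumptions, not data from the presentation).
TOLERANCE = {"strategic": 10, "operations": 6, "reporting": 8, "compliance": 2}


def example_register() -> list[Risk]:
    return [
        Risk("Payment fraud", "operations", 4, 5, "reduce", "Head of Payments",
             [Control("dual authorisation", likelihood_cut=0.5),
              Control("per-transaction limits", impact_cut=0.6)]),
        Risk("Financial misstatement", "reporting", 3, 5, "reduce", "CFO",
             [Control("independent close review", likelihood_cut=0.4)]),
        Risk("Unlicensed product line", "compliance", 2, 5, "avoid", "Head of Compliance"),
        Risk("Critical vendor outage", "operations", 3, 3, "share"),   # no owner, no control
    ]


if __name__ == "__main__":
    for row in dashboard(example_register(), TOLERANCE):
        print(f"{row['name']:<26} inherent={row['inherent']:>2} residual={row['residual']:>5} "
              f"limit={row['tolerance']:>2} {row['state']} {row['issues']}")
```

Running the block prints one dashboard row per risk. The register entry with no owner and no recorded control is reported as defective rather than scored, which is the "risk with no owners" and "haphazard risk quantification" failure mode of the earlier slide; the reporting risk still scores above its tolerance after its control, so the dashboard shows it as outside tolerance and in need of a stronger response.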
Corporate Governance: The IIA definition is: "The combination of processes and structures implemented by the board to inform, direct, manage, and monitor/oversee the activities of the organization toward the achievement of its objectives."
Corporate Governance: Governance Process. The governance process is the way the organization chooses to conduct its affairs (using various legal forms, structures, strategies, and procedures) to meet the following responsibilities:
- Complies with society's legal and regulatory rules.
- Satisfies the generally accepted business norms, ethical precepts, and social expectations of society.
- Provides overall benefit to society and enhances the interests of the specific stakeholders in both the long and short term.
- Reports fully and truthfully to its owners, regulators, other stakeholders, and the general public (but not to competitors) to ensure accountability for its decisions, actions, conduct, and performance.
Corporate Governance Principles: the Principles of Corporate Governance issued by the Organisation for Economic Co-operation and Development (OECD) in May 1999.
- The corporate governance framework should promote transparent and efficient markets, be consistent with the rule of law and clearly articulate the division of responsibilities among different supervisory, regulatory and enforcement authorities.
- The corporate governance framework should protect and facilitate the exercise of shareholders' rights.
- The corporate governance framework should ensure the equitable treatment of all shareholders, including minority and foreign shareholders. All shareholders should have the opportunity to obtain effective redress for violation of their rights.
- The corporate governance framework should recognize the rights of stakeholders established by law or through mutual agreements and encourage active cooperation between corporations and stakeholders in creating wealth, jobs, and the sustainability of financially sound enterprises.
- The corporate governance framework should ensure that timely and accurate disclosure is made on all material matters regarding the corporation, including the financial situation, performance, ownership, and governance of the company.
- The corporate governance framework should ensure the strategic guidance of the company, the effective monitoring of management by the board, and the board's accountability to the company and the shareholders.
Setting the Scene: Corporate Governance & Risk Management
From a corporate governance perspective, a primary responsibility of the board is to look after the interests of the shareholders. The board also needs to be on the alert for any conflict that may arise between the interest of management in assuming risks and the interests of the company's shareholders. This kind of conflict of interest is often referred to in the academic literature as an "agency risk". Such a conflict can easily arise if, for example, executives are rewarded with options that they can cash in if the share price of the company rises above a certain level for a short time.
Such an arrangement gives management an incentive to push the share price up. For example, management might encourage business lines to earn short-term rewards in exchange for assuming long-term risks. By the time the chickens come home to roost, managers may well have picked up their bonuses or even changed jobs.
This all explains why it is becoming difficult to draw a line between corporate governance and risk management, and we can see some clear effects of this at an organizational level. For example, over the last few years, many corporations have created the role of Chief Risk Officer (CRO). A key duty of the new CRO is often to act as a senior member of the management committee and to attend board meetings regularly. The board and the management committee look to the CRO to integrate corporate governance responsibilities with the risk function's existing market, credit, operational and business risk responsibilities.
True Risk Governance
The primary responsibility of the board is to ensure that:
- It develops a clear understanding of the bank's business strategy and the fundamental risks and rewards that this implies.
- Risks are made transparent to managers and to stakeholders through adequate internal and external disclosure, and it characterizes an appropriate "risk appetite" for the firm.
- In order to fulfil its risk governance role, the bank has put in place an effective risk management program that is consistent with these fundamental strategic and risk appetite choices.
- Effective procedures, policies, methodologies and infrastructure are in place for identifying, assessing and managing all types of risk, i.e. business risk, operational risk, market risk, liquidity risk and credit risk.
An effective board will also establish strong ethical standards. The board has a critical responsibility to make sure that the way staff are rewarded and compensated is aligned with the shareholders' interests.
The board should ensure that the information it obtains about risk management is accurate and reliable. Directors should demonstrate healthy skepticism and require information from a cross-section of knowledgeable and reliable sources, such as the CEO, senior management, and internal and external auditors. Directors should be prepared to ask tough questions, and they should make themselves able to understand the answers.
The duty of the board is not, however, to undertake risk management on a day-to-day basis, but to make sure that all the mechanisms used to delegate risk management decisions are functioning properly.
Committees and Risk Limits: The committees help to translate the overall risk appetite of the bank, approved by the board, into a set of limits that flow down through the bank's executive officers and business divisions. All banks, for example, should have a credit-risk management committee to keep an eye on credit-risk reporting, as well as a system of credit-risk limits.
Audit Committee of the BOD
The role of the audit committee of the board is critical to the board's oversight of the bank. The audit committee is responsible not only for the accuracy of the bank's financial and regulatory reporting, but also for ensuring that the bank complies with minimum or best-practice standards, such as regulatory, legal, compliance and risk management activities. It must also be satisfied that the company has adequately addressed the risk that the financial statements may be materially misstated. Audit committee members are now required to be financially literate, so that they can carry out their duties.
The audit committee's duties involve overseeing the quality of the processes that underpin financial reporting, regulatory compliance, internal control and risk management. The audit committee members should bring the right mix of knowledge, judgment, independence, integrity, and commitment. In most banks, a non-executive director leads the audit committee.
Risk Management Committee of the BOD: the scope and objectives of the RMC are as follows.
To learn:
- The challenges in the organization.
- Best practices and international standards. The risk committee of the board must receive presentations and other information to understand the significant risks to which the organization is exposed.
To understand the risks and to establish the risk tolerance:
- To learn, understand and approve significant risk management principles recommended by management.
- To ensure that business is conducted in accordance with the laws, regulations and adopted codes of the countries in which the organization operates, with zero tolerance for failure to identify and escalate breaches of these obligations.
To approve risk management policies:
- To ensure policies and procedures are in place to identify, evaluate, measure and manage the significant risks to which the organization is exposed.
To oversee the Risk Management Department:
- To review and approve the mandates of the Risk Management Department and the Chief Risk Officer at least annually.
- To ensure that the Risk Management Department has adequate resources and independence to perform its responsibilities.
- To review and approve the Risk Management Department budget and resource plan, and to assess the adequacy of the plan.
- To confirm the appointment and dismissal of the Chief Risk Officer.
- To assess the effectiveness of the Risk Management Department and the Chief Risk Officer.
- To discuss with the Chief Risk Officer risk issues and the relationship and interaction between the Risk Management Department and senior management, the internal audit division, the external auditors and the supervisors.
To monitor:
- To obtain reasonable assurance that the risk management policies for significant risks are effective and efficient.
- To review significant exposures to risks.
- To review the exceptions to risk principles.
- To conduct investigations.
To inform the Board:
- About the risk impact of any strategic decision.
- About the risks, and whether these risks are over the risk appetite of the
Roles and responsibilities in practice. Example: market risk authorities delegation (diagram)
- Risk Committee of the BOD: approves the market-risk tolerance each year; delegates authority to the Senior Risk Committee.
- Senior Risk Committee. Step 1: approves market-risk tolerance, stress and performance limits each year; reviews business unit mandates and new business initiatives. Step 2: delegates authority to the CRO and holds a reserve; additional authority is approved by the Risk Committee of the BOD.
- Chief Risk Officer: holds a reserve (say 10%) and delegates risk limits to the heads of business; responsible for independent monitoring of limits.
- Heads of business: share responsibility for the risk of all trading activities; delegate limits to the business unit managers.
- Business unit manager: responsible for the risk and performance of the business; must ensure limits are delegated to traders.
Best Practices
- Open communication between the audit committee and the risk committee.
- The chair of the audit committee should be a member of the risk committee, or be entitled to receive notice of and attend as an observer each meeting of the risk committee and receive the materials for each meeting of the risk committee.
- The chair of the risk committee should be a member of the audit committee, or be entitled to receive notice of and attend as an observer each meeting of the audit committee and receive the materials for each meeting of the audit committee.
- No member of the committee may be an officer or retired officer.
- Every member of the risk committee should be independent of the
- The committee meets regularly without management present.
- Every member of the risk committee should have an understanding of issues related to risk management, or related business experience.
- Every member of the risk committee should enhance their familiarity with risk management issues by participating in educational programs.
- The risk committee should meet at least four times annually, or more frequently as circumstances dictate.
- The risk committee should meet separately with the head of the risk management department at each regularly scheduled meeting, and with other members of management.
Internal Auditors
- Play an important role in monitoring ERM, but do NOT have primary responsibility for its implementation or maintenance.
- Assist management and the board or audit committee in the process by monitoring, evaluating, examining, reporting, and recommending improvements.
Internal auditors can add proactive value by:
- Reviewing critical control systems and risk management processes.
- Performing an effectiveness review of management's risk assessments and the internal controls.
- Providing advice in the design and improvement of control systems and risk mitigation strategies.
- Implementing a risk-based approach to planning and executing the internal audit process.
- Ensuring that internal auditing's resources are directed at those areas most important to the organization.
- Challenging the basis of management's risk assessments and evaluating the adequacy and effectiveness of risk treatment strategies.
- Facilitating ERM workshops.
- Defining risk tolerances where none have been identified, based on internal auditing's experience, judgment, and consultation with management.
2010.A1 – The internal audit activity’s plan of engagements should be based on a risk assessment, undertaken at least annually.
2120.A1 – Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization’s governance, operations, and information systems.
2210.A1 – When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment.
Internal Audit & Corporate Governance: The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
- Promoting appropriate ethics and values within the organization.
- Ensuring effective organizational performance management and accountability.
- Communicating risk and control information to appropriate areas of the organization.
- Coordinating the activities of, and communicating information among, the board, external and internal auditors, and management.