
Presented by: Mohamed Samir, CRMA, CICA, CIPA, CFC, Head of Internal Audit, Mashreq Bank - Qatar

Nov 26 -28, 2012

- Why ERM is important
- COSO framework
- Corporate governance mandates
- Internal audit proactive role

Major scandals

October 16, 2001
Issue: Off-balance sheet accounting and financial reporting fraud
Impact: $3 billion in undisclosed losses

June 20, 2002
Issue: Financial reporting fraud
Impact: $9 billion in unreported expenses

September 2003
Issue: Financial reporting fraud and inappropriate consolidation
Impact: $1.6 million in overstated earnings

March 28, 2002
Issue: Financial reporting fraud and embezzlement
Impact: $2.5 billion of hidden debt

Today's organizations are concerned about:
- Risk Management
- Corporate Governance
- Internal Control
- IA Assurance (and Consulting)

ERM Defined: “… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO.

Why ERM Is Important

Underlying principles:
- Every entity, whether for-profit or not, exists to realize value for its stakeholders.
- Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day.

Why ERM Is Important

ERM supports value creation by enabling management to:
- Deal effectively with potential future events that create uncertainty.
- Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.

Why ERM Is Important

Enterprise Risk Management — Integrated Framework: this COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.

The ERM Framework

Entity objectives can be viewed in the context of four categories:
- Strategic
- Operations
- Reporting
- Compliance

The ERM Framework

ERM considers activities at all levels of the organization:
- Enterprise level
- Division or subsidiary
- Business unit processes

ERM Evolving: From RM to ERM

From RM                               To ERM
Risk as individual hazards            Risk in the context of business strategy
Risk identification and assessment    Risk "portfolio" development
Focus on all risks                    Focus on critical risks
Risk mitigation                       Risk optimization
Risk limits                           Risk strategy
Risk with no owners                   Defined risk responsibilities
Haphazard risk quantification         Monitoring and measurement
Risk is not my responsibility         Risk is everyone's responsibility

The ERM Framework

Enterprise risk management requires an entity to take a portfolio view of risk.
- Management considers how individual risks interrelate.
- Management develops a portfolio view from two perspectives:
  - Business unit level
  - Entity level

The ERM Framework

The eight components of the framework are interrelated.

Internal Environment
- Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur.
- Establishes the entity's risk culture.
- Considers all other aspects of how the organization's actions may affect its risk culture.

Objective Setting
- Is applied when management considers risk strategy in the setting of objectives.
- Forms the risk appetite of the entity — a high-level view of how much risk management and the board are willing to accept.
- Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite.

Event Identification
- Differentiates risks and opportunities.
- Events that may have a negative impact represent risks.
- Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting.
- Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives.
- Addresses how internal and external factors combine and interact to influence the risk profile.

Risk Assessment
- Allows an entity to understand the extent to which potential events might impact objectives.
- Assesses risks from two perspectives:
  - Likelihood
  - Impact
- Is used to assess risks and is normally also used to measure the related objectives.
- Employs a combination of both qualitative and quantitative risk assessment methodologies.
- Assesses risk on both an inherent and a residual basis.

Risk Response
- Identifies and evaluates possible responses to risk.
- Evaluates options in relation to the entity's risk appetite, cost vs. benefit of potential risk responses, and the degree to which a response will reduce impact and/or likelihood.
- Selects and executes a response based on evaluation of the portfolio of risks and responses.

Control Activities
- Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out.
- Occur throughout the organization, at all levels and in all functions.
- Include application and general information technology controls.

Information & Communication
- Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities.
- Communication occurs in a broader sense, flowing down, across, and up the organization.

Monitoring

Effectiveness of the other ERM components is monitored through:
- Ongoing monitoring activities.
- Separate evaluations.
- A combination of the two.

Internal Control

A strong system of internal control is essential to effective enterprise risk management.

Relationship to Internal Control — Integrated Framework
- Expands and elaborates on elements of internal control as set out in COSO's "control framework."
- Includes objective setting as a separate component. Objectives are a "prerequisite" for internal control.
- Expands the control framework's "Financial Reporting" and "Risk Assessment."

ERM Roles & Responsibilities
- The board of directors
- Risk officers
- Internal auditors

Management Oversight & Periodic Review
- Accountability for risks
- Updates:
  - Changes in business objectives
  - Changes in systems
  - Changes in processes

[Diagram: risk management cycle with the labels Risk Analysis, Risk Assessment, Risk Management and Risk Monitoring, and the risk responses by level: Control It (Process Level), Share or Transfer It (Activity Level), Diversify or Avoid It (Entity Level).]

Source: Business Risk Assessment. 1998 – The Institute of Internal Auditors

Risk Identification Cycle

Risk appetite is the amount of risk — on a broad level — an entity is willing to accept in pursuit of value.
- Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (range of acceptable variation).
- What risks will the organization not accept? (e.g. environmental or quality compromises)
- What risks will the organization take on new initiatives? (e.g. new product lines)
- What risks will the organization accept for competing objectives? (e.g. gross profit vs. market share)

Quantification of risk exposure
- Options available:
  - Accept = monitor
  - Avoid = eliminate (get out of the situation)
  - Reduce = institute controls
  - Share = partner with someone (e.g. insurance)
- Residual risk (unmitigated risk – e.g. shrinkage)

Communicate Results
- Dashboard of risks and related responses (visual status of where key risks stand relative to risk tolerances)
- Flowcharts of processes with key controls noted
- Narratives of business objectives linked to operational risks and responses
- List of key risks to be monitored or used
- Management understanding of key business risk responsibility and communication of assignments

Monitor
- Collect and display information
- Perform analysis:
  - Risks are being properly addressed
  - Controls are working to mitigate risks

Corporate Governance

The IIA definition is: the combination of processes and structures implemented by the board to inform, direct, manage, and monitor/oversee the activities of the organization toward the achievement of its objectives.

Corporate Governance

Governance process: the way that the organization chooses to conduct its affairs (the organization uses various legal forms, structures, strategies, and procedures) to meet the responsibilities below.
- Complies with society's legal and regulatory rules.
- Satisfies the generally accepted business norms, ethical precepts, and social expectations of society.
- Provides overall benefit to society and enhances the interests of the specific stakeholders in both the long and short term.
- Reports fully and truthfully to its owners, regulators, other stakeholders, and the general public ("but not the competitors") to ensure accountability for its decisions, actions, conduct, and performance.

Corporate Governance Principles

The principles of corporate governance issued by the Organization for Economic Co-operation and Development (OECD) in May 1999:
- The corporate governance framework should promote transparent and efficient markets, be consistent with the rule of law and clearly articulate the division of responsibilities among different supervisory, regulatory and enforcement authorities.
- The corporate governance framework should protect and facilitate the exercise of shareholders' rights.
- The corporate governance framework should ensure the equitable treatment of all shareholders, including minority and foreign shareholders. All shareholders should have the opportunity to obtain effective redress for violation of their rights.
- The corporate governance framework should recognize the rights of stakeholders established by law or through mutual agreements and encourage active cooperation between corporations and stakeholders in creating wealth, jobs, and the sustainability of financially sound enterprises.
- The corporate governance framework should ensure that timely and accurate disclosure is made on all material matters regarding the corporation, including the financial situation, performance, ownership, and governance of the company.
- The corporate governance framework should ensure the strategic guidance of the company, the effective monitoring of management by the board, and the board's accountability to the company and the shareholders.

Setting the Scene – Corporate Governance & Risk Management

From a corporate governance perspective, a primary responsibility of the board is to look after the interests of the shareholders.

The board also needs to be on the alert for any conflict that may arise between the interest of management in assuming risks and the interests of the company's shareholders. This kind of conflict of interest is often referred to in the academic literature as an "agency risk". Such a conflict of interest can easily happen if, for example, executives are rewarded with options that they can cash in if the share price of the company rises above a certain level for a short time.
- Such an arrangement gives management an incentive to push the share price up. For example, management might encourage business lines to earn short-term rewards in exchange for assuming long-term risks. By the time the chickens come home to roost, managers may well have picked up their bonuses or even changed jobs.
- This all explains why it is becoming difficult to draw a line between corporate governance and risk management, and we can see some clear effects of this at an organizational level. For example, over the last few years, many corporations have created the role of Chief Risk Officer (CRO). A key duty of the new CRO is often to act as a senior member of the management committee and attend board meetings regularly. The board and the management committee look to the CRO to integrate corporate governance responsibilities with the risk function's existing market, credit, operational and business risk responsibilities.

True Risk Governance

The primary responsibility of the board is to ensure that:
- It develops a clear understanding of the bank's business strategy and the fundamental risks and rewards that this implies.
- Risks are made transparent to managers and to stakeholders through adequate internal and external disclosure, and it must characterize an appropriate "risk appetite" for the firm.
- In order to fulfill its risk governance role, the bank has put in place an effective risk management program that is consistent with these fundamental strategic and risk appetite choices.
- Effective procedures, policies, methodologies and infrastructure are in place for identifying, assessing and managing all types of risks, i.e. business risk, operational risk, market risk, liquidity risk and credit risk.

True Risk Governance
- An effective board will also establish strong ethical standards.
- The board has a critical responsibility to make sure that the way staff are rewarded and compensated is aligned with the shareholders' interests.
- The board should ensure that the information it obtains about risk management is accurate and reliable. Directors should demonstrate healthy skepticism and require information from a cross section of knowledgeable and reliable sources, such as the CEO, senior management, and internal and external auditors.
- Directors should be prepared to ask tough questions, and they should make themselves able to understand the answers.
- The duty of the board is not, however, to undertake risk management on a day-to-day basis, but to make sure that all the mechanisms used to delegate risk management decisions are functioning properly.

Committees and Risk Limits

The committees help to translate the overall risk appetite of the bank, approved by the board, into a set of limits that flow down through the bank's executive officers and business divisions. All banks, for example, should have a credit-risk management committee to keep an eye on credit-risk reporting, as well as a system of credit-risk limits.

Audit Committee of the BOD
- The role of the Audit Committee of the board is critical to the board's oversight of the bank.
- The audit committee is responsible not only for the accuracy of the bank's financial and regulatory reporting, but also for ensuring that the bank complies with minimum or best-practice standards, such as regulatory, legal, compliance and risk management activities. It must also be satisfied that the company has adequately addressed the risk that the financial statements (FS) may be materially misstated.
- Audit committee members are now required to be financially literate, so that they can carry out their duties.
- The audit committee's duties involve overseeing the quality of the processes that underpin financial reporting, regulatory, compliance, internal control and risk management.
- The audit committee members should have the right mix of knowledge, judgment, independence, integrity, and commitment.
- In most banks, a nonexecutive director leads the audit committee.

Risk Management Committee of the BOD

The scope and objectives of the RMC are as follows:

To learn:
A. The challenges in the organization
B. Best practices and international standards
The Risk Committee of the Board must receive presentations and other information to understand the significant risks to which the organization is exposed.

To understand the risks and to establish the risk tolerance: to learn, understand and approve significant risk management principles recommended by management.

To ensure that business is conducted in accordance with the laws, regulations and adopted codes of the countries in which the organization operates, and that there is zero tolerance for failure to identify and escalate breaches of these obligations.

To approve risk management policies: to ensure policies and procedures are in place to identify, evaluate, measure and manage the significant risks to which the organization is exposed.

To oversee the Risk Management Department:
- To review and approve the mandates of the Risk Management Department and the Chief Risk Officer at least annually.
- To ensure that the Risk Management Department has adequate resources and independence to perform its responsibilities.
- To review and approve the Risk Management Department budget and resource plan, and to assess the adequacy of the plan.
- To confirm the appointment and dismissal of the Chief Risk Officer.
- To assess the effectiveness of the Risk Management Department and Chief Risk Officer.
- To discuss with the Chief Risk Officer risk issues and the relationship and interaction between the Risk Management Department and senior management, the internal audit division, the external auditors and the supervisors.

To monitor:
- To obtain reasonable assurance that the risk management policies for significant risks are effective and efficient.
- To review significant exposures to risks.
- To review the exceptions to risk principles.
- To conduct investigations.

To inform the Board:
- About the risk impact of any strategic decision
- About the risks, and whether these risks are over the risk appetite of the


Roles and responsibilities in practice

Example: Market Risk Authorities Delegation (diagram)
- Risk Committee of the BOD: approves market-risk tolerance each year; delegates authority to the Senior Risk Committee.
  Step 1: Approves market-risk tolerance, stress and performance limits each year; reviews business unit mandates and new business initiatives.
- Senior Risk Committee: delegates authority to the CRO.
  Step 2: Delegates authority to the CRO and holds in reserve; additional authority is approved by the Risk Committee of the BOD.
- Chief Risk Officer: holds a reserve (say 10%) and delegates risk to Heads of Business; responsible for independent monitoring of limits.
- Heads of Business: delegate to Business Unit Managers; share responsibility for risk of all trading activities.
- Business Unit Manager: responsible for risk and performance of the business; must ensure limits are delegated to traders.

Best Practices
- Open communication between the Audit Committee and the Risk Committee.
- It is good for the Chair of the Audit Committee to be a member of the Risk Committee, or to be entitled to receive notice of and attend as an observer each meeting of the Risk Committee, and to receive the materials for each meeting of the Risk Committee.
- It is good for the Chair of the Risk Committee to be a member of the Audit Committee, or to be entitled to receive notice of and attend as an observer each meeting of the Audit Committee, and to receive the materials for each meeting of the Audit Committee.
- No member of the Committee may be an officer or retired officer.
- It is good for every member of the Risk Committee to be independent of the

Best Practices
- The Committee meets regularly without management present.
- Every member of the Risk Committee should have an understanding of issues related to risk management, or related business experience.
- Every member of the Risk Committee should enhance their familiarity with risk management issues by participating in educational programs.
- The Risk Committee should meet at least four times annually, or more frequently as circumstances dictate.
- The Risk Committee should meet separately with the head of the risk management department, and with other members of management, at each regularly-scheduled meeting.

Internal Auditors
- Play an important role in monitoring ERM, but do NOT have primary responsibility for its implementation or maintenance.
- Assist management and the board or audit committee in the process by:
  - Monitoring
  - Evaluating
  - Examining
  - Reporting
  - Recommending improvements

Internal auditors can add proactive value by:
- Reviewing critical control systems and risk management processes.
- Performing an effectiveness review of management's risk assessments and the internal controls.
- Providing advice in the design and improvement of control systems and risk mitigation strategies.
- Implementing a risk-based approach to planning and executing the internal audit process.
- Ensuring that internal auditing's resources are directed at those areas most important to the organization.
- Challenging the basis of management's risk assessments and evaluating the adequacy and effectiveness of risk treatment strategies.
- Facilitating ERM workshops.
- Defining risk tolerances where none have been identified, based on internal auditing's experience, judgment, and consultation with management.

IIA Standards
- 2010.A1 – The internal audit activity's plan of engagements should be based on a risk assessment, undertaken at least annually.
- 2120.A1 – Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems.
- 2210.A1 – When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment.

Internal Audit & Corporate Governance

The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
- Promoting appropriate ethics and values within the organization;
- Ensuring effective organizational performance management and accountability;
- Communicating risk and control information to appropriate areas of the organization;
- Coordinating the activities of and communicating information among the board, external and internal auditors and management.

Thanks Q&A