This document provides background information on David S K Leong and his experience in risk management and internal auditing. It discusses Leong's career history working in risk management, internal audit, and compliance roles for several large banks in Malaysia over 35 years. The document also outlines some key risk management challenges organizations often face and provides guidance on establishing an effective enterprise-wide risk management program, including integrating it with internal audit and focusing on the most significant risks.
This document provides a summary of recent developments from COSO related to internal control and risk management. It discusses the history and mission of COSO, focusing on its work updating the internal control framework in 2013 and efforts to enhance enterprise risk management. The key points are:
1) COSO was formed in 1985 and its mission is to provide frameworks and guidance on internal control, enterprise risk management, and fraud deterrence.
2) It updated its internal control framework in 2013 to reflect changes in business environments and expanded its focus beyond financial reporting to also cover operations and compliance objectives.
3) COSO has also worked to enhance enterprise risk management through a series of thought papers addressing challenges with implementation and emerging risks.
Presentation by Vincent Tophoff, IFAC Senior Technical Manager and J. Stephen McNally, Campbell Soup Company Finance Director and Comptroller at the IMA Annual Conference and Exposition, June 2014
The document discusses COSO's Enterprise Risk Management Integrated Framework, which provides guidance on establishing an effective enterprise risk management process. It defines the components of ERM, including internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring. The framework is designed to help organizations effectively manage risk and support the achievement of their objectives.
Presentation by Vincent Tophoff, IFAC Senior Technical Manager, and J. Stephen McNally, Campbell Soup, on the pitfalls in current risk management and internal control practices and the new Internal Control-Integrated Framework from COSO (the Committee of Sponsoring Organizations of the Treadway Commission).
The document discusses COSO's Enterprise Risk Management framework. It defines ERM and explains why it is important for managing risks and uncertainties to achieve organizational objectives. The framework establishes eight components of ERM - internal environment, objective setting, event identification, risk assessment, risk response, control activities, information & communication, and monitoring. It provides guidance on implementing ERM.
This document discusses integrating risk management into management accounting practices. It begins with introductions of the speakers and an overview of the learning objectives for the session, which are to inspire how risk management can benefit work rather than burden it, and to show how risk management is good management when fully embedded. The agenda includes discussing core competencies, moving from separate risk management to building it into daily work, and a case study on coal boilers and sustainability. The document emphasizes that managing risk from the beginning of objective setting and keeping operations agile helps achieve objectives and create value. It concludes with a call to fully integrate risk management in a built-in way on a daily basis.
This document outlines a risk-based audit coaching program led by Tommy Seah. The coaching will help participants understand risk identification, evaluation of internal controls, and audit techniques. It will cover the roles of internal auditors and compliance officers, the audit process, and components of internal control. The coaching uses interactive lectures, discussions, and case studies to facilitate learning. Tommy Seah is an experienced auditor and author who provides in-demand technical training to banks in Asia and Europe on topics like anti-money laundering, operational risk management, and Basel II.
This document summarizes COSO's Enterprise Risk Management - Integrated Framework. It defines ERM as a process run by an organization's board and management to identify potential events, manage risk within the organization's risk appetite, and provide assurance around achieving objectives. The framework identifies 8 components of ERM - internal environment, objective setting, event identification, risk assessment, risk response, control activities, information & communication, and monitoring. It describes how organizations can implement ERM through risk assessments, determining risk appetite, identifying responses, and ongoing monitoring and oversight. Internal auditors can help by reviewing controls and risk processes and ensuring resources target key risk areas.
The audit concluded that Finance Canada has developed an adequate Corporate Risk Profile and established an Integrated Risk Management function in line with guidelines. Some elements of the communication strategy from the Corporate Risk Profile have not been fully implemented. The Department has identified key risks but could improve awareness of risk management practices among staff through better communication.
1) The document discusses enterprise risk management concepts and frameworks. It outlines key risks faced in healthcare such as regulatory risks, operational risks, and reputational risks.
2) An effective risk management program can help organizations avoid surprises, improve governance, and ensure objectives are met without disruptions. The document provides examples of risk organization structures and processes for identification, assessment, and response.
3) Moving forward, the organization will validate risk registers, identify top 15 risks for rigorous management, and review mitigation progress of these risks in monthly leadership meetings. A risk polarization survey will also be conducted regularly.
The document outlines an enterprise risk management (ERM) implementation approach for an organization. It includes an agenda for ERM training that covers foundational concepts, moving from a risk-by-risk approach to a portfolio view of risk, and an overview of the ERM implementation process. It also provides sample risk appetite statements, diagrams of the ERM framework and integration with strategic planning, and discusses the value of taking an ERM approach.
Presenter: Sunder Krishnan - IRDA
Risk Management Strategy
Risk Management Framework
Enhancement and Extension of risk framework across
Support to Risk Based Capital
Rating for ERM (Enterprise Risk Management)
Self Risk Management
Self Risk assessment across functions and decentralization
Facilitation process
Corroborative Risk Management
Automated Risk Management
Quantitative Risk Management tool
Embedding risk management in process, technology and trainings
This document discusses risk assessment and the role of internal auditors in risk management. It explains that the purpose of risk assessment is to identify and analyze risks to understand how they could impact objectives. Internal auditors play an important role in monitoring enterprise risk management by evaluating risks, examining controls, and recommending improvements, but they are not responsible for implementing or maintaining the risk management process. The document also provides an overview of how to conduct an organizational risk assessment, including identifying risk factors, objectives, analyzing risks, and reviewing results with management.
Audit, Audit Committee and Risk Management (Manoj Agarwal)
The document discusses audit, risk management, and the role of the audit committee. It provides definitions of risk, audit, and the audit committee. It outlines the classification of risks into strategic, operational, and compliance risks. It describes the expectations from effective risk management, including avoiding surprises, protecting reputation, and informed decision making. It summarizes the role of the audit committee in overseeing financial reporting, internal controls, and risk management policies.
The document provides a 10-point summary of key changes in the updated Enterprise Risk Management Framework:
1. It introduces a new structure with fewer (five) components and uses examples to emphasize points.
2. It focuses on integrating ERM with business strategy and performance to improve decision-making.
3. It emphasizes value creation and risk management's role in achieving objectives and strategy.
Proposal: risk-based internal audit 2013 (Nidhi Gupta)
This document provides information on Riskpro India, which offers risk management, compliance, and audit services. It summarizes Riskpro's background, mission, value proposition, differentiators, network presence, commitment to clients, and fees. Riskpro has offices in major Indian cities and over 200 cumulative years of experience among its professionals. It aims to provide integrated risk management solutions and be the preferred GRC provider for mid-large clients. Key differentiators include its focus on risk management and ability to take on large, complex projects. Resumes of key team members are also included, demonstrating experience with international firms and across various industries.
The ROGB develops guidance materials for boards of directors and senior officers on enterprise risk oversight, not risk management. Its goal is to offer unique support for directors to support management's activities. Twelve years ago, it began publishing the 20 Questions series, which addresses important subjects for directors by posing concise and practical questions. A brief summary and recommended practices are provided for each question. In 2012, it published A Framework for Board Oversight of Enterprise Risk to support management frameworks and provide a prescriptive approach. Feedback from directors was very positive that it was a unique and usable resource, while risk managers wanted it to provide more support. The ROGB aims to support international risk oversight efforts and ensure its director materials are aligned with risk
FORUM 2013: How to embed risk management as a strategic activity (FERMA)
This document summarizes a presentation on embedding risk management as a strategic activity. It discusses Solvay, a global chemicals company, and FM Global, a commercial property insurer. The agenda includes examples of how companies gained advantages from risk management during disasters. It also outlines Solvay's enterprise risk management process and how executive support is needed to embed risk management. Tips are provided on integrating risk management in strategy and strategy in risk management. The presentation emphasizes that risk is inherent in business success when managed properly.
The document discusses risk-based internal auditing (RBIA) and its key concepts. RBIA requires internal audit to be strategically linked to an organization's risk management and assurance frameworks. It also discusses applying RBIA methodology to internal audit assignments and linking an organization's risk framework to the stages of RBIA. The document provides information on introducing RBIA to an organization and adapting it based on the organization's structures, processes and risk maturity.
Professional opportunities in Internal Audit (Manoj Agarwal)
The document defines internal audit as an independent function that appraises an entity's operations and suggests improvements to strengthen governance and controls. It discusses the audit universe, scope of internal auditing, and organization lifecycle. Finally, it lists capabilities needed for internal auditors, including knowledge of standards, audit processes, and personal skills like presentation, negotiation, and time management.
Audit committees have highly influential roles in supporting an entity in achieving its defined goals and objectives.
Through its powers, the audit committee is able to meet both the internal and external auditors in the course of its work and becomes the only "intelligent" team with insight into the control issues affecting an entity.
Unfortunately, the audit committees in a number of organizations are not competent enough to execute their roles effectively. EMAC has capacity-building programs for audit committee members geared towards capacitating the committees for effective performance.
This document discusses risk and risk management. It begins with an overview of risk categories and types of organizational risks. It then covers establishing the risk management process, which includes identifying risks, analyzing them, integrating risks, assessing and prioritizing risks, and treating risks. It emphasizes that risk management is an ongoing process that requires monitoring and review. It also discusses risk response options and implementing controls assurance through various lines of defense and independent assurance.
Risk based auditing focuses on inherent risks involved in activities and systems. It provides assurance that risks are managed within defined risk appetite levels set by management and boards of directors. There are three components of risk: inherent risk, control risk, and detection risk. Risk assessment involves quantifying or qualifying estimates of potential loss probabilities for defined situations and recognized threats. The risk assessment process establishes context, identifies risks, analyzes risks, evaluates and prioritizes risks, and addresses risks. Developing a risk-based audit plan considers an organization's business knowledge, transaction complexities and environments, measurement subjectivities, significant transactions and materiality levels, control environments, and overall risk assessments.
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S... (PECB)
The webinar covers:
• The start of any Enterprise Risk Management Program
• The approach to developing a framework that will assist organizations to integrate RM into their enterprise-wide risk management systems
• The relationship between the foundations of the risk management framework and their objectives
Presenter:
This webinar was presented by M. Youssef K, an executive consultant & trainer with several qualifications. He is an accomplished expert with over 10 years’ experience in the field of risk management, project and program management, PRINCE 2, Agile, EVM, business process analysis and design, as well as operational and organizational excellence.
Link of the recorded session published on YouTube: https://youtu.be/9fO-JqENL0I
The document provides guidance for implementing a risk-based approach to anti-money laundering and counter-terrorist financing measures in the banking sector. It outlines key elements of the FATF's risk-based approach, including assessing and understanding money laundering and terrorist financing risks. It provides guidance for banking supervisors on adopting a risk-based approach to supervision. It also provides guidance for banks on conducting risk assessments and implementing risk-based controls, governance and monitoring. The document is intended to help countries, authorities and banks effectively implement a risk-based approach in line with the FATF's recommendations.
The document discusses risk management frameworks and processes. It provides:
1) An overview of risk management, including highlighting risks at the project, program, and portfolio levels.
2) A risk management framework involving establishing context, risk identification, analysis, evaluation, and treatment.
3) Details of risk governance, including risk management plans, risk registers, governance documents, and ongoing and discrete risk activities.
This document provides an overview of a workshop on sustainability hosted by ERM and Dix & Eaton. The agenda covers opportunities and risks of sustainability, getting started with sustainability programs, determining sustainability content, communication opportunities, and the mechanics of sustainability reporting. Key topics discussed include making the business case for sustainability, stakeholder engagement, materiality assessments, and setting goals. Audience members share experiences with sustainability programs and ask questions.
ERM Presentation: BSW Approach & Methodology (steinkamps6)
The document discusses enterprise risk management (ERM) and Brown Smith Wallace's (BSW) approach to ERM. It describes the components of BSW's ERM strategy, which are based on establishing an ERM structure aligned with corporate governance. The components include risk environment, communication, ERM structure/governance, risk assessment, risk mitigation, and monitoring. It then provides more details on each component and BSW's 5-phase ERM project approach.
In this presentation, Director/Principal Consulting Engineer, Damian Connelly provided a concise overview of the health and safety hazards associated with working in a process plant. The legal responsibilities of design and duties of care were explored, alongside the guidelines for safe products and systems, with a view to demonstrate the importance of safety and risk analysis in design
2012 Tax Risk Management - A Framework for implementation - DissertationLeon Jansen van Rensburg
This document presents a framework for tax risk management (TRM) implementation. It begins with background on increased governance standards and the need to include tax risk in overall risk assessments. It then discusses developing a basic TRM framework, including obtaining board approval, establishing a tax function and tax risk committee, and identifying tax risks. The document outlines steps to establish the framework, including defining tax strategy and operations. It also discusses developing a tax control framework to manage various tax risks. The conclusion recommends fully implementing the TRM framework to mitigate tax risks and uncertainties.
This document discusses internal controls and control frameworks. It provides an overview of key internal control concepts, including the importance of computer controls and security. It then summarizes three major control frameworks: COBIT, COSO, and COSO's Enterprise Risk Management (ERM) framework. For each framework, it highlights major elements and compares their approaches to internal controls.
Internal control system of jamuna bank ltd......................................Md Mir Belal
This document discusses internal control systems for Jamuna Bank Limited. It begins by defining internal control and its objectives such as ensuring efficiency, reliability of information, compliance with laws, and accountability. It then outlines key principles of internal control like separation of duties, clear responsibilities, and job rotation. The document also explains the five components of the COSO internal control framework: control environment, risk assessment, control activities, information/communication, and monitoring. Finally, it provides details on internal controls specifically for cash receipts, payments, and security at the bank.
The document discusses COSO (Committee of Sponsoring Organizations of the Treadway Commission), an internal control framework that auditors use to assess clients' internal controls. It describes the five components of COSO - control environment, risk assessment, control activities, information and communication, and monitoring. The document also discusses how COSO fits into the audit process and provides an overview of COSO 2, which incorporates enterprise risk management.
El documento describe los conceptos básicos del COSO ERM y su proceso de implementación. Explica que el COSO ERM requiere el apoyo de la alta gerencia, la preparación de un equipo líder, el desarrollo de una visión de gestión de riesgos corporativos, un diagnóstico de la situación actual, el desarrollo de un plan de implementación y la gestión del cambio. Además, detalla los componentes del COSO ERM como la filosofía de gestión de riesgos, la cultura de riesgo, el consejo
This document discusses internal controls over financial reporting (ICFR) and the COSO 2013 framework. It notes that ICFR deficiencies continue to be a frequent audit finding for the PCAOB. The document then provides examples of how the 17 principles within the 5 COSO components could be applied through specific controls related to areas like governance, the control environment, management structure and hiring practices. The controls are meant to illustrate how the COSO framework addresses ICFR. It aims to help improve existing controls or implement a more robust control system.
Internship Report on Deposit and Investment Management of Al-Arafah Islami Ba...Siyam Hossain
This chapter introduces the internship report. The report was prepared based on a three-month internship at Al-Arafah Islami Bank Limited to fulfill the requirements for a BBA degree. The report focuses on deposit and investment management at AIBL. The objectives are to understand AIBL's deposit and investment policies and strategies. The study aims to evaluate deposit and investment growth and make recommendations for improvement. Primary and secondary data was collected through observation, interviews and reviewing company documents.
In this article how risk management in banks is an important concept, what type of risks banks faces and how they curb it through risk management model is described
The document provides an overview of control self-assessment (CSA). It discusses what CSA is, its goals and benefits, how it is implemented through workshops, and how the results are reported. CSA involves employees assessing risks, controls and weaknesses within their process. Workshops are facilitated to have open discussions, develop recommendations and action plans. The results are anonymously reported to management to address issues.
internal control and control self assessmentManoj Agarwal
The document discusses internal controls and control self-assessment. It begins with definitions of internal control and internal auditing. It then outlines the COSO internal control framework, including the five components and seventeen underlying principles of internal control. The presentation agenda and a case study are also mentioned. Sample templates for evaluating internal controls against the principles are included.
Enterprise risk management frameworks help organizations manage uncertainty and introduce strategic management frameworks to address risks. These include frameworks for corporate foresight, business planning, enterprise architecture, risk management, and performance management. Futures studies techniques like horizon scanning and analyzing drivers of change can provide insights to inform risk management and strategic decision making.
Risk Management Presentation to Doyle Property Clubmarcpreston
Effective risk management for Contractors , Specialist trades, Property Developers and Homeowners.
Spending 80% of the effort to avoid problem arising rather than 80% effort sorting them after the event.
Risk management involves identifying risks, understanding their potential impacts, and taking actions to address risks. The document discusses risk management in the context of a children and young people's services department. It provides examples of past failures that demonstrate the need for effective risk management. The department has developed a new approach, including a risk register that identifies specific risks, owners, and review periods. The goal is to make risk management a core part of the organization's culture and decision-making.
This presentation provides a comprehensive plan for implementing an enterprise risk management program. It covers the costs/benefits of an ERM program, the critical knowledge, skills and abilities of a Chief Risk Officer, a risk taxonomy for insurance firms, a hypothetical organizational structure for an electric utility, a sample risk register, and other useful information.
The document provides information about an upcoming executive education short course on applied economics. It will be a 2-day workshop taught by Dr. Yeah Kim Leng, Dean of the School of Business at Malaysia University of Science and Technology. The workshop will provide senior executives and analysts with practical tools for economic analysis and help them better understand and monitor economic trends and issues. Participants will learn key economic concepts and indicators, practice data analysis, and build their own economics dashboard to enhance business planning. The interactive course uses presentations, case studies, and exercises to illustrate principles of economic analysis.
This document discusses risk management at Rolls-Royce. It defines risk and risk management, and explains why risk management is important through examples of past issues Rolls-Royce has faced. It describes Rolls-Royce's risk management framework, process, and techniques used, including bow tie analysis and risk matrices. It emphasizes the importance of planning, governance, assessment, treatment, review and culture to effective risk management.
Five lines of assurance a new paradigm in internal audit & ermDr. Zar Rdj
• Boards are provided with a tangible vehicle to demonstrate they are actively overseeing the company’s “risk appetite framework” (“RAF”)
• The process is designed to fully integrate with strategic planning, new product/service initiatives, and M&A activities.
• The process provides a clear response to emerging expectations like the UK Governance Code, Canadian Securities Administrators, SEC, FSB, credit agencies, institutional investors and TSB.
• The main role of internal audit is to report on the effectiveness of the risk management processes and the consolidated report on residual risk status the board receives from the CEO or his/her designate and to help the company build and maintain robust risk management processes
• Boards are provided with a tangible vehicle to demonstrate they are actively overseeing the company’s “risk appetite framework” (“RAF”)
• The process is designed to fully integrate with strategic planning, new product/service initiatives, and M&A activities.
• The process provides a clear response to emerging expectations like the UK Governance Code, Canadian Securities Administrators, SEC, FSB, credit agencies, institutional investors and TSB.
• The main role of internal audit is to report on the effectiveness of the risk management processes and the consolidated report on residual risk status the board receives from the CEO or his/her designate and to help the company build and maintain robust risk management processes.
Five Lines of Assurance A New ERM and IA ParadigmTim Leech
The document discusses a new paradigm called "Five Lines of Assurance" for internal audit and enterprise risk management. It was created to help organizations meet escalating expectations from regulators, credit agencies, institutional investors, and others regarding risk oversight and governance. The Five Lines of Assurance model focuses on an "Objectives Register" that prioritizes key strategic objectives and potential risks. It aims to integrate risk management and assurance functions, engage boards and management, and provide optimized assurance on whether residual risks are within the organization's risk appetite. The model is presented as helping organizations demonstrate effective risk oversight, integrate risk with strategic planning, and meet emerging governance standards.
Corporates need to ensure they have the trio of Risk Management, Business Continuity Planning and Crisis Communications Plan in place for a resilient company
The document provides an overview of internal control, fraud, and revenue assurance. It discusses the concept of enterprise risk management and how it has developed over time. It describes the importance of internal control frameworks like COSO and COBIT. It also covers topics like fraud, the role and organization of internal control functions, and using a risk-based approach to auditing.
Risk management involves identifying risks, understanding their potential impacts, and taking actions to reduce threats and maximize opportunities. The document discusses risk management principles and responsibilities within an organization. It provides examples of high-profile failures that demonstrate the importance of effective risk management. The organization discussed is working to strengthen its risk management practices through improved risk identification, training, and governance.
Risk management involves identifying potential threats and opportunities and taking actions to reduce threats and maximize opportunities. The document discusses risk management principles and responsibilities within an organization. It provides examples of high profile corporate and safety failures as drivers for improved risk management. The need for risk management in children and family services is highlighted, along with lessons learned from failures in Rotherham. Implementation of a new risk management approach including a revised risk register format and clear roles is described.
Risk management involves identifying potential threats and opportunities and taking actions to reduce threats and maximize opportunities. The document discusses risk management principles and responsibilities within an organization. It provides examples of high profile corporate and safety failures as drivers for improved risk management. The need for risk management in children and young services to prevent failures is emphasized. Steps taken in Rotherham to improve risk management culture and processes are outlined, including revising policies, training, and monitoring risks at all levels of the organization.
Operational risk, or the risk of loss resulting from inadequate or failed internal processes, people, or systems, is one of the most important and crucial areas that banks and financial services firms (Firms) face today. In this modern era of cyber attacks, rogue traders, and technology failures, establishing robust and cutting-edge operational risk best practices is imperative for Firms operating around the world. This requires a systematic approach to the control of all operational risks and the establishment of an effective Enterprise Risk Management (ERM) culture.
This superior and unique operational risk training course will provide Firms with training across a wide breadth of areas pertinent to operational risk management governance. Attendees will be trained in a wide range of areas such as developing new and cutting edge internal risk control functions, developing operational efficiencies, mitigation of enterprise-wide operational risk, support and control functions, and modern risk measurement and management techniques. The highly flexible and modular nature of the training course allows Firms to customise it according to their own specific internal needs. From a high level perspective the training course will set out key steps in developing an operational risk framework, defining the scope of business, developing a risk policy, documenting an Enterprise Risk Document, and the Three Lines of Defence.
5th ME Business & IT Resilience Summit 2016 - Integration of ERM and BCM as a...Continuity and Resilience
The document summarizes a presentation given at the 5th Middle East Business & IT Resilience Summit in Dubai, UAE on integrating enterprise risk management (ERM) and business continuity management (BCM) as an independent function. The presentation discusses establishing ERM and BCM as a single independent function that reports directly to the Board of Directors. Benefits include streamlining risk assessment and treatment, leveraging BCM exercises to test ERM plans, and providing independent assurance of risk management and continuity. Challenges include overcoming cultural resistance and recruiting professionals with dual ERM and BCM expertise. The experience of Malaysia's deposit insurer was shared as a case study.
Riskpro is an Indian risk management firm with offices in several major cities. It provides integrated risk management consulting services to mid-large sized corporates and financial institutions in India. Its services include governance, risk and compliance solutions, operational risk management, information security services, and people risk management. It aims to be the preferred provider of complete GRC solutions through a hybrid delivery model and over 200 cumulative years of experience among its professionals.
Riskpro is an Indian risk management firm with offices in major cities. It aims to provide integrated risk management solutions to mid-large corporations and financial institutions in India. It offers services including Basel II/III advisory, corporate risk assessment, information security, operational risk management, and people risk management. Riskpro takes a holistic approach to risk management and uses a bottom-up model to assess people risk at various levels from an individual to an organization. It considers various behavioral and performance parameters to quantify people risk.
Riskpro is an Indian risk management firm with offices in major cities. It aims to provide integrated risk management consulting services and be the preferred provider of governance, risk, and compliance solutions. It differentiates itself by focusing on risk management, having over 200 years of cumulative experience, a hybrid delivery model, and the ability to take on large, complex projects. The document discusses Riskpro's services in areas like Basel compliance, corporate risks, information security, operational risk management, and people risk management. It provides details on their approach, challenges, and examples of parameters for modeling different types of risks.
PECB Webinar: ISO 31000 – Risk Management and how it can help an organizationPECB
The document discusses ISO 31000 risk management standard and how it can help organizations. It provides an overview of the standard's contents including its principles, framework, and process. It describes what risk management is and how to position it in an organization. Examples are given of where risk management should be considered, such as for organizations, projects, information security, and more. The conclusion stresses that risk management is important and organizations should consider what types of risk assessments are relevant to their objectives.
This document provides guidance on developing and implementing a fraud risk assessment. It outlines a 5-step process for fraud risk assessments: 1) identify specific fraud risks, 2) analyze and assess risks, 3) present the assessment, 4) plan and implement mitigation solutions, and 5) continuously monitor. It emphasizes tailoring the assessment to an organization's needs, presenting risks in a clear and understandable way, using existing tools like audit plans and continuous monitoring to detect risks, and treating the assessment as an ongoing process rather than a one-time report. The overall goal is to implement an effective anti-fraud program through collaborative fraud risk assessment and proactive mitigation efforts.
Similar to ERM and Internal Auditing 2016 Tea Talk v2a (20)
1. IIAM ERM & IA - DSK Leong, 2016, slide 1
ERM AND INTERNAL AUDITING
INTERNAL AUDIT DIVISION
David S K Leong
BCA, CA(NZ), CA(M), ACIB(UK), MBA (Henley), CIA(US), CMIIA.
Brainstorming of risks and controls session in progress.
2. Brief Introduction & Background
David S K Leong
BCA, CA(NZ), CA(M), ACIB(UK), MBA (Henley), CIA(US), CMIIA.
HSBC Malaysia Bhd. (1980-2005): Risk Manager, Strategic Planner, Chief Internal Auditor and Head, Sarbanes-Oxley Project.
Kuwait Finance House (Malaysia) Bhd. (2005-2011): Chief Officer, Internal Audit.
Bank Islam Malaysia Bhd. (2012-2014): Chief Internal Auditor (Senior General Manager).
Credit Guarantee Corporation Malaysia Bhd.: Director, Internal Audit.
(Total of 35 years in banking, of which 12 years as Chief Internal Auditor.)
Additional:
Member of the Board of Governors, Institute of Internal Auditors Malaysia.
Deputy Chairman, IIAM's Research, Technical & Advisory Committee.
Examiner, Asian Institute of Chartered Bankers.
3. HSBC Work Experience 1980 - 2005
OIC, Current Accounts/Savings, HSBC Johor Bahru - 4 years
OIC, Trade Finance, HSBC Kuching, Sarawak - 4 years
Assistant Manager Marketing, HSBC Kuching, Sarawak - 2 years
Credit Manager, HSBC Kota Kinabalu, Sabah - 4 years
Bank Branch Manager, HSBC Bank Labuan - 2.5 years
Manager Risk & Policy, HSBC Malaysia, Kuala Lumpur - 4 years
Head of Strategy, HSBC Malaysia, Kuala Lumpur - 1 year
CIA, HSBC Malaysia - 3 years
4. Risk Management Experiences: The Nightmares!
No risk management!
Want to go their own way (i.e. no way)!
No definition of risk (i.e. don't know).
Don't know what risk is!
Uses a new, unproven model (model risk).
Ad hoc and unorganized approach / incomplete coverage.
No monitoring or follow-up of controls.
Inadequate risk staffing and skills.
Excessive power / arrogance.
Lack of power!
Very defensive!
Don't want to be audited.
Any more?
5. SIMPLE SURVEY
How many don't have a Risk Management function?
How many have not audited Risk Management?
How many have audited Risk Management?
How many of these are really happy with their Risk Management audit?
How many are really comfortable with the Risk Management activities?
How many have Risk Management Divisions that really manage important risks effectively?
6. HONESTLY, WHAT SITUATION ARE YOU IN?
1. Your internal audit findings are challenged 70% of the time?
2. Your internal audit findings are 95% accepted all the time?
3. Your internal audit recommendations get implemented only 50% of the time?
4. Your internal audit recommendations are 90% implemented even before presentation to the Board.
5. Your internal auditors' performance and remuneration are assessed by management.
6. Your internal auditors' performance and remuneration are assessed by the Board.
7. You have a higher than average attrition rate among your internal auditors compared with the rest of the organization.
8. You have several other staff requesting to join the internal audit department.
7. Most Frequent Experience:
CRO says, "We have Enterprise-wide Risk Management!" when actually he does not even know what risk is.
CRO says, "CIO will look after IT Risk Management. RM doesn't have the IT expertise."
CRO says, "We have an ERM Policy." But it exists on paper and in name only; it is not practiced and not developed.
CRO says, "We cannot introduce ERM because Head Office overseas should lead such an initiative."
8. 10 Absolute Essential Features of ERM
1. Must be Enterprise-wide (from top to bottom).
2. There must not be any "Golden Boy" unit.
3. Includes All Risks (Strategic/Operational/Financial/Compliance/Governance).
4. Focuses on Key Risks (not more than 30-50 biggest risks).
5. Integrates Across All Risk Types (not a siloed approach).
6. Aggregated at the Enterprise Level (based on the Risk Appetite/HEAT Map).
7. Decision-making Required to Reduce/Treat Risk.
8. Appropriate Risk Disclosures (show how much shareholder value can be damaged).
9. Measures Value Impacts and Opportunity Impact.
10. Focuses on Main Stakeholders (Shareholders).
Source: Adapted from Jared Wade
9. In other words, do you have these?
10. Benefits in Layman's Language to the Company with an Integrated Risk Framework and ERM Program
Risk Management becomes easy to apply. We will have substance instead of form.
ERM gives the Board better, real assurance over internal controls.
All departments work on the same internationally recognized methodology.
Risk registers are easily available online to all users.
We have less work and less stress (no duplicated controls).
Each entity will know its main risks and controls. This leads to more focused work.
Entities will pass internal audits.
Internal audit reports will be comprehensible.
The company will suffer fewer losses, make higher profits and be more competitive.
The company will have more time for strategy and be more focused.
The company will comply with laws, regulations and policies.
11. 1. Must be Enterprise-wide.
1. Led by the Board and CEO, with a Project Champion.
2. Must involve all risk areas.
3. Participation and buy-in from all material areas on the initial Risk Universe assessment.
4. Participation and mind-set must be integrated into operations, remuneration and culture.
5. Supported and complemented by Internal Audit.
6. All use a common methodology and are solution oriented.
12. 2. There must not be any "Golden Boy" unit
All are included without exception.
No "special treatment" even for "star performers".
(This is exemplified by the case of Barings Bank in 1996, in which the Bank eventually collapsed. Barings Singapore was so profitable that Risk Management and Internal Audit were told to go lightly on Nick Leeson, the "Wonder Boy". Loss: GBP860 million.)
Another tell-tale sign: the "only expert" in complicated derivatives trading in the 2008 Societe Generale Bank case (a GBP3.7 billion loss).
Enron 2004: "The Smartest Guys in the Room."
13. 3. Includes All Risks (Strategic/Operational/Financial/Compliance/Governance)
Aligning all the main components: making sure we all look at the same things to achieve corporate objectives.
[Diagram: the following components are shown arranged around "Achieve Corporate Objectives": Vision, Strategy, Corporate Objectives; Risk Management; Training/HR; Key Performance Indicators; Internal Audit; Performance Measurement. Labels on the diagram: STRATEGIC DIRECTION, YEARLY BUDGETS, RISK APPETITE.]
14. Where are your risks? All these have to be coordinated!
15. 5. Integrates Across All Risk Types (Not a Siloed Approach)
Definition of Risk / What is Risk?
"The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood." (IPPF Glossary)
In ISO 31000:2009: "Risk is Uncertainty Over Objectives."
By having the same methodology, everyone speaks the same language, which allows aggregation of the enterprise's risks.
16. 4. Focuses on Key Risks (30-50 Biggest Risks)
These should be the risks that keep you awake at night.
These risks are identified in a collaborative brainstorming session covering all units, using a common methodology that measures each risk in terms of impact and probability.
Are all risks covered? The ERM method prescribes inclusion of all major risks and measures the effectiveness of their treatment. This requires workers' participation.
Are you having excessive procedures? Board and Management attention, followed by action, is aligned on the real risks, their treatment and the monitoring. The process will find that many traditional processes are actually redundant, so SOPs can be streamlined and processes become efficient.
Are your operations guys clueless and dissatisfied? Implementers of ERM and workers often find more meaning in what they do and are motivated, because they now understand how to get real value for their time. They know what they have to do and why, and what auditors will audit them on.
17. Use the "HEAT MAP" tool to help disseminate the risk assessment methodology.
18. 6. Aggregated at the Enterprise Level (Set the Risk Appetite/HEAT Map). HEAT MAP: Where the Risks are!
TABLE A: HEAT MAP (Operations)
Likelihood (rows) against Impact (columns); each cell is written likelihood.impact.

Impact columns:
1 INSIGNIFICANT (<RM1,000) | 2 MINOR (RM1,000-9,999) | 3 MODERATE (RM10,000-49,999) | 4 MAJOR (RM50,000-199,999) | 5 CATASTROPHIC (>RM200,000)

Likelihood rows                                  1    2    3    4    5
5 ALMOST CERTAIN (every 1-6 months)             5.1  5.2  5.3  5.4  5.5
4 VERY PROBABLE (every 6-12 months)             4.1  4.2  4.3  4.4  4.5
3 PROBABLE (every 1-3 years)                    3.1  3.2  3.3  3.4  3.5
2 UNLIKELY (every 4-10 years)                   2.1  2.2  2.3  2.4  2.5
1 RARE (less often than every 10 years)         1.1  1.2  1.3  1.4  1.5

Key (colour bands): Low / Medium / High (Catastrophic) / Very High.
Findings plotted on the map (as extracted from the slide): 2.1, 2.2, 2.4, 2.3, 1.3, 1.1, 1.2, 3.1.
Finding 2.4 is plotted on the Heat Map.
5.4 denotes probability 5, impact 4.
19. 7. Decision-making by Management to Reduce/Treat Risk.
Once a material risk is identified, there are 4 "Ts" of Risk Mitigation:
I. Treat (implement a control to reduce/prevent the occurrence).
II. Transfer (reduce impact by transferring the risk to another entity, or take out insurance/outsource).
III. Terminate (abandon/sell the business if the risk impact is deemed unbearable or cannot be controlled).
IV. Tolerate (accept the risk if within Risk Tolerance limits).
Action is taken to ensure that all accepted risks are within the risk appetite (green) as shown in the following HEAT Map.
ERM is not only about reporting risks but about ensuring the correct control action is taken.
Performance is appraised on whether action was taken effectively.
20. 7. IMPACT OF CONTROLS ON TREATED RISKS (RESIDUAL RISK)
TABLE A: HEAT MAP (Mill Operations). Same grid as Table A on slide 18: impact 1-5 (<RM1,000 Insignificant; RM1,000-9,999 Minor; RM10,000-49,999 Moderate; RM50,000-199,999 Major; >RM200,000 Catastrophic) against likelihood 1-5 (Rare, less often than every 10 years; Unlikely, every 4-10 years; Probable, every 1-3 years; Very probable, every 6-12 months; Almost certain, every 1-6 months); cells 1.1 to 5.5; key Low / Medium / High (Catastrophic) / Very High.
[Diagram: an arrow on the map runs from the risk's Inherent Risk position to its Residual Risk position after controls.]
21. IIAM ERM & IA - DSK Leong
2016
21
OVERALL COMPANY:
HEAT MAP
<RM1000/
INSIGNIFICANT)
RM1000-9,999(MINOR)
RM10,000-49,999
(MODERATE)
RM50,000-199,999
(MAJOR)
>RM200,000
(Catastrophic)
Key Catastrophic
/High
Low IMPACT
Very High
Medium
1 2 3 4 5Low
ALMOST CERTAIN
(1-6 months)
LowLIKELIHOODVeryHigh
5 5.1 5.2 5.3 5.4 5.5
VERY PROBABLE
(every 6-12 Months)
4 4.1 4.2 4.3 4.4 4.5
PROBABLE (Every 1-
3 years
3 3.1 3.2 3.3 3.4 3.5
UNLIKELY (Every 4-
10 years
2 2.1 2.2 2.3 2.4 2.5
RARE (Every more
than 10 Years)
1 1.1 1.2 1.3 1.4 1.5
OVERALL COMPANY:
HEAT MAP
<RM1000/
INSIGNIFICANT)
RM1000-9,999
(MINOR)
RM10,000-
49,999
(MODERATE)
RM50,000-
199,999
(MAJOR)
>RM200,000
(Catastrophic)
Ke
y Catastrophic/High
Low IMPACT
Very High
Medium
1 2 3 4 5
Low
ALMOST CERTAIN (1-6
months)
LowLIKELIHOODVeryHigh
5
5
.
1
5
.
2
5
.
3
5
.
4
5
.
5
VERY PROBABLE (every 6-
12 Months)
4
4
.
1
4
.
2
4
.
3
4
.
4
4
.
5
PROBABLE (Every 1-3
years
3
3
.
1
3
.
2
3
.
3
3
.
4
3
.
5
UNLIKELY (Every 4-10
OVERALL COMPANY: HEAT MAP
(Figure, reconstructed. The slide repeats the same 5x5 likelihood/impact matrix for the overall company and for each department; each cell is scored in the form "likelihood.impact", so 5.5 is an almost-certain, catastrophic risk and 1.1 a rare, insignificant one.)

                                           IMPACT
LIKELIHOOD                                 1 INSIGNIFICANT  2 MINOR          3 MODERATE         4 MAJOR             5 CATASTROPHIC
                                           (<RM1,000)       (RM1,000-9,999)  (RM10,000-49,999)  (RM50,000-199,999)  (>RM200,000)
5 ALMOST CERTAIN (every 1-6 months)        5.1              5.2              5.3                5.4                 5.5
4 VERY PROBABLE (every 6-12 months)        4.1              4.2              4.3                4.4                 4.5
3 PROBABLE (every 1-3 years)               3.1              3.2              3.3                3.4                 3.5
2 UNLIKELY (every 4-10 years)              2.1              2.2              2.3                2.4                 2.5
1 RARE (less often than once in 10 years)  1.1              1.2              1.3                1.4                 1.5

Key (colour bands): Low, Medium, Very High, Catastrophic/High. Both axes run from Low (1) to Very High (5).

Departmental heat maps on the same scale: Finance, Mill Operations, Marketing, Plantations, Compliance, Human Resources.

7. See One Picture of the Aggregated Risks of Your Company
You can see one picture, or drill down into component areas and even specific issues, because of the consistency of the risk methodology.
Overall Enterprise-Wide HEAT MAP, based on COSO ERM & the IIA's IPPF.
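The heat map only aggregates cleanly if every department scores on the same scale, which is the consistency point made above. The Python below is an added example, not code from the presentation: it encodes the slide's RM impact bands and frequency-based likelihood bands, scores constructed risk-register entries into the "likelihood.impact" cells, and aggregates per-department maps into the company-wide picture. The register entries and the product-based colour thresholds are assumptions; the slide's key names the colour bands but the extract does not show which cells carry them.

```python
"""Added example: scoring a risk register on the deck's 5x5 likelihood/impact
scale and aggregating departmental heat maps into one company picture.
Not the presenter's tool; register entries below are constructed."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Impact bands in RM per occurrence, from the slide. Lower bound inclusive,
# upper bound exclusive; RM200,000 and above is treated as catastrophic
# (the slide's bands leave exactly RM200,000 unassigned).
IMPACT_BANDS = [
    (1, "INSIGNIFICANT", 0, 1_000),
    (2, "MINOR", 1_000, 10_000),
    (3, "MODERATE", 10_000, 50_000),
    (4, "MAJOR", 50_000, 200_000),
    (5, "CATASTROPHIC", 200_000, float("inf")),
]

# Likelihood bands from the slide as the expected interval between occurrences
# in years (lower bound exclusive, upper bound inclusive, so "every 6 months"
# is ALMOST CERTAIN and "every 3 years" is PROBABLE).
LIKELIHOOD_BANDS = [
    (5, "ALMOST CERTAIN", 0.0, 0.5),   # every 1-6 months
    (4, "VERY PROBABLE", 0.5, 1.0),    # every 6-12 months
    (3, "PROBABLE", 1.0, 3.0),         # every 1-3 years
    (2, "UNLIKELY", 3.0, 10.0),        # every 4-10 years
    (1, "RARE", 10.0, float("inf")),   # less often than once in 10 years
]

# Colour key. The slide lists Low, Medium, Very High and Catastrophic/High;
# the cell-to-colour mapping is not recoverable, so these product ceilings
# are an assumption.
RATING_BY_PRODUCT = [(4, "Low"), (9, "Medium"), (15, "Very High"), (25, "Catastrophic/High")]


def impact_score(loss_rm: float) -> int:
    for score, _, low, high in IMPACT_BANDS:
        if low <= loss_rm < high:
            return score
    raise ValueError(f"loss must be non-negative, got {loss_rm}")


def likelihood_score(interval_years: float) -> int:
    for score, _, low, high in LIKELIHOOD_BANDS:
        if low < interval_years <= high:
            return score
    raise ValueError(f"interval must be positive, got {interval_years}")


@dataclass(frozen=True)
class Risk:
    department: str
    title: str
    loss_rm: float          # estimated loss per occurrence
    interval_years: float   # expected time between occurrences


def cell(risk: Risk) -> str:
    """Heat-map cell in the slide's 'likelihood.impact' notation, e.g. '5.3'."""
    return f"{likelihood_score(risk.interval_years)}.{impact_score(risk.loss_rm)}"


def rating(cell_code: str) -> str:
    likelihood, impact = (int(part) for part in cell_code.split("."))
    product = likelihood * impact
    for ceiling, label in RATING_BY_PRODUCT:
        if product <= ceiling:
            return label
    raise ValueError(cell_code)


def heat_map(risks, department: str | None = None) -> Counter:
    """Number of risks per cell; department=None gives the overall company picture."""
    return Counter(cell(r) for r in risks if department is None or r.department == department)


def top_risks(risks, n: int = 3) -> list[Risk]:
    def severity(r: Risk) -> int:
        return likelihood_score(r.interval_years) * impact_score(r.loss_rm)
    return sorted(risks, key=lambda r: (-severity(r), r.title))[:n]


# Constructed register entries (illustrative only).
REGISTER = [
    Risk("Finance", "Audit trail not reviewed, fraud undetected", 150_000, 2.0),
    Risk("Finance", "Resigned staff user IDs still active", 30_000, 0.25),
    Risk("Mill Operations", "Boiler outage stops production", 500_000, 8.0),
    Risk("Marketing", "Campaign launched late", 5_000, 0.4),
    Risk("Plantations", "Fertiliser price spike", 80_000, 1.5),
    Risk("Compliance", "GST filing error", 20_000, 0.75),
    Risk("Human Resources", "Key staff attrition", 60_000, 1.0),
]

if __name__ == "__main__":
    for dept in sorted({r.department for r in REGISTER}):
        print(dept, dict(heat_map(REGISTER, dept)))
    print("Overall company:", dict(heat_map(REGISTER)))
    for r in top_risks(REGISTER):
        print(cell(r), rating(cell(r)), r.department, r.title)
```

Run it directly to print each department's cell counts, the overall map and the top three risks. Boundary values are deliberate: RM1,000 falls in MINOR and an interval of exactly six months in ALMOST CERTAIN, matching the slide's band labels; if the scale changes, edit the band tables rather than the functions so every department keeps scoring the same way.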
22. PART 2. COSO – Enterprise-wide Risk Management.
IIAM ERM & IA - DSK Leong 2016
23. 5. Where Do We Start?
Before we implement anything, we have to understand the methodologies used: COSO ERM and the IIA's IPPF.
Risk evaluation objectives according to IPPF Standard 2130-A1.
24. It Started in 1992 with the First Internal Control COSO Cube.
26. COSO/COSO ERM in 7 Different Languages!
The World's Best Known and Only Established ERM Framework for Integrated Control.
27. COSO (1992) Evolved into COSO-ERM (2004).
28. ERM Re-defined / Improved:
"… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
Source: "COSO Enterprise Risk Management – Integrated Framework", 2004, COSO.
So why Enterprise-wide Risk Management?
29. The Development of the Three COSO Frameworks: 1992 (Internal Control), 2004 (ERM), May 2013 (Internal Control, revised).
The 2013 COSO Framework (17 Principles) is the best yet. The 1992 COSO framework has been replaced.
30. A Quick View of the Overall Framework that should be achieved.
33. Internal control is defined as follows:
"Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance."
"Internal Control—Integrated Framework", COSO Publication, May 2013.
The requirement is integrated internal control. The Board must lead and sponsor!
34. Definition of Governance – What the Board is now expected to do.
"The combination of processes and structures implemented by the Board to inform, direct, manage and monitor the activities of the organization towards achievement of its objectives."
IPPF Glossary
35. Specimens of Internal Audit Report based on COSO (2013) Format.
36. CA02 Control Activities: No review performed on audit trail report for MYSTICS system

Criteria
The BNM Audit in 2013 highlighted the absence of a Policy and Procedure requiring review of the audit trail in the MYSTIC system (Issue No. 15). FIN has since revised the Policy and Procedures, effective 19MAR14, to incorporate periodic review of the audit trail by an officer. Section 1.1 of the Audit Trail Review for MYSTIC guides FIN in preparing the Audit Trail Report; the system administrator is responsible for reviewing the audit trail every month for at least two (2) modules.

Condition
Audit observed that the review of the MYSTIC audit trail was not implemented / carried out as now required under Section 1.1.

Cause
a) The guideline was not strictly followed and enforced.
b) The staff in charge were unaware of the usefulness of the audit trail in monitoring the activities of MYSTIC users and preventing fraud.

Risk (High)
a) Non-compliance with Section 1.1 of the Audit Trail Review for MYSTICS Manual.
b) System control lapses may go undetected.

Recommendation
FIN must ensure that the Audit Trail Review for MYSTICS Manual is adhered to, and report any unusual activities to the Risk Management Department (RMD) under incident reporting.

Management's Response:
We have reviewed the audit trail for the months of March 2014, April 2014, May 2014, June 2014 and July 2014, and this was concurred by FC on 2 September 2014.

Target Date: Implemented
Person Responsible: Zahid Muhammad, Head of Section

Detailed Audit Finding as per Implementation Guide 2410-1
37. TABLE 1: COSO 5 COMPONENTS & 17 PRINCIPLES MATRIX

CONTROL ENVIRONMENT
1. The organization demonstrates a commitment to integrity and ethical values.
Answer: Yes. The Board of Directors is committed to ethical and integrity values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
Answer: Yes. The Board of Directors is independent and exercises oversight. New Board members in 2014.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
Answer: Yes. The Board has established reporting lines and structures. In 2013 the Board changed the external auditors to PwC.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
Answer: FIN lost 6 experienced staff in 2013 and 2014 (including the Head of Department).
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Finding IMP01: Absence of internal/manual attendance record for staff working during public holidays.
Opinion: Tightening of controls and discipline is clearly needed given the nine control lapses in this report.

RISK ASSESSMENT
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
Opinion: This should be improved, as staff do not seem to implement controls as they should.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
Opinion: The identification of risk is not adequate or systematic enough. Coupled with a lack of responsibility, this is probably why the control lapses occur.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
Finding RA01: User ID (MYSTICS) logged in during staff's absence. (Medium Risk)
9. The organization identifies and assesses changes that could significantly impact the system of internal control.
Answer: Yes. GST was highlighted to management.

CONTROL ACTIVITIES
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
Answer: Yes, controls are in the manuals, but they are not implemented. See the findings under Principle No. 12.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
Finding CA05: No adjustments made for TPUB-i profit charged due to limitation in Contract Financing Module (CFM-BOS). (Medium Risk)
Finding CA08: Six (6) IDs of resigned staff were not deactivated. (Medium Risk)
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
Finding CA01: Inappropriate month-end closing. (High Risk)
Finding CA02: No review performed on audit trail report for MYSTICS system. (High Risk)
Finding CA03: Non-compliance with Accounting Policy: checklist not used. (High Risk)
Finding CA04: Manual updates not comprehensive. (Medium Risk)
Finding CA06: Wrong preparation of accounts: written-off asset was treated as loss on disposal of asset. (Medium Risk)
Finding CA07: Security cabinet containing cheque book was not locked. (Medium Risk)

INFORMATION & COMMUNICATION
13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
See related comments under Principle No. 16.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
Answer: Meetings are held with other internal parties.
15. The organization communicates with external parties regarding matters affecting the functioning of internal control.
Answer: Yes. This is done with PwC, the external auditors.

MONITORING
16. The organization selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
Answer: FIN will ensure the figures and information related to FIN are correct.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
Answer: Yes, CGC as a whole communicates deficiencies, but implementation is hampered by staff quality and IT issues. See CA03, CA04, CA05 and Finding Other 01 (un-reconciled receipts).
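Finding CA02 says the monthly MYSTICS audit-trail review was not done, and Table 1 records exactly what such a review would have caught: resigned staff IDs still active (CA08) and a user ID logged in while its owner was absent (RA01). The script below is an added example, not the bank's procedure or a real MYSTICS export: it runs a monthly review over a constructed audit-trail extract against constructed HR records, flags those two conditions plus out-of-hours and unknown-ID activity, and produces a review record (period, reviewer, digest of the extract reviewed, exception counts) so that the review itself leaves evidence rather than an opinion. The log layout, user IDs, names, dates and office hours are all assumptions.

```python
"""Added example: automated monthly audit-trail review of the kind finding
CA02 requires, over a constructed extract. Log format, HR data and office
hours are assumptions, not the real MYSTICS system."""
from __future__ import annotations

import hashlib
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime

# Constructed extract in an assumed "timestamp | user id | action | detail" layout.
AUDIT_TRAIL = """\
2014-07-01 08:55:12 | U1023 | LOGIN | GL module
2014-07-01 09:10:45 | U1023 | POST | GL journal 4471
2014-07-02 14:02:09 | U0877 | LOGIN | AP module
2014-07-02 14:05:30 | U0877 | APPROVE | AP payment 9921
2014-07-08 10:21:00 | U1023 | LOGIN | GL module
2014-07-15 23:40:05 | U1101 | LOGIN | CFM module
2014-07-15 23:41:50 | U1101 | POST | CFM adjustment 88
2014-07-20 11:00:00 | U9999 | LOGIN | GL module
"""


@dataclass(frozen=True)
class Staff:
    name: str
    resigned_on: date | None      # last day of service, None if still employed
    absent_on: frozenset[date]    # leave days recorded by HR


# Constructed HR records keyed by user id (assumed names and dates).
STAFF = {
    "U1023": Staff("A. Rahman", None, frozenset({date(2014, 7, 8)})),
    "U0877": Staff("B. Tan", date(2014, 6, 30), frozenset()),
    "U1101": Staff("C. Lim", None, frozenset()),
}

OFFICE_HOURS = range(8, 19)  # 08:00-18:59, assumed
REVIEW_PERIOD = (date(2014, 7, 1), date(2014, 7, 31))


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    detail: str


def parse_audit_trail(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, detail = (part.strip() for part in line.split("|", 3))
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, action, detail))
    return events


def review(events, staff, start: date, end: date) -> list[tuple[str, Event]]:
    """Monthly review: (exception type, event) pairs for activity in the period."""
    exceptions = []
    for e in events:
        day = e.ts.date()
        if not start <= day <= end:
            continue
        person = staff.get(e.user)
        if person is None:
            exceptions.append(("UNKNOWN_USER", e))            # ID with no HR record
            continue
        if person.resigned_on is not None and day > person.resigned_on:
            exceptions.append(("RESIGNED_USER_ACTIVE", e))    # the CA08 situation
        if day in person.absent_on:
            exceptions.append(("ACTIVE_WHILE_ABSENT", e))     # the RA01 situation
        if e.ts.hour not in OFFICE_HOURS:
            exceptions.append(("OUT_OF_HOURS", e))
    return exceptions


def summarise(exceptions) -> Counter:
    return Counter(kind for kind, _ in exceptions)


def review_record(text: str, reviewer: str, start: date, end: date, exceptions) -> dict:
    """Evidence the review happened: period, reviewer, digest of what was reviewed, counts."""
    return {
        "period": f"{start.isoformat()}..{end.isoformat()}",
        "reviewer": reviewer,
        "extract_sha256": hashlib.sha256(text.encode()).hexdigest(),
        "exceptions": dict(summarise(exceptions)),
    }


def run_review(reviewer: str = "system administrator"):
    events = parse_audit_trail(AUDIT_TRAIL)
    exceptions = review(events, STAFF, *REVIEW_PERIOD)
    return exceptions, review_record(AUDIT_TRAIL, reviewer, *REVIEW_PERIOD, exceptions)


if __name__ == "__main__":
    found, record = run_review()
    for kind, e in found:
        print(f"{kind:22} {e.ts} {e.user} {e.action} {e.detail}")
    print(record)
```

Each exception is a line for the reviewer to clear with the user's department, and the record is what the next audit should be shown as proof that Section 1.1 was followed. The HR join is the part worth getting right: a resigned user's ID should have been deactivated, so any activity after the last day of service is an access-management failure before it is anything else.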
38. Rating the Internal Audit Consistently / No-Surprise Approach

Risk Rating and Type      Reported this Audit   Maximum for Satisfactory   Maximum for "Needs Improvement"
High Risk                 3                     2                          4
Medium Risk               6                     6                          6
Other Department Risk     1                     NA                         NA
Improvement               1                     NA                         NA
TOTAL                     11

With three High Risk findings against a maximum of two for "Satisfactory" and four for "Needs Improvement", this audit rates "Needs Improvement".
39. Does Senior Management (and the Board) really know their Risk Appetite?
"The former JP Morgan Chase trader known as the "London Whale" has broken cover to say he was not responsible for the scandal that lost the bank $6.2bn. In a letter sent late on Monday night to news outlets including Financial News and Bloomberg, Bruno Iksil said he was "instructed repeatedly" by his superiors to carry out the trading strategy that led to the losses."
Bruno Iksil (the "London Whale"), The Independent.
(Mr Iksil is helping the US authorities bring a case against key figures at JP Morgan, but he is not among those being prosecuted. JP Morgan lost USD 6.2 Billion and was fined USD 1 Billion by regulators.)
(Picture: Jamie Dimon, JP Morgan's CEO.)
40. Appeals court rules company directors liable for offences committed during their tenure
Published: 28 September 2015
The Court of Appeal today ruled that Section 122(1) of the Securities Industry Act 1983 (SIA) – which states that when an offence has been committed under the act by a corporate body, a director or chief executive officer (CEO) or one purporting to act in such a capacity for the organisation is deemed liable – does not violate the Federal Constitution.
The decision overturned the High Court's ruling that the section was unconstitutional when Transmile Group Bhd's founder and former CEO Gan Boon Aun and its former executive director Khiuddin Mohd challenged the validity of a charge brought against them.
Is your Board aware of this Risk?
41. Implication: Making COSO-ERM Thinking the Way of Life for Achievement of Company Objectives.
5 Components (COSO 2013 Internal Control) and 8 Components (COSO ERM)!
Is your Board & Management aware of COSO?
42. Implication: Changes Required for Internal Audit
IA is the prime mover and player in ERM.
• Professional & proactive Internal Audit (IIA qualified).
• Risk-based Internal Audit (uses COSO 2013).
• Implement the International Professional Practices Framework (IPPF), which requires IA to give assurance on the effectiveness of the governance, risk management and internal control systems.
43. Will IA's Participation in ERM compromise IA's Independence? ANSWER – NO.
44. Starting ERM Risk Assessment - How to Identify Risks in Your Division?
• Brainstorming (participation by the implementers)
• Delphi technique (asking a panel of experts)
• Monte Carlo simulation (computer program)
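The Monte Carlo bullet above is the only quantitative method on the list, so here is what it looks like in practice. This is an added example, not the presenter's tool: it simulates the annual loss distribution for one risk (a Poisson number of events per year, a lognormal loss per event) and reports the expected annual loss, the 50th/95th/99th percentiles and the probability that a year's losses exceed a risk appetite, here set at the slide's RM200,000 catastrophic threshold. The frequency, median loss and spread parameters are assumed for illustration.

```python
"""Added example: Monte Carlo estimate of annual loss for one risk, to show
what the 'Monte Carlo simulation' bullet means. Not the presenter's tool;
the parameters in __main__ are assumed."""
from __future__ import annotations

import math
import random
import statistics


def simulate_annual_losses(events_per_year: float, median_loss_rm: float,
                           severity_sigma: float, years: int, seed: int = 1) -> list[float]:
    """One simulated year = Poisson count of events (from exponential inter-arrival
    times) with a lognormal loss per event; returns the total loss of each year."""
    rng = random.Random(seed)          # fixed seed so a review can be reproduced
    annual = []
    for _ in range(years):
        count = 0
        if events_per_year > 0:        # zero frequency means no events at all
            t = rng.expovariate(events_per_year)
            while t < 1.0:
                count += 1
                t += rng.expovariate(events_per_year)
        annual.append(sum(rng.lognormvariate(math.log(median_loss_rm), severity_sigma)
                          for _ in range(count)))
    return annual


def percentile(values: list[float], p: float) -> float:
    """Nearest-rank percentile (p in 0..100) of an unsorted list."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def summarise(annual: list[float], appetite_rm: float) -> dict:
    """Expected annual loss, tail percentiles and how often the appetite is breached."""
    return {
        "expected_annual_loss": statistics.fmean(annual),
        "p50": percentile(annual, 50),
        "p95": percentile(annual, 95),
        "p99": percentile(annual, 99),
        "prob_exceed_appetite": sum(1 for x in annual if x > appetite_rm) / len(annual),
    }


if __name__ == "__main__":
    # Assumed: about two incidents a year, median RM20,000 each, wide spread.
    losses = simulate_annual_losses(events_per_year=2.0, median_loss_rm=20_000,
                                    severity_sigma=0.8, years=10_000, seed=7)
    for key, value in summarise(losses, appetite_rm=200_000).items():
        print(f"{key:22} {value:,.2f}")
```

The expected annual loss is the number to compare with the single-occurrence RM bands on the heat map: a risk that sits in MODERATE per event can still breach a MAJOR or CATASTROPHIC appetite over a year once frequency and the heavy tail of severities are taken into account, which a 5x5 matrix cannot show.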
46. Implementation steps (figure reconstructed as a list):
• Establish the scope and objectives of the ERM project.
• Establish ERM project roles and project structure.
• Identify key executives.
• Conduct training for key individuals.
• Appoint the CIA and the Head of ERM/CRO.
• Establish the Risk Committee.
• Identify resources for ERM.

• Identify the Risk Universe.
• Organize brainstorming sessions in risk areas.
• Identify the risks and identify the controls.
• Document the high and medium risks.
• Prepare each area's top risks and controls.

• Institute monitoring to ensure identified controls are implemented and working.
• Institute regular reporting to the ERM centre.
• Review controls and update risk registers.
• Institute an annual review by Internal Audit.
• Internal Audit to test the ERM system in the internal audits of each area.

• Aggregate and update quarterly reporting to the Risk Committee.
• Continuous training and annual updating of the Risk Universe.
• Integrate into the strategic review and annual budgeting.
• Add stress testing to ERM.
47. In Summary: Benefits of Coordinating the Company with an Integrated ERM Program and IA
Risk management becomes easy to apply. We have substance instead of form; collaborative risk management is achieved.
Internal audit recommendations become understandable and are implemented.
ERM gives the Board better, real assurance over internal controls.
All departments work on the same internationally recognised methodology.
Risk registers are easily available online to all users. Related risks are identified and redundant controls are eradicated.
We have less work and less stress (no duplicated controls).
Each entity knows its main risks and controls, which leads to more focused work and efficiency, and to logical and fair internal audits.
Entities will pass internal audits, with more value added from internal audits.
The company suffers fewer losses, makes higher profits and is more competitive.
The company has more time for strategy and is more focused.
The company complies with laws, regulations and policies.
For manufacturers, better safety in the operations area.
Less staff turnover and better staff morale.
48. Final Take-Away Pointers
Look at risks using the COSO/COSO ERM frameworks.
Establish the risk appetite with the AC (Audit Committee), using COSO (2013)/COSO ERM.
Do the Risk Universe analysis using brainstorming.
Emphasise the biggest risks and review them every three months.
Do internal audit planning using the COSO (2013) framework.
Discuss with auditees the use of the COSO (2013) framework.
Determine/measure risk using the risk appetite set and the risk registers.
Report risks based on Criteria, Condition, Cause and Impact, classified into High and Medium risks.
Establish the real cause with auditees in order to recommend action.
Hold the person/entity with responsibility/authority accountable.
Be consistent with standards of evidence (no evidence, it's an opinion).
Write the report based on the COSO (2013) format.
Be consistent with ratings across the board (no exceptions).
If you have any serious opinion (e.g. corruption) to share, write a separate management memorandum to Management or the Board.