Enterprise Risk Management and Risk Based Internal Audit

Enterprise Risk Management and Risk Based Internal Audit Grant Thornton Recommended Methodology Nasser Barakat Partner Grant Thornton – Business Risk Services

© 2015 Grant Thornton. All rights reserved.

Risk Scope of Definition


What is risk?

A range of possible negative events that could take place in an uncertain environment.


Each of these events could have a significant impact on the organisation and its goals.

Risk is anything that will prevent you from achieving your business objectives….


Risk

Work unit assets (resources)

Management processes

Work unit objectives

The organisation's objectives

Control Broadly Defined


Control

… is broadly defined as ‘the combination of many factors which support people in their efforts to achieve their business objectives’.


Linking risks, controls and objectives

Risk

Business/Quality Objectives

Control

Desired end results/outcomes


What is Risk Management?



Risk management

… represents the diversity of actions management takes in order to mitigate some or all of the business risks.


Risk management alternatives

Risk mitigation technique and what it means:

TERMINATE: Avoiding risk
TREAT: Reducing the impact and/or probability of risk assurance
TOLERATE: Retaining risk (acceptance)
TRANSFER: Passing on risk
  Transfer activity, e.g. subcontracting
  Transfer responsibility, e.g. insurance


Components of risks

RISK

Adequately controlled


Accepted

Insured

GT methodology for the implementation of an enterprise risk management system and risk based internal audit


CRSA: Control and Risk Self Assessment

CRSA

CRSA is a process in which staff collectively:
- Identify business uncertainties in their area of responsibility
- Assess their control activities
- Develop actions for improvements under the guidance of risk management.

Workshop: Identify and assess risks and controls

Senior management and the board

Stage 1

Reports on CRSA

Reports on the test results

Stage 3

Management sign-off


Testing (by both I.A. and business unit)

Stage 5

Stage 2

Development of compliance tests

Internal audit report

Stage 4

Workshop: Building a risk and control matrix

Develop and conduct substantive tests

Internal and external loss data

The CRSA workshop

The following risk/control matrix lists some of the operational risks and controls related to a bank's International Brokerage function.

Components of risks

RISK

Adequately controlled

Acceptable gap

Working gap

Actual gap

Insured

Risk Based Internal Audit


What is RBIA?

The Institute of Internal Auditors defines Risk Based Internal Auditing (RBIA) as a methodology that:
1. Links internal auditing to an organisation's overall risk management framework
2. Allows internal audit to provide assurance to the board that risk management processes are managing risk effectively in relation to the risk appetite.

Traditional approach versus risk based IA approach

Traditional internal audit approach | Risk based internal audit approach
Audit plan based on the audit cycle (time duration) | Audit plan based on the results of the business units' risk evaluation. Risky areas are covered first and more frequently
Important risks might not be covered in the audit program | Provides assurance that important risks are being managed properly
Focus on deficiencies in controls and cases of non-compliance with P&P | Focus on risks that are not properly controlled and/or overly controlled
An understanding of business unit operations is built through time-consuming process mapping exercises and might rely on outdated P&P manuals | In-depth understanding of the business unit operations through risk assessment workshops and with the participation of the business unit management
Internal audit resources are spread over all business units/activities | More efficient use of internal audit resources by concentrating on risky units/areas
Disagreement with the business unit management over the action plans, leading to delays in implementation | Facilitates consensus with line management on the needed action plans, thus improving timely and effective implementation of corrective measures
Disagreement with the business unit management on the importance of the findings raised by internal audit | The importance of risks is established during the risk assessment phase and in agreement between internal audit and the business unit management
Subjective internal audit ratings; they mainly rely on the auditor's judgment on the importance of the findings | More objective ratings (findings are classified in accordance with pre-agreed risk importance criteria)

Internal Audit Rating Policy


Rating matrix

Rows give the share of key controls working; columns give the size of the gap relative to the acceptable gap. Each cell is the resulting internal audit rating.

Key controls working | Within acceptable gap | 1% – 20% above acceptable | 20% – 40% above acceptable | >40% above acceptable
All | A | A | B+ | B
Up to 80% | B | B | C+ | C
50% – 80% | C | C | D | D
20% – 50% | D | D | D | D