aa205 revision notes


Upload: alwin-tan

Post on 05-Apr-2018


Page 1: AA205 Revision Notes

8/2/2019 AA205 Revision Notes

http://slidepdf.com/reader/full/aa205-revision-notes 1/32

 

AY 2008/2009: Year 3 Semester 1

AA205 Revision Notes


Seminar 1: Introduction

CERM Executive Summary

COSO ERM capabilities:

1.  Aligning risk appetite and strategy

-  Considers risk appetite in evaluating fit with strategic alternatives, then sets objectives aligned with the selected strategy and develops mechanisms to manage the related risks

2.  Enhancing risk response decisions

-  Identify and select: Avoidance, Reduction, Sharing and Acceptance

3.  Reducing operational surprises and losses

-  Capability to identify potential events, assess risks, and establish responses

4.  Identifying and managing multiple and cross-enterprise risks

5.  Seizing opportunities

-  Considers opportunities, which are channelled back to strategy and objectives

6.  Improving deployment of capital

-  Helps assess overall capital needs and thus enhances capital allocation

7.  Supporting sustainable growth

-  Integration of risk management into the decision-making process and strategic planning

ERM helps an entity get to where it wants to go and avoid pitfalls and surprises along the way

Components of ERM

1.  Internal Environment

2.  Objective Setting

3.  Risk Identification

4.  Risk Assessment

5.  Risk Responses

6.  Control activities

7.  Information and communication

8.  Monitoring

Relationships between components and objectives:


To determine the effectiveness of ERM, we need to ascertain that the right components are present and functioning properly. For that to happen, there can be no material weakness and risks need to be brought within appetite

Limitations of ERM:

1.  Human judgement can be faulty (decisions made when weighing costs and benefits)

2.  Human failures such as simple mistakes

3.  Controls can be circumvented by collusion

CERM Chapter 1: Definitions

Entities exist to provide value for stakeholders. All entities face uncertainty, and the challenge for management is to determine how much uncertainty the entity is prepared to accept as it strives to grow stakeholder value

Globalisation, technology, restructurings, changing markets, competition and regulations are all sources of uncertainty

Value is maximised when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks

ERM can be applied in strategy setting, in which management considers risks related to alternative strategies, assisting them in evaluating and selecting the strategy and objectives

ERM considers inter-related risks from an entity-level portfolio perspective. Risks for individual units of the entity may be within risk tolerances, but taken together may exceed the risk appetite of the entity as a whole

ERM enables management to make informed risk-based decisions, but a particular decision does not determine the effectiveness of ERM

Seminar 2: Corporate governance and Internal Environment

CERM Chapter 2: Internal Environment 

Internal Environment encompasses the tone of an organisation, influencing the risk consciousness of its people, and is the basis of the other components of ERM

Components of Internal Environment:

1.  Risk Management Philosophy

-  Shared beliefs and attitudes characterising how the entity considers risks in everything it does

-  Reflected in virtually everything management does in running the entity: policy statements, oral and written communications, and decision making

-  Ideally, the philosophy is well developed, understood and embraced by everyone

2.  Risk Appetite

-  The amount of risk, on a broad level, an entity is willing to accept in pursuit of its goals


-  Reflects the risk philosophy, which in turn influences the entity's culture and operations

-  Qualitative: High, Moderate, Low

-  Quantitative: Balance goals for growth and return with risks

3.  Board of Directors

-  Appointed by shareholders to govern the company

-  Should possess an appropriate degree of management, technical and other expertise, coupled with the mind-set necessary for oversight responsibilities

-  Should be a fair representation of both management's and shareholders' interests: a balance of internal and independent directors

-  Plays a key role in driving corporate governance, and ultimately, the internal environment

4.  Integrity and Ethical values

-  Top management sets the tone on ethics; their actions become embedded in the corporate culture

-  Ethical behaviour is a by-product of corporate culture, the unwritten rules of conduct. Culture, in turn, is shaped by behaviours

-  Individuals may engage in dishonest, illegal and unethical acts simply because the entity provides them with strong incentives to do so, e.g. undue pressure on results

5.  Commitment to competence

-  Management decides how well tasks need to be accomplished, weighing the entity's strategy and objectives against plans for their implementation and achievement

-  A trade-off between competencies and costs often exists

6.  Organisational structure

-  Provides the framework to plan, execute, control and monitor activities

-  Defines key areas of authority and responsibility and establishes lines of reporting, e.g. IA should be permitted access to top management

7.  Assignment of authority and responsibility

-  Degree to which individuals and teams are authorised and encouraged to use initiative to address issues and solve problems

-  Strikes a balance between delegation and reporting: the former is more flexible but more susceptible to risks; the latter vice versa

8.  Human resource standards

-  Practices pertaining to hiring, orientation, training, evaluating, counselling, promoting, compensating, and taking remedial actions

-  Send a message regarding the expected level of integrity, ethics and competence

-  Disciplinary actions send a message that violations of expected behaviours are not tolerated


Tutorial

Matters covered in Corporate Governance 2005:

1.  Board matters: Conduct of affairs, composition and guidance, chairman and CEO, board membership, board performance, access to information

2.  Remuneration matters

3.  Accountability and audit

4.  Communications to shareholders

5.  Disclosure of corporate governance arrangements

ERM affects only the personnel in an entity. Melding corporate governance with ERM, directors, senior management, internal and external auditors, and risk owners must work interdependently

Speculation: Selecting investments with higher risks in order to profit from anticipated price movements

Hedging: Making an investment to reduce the effect of adverse price movements in an asset. Normally, a hedge consists of taking an offsetting position in a related security

Sophisticated investors use a combination of speculative investments and hedging strategies to limit potential losses

Seminar 3 and 5: Objective setting and Event identification

CERM Chapter 3: Objective Setting

Steps in setting objectives:

1.  In considering alternative ways to achieve strategic objectives, management identifies risks associated with a range of strategy choices and considers their implications

2.  The right entity-level objectives that support and are aligned with the selected strategy are then established

3.  Entity-level objectives are linked and integrated with more specific activity-level objectives, such as for sales, production and engineering

4.  Critical success factors are set to help management identify measurement criteria for performance

Categories of objectives

1.  Strategic: High-level goals, aligned with and supporting the entity's mission

2.  Operations: Effective and efficient use of resources

3.  Reporting: Reliability of the entity's reporting, including internal and external, financial and non-financial information

4.  Compliance: Compliance with applicable laws and regulations

Achieving reporting and compliance objectives is largely within the entity's control, while strategic and operations objectives are not solely within the entity's control, e.g. being outperformed


There is a relationship between an entity's risk appetite and strategy. Usually a number of different strategies can be designed to achieve the desired outcome. ERM helps management select a strategy that is consistent with its risk appetite

Differences between risk appetite and tolerances:

-  Appetite: Amount of risk willing to be accepted in pursuit of mission/strategy

-  Tolerance: Acceptable level of variation relative to the achievement of a specific objective, best measured in the same units as that objective

Performance measures are used to ensure that results will be within established risk tolerances, e.g. target on-time delivery at 98%, with acceptable variation in the range of 97%-100%

Operating within risk tolerances provides management with greater assurance that the entity remains within its risk appetite, which in turn provides a higher degree of comfort that objectives are met

CERM Chapter 4: Event Identification

Management identifies potential events that, if they occur, will affect the entity, and determines whether they represent opportunities or risks

Events may be driven by external or internal factors:

External factors and events (PEST, P5F)

-  Economic: Price movements, capital availability, barriers to entry, new competitors

-  Natural environment: Floods, fire, earthquakes etc

-  Political: Political agendas, laws and regulations, tax rates

-  Social: Changing demographics, social mores, family structures, terrorism activity

-  Technological: New means of electronic commerce, expanded availability of data

Internal factors and events

-  Infrastructure: Increasing capital for preventive measures, improving customer satisfaction

-  Personnel: Workplace infrastructure, fraudulent activities, loss of available personnel

-  Process: Process execution errors, inefficiency, customer dissatisfaction, loss of repeat business

-  Technology: Security breaches, potential system downtime

Note: Events can be identified at entity level or activity level

Event identification techniques look to both the past and the future:

-  Past: Focuses on past events and considers trends, e.g. payment default histories

-  Future: Focuses on future exposures, e.g. changing demographics

Event identification techniques:

1.  Event inventories: Detailed listing of events common to companies in the industry

2.  Internal analysis: Part of the routine business planning cycle, e.g. via staff meetings


3.  Escalation or threshold triggers: Alert management to areas of concern by comparing current transactions or events with predefined criteria

4.  Facilitated workshops and interviews: Management, staff and other stakeholders

5.  Process flow analyses, e.g. BPA

6.  Leading event indicators: By monitoring data correlated to events, the entity identifies conditions that could give rise to events, e.g. monitoring payment patterns enables potential defaults to be mitigated by timely action

7.  Loss event data methodologies: Past individual loss events are examined to identify trends and root causes

Events can be interdependent: one event can trigger another. It's important to understand how events relate to one another so as to determine where best to direct risk management efforts

Event categories are useful to:

-  Develop an understanding of relationships between events

-  Consider the completeness of event identification

Tutorial

Relationship between objectives and mission (flow): Entity's mission/vision -> Strategic and related objectives -> Critical success factors -> Key performance indicators -> Feedback: are objectives met?

Implications of clients' risk management for external auditors:

-  Understand the client's control environment

-  Sets financial statement expectations

-  Assess risk of material misstatements

-  Assess viability of clients

-  Anticipate clients' needs


2 frameworks for identifying events:

1.  Entity level: Entity-level business model -> Business objectives

-  Usefulness: Considers both external and internal perspectives in identifying risks

-  Disadvantage: Does not look at individual processes, may not be in-depth enough, does not consider which objectives are threatened


2.  Process level: Business process analysis -> Process objectives

Usefulness

-  Value chain analysis: Analyses the contribution of individual activities in a business to the overall level of customer value

-  Considers all supports of a business process, e.g. inputs, outputs, systems

-  Linked specifically to process objectives

Weaknesses

-  May be too narrowly viewed, i.e. lacks links to strategic objectives

-  Does not consider the effect of other business processes on the one analysed

Readings

The point of risk management is not to eliminate risk, but to manage it to an appropriate level: not too high and not too low. No risk, no reward!

Emergent risks arise from actions taken in multiple areas of the company that by themselves do not increase risk (and may even reduce it), but combined can dramatically increase it. For example, the need for a rare metal to develop a product:

-  Purchasing: Hedges by entering long-term contracts to purchase the metal at a locked price

-  R&D: Develops new products that do not require the rare metal

-  Result: New products no longer require the rare metal the company is committed to purchasing

6 dimensions of risk

1.  Likelihood of a relevant trend or event

2.  Magnitude of the effects of the trend or event

3.  Degree of uncertainty in estimating event likelihood

4.  Degree of uncertainty in estimating event magnitude

5.  The ability to influence event likelihood

6.  The ability to influence event magnitude


Shortcomings of ERM

-  Ability to collect all relevant data needed to manage risks internally and externally

-  Ability to employ analytical tools that address not only historical data, but can project risks and impact for events that have never previously occurred

-  Ability to identify a chain of events that may follow an initial loss event and accurately project the impact of 'ripple' effects emanating from that event

Seminar 6 and 9: Qualitative and Quantitative Risk Assessment

CERM Chapter 5: Risk Assessment 

Risk assessment allows an entity to consider the extent to which events have an impact on objectives. Management assesses events from 2 perspectives, likelihood and impact, and normally uses a combination of qualitative and quantitative methods

Inherent risk: Risk in the absence of any actions management might take to alter likelihood and impact

Residual risk: Risk remaining after risk responses have been developed

Considerations when assessing risks

1.  The time horizon used to assess risks should be consistent with the time horizon of the related strategy and objective. Management needs to be cognizant of objectives with longer timeframes and not ignore risks that may be further out

2.  Impacts should be measured in the same terms that the objective is measured in

3.  Certain risks may have slight impacts on their own, but when combined with related risks, they can become more significant

4.  An objective may be affected by several events; an event may also threaten several objectives

5.  Perceptions of risks may differ

-  Ground level thinks it's serious

-  High level may think less so (understands the mechanisms in place, e.g. hedging)

Estimates of likelihood and impact are made using

-  Internal data: e.g. existing risk registers, company websites, workshops, surveys

-  External data: e.g. news, credit agencies, analysts' reports, competitors' websites

Assessment flow: Assess inherent risks -> Identify risk responses -> Assess residual risks


Assessment techniques

Qualitative

-  Uses words (e.g. high, low) to describe the magnitude of an event and its likelihood

-  Subject to biases and can be highly influenced by perceptions:

1.  Overconfidence: Mitigated by evidence

2.  Framing biases: positively framed questions make respondents risk averse; negatively framed questions make them risk seeking

-  Used to provide snapshots relatively quickly and inexpensively, or when risks do not lend themselves to quantification

-  The simplicity of qualitative risk assessment represents an inherent risk that quantification methods can address

-  E.g. "GroupSystem" technology enables real-time, rapid data collection in face-to-face and remote "risk storm" sessions

Quantitative

-  Typically brings more precision and is used in more complex and sophisticated activities to supplement qualitative techniques

-  Disadvantages:

1.  Requires a higher degree of effort, rigour and expertise

2.  Highly dependent on the quality of the supporting data and assumptions

3.  More relevant to risks with a known history and frequency of variability

-  Tends to be more accurate and more objective

-  Provides a basis for comparison with the past and for comparison with others (benchmarking)

-  E.g. Benchmarking, probabilistic models, and non-probabilistic models

PwC Lecture: Qualitative Risk Analysis

6 key elements of an effective Corporate Governance Framework:

1.  Board structure and composition

2.  Board operation and effectiveness

3.  Strategy, planning and monitoring

4.  Robust risk management and compliance processes

5.  Transparency and disclosure

6.  Corporate citizenship (social, ethics and environment)


Process risks are often not given enough emphasis: they may snowball into something serious

Relating strategy, objectives, appetite and tolerance:

Risk categories are identified by considering key drivers and stakeholders, business objectives and current processes. Breaking risks into categories helps ensure the full spectrum of risks is considered. Common categories:

1.  Business and strategic risks

2.  Operational risks

3.  Financial risks


Qualitative risk measurement scale- Likelihood

Qualitative risk measurement scales- Impact


Seminar 7: Risk Response

CERM Chapter 6: Risk Response

4 main kinds of risk responses:

1.  Avoidance: Exiting the activities that give rise to the risk

2.  Reduction: Action is taken to reduce likelihood, impact, or both

3.  Sharing: Reduce likelihood or impact by transferring a portion of the risk, e.g. hedging

4.  Acceptance: No action is taken to affect likelihood or impact

In determining the risk response, management should consider things such as:

1.  The effect on risk likelihood and impact, i.e. which response options align with the entity's risk tolerances

2.  Costs and benefits of the response

3.  Possible opportunities to achieve objectives

As such, the risk response chosen may not always be the one that results in the least amount of risk

Sometimes a combination of responses can be used to address a single risk. Conversely, sometimes one response can affect multiple risks

Recognise that some level of residual risk will always exist, not only because resources are limited, but also because of future uncertainty and the limitations inherent in all activities

Tutorial

The TRAP response to risks: Terminate, Reduce, Accept, Pass

If a particular response is unable to bring us down to within appetite, we can carry out responses in a series of steps or concurrently

Decisions should take account of the need to consider carefully rare but severe risks that may warrant risk treatment actions that are not justifiable on strictly economic grounds

One should always determine the cause of the risk before deciding on a response: treat where the problem comes from!

In coming up with responses, are there any risks that will be invoked which:

-  Threaten the objective it is trying to protect?

-  Threaten other business objectives?

Other considerations

-  Acceptability: Acceptable to relevant stakeholders?

-  Administrative efficiency: Is it easy to implement?

-  Compatibility: Is it compatible with others that may be adopted?

-  Continuity: Short-term or long-term effect?

-  Regulatory: Does the treatment breach any regulatory requirements?

-  Risk creation: Does the treatment introduce more risks?

-  Economic, social and environmental: Any effects?

-  Cost-benefit considerations:

Seminar 8: Control activities

CERM Chapter 7: Control activities

While controls are generally established to ensure risk responses are appropriately carried out with respect to certain objectives, sometimes control activities themselves are the risk response

Control activities include approvals, authorisations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties

In some instances, a single control activity addresses multiple risk responses. In others, multiple control activities are needed for one risk response

Selection of controls should include consideration of their relevance and appropriateness to the risk response and related objectives

Categories of controls: Preventive, Detective, Manual, Computer, Monitoring, IT-dependent, Complementary


Types of control activities:

-  Top-level reviews: Review actual performance against budgets, forecasts, prior periods and competitors

-  Information processing: Check accuracy, completeness, and authorisation of transactions

-  Physical controls: Assets are physically secured and periodically counted

-  Performance indicators: Relating different sets of data, together with analyses of the relationships and investigative and corrective actions

-  Segregation of duties: Duties divided to reduce the risk of error or fraud

Controls over information systems can be separated into 2 main kinds:

1.  General controls: Apply to many if not all application systems and help ensure their continued, proper operation

2.  Application controls: Computerised steps within application software to control processing, focusing directly on completeness, accuracy, authorisation and validity

General Controls

-  Information Technology Management: Steering committee to provide oversight

-  Information Technology Infrastructure: Controls applied to installation, configuration, integration and maintenance

-  Security Management: Logical access controls such as passwords

-  Software acquisition and development: Manage change, including acceptance testing, stress testing and project risk assessment

Application Controls

-  Balancing control activities: Detect data capture errors by reconciling amounts entered

-  Check digits: Validate data by calculations

-  Predefined data listing: Provide the user with predefined lists of acceptable data, e.g. vendor lists

-  Data reasonableness test: Compare data with a present or learned pattern of reasonableness

-  Logic tests: Include use of range limits or value or alphanumeric tests

Tutorial

Information Processing Objectives and their definitions

-  Completeness: All transactions that occur are processed once and only once

-  Accuracy: Transactions are recorded at the correct amount, in the appropriate account and proper period

-  Validity: Only authorised economic events that actually occurred are entered

-  Restricted Access: Data protected against unauthorised amendments and access. Physical assets are appropriately restricted to authorised personnel. Can be difficult to achieve the other 3 objectives without this
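As an added illustration of the application controls listed above (check digit, predefined data listing, logic tests, data reasonableness test, balancing control) and of the information processing objectives in this tutorial table, the following Python was written for these notes and is not COSO, COBIT or course code; it runs a constructed vendor payment batch through each control and tags every exception with the objective it protects. The mod-10 (Luhn) check digit scheme, the limits and all sample data are assumptions.

```python
"""Application controls over a constructed batch of vendor payment records.

Added example for these revision notes (not COSO, COBIT or course code).
Each exception is tagged with the information processing objective it
protects: completeness, accuracy or validity.
"""
from statistics import median

# Constructed sample master data (assumptions, not from the notes):
# the approved vendor list is the "predefined data listing" and the past
# payments are the "learned pattern" used by the reasonableness test.
APPROVED_VENDORS = {"12345678903": "Acme Supplies", "79927398713": "Globex Ltd"}
PAST_PAYMENTS = {
    "12345678903": [1200.00, 1350.00, 1180.00, 1420.00],
    "79927398713": [80.00, 95.00, 88.00],
}
AMOUNT_LIMIT = 10_000.00       # logic test: range limit on a single payment
REASONABLENESS_FACTOR = 3.0    # flag amounts above 3x the vendor's median


def luhn_valid(number: str) -> bool:
    """Check digit control: assumed mod-10 (Luhn) scheme on the vendor id."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_record(rec: dict, approved: dict, past: dict) -> list:
    """Record-level controls. Returns (objective, control, message) tuples."""
    ex = []
    vid, amt, inv = rec["vendor_id"], rec["amount"], rec["invoice"]
    # A check digit catches keying errors in the vendor id (accuracy); only a
    # well-formed id is then looked up on the approved list (validity).
    if not luhn_valid(vid):
        ex.append(("accuracy", "check digit", f"vendor_id {vid} fails check digit"))
    elif vid not in approved:
        ex.append(("validity", "predefined listing", f"vendor_id {vid} not on approved vendor list"))
    # Logic tests: value/range limit on the amount, alphanumeric test on the invoice reference.
    amount_ok = isinstance(amt, (int, float)) and 0 < amt <= AMOUNT_LIMIT
    if not amount_ok:
        ex.append(("accuracy", "logic test", f"amount {amt!r} outside (0, {AMOUNT_LIMIT}]"))
    if not inv.isalnum():
        ex.append(("accuracy", "logic test", f"invoice {inv!r} is not alphanumeric"))
    # Reasonableness test against the vendor's learned payment pattern.
    hist = past.get(vid)
    if hist and amount_ok and amt > REASONABLENESS_FACTOR * median(hist):
        ex.append(("accuracy", "reasonableness",
                   f"amount {amt:.2f} exceeds {REASONABLENESS_FACTOR}x vendor median {median(hist):.2f}"))
    return ex


def run_batch(batch: list, control_total: float,
              approved: dict = APPROVED_VENDORS, past: dict = PAST_PAYMENTS) -> dict:
    """Batch-level run: record controls, duplicate check and balancing control.

    Returns {record_id: [exceptions]}; the key "BATCH" carries batch-level exceptions.
    """
    exceptions = {}
    seen = set()
    for rec in batch:
        ex = validate_record(rec, approved, past)
        key = (rec["vendor_id"], rec["invoice"])
        if key in seen:          # completeness: once and only once
            ex.append(("completeness", "duplicate", "vendor/invoice pair already processed"))
        seen.add(key)
        if ex:
            exceptions[rec["id"]] = ex
    # Balancing control: amounts entered must reconcile to the batch control total.
    entered = sum(r["amount"] for r in batch if isinstance(r["amount"], (int, float)))
    if round(entered - control_total, 2) != 0:
        exceptions["BATCH"] = [("completeness", "balancing",
                                f"entered {entered:.2f} != control total {control_total:.2f}")]
    return exceptions


# Constructed batch of six payment records (sample data, not from the notes).
SAMPLE_BATCH = [
    {"id": "T1", "vendor_id": "12345678903", "invoice": "INV1001", "amount": 1300.00},  # clean
    {"id": "T2", "vendor_id": "12345678904", "invoice": "INV1002", "amount": 1250.00},  # keying error in id
    {"id": "T3", "vendor_id": "55555555550", "invoice": "INV1003", "amount": 500.00},   # well-formed but unapproved
    {"id": "T4", "vendor_id": "79927398713", "invoice": "INV1004", "amount": 4500.00},  # far above vendor history
    {"id": "T5", "vendor_id": "12345678903", "invoice": "INV1001", "amount": 1300.00},  # duplicate of T1
    {"id": "T6", "vendor_id": "79927398713", "invoice": "INV-9", "amount": 12000.00},   # over limit, bad reference
]

if __name__ == "__main__":
    for rec_id, exs in run_batch(SAMPLE_BATCH, control_total=20850.00).items():
        for objective, control, msg in exs:
            print(f"{rec_id}: [{objective}/{control}] {msg}")
```

Running the module lists one exception per control that fired; only T1 passes, and the batch balances because the constructed control total equals the entered amounts.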


Seminar 10: IT Governance and Risk Management

COBIT 4.1 Executive Summary and Framework 


Why the need for a control framework for IT governance

-  Increasing realisation of the importance of information to the success of the enterprise

-  To heighten the understanding of IT in order to leverage it for competitive advantage

Characteristics of Control Objectives for Information and related Technology (COBIT)

1.  Business-focused

2.  Process-oriented

3.  Controls-based

4.  Measurement-driven

1. Business-Focused


Information criteria

-  Effectiveness: Relevant information delivered in a timely, correct, consistent and usable manner

-  Efficiency: Productive and economical use of resources

-  Integrity: In accordance with business values

-  Availability: Available for processes; safeguarded

-  Compliance: With laws, regulations and contractual obligations

-  Reliability: Appropriate information to exercise fiduciary and governance responsibilities

IT resources

-  Applications: Automated user systems and manual procedures to process information

-  Information: Data used by the business

-  Infrastructure: Technology and facilities that enable the processing of applications

-  People: Personnel required: internal, contract, outsourced

2. Process-Oriented

IT activities form a generic process that can be separated into 4 interrelated domains

1.  Plan and Organise (PO)

-  Provides direction to solution delivery (AI) and service delivery (DS)

-  Identifies the way IT can best contribute to the achievement of business objectives

2.  Acquire and Implement (AI)

-  Provides solutions

-  IT solutions are developed or acquired, as well as implemented and integrated into the business process

3.  Deliver and Support (DS)

-  Receives the solutions and makes them usable for end users

-  Actual delivery of required services

4.  Monitor and Evaluate (ME)

-  Monitors all processes to ensure that the direction provided is followed

-  Regularly assesses IT process quality and compliance with control requirements

Across these domains, COBIT identifies 34 IT processes

3. Controls-Based

In addition to control objectives for each domain (PO, AI, DS and ME), each process has generic control requirements identified by PCn. They should be considered together to have a complete picture of control requirements.

-  PC1 Process Goals and Objectives

-  PC2 Process Ownership: Roles and responsibilities of owners

-  PC3 Process Repeatability: Repeatable and produces consistent results

-  PC4 Roles and Responsibilities: Assign and communicate unambiguous roles

-  PC5 Policy, Plans and Procedures: Documentation, reviews and maintenance

-  PC6 Process Performance Improvement

Controls applied to all IT are known as general controls, which are necessary for reliance to be placed on application controls

General Controls

-  System Development

-  Change Management

-  Security

-  Computer Operations

Application Controls

-  Completeness

-  Accuracy

-  Validity

-  Authorisation

-  Segregation of Duties

Boundaries of Business, General and Application Controls

4. Measurement-Driven

Goals are defined at 3 levels:

1.  IT goals define what the business expects from IT

2.  Process goals define what the IT process must deliver to support the IT objectives

3.  Activity goals define what needs to happen inside the process to achieve the required performance

Metrics are defined as two different types

1.  Key Goal Indicators (KGI) indicate whether goals have been met. These can be measured only after the fact, and therefore are "lag indicators"

2.  Key Performance Indicators (KPI) indicate whether goals are likely to be met. They can be measured before the outcome is clear, and therefore are "lead indicators"


Relationships between Goals

Possible Outcome Measures

Tutorial

2 Factor Authentication (2FA)

-  What you know (password)

-  What you have (password-generating token)

-  What you are (biometrics) -> 3FA

Seminar 11: Information and Communication

CERM Chapter 8: Information and Communication

Financial information is used for developing financial statements for reporting purposes, and also for operating decisions, such as in monitoring performance and allocating resources (e.g. variance reports, budgets)

A challenge organisations face is in establishing an information system infrastructure to source, capture, process, analyse, and report relevant information

Information systems can be formal and informal. Conversations with customers, suppliers and regulators can provide critical information. Attendance at seminars can also provide valuable information


Strategic and Integrated Systems

-  As enterprises become more collaborative with customers and suppliers, the division between an entity's information systems architecture and that of external parties is increasingly blurred

-  Information systems are increasingly integrated into other aspects of operations (e.g. ERP); this allows real-time sharing of information among departments

Historical data

-  To track actual performance against targets, plans and expectations

-  To identify correlations and trends, and to forecast future performance

-  To determine whether the entity is remaining within established risk tolerances

Present data

-  Real-time view to identify variations from expectations

Information quality is defined as:

1.  Content is appropriate: Is it at the right level of detail?

2.  Information is timely: Is it there when required?

3.  Information is current: Is it the latest available?

4.  Information is accurate: Is the data correct?

5.  Information is accessible: Is it easy to obtain by those who need it?

Communication should effectively convey

-  Importance and relevance of effective ERM

-  The entity's objectives

-  The entity's risk appetite and risk tolerances

-  A common risk language

-  The roles and responsibilities of personnel in effecting and supporting the components of ERM

Internal Communications

-  Personnel should know how their activities relate to the work of others

-  Front-line employees are often in the best position to recognise problems as they arise

-  Must have open communication channels and a willingness to listen

-  Both the normal reporting line, and a channel that directs to the chief internal auditor or legal counsel

-  Personnel must understand there's no reprisal for reporting relevant information

-  Code of conduct, employee training sessions, etc

External Communications

-  Customers and suppliers can provide highly significant inputs

-  Open communication about risk appetite and tolerances, especially to others in the supply chain. This helps align risk philosophies with external parties

-  Communication to stakeholders, regulators and financial analysts helps them understand the circumstances and risks the entity faces

Means of communication: Policy manuals, memoranda, e-mails, bulletin boards etc, but nothing speaks louder than action!


Seminar 12: Monitoring

CERM 9: Monitoring

An entity's ERM changes over time. Risk responses that were once effective may become irrelevant; control activities may become less effective, or the entity's objectives may change. There is a need for constant monitoring.

Monitoring can be done in two main ways: ongoing activities and separate evaluations. The greater the degree and effectiveness of ongoing monitoring, the less need for separate evaluations.

Ongoing monitoring

•  Performed on a real-time basis, reacts dynamically to changing conditions, and is ingrained in the entity

•  Done in the ordinary course of running the business

•  Stems from regular management activities, such as variance analysis, comparisons of information, and reviewing reports

Separate evaluations

•  Take a fresh look from time to time, focus directly on ERM's effectiveness

•  Often due to trigger points such as a change in management or the economy

•  Usually take place after something goes wrong, and can be done by a 3rd party

Methodology: Checklists, questionnaires, and flowchart techniques

Readings: Role of IA in ERM

Core IA roles in regard to ERM

•  Giving assurance on risk management processes

•  Giving assurance that risks are correctly evaluated

•  Evaluating risk management processes

•  Evaluating the reporting of key risks

•  Reviewing the management of key risks

Legitimate IA roles with safeguards (consulting roles)

•  Facilitating identification and evaluation of risks

•  Coaching management in responding to risks

•  Coordinating ERM activities

•  Consolidating the reporting on risks

•  Maintaining and developing the ERM framework

•  Championing the establishment of ERM

•  Developing risk management strategy for board approval

Roles IA should NOT undertake

•  Setting the risk appetite

•  Imposing risk management processes

•  Taking decisions on risk responses

•  Implementing risk responses on management's behalf

•  Accountability for risk management

Internal audit can take on consulting services so long as it has no role in actually managing risks, to protect objectivity and independence. Safeguarding conditions are as follows:

1.  It should be clear that management remains responsible for risk management

2.  The nature of IA's responsibilities should be documented in the charter and approved by the AC

3.  IA should not manage any of the risks on behalf of management

4.  IA should provide advice, challenge and support to management's decision making, as opposed to taking risk management decisions itself


5.  IA cannot give objective assurance on any part of the ERM which it is responsible for developing. Such assurance should be provided by other suitably qualified parties

6.  Any work beyond assurance activities should be recognised as a consulting engagement and the relevant standards followed

Reading: Control Self-Assessment

CSA

•  Unique because internal control evaluations are performed by operational employees as opposed to internal or independent auditors

•  This forces employees to think about control and conditions for improvement

•  It instils a sense of ownership in these employees

•  Can be facilitated by IT such as "GroupSystems", which can also bypass problems such as lack of autonomy and groupthink

Advantages

•  Superior to traditional control evaluation techniques in evaluating "soft controls", such as controls over effectiveness of communications, corporate culture, ethics and integrity of management, and controls designed to drive customer satisfaction

•  Strengthens the control environment by making participants realise that internal control is everyone's responsibility

•  Conclusions from a facilitated team are typically superior to the results of traditional questionnaire evaluations

Weaknesses

•  May not be suitable for all cultures. Some employees may fear the consequences of their negative inputs

Seminar 13: Implementation issues in ERM

CERM Chapter 11: Limitations of ERM

Three distinct concepts must be recognised:

1.  Risks relate to the future, which is inherently uncertain

-  No one can predict the future with certainty

2.  ERM can help ensure that management and the board are aware of the extent to which the entity is moving toward achievement of its objectives

-  Certain events are outside management's control

3.  ERM cannot provide absolute assurance with respect to any of the objective categories

-  No process will always do what it is intended to do


Weaknesses of ERM

Judgment: Effectiveness of ERM is limited by the realities of human frailty in making business decisions

Breakdowns: Personnel may misunderstand instructions, and judgmental mistakes may break down even a well-designed ERM

Collusion: Collusive activities of 2 or more individuals can result in ERM failures which cannot be detected by the ERM process

Cost versus benefit: Due to resource constraints, entities must consider the relative costs and benefits of decisions. In a competitive industry, it is important to find the right balance in having the right amount of controls. Too much may reduce competitiveness (e.g. loan systems too cumbersome), while too little may increase risks.

Management override: A manager with criminal intent may still override the ERM to enhance financial condition or compliance status. Not to be confused with managerial intervention, which represents actions departing from prescribed policies for legitimate purposes.

Readings: Success factors for ERM

Success factors and their challenges

1.  Focus on strategy and business objectives

   Challenge: Do we have strong support from top management?

2.  Think broadly about the expansive range of risks facing your organisation

-  Many risks are related. Without understanding them and managing them in concert, the interplay and ability to offset some risks may be missed

   Challenge: Do we have sufficient resources for ERM?

3.  Recognise that ERM is a multi-year journey

   Challenge: How do we maintain the stamina needed for ERM?


Benefits of ERM

1.  Can reduce a bank's overall risk profile, which lowers the cost of capital

2.  Enables capital to be allocated more appropriately for long-term growth

3.  Leads to higher stock valuation and increased shareholder returns

Integrating BSC and ERM framework 


Seminar 14: Fraud and Ethics

Readings

Unethical behaviours may not be fraudulent (illegal), but fraudulent activities are definitely unethical.

The fraud triangle links the 3 conditions that fraud experts say are always present when fraud occurs. One can probably prevent fraud by eliminating one of them. It may be more practical and efficient to eliminate the 'Incentives' and 'Rationalisation'.

Branches of the fraud triangle

Opportunity: Sealing the cracks and gaps

•  Most effective, but most difficult way to prevent fraud

•  Requires anticipation through continuous assessment of possible fraud schemes, and implementing appropriate preventive control activities

Incentives/Pressure: Protect good people from committing bad acts

•  Can nullify fraud risk if the perpetrator believes that he or she will be detected and punished

•  The most powerful motivations derive from the pressure to avoid a loss

•  Individuals generally do not commit fraud without some form of incentive/pressure, such as the need to maintain employment, secure promotion, or impress the boss with strong performance

Rationalisation: What would their mother say?

•  Fraudsters generally do not think of themselves as bad people when they are committing the fraud

•  They often rationalise by assuring themselves that they will make it up the next quarter or that they are not hurting anyone. Some may even think the company owes them something.

•  The cynic's view is that one with powerful pressure and opportunity will find a way to rationalise their actions


Effective fraud risk management consists of:

1.  Fraud monitoring through detective control activities

2.  Contemporaneous management review

3.  After-the-fact fraud auditing

Seminar 15: Business Continuity Management

Readings

Business Continuity Management

•  A holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities

•  Frequency of man-made and natural disasters has increased in recent years

•  Impacts of disasters on businesses have increased thanks to technological advances, progressing globalisation, and the extension of supply chains

•  Although technology remains very important to businesses, connectivity exacerbates the negative impact of a prolonged business interruption

•  BC planning requires a cross-company perspective and can't be owned solely by the IT department

•  Risk assessment: Impact, Likelihood and Time

•  BCM is a subset of ERM

ERM

Risk management strategies (Avoidance, Reduction etc) are formulated before an event or risk occurs

BCM

Strategies and tactics focus on the processes that occur after an event. The objectives of those processes are to restore the business to normal operations as efficiently and effectively as possible

Business benefits of BCM

•  To differentiate their service-delivery or product-delivery resilience to potential customers

•  Thorough business impact analyses can expose business inefficiencies

•  Retaining customers following a disaster is less expensive than acquiring new customers

•  Successful crisis management experiences can boost morale and help prevent employee turnover following a disaster

Difficulty in implementing BCM

•  Vividness bias: Prevents individuals from thinking about troubling matters and major risks unless those issues play out, intensively and repeatedly, before their eyes

•  Competing priorities: Many companies resist BCM when more immediate and visible demands occupy them

•  Lack of standards: New discipline that has undergone dramatic evolutions in recent years


Business Continuity Institute (BCI) Good Practice Guidelines:

•  Understanding the organisation

-  Including business impact analysis to determine:

o  Critical business functions

o  Maximum tolerable period of disruption

o  Recovery time objective

•  Determining BCM strategy

-  Resources required, implementation time line etc

•  Developing and implementing BCM response

-  Monitoring by Business Continuity Team, media arrangements, communication with stakeholders

•  Exercising, maintaining, and reviewing BCM arrangements

-  Review to refresh the relevance of risks and threats identified; test runs to ensure the viability of BCM

•  Embedding BCM in the organisation's culture

-  Communications with employees, obtaining feedback, observations

-  Deliver through formal training sessions