
Enterprise Risk Management and Risk Based Internal Audit
Grant Thornton Recommended Methodology

Nasser Barakat, Partner, Grant Thornton – Business Risk Services

Source: …spatialco.com/audit/wp-content/uploads/03-Nasser_Barakat.pdf
© 2015 Grant Thornton. All rights reserved.


Scope of Risk Definition


What is risk?

A range of possible negative events that could take place in an uncertain environment. Each of these events could have a significant impact on the organisation and its goals.


Risk is anything that will prevent you from achieving your business objectives…


Diagram: Risk in relation to work unit assets (resources), management processes, work unit objectives and the organisation's objectives.


Control Broadly Defined


Control … is broadly defined as ‘the combination of many factors which support people in their efforts to achieve their business objectives’.


Linking risks, controls and objectives

Diagram: Risk and Control linked to Business/Quality Objectives and to the desired end results/outcomes.



What is Risk Management?


Risk management … represents the diversity of actions management takes in order to mitigate some or all of the business risks.


Risk management alternatives (risk mitigation techniques)

- TERMINATE: avoiding risk
- TREAT: reducing the impact and/or probability of risk (assurance)
- TOLERATE: retaining risk (acceptance)
- TRANSFER: passing on risk, either by transferring the activity (e.g. subcontracting) or by transferring responsibility (e.g. insurance)


Components of risks

Diagram: RISK shown as the sum of three components: adequately controlled, insured and accepted.


GT methodology for the implementation of an enterprise risk management system and risk based internal audit


CRSA: Control and Risk Self Assessment


CRSA is a process in which staff collectively:

- identify business uncertainties in their area of responsibility
- assess their control activities
- develop actions for improvements

under the guidance of risk management.


Diagram: the CRSA process in five stages (Stage 1 to Stage 5). Boxes shown on the slide:

- Workshop: identify and assess risks and controls
- Workshop: building a risk and control matrix
- Development of compliance tests
- Management sign-off
- Testing (by both I.A. and business unit)
- Reports on the test results
- Reports on CRSA
- Senior management and the board
- Internal audit report
- Develop and conduct substantive tests
- Internal and external loss data


The CRSA workshop

The following risk/control matrix lists some of the operational risks and controls related to a bank’s International Brokerage function.



Components of risks

Diagram: RISK broken down into adequately controlled, insured, and the remaining gap, which is shown as an acceptable gap, an actual gap and a working gap.


Risk Based Internal Audit


What is RBIA?

The Institute of Internal Auditors defines Risk Based Internal Auditing (RBIA) as a methodology that:

1. Links internal auditing to an organisation’s overall risk management framework
2. Allows internal audit to provide assurance to the board that risk management processes are managing risk effectively in relation to the risk appetite.


Traditional approach versus risk based IA approach

Traditional internal audit approach: Audit plan based on the audit cycle (time duration).
Risk based internal audit approach: Audit plan based on the results of the business units' risk evaluation. Risky areas are covered first and more frequently.

Traditional internal audit approach: Important risks might not be covered in the audit program.
Risk based internal audit approach: Provides assurance that important risks are being managed properly.

Traditional internal audit approach: Focus on deficiencies in controls and cases of non-compliance with P&P.
Risk based internal audit approach: Focus on risks that are not properly controlled and/or overly controlled.

Traditional internal audit approach: An understanding of business unit operations is built through time-consuming process mapping exercises and might rely on outdated P&P manuals.
Risk based internal audit approach: In-depth understanding of the business unit operations through risk assessment workshops and with the participation of the business unit management.

Traditional internal audit approach: Internal audit resources are spread over all business units/activities.
Risk based internal audit approach: More efficient use of internal audit resources by concentrating on risky units/areas.

Traditional internal audit approach: Disagreement with the business unit management over the action plans, leading to delays in implementation.
Risk based internal audit approach: Facilitates consensus with line management on the needed action plans, thus improving timely and effective implementation of corrective measures.

Traditional internal audit approach: Disagreement with the business unit management on the importance of the findings raised by internal audit.
Risk based internal audit approach: The importance of risks is established during the risk assessment phase and in agreement between internal audit and the business unit management.

Traditional internal audit approach: Subjective internal audit ratings; they mainly rely on the auditor’s judgment on the importance of the findings.
Risk based internal audit approach: More objective ratings (findings are classified in accordance with pre-agreed risk importance criteria).


Internal Audit Rating Policy


Rating matrix

Rows: proportion of key controls working. Columns: size of the gap relative to the acceptable gap. Cells the slide leaves empty are left empty here.

Key controls working | Within acceptable gap | 1% – 20% above acceptable | 20% – 40% above acceptable | >40% above acceptable
All                  | A                     | A                         | B+                         | B
Up to 80%            | B                     | B                         | C+                         | C
50% – 80%            | C                     | C                         | D                          | D
20% – 50%            | D                     | D                         | D                          |
<20%                 | D                     | D                         |                            |


Conclusion

The Grant Thornton methodology:

- Allows for the identification, assessment and monitoring of all types of risks
- Moves the responsibility for control monitoring/improvement to line management
- Allows for the quantification of the ‘GAP’ in the control environment
- Facilitates agreement with business units on the implementation of recommendations
- Concentrates audit efforts and resources on ‘high risk’ areas
- Provides assurance on whether risks are properly mitigated


Grant Thornton recommended three lines of defence framework

Diagram: First line of defence – lines of business and committees; Second line of defence – risk management and compliance; Third line of defence – internal audit. Control components shown alongside the three lines: control environment, risk assessment, control activities, information and communication, monitoring activities.


Questions and Feedback