
Drivers of GRM: SGX Listing Rule 719(1): An issuer should have a robust and effective system
of internal controls addressing the financial, operational and compliance risks; Rule 1207(10):
Opinion of the Board with the concurrence of the AC on the adequacy of the internal controls,
addressing financial, operational and compliance risks in the annual report; Principle 11

Corporate Governance: set of responsibilities and practices exercised by the Board and
executive management with the goals of strategic direction, achievement of objectives,
management of risks, responsible use of resources; Performance (Value creation and Resource
Utilisation) and Conformance (Accountability and Assurance); SG: two-tier Board, Comply or
Explain; Values: transparency, accountability, ethical, respect

Organisation: Why: Mission; What: Vision; How: Strategy; Board: Oversight role to protect
stakeholder rights and interests, approve policies, strategies & financial objectives, monitor
management performance, oversee processes for evaluating adequacy of IC, RM, FR and
compliance, approve nominations to Board & key personnel, approve budgets, major funding,
investment & divestment, to create long-term business value, assume responsibility for CG;
SMART Objectives; Directors: act in good faith in interests of company, with due care and skill,
avoid conflicts of interest, use powers for proper purposes

Risk governance structure (diagram labels): Shareholders; Regulators; Board (RCC, RM, AC, NC,
RC); CEO; Exec Committee; RM; ERM Processes; RMC; Mgmt RMC; Departmental Risk Owners; RM
Policies; Oversight; Mgmt Control; Structure; People; Resources

RM Process: Systematic application of mgmt. policies, procedures and practices; Establish
Context -> Identify Risks -> Analyse Risks -> Evaluate Risks -> Treat Risks, with Monitor &
Review and Communicate & Consult running alongside every step

Board: Instil culture and approach for risk governance, Oversight of RM systems and IC, review
key risks and mitigation plans, monitor exposure, Committees to meet min twice/year, record
minutes, report to Board on proceedings; AC: review adequacy & effectiveness of IC Framework,
Oversee FR risk, review effectiveness of IA and scope, independence, objectivity of EA and
appointing/removing EA and approval of EA's remuneration & terms of engagement; RMC: advise
Board on company's overall risk tolerance, review & recommend risk strategy & policies,
oversee design, implementation & monitoring of IC, review adequacy & effectiveness of risk
Framework, monitor implementation of risk mitigation plans, advise RC on risk weightings tied
to remuneration, review & approve risk statements in Annual Report; Management Comm:
responsible for effective implementation of RM practices at functional levels, review risk
assessments carried out by Business Units, assess RM systems and tools, efficiency &
effectiveness of mitigations and coverage of risk exposures

Code of CG principles

Board Matters (Structure, People):
1. Board's Conduct of Affairs: Effective board to lead and control the company & work with
management
2. Board Independence: substantial shareholder and immediate family member, or direct
association for past 3 years will not be considered independent; rigorous review for > 9 yrs; to
reveal independent director's relation to any external organisation making significant
transactions with company; if Chairman is directly linked to CEO, independent directors should
make up at least half of Board
3. Chairman and CEO: Clear division of responsibility between board and management
4. Board Membership: NC responsible for training and professional development of Board;
disclosure in Annual Report on induction, orientation and training, and number of listed
company Board representations of Directors; avoidance of alternate Directors unless in
exceptional cases, check for independence if replacing Independent Director
5. Board Performance: Formal assessment of board effectiveness
6. Access to information: Access to complete, adequate & timely information

Remuneration Matters (Incentive):
7. Remuneration Policies: Formal and transparent policies on remuneration
8. Appropriate mix to attract, retain, and motivate directors to provide good stewardship, key
management to manage successfully: Alignment of level and structure of remuneration with long
term interests and risk policies of Company; use of contractual provisions to reclaim
incentives in exceptional cases
9. Disclosure: Link between exec directors, key personnel remuneration and performance; on a
named basis of directors, CEO and top 5 key personnel in 250k bands; details of immediate
family members of a director or CEO whose remuneration > 50k

Accountability & Audit:
10. Accountability: Present a balanced and understandable assessment of performance, position
and prospects
11. Risk Governance, RM & IC: Responsibility of Board for governance of risk and determine
nature and extent of significant risks which Company is willing to take; ensure management
maintains sound system of RM and IC; assess appropriate means to assist in oversight of
Company's RM Framework and policies; Board to comment on assurance received from CEO or CFO
on true and fair view of Financial Statements and effectiveness of Company's RM & IC systems
12. AC terms of reference: > 2 members (incl. AC Chair) to have recent and relevant accounting
or related financial management expertise; review independence of EA annually, disclose
aggregate of fees paid to EA and breakdown of fees for audit and non-audit services, and
whistleblowing policies; ex-partner of existing EA should not sit on AC within 12 mths from
cessation
13. IA: adequately resourced, independent, appropriate standing, activities conducted
according to IIA standards, effectiveness of IA to be reviewed annually

Shareholder Rights & Responsibilities (Engagement):
14. Fair and equitable treatment of all shareholders, protection of minority interests;
guidelines on Company engagement with shareholders and vice versa
15. Active engagement, implement proper investor relations policy to promote regular,
effective and fair communication
16. Shareholder Participation: Company should put all resolutions to vote and announce
detailed results

Risk: Effect of uncertainty on objectives; Different aspects, levels; reference to potential
events and consequences; Appetite: broad amount (high/moderate/low) and type of risk (category)
willing to be accepted to pursue business objectives, achievement of clarity over risks that org
wishes to assume, basis for constant communication within stakeholders, explicit articulation of
risk attitudes of senior management, multi-dimensional and balanced view of risk appetite;
Tolerance: set by Board, Specific max risk (%/qty) willing to be undertaken regarding each
relevant risk, different expression for different classes of risk at different levels
(strategic, tactical, operational) of org structure, range of levels specific to type of risk,
depends on risk capacity (ability to carry and manage risks), varying perspectives from desired
credit rating, analyst and shareholder expectations; Risk Matrix: expressed in terms of
likelihood and consequence; RM: Coordinated activities to direct and control an organisation in
relation to risks affecting the achievement of objectives; Structure, Processes, People;
ISO 31000 5.3.4 Context: (which part of org to apply RM process) Objectives, strategies, scope
(depth and breadth), parameters of activities of organisation (time and location),
consideration of need to justify resources used in RM, specification of responsibilities,
authorities, records to be kept, relationships within projects, processes, activities, risk
assessment methodologies and evaluation methods of RM, focus on critical success factors;
2.13 Internal Context: Governance, org structure, roles & accountabilities, policies,
strategies, objectives, capabilities (time, resources), perceptions & values of internal
stakeholders, information systems and flows (formal & informal), standards & guidelines
adopted, form & extent of contractual relationships; Tools: Value Chain Analysis, (SW)OT,
McKinsey 7S; 2.12 External Context: include social, political, legal, regulatory, financial,
technological, economic, natural, competitive environment, key drivers and trends, relations,
perceptions and values of external stakeholders; Tools: SWOT, PESTLE, Porter's Five Forces
(Buyers, Suppliers, New Entrants, Substitutes, Industry Rivalry), Stakeholder Analysis (interest
& power); 2.8 RM Plan: scheme within RM Framework specifying approach, procedures, practices,
assignment of responsibilities, timing & sequence of events; 2.9 Risk Owner: relevant knowledge
& expertise, accountability & authority to manage the risk; 2.16 Assessment: Overall process of
identification, analysis and evaluation; 2.17 Identification: Finding, recognizing, describing
risk sources, events, causes, involve historical data, theoretical analysis, expert opinions,
stakeholders' needs; 2.18 Source: Element with intrinsic potential to give rise to risk;
2.19 Event: Occurrence or change of circumstances, near miss without consequence;
2.23 Analysis: Comprehend and determine (estimate) level of risk, basis for evaluation and
treatment; 2.24 Risk Criteria: Terms of reference against which significance of risk is
evaluated, defined at beginning of RM process (subject to review), based on org objectives
(internal & external), values & resources, can be derived from standards, laws, policies,
[definition & measurement of nature & type of causes and consequences, likelihood, timeframe,
view of stakeholders, cut-off point, combinations of risks]; 2.26 Evaluation: Compare level
with risk criteria to determine acceptability or tolerance and appropriate treatment;
2.27 Treatment: Modify risk (identify options: accept, reduce, share, avoid -> assess
feasibility -> prepare & implement -> analyse and evaluate residual risk), possibly create new
risks; Control: Process, policy, device, practice, measures that modify risk; 2.29 Residual
Risk: Risk remaining after treatment, aka retained risk; 2.30 Monitoring: Continual checking,
supervising, observing status to identify change in performance levels expected, can be applied
to RM Framework, Process, risks, controls; 2.31 Review: Determine suitability, adequacy,
effectiveness of subject matter to achieve objectives, can be applied throughout RM

Control Environment: sets the tone, influences control consciousness, provides discipline and
structure, includes integrity, values (code of conduct) and competence of people, management
philosophy and operating style, assignment of authority and responsibility, organisation and
development of people, attention and direction provided by Board; Controls: actions supported
by policies and procedures that, when carried out properly and timely, manage or reduce risk,
managers' responsibility, constantly modifying risks; IC: process designed to provide
reasonable assurance regarding the achievement of objectives in effectiveness & efficiency of
operations, reliability of FR, compliance with laws and regulations, safeguarding assets;
Preventive: proactive attempt to deter or prevent undesirable events from occurring, emphasize
quality, eg. Proper authorization (general & specific), blank approvals, adequate
documentation, written policies and procedures, supporting documentation; Detective: attempt
to detect undesirable acts, prevent losses, provide evidence for functioning of preventive
controls, eg. Reviews (budget to actual, current to prior, performance indicators, consistency
and reasonableness), analyses, variance analyses, reconciliations (identify, investigate,
explain, correct differences), audit; Both: Asset security (physical safeguards, maintenance
of records, periodic checks), segregation of duties (approval, record, reconcile, review, check
preparation & deposit, reduce risk of both errors and inappropriate actions, prevent collusion),
Infosys (general: maintain integrity and availability of business application processing,
ensure completeness and accuracy, access, data, program, physical security, disaster recovery &
frequent backups; application: prevent, detect and correct errors and irregularities as
transactions flow through business system, end-user computing and responsibility, input,
processing and output controls, edit checks, record counts, error listings); Effective
Controls: Both Preventive & Detective, strong soft controls; Assessment: Establish scope &
plan, consider responsibilities (parties who can provide meaningful perspective on relevant
risks), input (RM context, prior assessments, loss data, KRIs), output (specific requirements
of stakeholders), [1. Identify relevant business objectives (SWOT to identify critical success
factors, scope covering objectives related to strategy, operations, compliance, FR) ->
2. Identify events that could affect achievement (+ve & -ve, past events, analysts, reviews,
surveys) -> 3. Determine risk tolerance (same unit of measure applied to relevant objective) ->
4. Assess inherent likelihood and impact (internal and external data, build inherent risk map
for comparison against other risks, concentration of risks and analysis over time) ->
5. Evaluate portfolio of risks and determine response (compare levels with risk categories and
thresholds to determine response strategies, based on cost/benefit, resources and relative
importance to objectives) -> 6. Assess residual likelihood and impact (evaluate adequacy and
effectiveness) -> Monitor and document progress]

Risk Register (columns): Obj | Source | Risk | C b/IC | L b/IC | Risk Lvl b/IC | Existing IC |
C a/IC | L a/IC | Risk Lvl a/IC | Risk Target | Risk Treatment?
Example row: before IC (b/IC) C = H, L = H, Risk Lvl = H; after existing IC (a/IC) C = L,
L = L, Risk Lvl = L; Risk Target = L; Treatment? Y/N

*Failure of Controls: Inadequate knowledge, lack of separation of duties, inappropriate access
to assets, form over substance, override, collusion

Effective Governance: Design + Operations; Sound Board (4 pillars), Oversight, Management;
Strong Governance: require strong ethical base (people); Systemic Failure: Lack of regulation,
deregulation, imperfect information in markets lead to failure of theorized market forces, lack
of stakeholder involvement, internal system lapses; Lucifer Effect: situation and toxic
environment may induce good persons into irrational behaviour; Broken Windows Theory: Lack of
punitive action for small crimes may lead to bigger crimes, solves symptoms but not root
causes; Scandals: News of the World, Madoff, Lehman Brothers, Enron, AirOcean: Lack of
disclosure of market sensitive information, acquittal of 3 independent directors' convictions
due to dependence on professional advice, no material impact; Board Diversity: Complexity of
issues, demographic of employees and customers, failure of homogenous Boards, gender diversity
correlates to company performance; Challenges: 1. Market Discipline: meaningful disclosure,
active engagement of shareholders, 3rd parties such as analysts, media serve educational role,
to provide more holistic assessment of companies; 2. Board Competency: training to build
competency (SID-SMU Directorship program, professional certification, GTI), diversity to
represent a range of backgrounds and expertise to enable robust and rigorous considerations due
to inherent uncertainty of risks; 3. Right values: Board and management to maintain standards
and promote culture rooted in strong ethical frameworks, look to long-term maximisation of
shareholder value rather than short-term gains, excessive risks
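The six assessment steps and the risk register above can be worked as code. This is an added example, not from the original notes; the 3-point L/M/H scale, the L x C banding (L 1-2, M 3-4, H 6-9) and the sample register entries are assumptions, and the control_effect_ok check goes beyond the notes by flagging a register row whose claimed residual level is lower than inherent without any existing IC listed.

```python
"""Risk register scoring: inherent vs residual L x C, compared with a risk target."""
from dataclasses import dataclass

RATING = {"L": 1, "M": 2, "H": 3}   # assumed 3-point scale for likelihood and consequence


def band(score: int) -> str:
    """Map an L x C product (1..9) to a register band; thresholds are an assumption."""
    if score >= 6:
        return "H"
    if score >= 3:
        return "M"
    return "L"


def risk_level(likelihood: str, consequence: str) -> str:
    return band(RATING[likelihood] * RATING[consequence])


@dataclass
class RegisterEntry:
    objective: str
    source: str
    risk: str
    l_before: str          # L b/IC
    c_before: str          # C b/IC
    existing_ic: list[str]
    l_after: str           # L a/IC
    c_after: str           # C a/IC
    target: str            # Risk Target band set by the Board (tolerance)

    def inherent(self) -> str:
        return risk_level(self.l_before, self.c_before)

    def residual(self) -> str:
        return risk_level(self.l_after, self.c_after)

    def needs_treatment(self) -> bool:
        """Treatment? = Y when the residual level still exceeds the target."""
        return RATING[self.residual()] > RATING[self.target]

    def control_effect_ok(self) -> bool:
        """Sanity check on the assessment itself: existing IC can only lower the
        level, and a claimed reduction needs at least one control recorded."""
        reduced = RATING[self.residual()] < RATING[self.inherent()]
        not_worse = RATING[self.residual()] <= RATING[self.inherent()]
        return not_worse and (not reduced or bool(self.existing_ic))


def risk_map(entries: list[RegisterEntry]) -> dict[tuple[str, str], list[str]]:
    """Inherent risk map (step 4): bucket risks by (L, C) cell to show concentrations."""
    cells: dict[tuple[str, str], list[str]] = {}
    for e in entries:
        cells.setdefault((e.l_before, e.c_before), []).append(e.risk)
    return cells


def treatment_queue(entries: list[RegisterEntry]) -> list[str]:
    """Step 5: risks still above target, highest residual score first."""
    open_risks = [e for e in entries if e.needs_treatment()]
    open_risks.sort(key=lambda e: RATING[e.l_after] * RATING[e.c_after], reverse=True)
    return [e.risk for e in open_risks]


# Constructed sample register rows (illustrative values, not from the notes)
SAMPLE = [
    RegisterEntry("Reliable FR", "Payroll", "Fictitious employees padding labour cost",
                  "H", "H", ["Segregation of duties", "Payroll-to-HR reconciliation"],
                  "L", "L", "L"),
    RegisterEntry("Operations", "IT", "Loss of transaction data after outage",
                  "M", "H", ["Frequent backups"], "L", "H", "M"),
    RegisterEntry("Compliance", "Vendors", "Bribe paid to win contract",
                  "M", "H", [], "M", "H", "L"),
]


def summarise(entries: list[RegisterEntry] = SAMPLE) -> list[tuple[str, str, str, bool]]:
    """(risk, Risk Lvl b/IC, Risk Lvl a/IC, Treatment?) per register row."""
    return [(e.risk, e.inherent(), e.residual(), e.needs_treatment()) for e in entries]


if __name__ == "__main__":
    for row in summarise():
        print(row)
    print("Treat first:", treatment_queue(SAMPLE))
    print("Assessment consistent:", all(e.control_effect_ok() for e in SAMPLE))
```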

ERM: Process conducted by management to understand and deal with uncertainties
that could affect the org's ability to achieve its objectives (Institute of Internal
Auditors); a process effected by the Board of Directors, management and other
personnel, applied in strategy setting and across the enterprise, designed to
identify potential events that may affect the entity and limit risk taken to its risk
appetite, providing reasonable assurance regarding the achievement of entity
objectives (COSO); Difference b/w ERM and TRM: ERM collects information, analyses and
identifies connections, correlations, concentrations of risk to help senior management
allocate and prioritise resources for risks that affect company strategy and mission;
Additional dimensions for risk measurement: agility (accelerators), active/inactive
status, strength of control environment
ISO 2.14 Communicate & Consult: Continual and iterative processes that an
organisation conducts to provide, share or obtain information and to engage in
dialogue with stakeholders and others regarding the management of risk,
information relating to existence, nature, form, likelihood, severity, evaluation,
acceptability, treatment or other aspects of RM; Consultation is a two-way process
of informed communication b/w org and important stakeholders (high power &
influence) prior to making a decision, through influence rather than power, as an
input and not joint decision-making; Essential Elements of C&C plan include
objectives (building awareness, learning from stakeholders, influencing target
audience, increasing understanding of RM process, attitudinal or behavioural shift),
participants, perspectives, communication methods, evaluation process; 2.30
Monitoring: Continual checking, supervising, critically observing or determining the
status in order to identify change from the performance level required or expected,
can be applied to RM Framework, Process, Risk or Control, involves periodic
investigation of current situation or actual for comparison with expected/required
performance, uses indicators (KRIs, SMART); 2.31 Review: Activity undertaken to
determine the suitability, adequacy and effectiveness of the subject matter to
achieve established objectives, non-routine checks, can be applied to RM
Framework, Process, Risk or Control, uses Criteria (timeliness, accuracy,
completeness etc); C&C and M&R should be continuous and dynamic, covering design
(COSO Framework) and operational (implementation) effectiveness
FR RM: transaction-centric approach by implementing IC over FR, address external
factors affecting inherent risk of certain accounts, examine RMM from a strategic
lens [Objectives of FR -> Financial Statements -> Determine risk profile/level of each
account -> accounts/assertions @ risk -> RMM: Residual Risk = inherent risk x control
risk (control risk is a function of effectiveness of design & operation of IC)]; Good
Control Environment: Segregation of Duties, training of staff, sound board,
incentivisation; FR Objectives: reliable & relevant, comply with FRS Framework &
regulations, effective & efficient operations, safeguarding of assets; Disclosure must
be transparent, consistent, simple, relevant, timely, fair & equal, complete & free
from errors, reflection of best practice; True & Fair: not defined by statute, matter of
judgement (up to court of law); Assessment of inherent risks improves efficiency of
audit process by reflecting a more detailed level of risk present within certain
operations or accounts; entity-level factors include integrity of directors and
management, management experience, unusual pressures on management, nature
of business, industry conditions; account balance & transaction class level factors
include susceptibility to misstatement, complexity, degree of judgement,
susceptibility of assets to loss/misappropriation, quality of accounting systems,
unusual or complex transactions at or near year-end, transactions not subject to
ordinary processing, payroll fraud (fictitious employees, padded labour costs);
RMM F/S: pervasive to F/S as a whole and many accounts at risk, due to ineffective
control environment, insufficient capital to continue operations, declining conditions
may create opportunities or pressures for manipulation; SSA RMM-315 Assertions:
Representations by management, explicit or otherwise, that are embodied in the
financial statements, as used by the auditor to consider the different types of
potential misstatements that may occur, including assertions about classes of
transactions and events for the period under audit (occurrence, completeness,
accuracy, cutoff, classification), assertions about account balances at period end
(existence, rights & obligations, completeness, valuation & allocation), assertions
about presentation & disclosure (occurrence, rights & obligations, completeness,
classification & understandability, accuracy & valuation); Events that may indicate
RMM: Forex fluctuations, new product, service, location, lack of internal
competency, changes in supply chain, key personnel, accounting policies, going
concern, estimations and contingent accounts; 320 Audit Materiality: Misstatements
arising from errors or fraud are considered to be material if they, individually or in
aggregate, could reasonably be expected to influence the economic decisions of
users taken on the basis of the financial statements

Fraud: using deception to make dishonest personal gains and/or create loss for another, such as
misappropriation of assets, corruption, misrepresentation of information; factors include
increasing globalization and IT developments, fraud triangle; Deception: intentionally managing
verbal/non-verbal messages for the receiver to believe in a way that the sender knows is false, 5
forms: lies, equivocations, concealments, exaggerations, understatements; PCA section 5
Corruption: give or receive gratification as inducement or reward (also bribe); Truth Bias: tendency
to judge a message as truth, especially within close relationships, impairs the receiver's ability to
detect deception and exposes receiver to fraud, unless faced with major deviation of behaviour;
Anti-Fraud Program: 1. Board/AC oversight, exec & line mgmt. functions, IA, compliance,
monitoring functions, 2. Prevention, Detection, Response, 3. Fraud Risk Assessment,
communication & training, review, 4. Culture, alert; Fraud Risk Policy: Purpose, Responsibility,
Terms (constituting Fraud), Process, Confidentiality, Authority, Fraud Risk Appetite,
Acknowledgement & Approval of Policy by highest authority; Prevention: Risk Assessment, Code
of Conduct, Due Diligence, Process-specific controls, Proactive Data Analysis; Detection:
Independent & anonymous channels for reporting, whistleblowing policy, Retrospective Data
Analysis, IA; Response: Protocols for Internal Investigation, Remediation/Discipline, Enforcement
& Accountability, Disclosure
Fraud RM: Prevent, Detect, Respond, Deterrence
Tone from the top: Cultivate risk-averse culture throughout org
Rational (mind): Preventive, Detective, Response Controls, Education, Knowledge
Irrational (heart): Circumstances, Temptations, Value System
Whistleblowing Policy: Protection of whistleblower, Anonymity
Warning Signs: Red Flags, KRIs, balance cost of monitoring
Fraud RM: [Establish Context (understand org's internal governance, policies, key transactions &
processes, external relationships & stakeholders) -> Identify Fraud Risk (involve personnel from all
levels of org, Where, What, When, How, Who, pressures/incentives/opportunities, external
influences, effects on org) -> Analyse (Establish & determine effectiveness of existing IC, risk level
ie. L x C) -> Evaluate (Compare level with risk targets, prioritise certain risks) -> Treat (prepare Fraud
Risk Plan, implement IC, assign responsibility to senior management, AC to oversee whole
process) -> Monitor & Review (changes to internal & external environment, regular update of
Fraud Risk Assessment and documentation, report changes & updates to management and Board,
revisit FRA as part of ERM, use FRA to refine & focus IA testing) -> Fraud Reporting (Engage key
stakeholders, establish reporting protocol & include regulatory authorities)]; Money-Laundering:
disguising the original ownership and control of proceeds from criminal conduct by making such
proceeds appear to be derived from a legitimate source, Crime of Conversion on top of Crime of
Fraud, FIs subject to abuse by launderers due to nature of products & services, [Placement (funds
introduced into financial system) -> Layering (substantive stage where property's ownership &
source are disguised) -> Integration (funds re-introduced into legitimate economy)]; Elements: act of
laundering, requisite degree of knowledge or suspicion relating to the source of funds or conduct of
client; Singapore: robust AML/CFT legislation, close partnership with business community, strict
enforcement & ongoing supervision, active international cooperation, Financial Investigation
Division of CAD, CPIB
Code of CG Principle 13 IA: The Company should (not mandatory) establish an effective internal IA function that is
adequately resourced and independent of the activities it audits; 13.1 IA's primary line of reporting should be to the
AC Chair, administratively to CEO; AC approves hiring, removal, evaluation, compensation of Head of IA, or of the external
audit firm if IA is outsourced; IA to have unfettered access to all company's documents, records, properties and
personnel including AC; 13.2 AC to ensure that IA is adequately resourced and has appropriate standing within
company; IA can be in-house, outsourced, performed by major shareholder, holding company; 13.3 IA function
should be staffed with persons with relevant qualifications and experience; Assurance: an engagement in which a
practitioner expresses a conclusion to enhance the degree of confidence of the intended users other than the
responsible party about the outcome of evaluation or measurement of a subject matter against criteria (eg.
Completeness of Assertions in F/S, reliability of systems & processes, effectiveness of governance), involves 3-party
relationships: practitioner, responsible party, intended users; Assurance Engagement Risk: risk that
practitioner expresses an inappropriate conclusion when the subject matter information is materially misstated,
consists of Inherent Risk (susceptibility of information to material misstatements), Control Risk (RMM after IC),
Detection Risk (practitioner may not detect misstatements that exist); practitioner will try to collect evidence to reduce
engagement risk to an acceptably low level; Assurance Report: written report containing a conclusion that conveys
the assurance obtained about the subject matter information, also consider other reporting responsibilities including
communicating with those charged with governance where it is appropriate to do so, comprises both IA and EA;
IA: Independent, objective assurance and consulting activity designed to add value and improve an org's
operations, helps in accomplishment of objectives by bringing in a systematic, disciplined approach to evaluate and
improve the effectiveness of RM, control and governance processes. IA can advise senior mgmt on the
development of IC; however other forms of advising and consulting should be ancillary to the basic function of IA,
which is an independent appraisal function to evaluate internal IC systems. IA is a 3rd line of defence, check within
checks; IIA Code of Ethics: principles and expectations governing the behaviour of individuals and organizations in
the conduct of IA, to promote an ethical culture in the profession of IA due to the foundation of trust placed in IA's
objective assurance; Principles are integrity, objectivity, confidentiality, competency; Rules of Conduct are 1.
Integrity (1.1 perform work with honesty, diligence, responsibility, 1.2 observe the law and make disclosures
expected by law and profession, 1.3 not knowingly be a party to any illegal activity or engage in acts that are
discreditable to the profession or org, 1.4 respect and contribute to the legitimate and ethical objectives of org), 2.
Objectivity (2.1 not participate in activity or relationship that may impair their unbiased assessment or result in
conflict of interest, 2.2 not accept anything that may impair their professional judgement, 2.3 disclose all material
facts known to them that may distort the reporting of activities under review if undisclosed), 3. Confidentiality (3.1 be
prudent in the use and protection of information acquired in the course of their duties, 3.2 not use information for
any personal gain or unlawful use or detrimental to the legitimate and ethical objectives of org), 4. Competency (4.1
engage in only those services for which they have the necessary knowledge, skills, experience, 4.2 perform IA
services in accordance with ISPPIA, 4.3 continually improve proficiency, effectiveness, quality of their services)

Proliferation and emerging nature of Disruption Risk (internal & external, Black Swan events, Supply Chain risks due to complexity of
cross border supply chains, Costs of Switching), due to its magnitude and severity, beyond capability (ability and capacity) of routine
management approaches to resolve

Type of Risk | Likelihood   | Consequence
Normal       | Low to High  | Low to High
Speculative  | Low          | Low to High
Unknown      | Very Low     | Very High
BCM (integral part of ERM, business imperative): Provides a Framework to develop plans and responses (BCM more of a response
strategy due to unpredictability) to ensure business resiliency and long-term survival following a serious disruptive incident,
enables Business Continuity Plans (BCP) to be developed that are tailored to meet the needs of business; Objectives: Prevent impact
beyond org, Ensure safety of staff, Demonstrate effective & efficient governance to media, markets, SHers, Defence of reputation &
brand, Protect org's assets, value-creating activities, Min impact on key stakeholders, Meet insurance, legal, regulatory requirements;
involves context (examine interdependency of functions and stakeholders, internal & external operations), risk identification (sources,
impacts, consequences), analysis (L&C, existing IC), evaluation (risks beyond routine management capability to be subjected to BIA),
treatment (below), M&R, C&C, [1. Identify Business Processes (Pdn, HR, IT, Admin, Supply etc) -> 2. Risk & Business Impact Analysis
(Business impact profile, rank severity of impact) -> 3. Select Core Processes & Determine MAO (regulations, ability to coordinate
efforts, availability of resources) and RTO (staggered according to precedence of processes) -> 4. Determine resources required to
resume Core Processes -> 5. Perform Disruptive Risk Assessment (identify Disruption Risks to address, analyse and establish risk
disruption profile L x C, risk level, evaluate against criteria, select key Risks for response) -> 6. Determine Constraints (capabilities of
people, IT systems, facilities, data backup, costing of options) -> Develop, Test, Plan (operational readiness & effectiveness) ->
7. Review & Update (adequacy of plans, enhancements to strategies, training)], possibility of secondary risks; Establishment of
Response Team that is multi-disciplinary to attend to different risk categories; 3 Concepts: Business Impact Analysis: examine and
highlight critical business processes which are vulnerable to disruption, detailed insight into extent, time frames and mechanisms of
disruptive consequences associated with priority disruption related risks, steps include [Develop BIA communication & consultation
(engage & consult key stakeholders on intent of BIA, types and collection of info required, how it will be used), Determine & confirm
critical functions (identify objective critical functions which will be subsequently prioritised based on their MAO), Resource capability &
requirements (establish level of resourcing required following disruption event to maintain minimum level of functionality, resources
include people, data, facilities, IT, telecommunications, critical infrastructure, suppliers, contractors, external parties), Dependencies
between capabilities, resources, stakeholders (identify and map relationships for review to ensure proper coordination and alignment of
purposes, to achieve BCM objectives), Disruption Impacts (assess level of impact of disruption event on each critical business function),
MAO and Recovery Time Objectives (determine MAO & RTO for each critical business process and resources required for minimum
operational capability), Identify alternate measures/workarounds (in case of insufficient capability of critical functions until capability
can be restored, including manual process, halting of unnecessary parts, re-routing, outsourcing), Review & confirm current
preparedness (adequacy of existing measures, with respect to identified potential impacts)]; Maximum Tolerable Period of
Disruption/Maximum Acceptable Outage: Max time a system can be unavailable before its loss will compromise the org's objectives or
survival; Recovery Time Objective: duration of time within which a business process must be restored after a disruption in order to
avoid unacceptable continuity consequence, usually lower than MTPD/MAO; Disruption Treatment: Establish Strategies (measures to
stabilize situation, minimize level of org impact, reduce losses, ensure ongoing delivery of accepted minimum level of org capability &
performance, return org to long-term operationally acceptable & sustainable capability), Action & Resources (required to execute
strategies, develop people, facility, infrastructure, data, communications, process capabilities, critical business functions), Incident
Communication (channels and methods of providing information on disruption events to key stakeholders), Plan Activation &
Deployment (who, when, how to activate BCM, assess incident & evaluate against activation criteria, up to point of de-escalation,
stand-down and debrief, review of learning points), Documentation of BCM plan (for future reference), Maintenance (BCM plan properly
maintained for operational readiness and tested, personnel involved to be trained and information continuously updated);
Constraints: Budget, Resource availability, cost & benefit, technology, org risk appetite
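BCP steps 3 and 4 above (select core processes, set MAO, stagger RTOs by precedence) can be checked mechanically. This is an added example, not from the original notes; the process list, impact ranks, MAO hours and the fixed recovery slot per step are constructed assumptions, and the two rules it enforces are the ones the BIA text states: an RTO must not exceed the MAO, and a process cannot be scheduled to recover before a dependency it runs on.

```python
"""Select core processes, order them by dependency, stagger RTOs and flag MAO breaches."""
from dataclasses import dataclass


@dataclass
class Process:
    name: str
    impact: int            # disruption impact rank from the BIA, 1 (low) .. 5 (severe)
    mao_hours: int         # Maximum Acceptable Outage for this process
    depends_on: list[str]  # processes/resources that must be restored first


def core_processes(procs: list[Process], min_impact: int = 3) -> list[Process]:
    """Core processes: impact at or above the threshold, plus whatever they depend on
    (a dependency of a core process is itself core, or the plan cannot work)."""
    by_name = {p.name: p for p in procs}
    core = {p.name: p for p in procs if p.impact >= min_impact}
    stack = list(core)
    while stack:
        for dep in by_name[stack.pop()].depends_on:
            if dep not in core:
                core[dep] = by_name[dep]
                stack.append(dep)
    return sorted(core.values(), key=lambda p: (-p.impact, p.mao_hours))


def recovery_order(core: list[Process]) -> list[str]:
    """Precedence order: dependencies before dependents; ties go to the tighter MAO."""
    by_name = {p.name: p for p in core}
    remaining = {p.name: [d for d in p.depends_on if d in by_name] for p in core}
    order: list[str] = []
    while remaining:
        ready = sorted((n for n, deps in remaining.items() if not deps),
                       key=lambda n: (by_name[n].mao_hours, n))
        if not ready:
            raise ValueError("circular dependency among: " + ", ".join(sorted(remaining)))
        for n in ready:
            order.append(n)
            del remaining[n]
        for deps in remaining.values():
            deps[:] = [d for d in deps if d not in ready]
    return order


def stagger_rtos(core: list[Process], slot_hours: int = 2) -> dict[str, int]:
    """Staggered RTOs: RTO = latest RTO of its dependencies + one recovery slot,
    so nothing is promised back before the process it runs on."""
    by_name = {p.name: p for p in core}
    rto: dict[str, int] = {}
    for name in recovery_order(core):
        deps = [d for d in by_name[name].depends_on if d in by_name]
        rto[name] = max((rto[d] for d in deps), default=0) + slot_hours
    return rto


def mao_breaches(core: list[Process], rto: dict[str, int]) -> list[str]:
    """Processes whose staggered RTO exceeds their MAO: these need more resources
    or a workaround (step 6 constraints), not a longer RTO."""
    return [p.name for p in core if rto[p.name] > p.mao_hours]


# Constructed sample BIA output (illustrative values, not from the notes)
SAMPLE = [
    Process("Network & data centre", 5, 4, []),
    Process("Core banking ledger", 5, 8, ["Network & data centre"]),
    Process("Payments", 4, 6, ["Core banking ledger"]),
    Process("HR self-service", 1, 72, ["Network & data centre"]),
    Process("Marketing site", 2, 48, []),
]

if __name__ == "__main__":
    core = core_processes(SAMPLE)
    plan = stagger_rtos(core)
    print("Recovery order:", recovery_order(core))
    print("RTOs (h):", plan)
    print("MAO breaches at 2h slots:", mao_breaches(core, plan))
    print("MAO breaches at 3h slots:", mao_breaches(core, stagger_rtos(core, slot_hours=3)))
```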
SGX Listing Manual 1207(10): Require Board of Directors to provide an opinion, with concurrence of AC, on adequacy of IC, addressing
financial, operational, compliance risks; this requires assurance from IA function that IC are well designed and effective; Good IA: 3Ps:
Position (independent reporting, formal IA policies and charter), People (competency, exp, certification, training & training outcomes),
Process (IIA standards, formal IA method and process), strong third line of defence (people, structure, processes), sound planning, sound
education and sound reporting (driven by IIA standards), independent (not influenced by entity, undue influence), objective (free from bias);
Strength of IA is primarily dependent on AC, IA is concerned with functional independence; IA should NOT: set risk appetite, establish
RM process, give assurance on risks on management's behalf, accept decisions on risk response, implement risk responses on
management's behalf, account for RM
Eg. Objective: To determine that the selection process is effective

Audit Objective (Criteria)                                 | Procedures
Competency of selection panel (exp, knowledge, skills etc) | Documentation of Criteria
Independence of selection panel                            | Disclosure of relationships, signed by panel members, date of signature
Board Diversity & Completeness criteria                    | Channels for dissemination (advertisements, head hunters)

Attribute            | IA (Voluntary)                        | EA (Mandatory)
Responsible to       | Board                                 | Shareholders
Relation to CEO/Mgmt | Administrative only                   | None, deal with AC/Board
Mandate              | Best Practice                         | Companies Act, Listing Manual
Objective            | Provide Assurance and/or consultation | Assurance
Approach             | Risk-based                            | Risk-based
Subject Matter       | Financial & Non-financial             | Financial Statements only
Criteria             | Depend on Subject Matter              | FRA and SSA
Regulations          | Not regulated                         | Approval by ACRA Public Accountants Oversight Committee (PAOC)
Output               | IA Report                             | Audit Report guided by SSA and Companies Act, whether F/S are true and fair
