AY 2008/2009: Year 3 Semester 1

AA205 Revision Notes

Seminar 1: Introduction CERM Executive Summary COSO ERM capabilities: 1. Aligning risk appetite and strategy - Considers risks appetite in evaluating fit with strategic alternatives, then sets objectives aligned with selected strategy in developing mechanisms to manage the related risks 2. Enhancing risk response decisions - Identify and select: Avoidance, Reduction, Sharing and Acceptance 3. Reducing operational surprises and losses - Capability to identify potential events, assess risks, and establish responses 4. Identifying and managing multiple and cross-enterprise risks 5. Seizing opportunities - Considers opportunities, which are channelled back to strategy and objectives 6. Improving deployment of capital - Helps assess overall capital needs and thus enhance capital allocation 7. Supports sustainable growth - Integration of risks management in decision making process and strategic planning ERM helps an entity get to where it wants to go and avoid pitfalls and surprises along the way Components of ERM 1. 2. 3. 4. 5. 6. 7. 8. Internal Environment Objective Setting Risk Identification Risk Assessment Risk Responses Control activities Information and communication Monitoring

Relationships between components and objectives:

To determine the effectiveness of ERM, we need to ascertain that the right components are present and functioning properly. For that to happen, there can be no material weakness and risks needs to be brought within appetite Limitations of ERM: 1. Human Judgement can be faulty (Decisions to consider costs and benefits) 2. Human failures such as simple mistakes 3. Controls can be circumvented by collusions CERM Chapter 1: Definitions Entities exist to provide value for stakeholders. All entities face uncertainty, and the challenge for management is to determine how much uncertainty the entity is prepared to accept as it strives to grow stakeholders value Globalisation, Technology, Restructurings, Changing Markets, Competitions and Regulations are all sources of uncertainty Value is maximised when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks ERM can be applied in strategy setting, in which management considers risks related to alternative strategies, assisting them in evaluating and selecting the strategy and objectives Considers inter-related risks from an entity-level portfolio perspective. Risks for individual units of the entity may be within risks tolerances, but taken together may exceed the risk appetite of the entity as a whole ERM enables management to make informed risks-based decisions, but the particular decision does not determine the effectiveness of ERM Seminar 2: Corporate governance and Internal Environment CERM Chapter 2: Internal Environment Internal Environment encompasses the tone of an organisation, influencing the risk consciousness of its people, and is the basis of other components of ERM Components of Internal Environment: 1. Risk Management Philosophy - Shared beliefs and attitudes characterising how the entity considers risks in things it does - Reflected in virtually everything management does in running the entity: Policy statements, oral and written communications, and decision making - Ideally, philosophy is well developed, understood and embraced by everyone 2. Risk Appetite - The amount of risks, on broad level, an entity is willing to accept in pursuit of its goals

- Reflects risk philosophy, which in turn influences the entity culture and operations - Qualitative: High, Moderate, Low - Quantitative: Balance goals for growth and return with risks 3. Board of Directors - Appointed by shareholders to govern the company - Should possess appropriate degree of management, technical, and other expertise, coupled with the mind-set necessary for oversight responsibilities - Should be a fair representation of both management and shareholders interest- balance of internal and independent directors - Plays a key role in driving corporate governance, and ultimately, the internal environment 4. Integrity and Ethical values - Top management to set the tone on ethics, their actions embedded in corporate culture - Ethical behaviour a by-product of corporate culture, the unwritten rules of conduct. Culture, in turn, is shaped by behaviours - Individuals may engage in dishonest, illegal and unethical acts simply because the entity provides them with the strong incentives to do so e.g. undue pressure on results 5. Commitment to competence - Management decides how well tasks need to be accomplished, weighing the entitys strategy and objectives against plans for their implementation and achievement - Trade-off between competencies and costs often exists 6. Organisational structure - Provides the framework to plan, execute, control and monitor activities - Defines key areas of authority and responsibilities and establish lines of reporting e.g. IA should be permitted access to top management 7. Assignment of authority and responsibility - Degree to which individuals and teams are authorised and encouraged to use initiative to address issues and solve problems - To strike a balance between delegation and reporting, the former more flexible but more susceptible to risks; the latter vice versa 8. Human resource standards - Practices pertaining to hiring, orientation, training, evaluating, counselling, promoting, compensating, and taking remedial actions - Sends message regarding expected level of integrity, ethics and competence - Disciplinary actions send a message that violations of expected behaviours is not tolerated

Tutorial Matters covered in Corporate Governance 2005: 1. Board matters: Conduct of affairs, composition and guidance, chairman and CEO, board membership, board performance, access to information 2. Remuneration matters 3. Accountability and audit 4. Communications to shareholders 5. Disclosure of corporate governance arrangements ERM affects only the personnel in an entity. Melding Corporate Governance with ERM, Directors, Senior Management, Internal and External auditors, and risk owners must work interdependently Speculation: Selecting investments with higher risks in order to profit from anticipated price movement Hedging: Making an investment to reduce the adverse price movements in an asset. Normally, a hedge consists of taking an offsetting position in a related security Sophisticated investors use a combination of speculation investments and hedging strategy to limit potential losses Seminar 3 and 5: Objective setting and Event identification CERM Chapter 3: Objective Setting Steps in setting objectives: 1. In considering alternative ways to achieve strategic objectives, management identifies risks associated with a range of strategy choices and considers their implications 2. The right objectives (entity-level) that support and aligned with the selected strategy are then established 3. Entity-level objectives are linked and integrated to more specific activities objectives such as for sales, production and engineering 4. Critical success factors are set to help management identify measurement criteria for performance Categories of objectives 1. Strategic: High level goals, aligned with and supports entitys mission 2. Operations: Effective and efficient use of resources 3. Reporting: Reliability of entitys reporting, including internal and external, financial and nonfinancial information 4. Compliance: Compliance with applicable laws and regulations Achieving reporting and compliance objectives is largely within the entitys control, while strategic and operations objectives is not solely within the entitys control e.g. outperformed

There is a relationship between an entitys risk appetite and strategy. Usually a number of different strategies can be designed to achieve the desired outcome. ERM helps management select a strategy that is consistent with its risk appetite Differences between risk appetite and tolerances: Appetite: Amount of risks willing to accept in pursuit of mission/strategy Tolerance: Acceptable level of variation relative to the achievement of a specific objective, best measured in the same units as those objectives

Performance measures are used to ensure that results will be within established risk tolerances e.g. target on-time delivery at 98%, with acceptable variation in range of 97%-100% Operating within risk tolerances provides management with greater assurance that entity remains within its risk appetite, which in turn, provides higher degree of comfort that objectives are met CERM Chapter 4: Event Identification Management identifies potential events that, if they occur, will affect the entity, and determines whether they represent opportunities or risks Events may be driven by external or internal factors: External factors and events (PEST, P5F) Economic: Price movement, capital availability, barriers to entry, new competitiors Natural Environment Floods, fire, earthquakes etc Political: Political agendas, laws and regulations, tax rates Internal factors and events Infrastructure: Increasing capital to preventive measures, improving customer satisfaction Personnel: Workplace infrastructure, fraudulent activities, loss of available personnel Process: Process execution errors, inefficiency, customer dissatisfaction, loss of repeat business Technology: Security breaches, potential system downtime

Social: Changing demographics, social mores, family structures, terrorism activity Technological: New means to electronic commerce, expanded availability to data Note: Events can be identified at entity level or activity level

Event identification techniques look to both the past and future: Past: Focuses on past events and considers trends e.g. payment default histories Future: Focuses on future exposures e.g. changing demographics

Event identification techniques: 1. Event inventories: Detailed listing of events common to companies in industry 2. Internal analysis: Part of routine business planning cycle e.g. via staff meetings

3. Escalation or threshold trigger: Alert management to areas of concern by comparing current transactions or events with predefined criteria 4. Facilitated workshops and interviews: Management, staff and other stakeholders 5. Process flow analyses e.g. BPA 6. Leading event indicators: Monitoring date correlated to events, entities indentifies the events that could give rise to events e.g. monitoring payment patterns enables potential to default be mitigated by timely action 7. Loss event data methodologies: Past individual lost events to identify trends and root causes Events can be interdependent- one event can trigger another. Its important to understand how events relate to one another so as to determine where best to direct risks management efforts Event categories are useful: Develop an understanding of relationships between events Consider the completeness of event identification

Tutorial Relationship between objectives and missions:

Entity's mission/vision

Strategic and related objectives

Critical success factors

Key performance indicators

Feedback: Are objectives met?

Implications of clients risk management for external auditors: Understand clients control environment Sets financial statement expectations Assess risk of material misstatements Assess viability of clients Anticipate clients needs

2 frameworks for identifying events: 1. Entity level: Entity level business Model-> Business Objectives

Usefulness: Considers both external and internal perspective in identifying risks Disadvantage: Does not look at individual process, may not be in-depth enough, does not consider which objectives are threatened

2. Process level: Business Process Analysis-> Process objectives

Usefulness Value chain analysis: Analyses the contribution of individual activities in a business to the overall level of customer value Considers all supports of a business process e.g. inputs, outputs, systems Linked specifically to process objectives

Weaknesses May be too narrowly viewed i.e. lacks linked to strategic objectives Does not consider effect of other business process on the one analysed

Readings Point with risks management is not to eliminate risks, but to manage it to an appropriate level- not too high and not too low. No risks, no reward! Emergent risks arise from actions taken in multiple areas of the company that by themselves, do not increase risk (may even reduce it), but combined, they can dramatically increase it. For example, need for rare metal to develop product: Purchasing: Hedge by entering long term contracts to purchase metals at locked-price R&D: Develop new products that do not require the rare metals Result: New products that no longer require the rare metal committed to purchasing

6 dimensions of risk 1. 2. 3. 4. 5. 6. Likelihood of a relevant trend or event Magnitude of the effects of trend or event Degree of uncertainty in estimating event likelihood Degree of uncertainty in estimating event magnitude The ability to influence event likelihood The ability to influence event magnitude

Short comings of ERM Ability to collect all relevant data needed to manage risks internally and externally Ability to employ analytical tools that address not only historical data, but can project risks and impact for events that have never previously occurred Ability to identify a chain of events that may follow an initial loss event and accurately project the impact of ripple effects emanating that event

Seminar 6 and 9: Qualitative and Quantitative Risk Assessment CERM Chapter 5: Risk Assessment Risk assessment allows an entity to consider the extent to which events have an impact on objectives. Management assess events from 2 perspectives- likelihood and impact- and normally uses a combination of qualitative and quantitative methods Inherent risks: Absence of any actions management might take to alter likelihood and impact Residual risks: After risks responses have been developed

Assess inherent risks

Consideration when assessing risks

Identify risk responses

Assess residual risks

1. Time horizon used to assess risks should be consistent with the time horizon of related strategy and objective. Management needs to be cognizant of objectives with longer timeframe and not ignore risks that may be further out 2. Impacts should be measured in the same terms that the objective is measured in 3. Certain risks may have slight impacts on their own, but when combined with related risks, it can become more significant 4. An objective may be affected by several events; an event may also threaten several objectives 5. Perceptions of risks may be different - Ground level thinks its serious - High level may think less so (understand the mechanism e.g. hedging in place) Estimates of likelihood and impact made by using Internal data: E.g. existing risk registers, company websites, workshops, surveys External data: E.g. news, credit agencies, analysts report, competitors websites

Assessment techniques Qualitative Uses words (e.g. high, low) to describe magnitude of event and its likelihood Subjected to biases and can be highly influenced by perceptions 1. Overconfidence: Mitigated by evidence 2. Framing biases - Positively framed questions: Risk adverse - Negatively framed: Risk seeking Used to provide quick snapshots relatively quickly and inexpensively or when risks do not lend themselves to quantification Simplicity of qualitative risk assessment represents an inherent risks that quantification method can address E.g. GroupSystem technology enables real time, rapid data collection in face-to-face and remote risk storm sessions Quantitative Typically bring more precision and are used in more complex and sophisticated activities to supplement qualitative techniques Disadvantages: 1. Require higher degree of effort, rigor and expertise 2. Highly dependent on the quality of the supporting data and assumptions 3. More relevant to risks with a known history and frequency of variability Tends to be more accurate and more objective Provides a basis of comparison with past and for comparison with others (benchmark)

E.g. Benchmarking, probabilistic models, and nonprobabilistic models

PwC Lecture: Qualitative Risk Analysis 6 key elements of effective Corporate Governance Framework: 1. 2. 3. 4. 5. 6. Board structure and composition Board operation and effectiveness Strategy, Planning and Monitoring Robust Risk Management and compliance processes Transparency and Disclosure Corporate citizenship (Social, ethics and environment)

Process risks are often not given enough emphasis- they may snowball to something serious Relating strategy, objectives, appetite and tolerance:

Risk categories are identified by considering key drivers and stakeholders, business objectives and current processes. Breaking risks into categories help ensure the full spectrum of risks is considered. Common categories: 1. Business and strategic risks 2. Operational risks 3. Financial risks

Qualitative risk measurement scale- Likelihood

Qualitative risk measurement scales- Impact

Seminar 7: Risk Response CERM Chapter 6: Risk Response 4 main kinds of risks responses: 1. 2. 3. 4. Avoidance: Exiting the activities that give rise to the risk Reduction: Action is taken to reduce likelihood, impact, or both Sharing: Reduce likelihood or impact by transferring a portion of risks e.g. hedging Acceptance: No action is taken to affect response and likelihood

In determining risk response, management should consider things such as: 1. Assessing the effect on risk likelihood and impact i.e. which response options align with entitys risk tolerances 2. Cost and benefits of response 3. Possible opportunities to achieve objectives As such, the risk response chosen may not always be the one that result in least amount of risk Sometimes a combination of responses can be used to address a single risk. Conversely, sometimes one response can affect multiple risks Recognise that some level of residual risk will always exist, not only because resources are limited, but also because future uncertainty and limitations inherent in all activities Tutorial The TRAP response to risks: Terminate, Reduce, Accept, Pass If a particular response is unable to bring us down to within appetite, we can carry out responses in a series of steps or concurrently Decisions should take account of the need to consider carefully rare but severe risks that may warrant risk treatment actions that are not justifiable on strictly economic grounds One should always determine the cause of the risk before deciding on a response- to treat where the problem comes from! In coming up with responses, are there any risks that will be invoked which: Threatens the objective it is trying to protect? Threaten other business objectives?

Other consideration Acceptability: Acceptable by relevant stakeholders? Administrative efficiency: Is it easy to implement? Compatibility: Is it compatible with others that may be adopted?

Continuity: Short term or long term effect? Regulatory: Does the treatment breach any regulatory requirements? Risk creation: Does the treatment introduce more tisks? Economic, social and environmental: Any effects? Cost benefit considerations:

Seminar 8: Control activities CERM Chapter 7: Control activities While controls are generally established to ensure risks responses are appropriately carried out with respect to certain objectives, sometimes control activities themselves are the risk response Includes Approvals, Authorisations, Verifications, Reconciliations, Reviews of Operating Performance, Security of Assets, and Segregation of Duties In some instances, a single control activity addresses multiple risk responses. In others, multiple control activities are needed for one risk response Selection of controls should include consideration of their relevance and appropriateness to the risk response and related objectives Categories of controls: Preventive, Detective, Manual, Computer, Monitoring, IT dependent, Complementary

Types of control activities: Top-level reviews: Reviews actual performance against budgets, forecasts, prior periods and competitors Information processing: Check accuracy, completeness, and authorisation or transactions Physical controls: Physically secured and periodically counted Performance indicators: Relating different sets of data, together with analyses of the relationships and investigative and corrective actions Segregation of duties: Duties divided to reduce risk of error or fraud

Controls over information Systems can be separated into 2 main kinds: 1. General controls: Apply to many if not all application systems and help ensure their continued, proper operation 2. Application controls: Computerised steps within application software to control processing, focus directly on completeness, accuracy, authorisation and validity General Controls Information Technology Management - Steering committee to provide oversight Information Technology Infrastructure - Controls applied to installation, configuration, integration and maintenance Security Management - Logical access controls such as passwords Software acquisition and development - Manage change, including acceptance testing, stress testing and project risks assessment Application Controls Balancing control activities - Detect data capture errors by reconciling amounts entered Check digits - Validate data by calculations Predefined data listing - Provide user with predefined lists of acceptable data e.g. vendor lists Data reasonableness test - Compare data with a present or learned pattern of reasonableness Logic tests - Include use of range limits or value or alphanumeric tests

Tutorial Information Processing Objectives Completeness Accuracy Validity Restricted Access Definition All transactions that occur are processed once and only once Transactions are recorded at the correct amount in the appropriate amount and proper period Only authorised economic events that actually occurred are entered Data protected against unauthorised amendments and access. Physical assets are appropriately restricted to authorised personnel. Can be difficult to achieve other 3 objectives without this

Seminar 10: IT Governance and Risk Management COBIT 4.1 Executive Summary and Framework

Why the need to have a control framework for IT governance Increasing realisation of importance of information to success of enterprise To heighten the understanding of IT to leverage it for competitive advantage

The Control Objectives for Information and related Technology (COBIT)s characteristics 1. 2. 3. 4. Business-focused Process-oriented Controls-based Measurement-driven

1. Business-Focused

Information criteria Effectiveness Relevant information in a timely, correct, consistent and usable manner Efficiency Productive and economical use of resources Integrity In accordance with business values Availability Available for processes; Safeguarded Compliance With laws, regulations and contractual obligations Reliability Appropriate information to exercise fiduciary and governance responsibilities

IT resources Applications Automated user system and manual procedures to process information Information Data used by business Infrastructure Technology and facilitates that enable processing of applications People Personnel required: Internal, contract, outsourced

2. Process- Oriented The IT activities in a generic process that can be separated into 4 interrelated domains 1. Plan and Organise (PO) - Provides direction to solution delivery (AI) and service delivery (DS) - Identifies the way IT can best contribute to achievement of business objectives 2. Acquire and Implementation (AI) - Provides solutions - IT solutions developed or acquired, as well as implemented and integrated into process 3. Deliver and Support (DS) - Receives the solutions and makes them usable for end users - Actual delivery of required services 4. Monitor and Evaluate (ME) - Monitors all processes to ensure that the direction provided is followed - Regularly assess IT processes quality and compliance with control requirements Across these domains, COBIT identifies 34 IT processes 3. Controls-Based In addition to control objectives for each domain (PO, AI, DS and ME), each process has generic control requirements identified by PCn. They should be considered together to have a complete picture of control requirements. PC1 Process Goals and Objectives PC2 Process Ownership- Roles and responsibilities of owners PC3 Process Repeatability- Repeatable and produce consistent results PC4 Roles and Responsibilities- Assign and communicate ambiguous roles PC5 Policy, Plans and Procedures- Documentation, Reviews, Maintenance and Reviews

PC6 Process Performance Improvement

Controls applied to all IT are known as general controls, which is necessary for reliance to be placed on application controls General Controls System Development Change Management Security Computer Operations Application Controls Completeness Accuracy Validity Authorisation Segregation of Duties

Boundaries of Business, General and Application Controls

4. Measurement-Driven Goals are defined at 3 levels: 1. IT goals define what the businesses expects from IT 2. Process goals define what the IT process must deliver to support the IT objectives 3. Activity goals define what needs to happen inside the process to achieve the performance Metrics are defined as two different types 1. Key Goal Indicators (KGI) indicate whether goals have been met. These can be measured only after the fact, and therefore, are lag indicators 2. Key Performance Indicators (KPI) indicate whether goals are likely to be met. They can be measured before the outcome is clear, and therefore, are lead indicators

Relationships between Goals

Possible Outcome Measures

Tutorial 2 Factor Authorisation (2FA) What you know (Password) What you have (Password generating Token) What you are (Biometrics)-> 3FA

Seminar 11: Information and Communication CERM Chapter 8: Information and Communication Financial information is used for developing financial statements for reporting purposes, and also for operating decisions, such as in monitoring performance and allocating resources (e.g. variance reports, budgets) A challenge organisation faces is in establishing an information system infrastructure to source, capture, process, analyse, and report relevant information Information systems can be formal and informal. Conversations with customers, suppliers and regulators can provide critical information. Attendance in seminars can also provide valuable information

Strategic and Integrated System As enterprises become more collaborative with customers and suppliers, the division between an entitys information systems architecture and that of external parties is increasingly blurred Information systems are increasingly integrated into other aspects of operations (e.g. ERP); this allows real time sharing of information among departments Present data To determine whether entity is remaining within established risk tolerances Real-time view to identify variations from expectations

Historical data To track actual performance against targets, plans and expectations To identify correlations and trends, and to forecast future performance

Information Quality is defined as: 1. 2. 3. 4. 5. Content is appropriate- Is it at the right level of detail? Information is timely- Is it there when required? Information is current- Is it the latest available? Information is accurate- Is the data correct? Information is accessible- Is it easy to obtain by those who need it?

Communication should effectively convey Importance and relevance of effective ERM Entitys objectives Entitys risk appetite and risk tolerances A common risk-language The roles and responsibilities of personnel in effecting and supporting the components of ERM

Internal Communications External Communications Personnel should know how their activities Customers and suppliers can provide relate to the work of others highly significant inputs Front-line employees are often in best Open communications about risk appetite position to recognise problems as they arise and tolerances especially to others in the supply chain. This helps align risk Must have open communications channels philosophies with external parties and a willingness to listen Communication to stakeholders, regulators, Both normal reporting line, and channel financial analysts help them understand the that directs to the chief internal auditor or circumstances and risk the entity faces legal counsel Personnel to understand theres no reprisal for reporting relevant information Code of conduct, employee training sessions, etc

Means of communications: Policy manuals, memoranda, e-mails, bulletin boards etc, but nothing speaks louder than action!

Seminar 12: Monitoring CERM 9: Monitoring An entitys ERM changes over time. Risk responses that were once effective may become irrelevant; control activities may become less effective, or entitys objectives may change. There is a need for constant monitoring Monitoring can be done in two main ways: Ongoing activities and Separate evaluations. The greater the degree and effectiveness of ongoing monitoring, the less need for separate evaluations Ongoing monitoring Separate evaluations Performed on a real-time basis, reacts Take a fresh look from time to time, focus dynamically to changing conditions, and is directly on ERMs effectiveness ingrained in the entity Often due to trigger points such as change Done in the ordinary course of running the in management or economy business Usually takes place after something goes Stems from regular management activities, wrong, and can be done by 3rd party such as variance analysis, comparisons of information, and reviewing reports Methodology: Checklists, questionnaires, and flowchart techniques Readings: Role of IA in ERM
Core IA roles in regard to ERM Legitimate IA roles with safeguards Roles IA should NOT undertake

Giving assurance on risk management processes Giving assurance that risks are correctly evaluated Evaluating risk management processes Evaluating the reporting of key risks Reviewing the management of key risks

Consulting Roles Facilitating identification and evaluation of risks Coaching management in responding to risks Coordinating ERM activities Consolidating the reporting on risks Maintaining and developing the ERM framework Championing the establishment of ERM Developing risk management strategy for board approval

Setting the risk appetite Imposing risk management processes Taking decisions on risk responses Implementing risk responses on managements behalf Accountability for risk management

Internal audit can take on consulting services so long it has no role in actually managing risks- to protect objectivity and independence. Safeguarding conditions are as follow: 1. 2. 3. 4. Should be clear that management remains responsible for risk management Nature of IAs responsibilities should be documented in charter and approved by AC IA should not manage any of the risks on behalf of management IA should provide advice, challenge and support to managements decision making, as opposed to taking risk management decisions themselves

5. IA cannot give objective assurance on any part of the ERM for which it is responsible for developing. Such assurance should be provided by other suitably qualified parties 6. Any work beyond assurance activities should be recognised as a consulting engagement and relevant standards followed Reading: Control Self-Assessment CSA Unique because internal controls evaluations are performed by operational employees as opposed to internal or independent auditors This forces employees to think about control and conditions to improvement It instils a sense of ownership upon these employees Can be facilitated by IT such as GroupSystems, which can also bypass problems such as lack of autonomy and groupthink Weaknesses May not be suitable for all cultures. Some employees may fear the consequences of their negative inputs

Advantages Superior to traditional control evaluations techniques in the evaluation of techniques in evaluating Soft controls, such as controls over effectiveness of communications, corporate culture, ethics and integrity of management, and controls designed to drive customer satisfaction Strengthen control environment by making participants realise that internal control is everyones responsibilities Conclusions from facilitated team are typically superior to the results of traditional questionnaire evaluations

Seminar 13: Implementation issues in ERM CERM Chapter 11: Limitations of ERM 3 distinct concepts must be recognised 1. Risks relate to the future, which is inherently uncertain - No one can predict the future with certainty 2. ERM can help ensure that management and board is aware of the extent to which the entity is moving toward achievement of those objectives - Certain events are outside managements controls 3. ERM cannot provide absolute assurance with respect to any of the objective categories - No process will always do what it is intended to do

Weakness Judgment Breakdowns Collusion Cost versus Benefit

Management override

Description Effectiveness of ERM is limited by the realities of human frailty in making business decisions Personnel may misunderstand instructions, and judgmental mistakes may break down even the well-designed ERM Collusive activities of 2 or more individuals can result in ERM failures, which cannot be detected by the ERM process Due to resource constraints, entities must consider the relative costs and benefits of decisions In a competitive industry, it is important to find the right balance in having the right amount of controls. Too much may reduce the competitiveness (e.g. loaning systems too cumbersome), while too little may increase risks. Manager with criminal intent may still override the ERM to enhance financial condition or compliance status. Not to be confused with managerial intervention, which represents actions departed from the prescribed policies for legitimate purposes

Readings: Success factors for ERM Success Factors 1. Focus on Strategy and Business Objectives 2. Think broadly about the expansive range of risks facing your organisation - Many risks are related. Without understanding them and managing them in concert, the interplay and ability to offset some risks may be missed 3. Recognise that ERM is a Multi-Year Journey Challenges Do we have strong support from Top Management? Do we have sufficient resources for ERM?

How do we maintain the stamina needed for ERM?

Benefits of ERM 1. Can reduce a banks overall risk profile, which lowers the cost of capital 2. Enables capital to be allocated more appropriately for long-term growth 3. Lead to higher stock valuation and increased shareholder returns Integrating BSC and ERM framework

Seminar 14: Fraud and Ethics Readings Unethical behaviours may not be fraudulent (illegal), but fraudulent activities are definitely unethical The fraud triangle links the 3 conditions that fraud experts say are always present when fraud occurs. One can probably prevent fraud by eliminating one of them. It may be more practical and efficient to eliminate the Incentives and Rationalisation.

Branch Opportunity

Incentives/Pressure

Rationalisation

Description Sealing the cracks and gaps Most effective, but most difficult way to prevent fraud Requires anticipation through continuous assessment of possible fraud schemes, and to implement appropriate preventive control activities Protect good people from committing bad acts Can nullify fraud risk if perpetrator believes that he or she will be detected and punished Most powerful motivations derives from the pressure to avoid a loss Individuals generally do not commit fraud without some form of incentive/pressure, such as the need to maintain employment, secure promotion, or impress the boss with strong performance What would their mother say? Fraudsters generally do not think of themselves as bad people when they are committing the fraud They often rationalise by assuring themselves that they will make it up the next quarter or that they are not hurting anyone. Some may even think the company owes them something. Cynics view is that one with powerful pressure and opportunity will find a way to rationalise their actions

Effective fraud risk management consists of: 1. Fraud monitoring through detective control activities 2. Contemporaneous management review 3. After-the-facts fraud auditing Seminar 15: Business Continuity Management Readings Business Continuity Management A holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience and the capability for an effective response that safeguards the interest of its key stakeholders, reputation, brand and value creating activities Frequency of manmade and natural disasters has increased in recent years Impacts of disasters on businesses have increased thanks to technological advances, progressing globalisation, and the extension of supply chain Although technology remains very important to businesses, connectivity exacerbates the negative impact of a prolonged business interruption BC planning require a cross-company perspective and cant be owned by solely the IT department Risk assessment: Impact, Likelihood and Time BCM is a subset of ERM BCM Strategies and tactics focus on the processes that occur after an event. The objectives of those processes are to restore the business to normal operations as efficiently and effectively as possible

ERM Risk management strategies (Avoidance, Reduction etc) are formulated before an event, or risk occurs

Business benefits of BCM To differentiate their service-delivery or product-delivery resilience to potential customers Thorough business impact analyses can expose business inefficiencies Retaining customers following a disaster is less expensive than acquiring new customers Successful crisis management experiences can boost morale and help prevent employee turnover following a disaster

Difficulty in implementing BCM Vividness bias: Prevents individuals from thinking about troubling matters and major risks unless those issues play out, intensively and repeatedly, before their eyes Competing priorities: Many companies resist BCM when more immediate and visible demands occupy them Lack of standards: New discipline that has undergone dramatic evolutions in recent years

Business Continuity Institute (BCI) Good Practice Guidelines: Understanding the organisation - Including business impact analysis to determine: o Critical business functions o Maximum tolerable period of disruption o Recovery time objective Determining BCM strategy - Resources required, Implementation time line etc Developing and implementing BCM response - Monitoring by Business Continuity Team, Media arrangement, Communication with stakeholders Exercising, maintaining, and reviewing BCM arrangements - Review to refresh the relevance of risks and threats identified; Test runs to ensure the viability of BCM Embedding BCM in the organisations culture - Communications with employees, Obtain feedback, Observations - Deliver through formal training sessions