© 2019 KPMG Lower Gulf Limited and KPMG LLP, operating in the UAE, member firms of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International.

Enterprise Risk Management and Business Continuity Management
IIA conference UAE
April, 2019
KPMG Lower Gulf Limited
kpmg.com/ae
kpmg.com/om

Introduction to Risk Management (RM)
What is risk management?
Today, we are surrounded by so many questions and doubts about risk management:
- “Risk management is a mere compliance requirement”
- “Risk management does not provide any benefits”
- “Risk management is only for senior management”
- “Risk management is an audit requirement”
What is risk management?
Risk Management is… “a process, effected by an entity’s board of directors, management and other personnel, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Risk vs Opportunity
Events can have a negative impact, positive impact, or both. Events with a negative impact represent risks, which can prevent value creation or erode existing value. Events with positive impact may offset negative impacts or represent opportunities.
Make yourself aware
- COSO
- ISO 31000
Global standards
What is COSO
COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission, a joint initiative of five private sector organizations:
— American Accounting Association (AAA);
— American Institute of Certified Public Accountants (AICPA);
— Financial Executives International (FEI);
— Institute of Management Accountants (IMA); and
— The Institute of Internal Auditors (IIA).
What is ISO 31000
ISO is an independent, non-governmental international organization with a membership of 162 national standards bodies. ISO 31000:
— is the International Standard which provides principles and generic guidelines on risk management;
— can be used by any public, private or community enterprise, association, group or individual, so this International Standard is not specific to any industry or sector; and
— can be applied throughout the life of an organization.
Components of the ERM framework
The framework has seven components:
- Risk Strategy & Appetite
- Risk Governance
- Risk Culture
- Risk Assessment & Measurement
- Risk Management & Monitoring
- Risk Reporting & Insights
- Data & Technology
The elements under these components include: Linkage to Corporate Strategy; Board Oversight & Committee; Knowledge & Understanding; Risk Definition & Taxonomy; Risk Mitigation, Response & Action Plans; Risk Reporting; Data Quality & Governance; Risk Strategy; Company Risk Operating Structure; Risk Identification; Testing, Validation & Management’s Assurance; Business/Operational Requirements; Risk Analytics; Risk Appetite & Tolerance; Risk Guidance; Competencies & Context; Assessment & Prioritization; Monitoring; Board & Senior Management Requirements; Technology Enablement; Roles & Responsibilities; Action & Determination; Quantitative Methods & Modeling; Risk in Projects/Initiatives; External Requirements; Decision Support; Risk Aggregation, Correlation & Concentration; Scenario Analysis & Stress Testing; Capital & Performance Management.
Traditional vs Next generation approach
With passing time, risk management has shown some distinct transitions.
Traditional approach:
- Risk management was seen as a mere compliance requirement
- Highly administrative processes involving a lot of documentation
- Risk assessment was an annual exercise, typically performed during the Audit Committee and/or Board meetings
- Risk management was considered to be the senior management and board’s responsibility only
Next generation approach:
- Risk appetite is aligned with the organization’s vision, mission, and objectives
- Risk movement and assessment is performed based on advanced and predictive data analytics
- Risk management is a dynamic process and an integral part of every decision
- Opportunity management is an evolution of the risk management approach, directed towards exploiting opportunities
Risk Strategy and Appetite
Understanding organization’s thresholds
Risk Universe
- Risk Universe is the integration of all the risks an organization might face;
- Risk Universe forms the basis from which an organization is able to construct a risk profile.
Risk Capacity
- Risk Capacity is the maximum amount of risk that an entity is able to absorb in the pursuit of strategy and business objectives.
Risk Appetite
- Risk Appetite is the types and amount of risk, on a broad level, an organization is willing to accept in pursuit of value;
- Risk Appetite needs to be measurable;
- Risk Appetite is established by the Board, as the board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives.
High vs Low
Depending upon the nature of the organization and the willingness of the board, the organization’s risk appetite may vary.
Very high risk appetite
- The organization is willing to take high risks in pursuit of its objectives
- Risk-taking organizations such as private equity (PE) and new ventures.
Very low risk appetite
- The organization is willing to take minimal risk in pursuit of its objectives
- Risk-averse organizations such as NGOs, charitable organizations, and government entities.
Balanced risk appetite
- The organization is willing to take balanced and informed risks in pursuit of its objectives
Building risk appetite
The stages involved in developing risk appetite statements are as follows:
1. Identify stakeholders and their expectations, together with an analysis of the risks to strategy, tactics, operations and compliance, as set out in the risk register
2. Establish the desired level of risk exposure that will lead to a risk appetite statement that provides a set of qualitative and quantitative statements
3. Define the range of acceptable volatility or uncertainty around each of the types of risks, leading to a statement of acceptable risk tolerances
4. Reconcile the risk appetite and risk tolerances with the current level of risk exposure and plan actions to bring current risk exposures into line with risk appetite
5. Formalize and ratify a risk appetite statement(s), communicate the statement with stakeholders and implement accordingly
Categories of risk appetite
Each category is rated on a scale from Low to High:
- Financial sustainability
- Reputation and image
- Health, safety and environment
- Operational continuity
- Compliance to laws and regulations
- Professional ethics & anti-bribery
Test of risk appetite statement
Below are the four tests that organizations should apply while reviewing their risk appetite framework:
- Do the managers who make decisions understand the degree to which they (individually) are permitted to expose the organization to the consequences of an event or situation?
- Do the executives understand their aggregated and interlinked level of risk so they can determine whether it is acceptable or not? Does the board and executive leadership understand the aggregated and interlinked level of risk for the organization as a whole?
- Are both managers and executives clear that the risk appetite is not constant? Anything approved by the board must have some flexibility built in.
- Are risk decisions made with full consideration of reward? The risk appetite framework needs to help managers and executives take an appropriate level of risk for the business, given the potential for reward.
Defining risk appetite and risk tolerance
Objective of the organization
1. Ensure safety of People & Environment
Appetite Statement
The organization ABC is committed to creating a clean, safe, and healthy working environment for all its employees, including the staff and workers working on behalf of the Company. All operations, including investments, shall be based on the principles of sustainability to meet the needs of the present without compromising the ability of future generations to meet their own needs.
The Company shall perform its operations strictly in compliance with the applicable Health, Safety, and Environmental (HSE) regulations. Any operation which has the potential to cause permanent damage to the environment above the allowable limits or lead to a fatality shall be terminated. ABC will strive to be a top quartile performer in the relevant industry.
ABC will operate its businesses with zero tolerance on violation of health, safety and environment standards set by Omani laws and regulations.
Tolerance examples (each rated as Target / Acceptable / Barely Tolerable / Intolerable)
1. Compliance to Occupational Safety regulations
- Target: 100% compliance with the applicable safety regulations without any concession
- Acceptable: 100% compliance with the applicable safety regulations with concession / dispensation
- Barely Tolerable: One or more non-compliances with the applicable safety regulations leading to 1 or more LTIs (lost-time injuries) / yr
- Intolerable: One or more non-compliances with the applicable safety regulations leading to 1 or more fatalities / yr
2. Compliance to Sustainability regulations
- Target: 100% compliance with the applicable sustainability regulations without any concession
- Acceptable: 100% compliance with the applicable sustainability regulations with concession / dispensation
- Barely Tolerable: One or more non-compliances with the applicable sustainability regulations, but recoverable in nature
- Intolerable: One or more non-compliances with the applicable sustainability regulations which are irrecoverable in nature
3. Impact on Environment
- Target: No environmental damage
- Acceptable: Local environmental damage which is fully recoverable
- Barely Tolerable: Material environmental damage which is fully recoverable
- Intolerable: Material environmental damage which is irrecoverable
4. Compliance to Occupational Safety regulations
- Target: 100% compliance with the applicable safety regulations without any concession
- Acceptable: 100% compliance with the applicable safety regulations with concession / dispensation
- Barely Tolerable: One or more non-compliances with the applicable safety regulations leading to 1 or more LTIs / yr
- Intolerable: One or more non-compliances with the applicable safety regulations leading to 1 or more fatalities / yr
5. Impact on people / workers
- Target: No adverse impact on the employee
- Acceptable: First aid case or medical treatment case, not affecting work performance or causing disability
- Barely Tolerable: 1 or more LTI(s) / year, resulting in permanent disability
- Intolerable: 1 or more fatalities
Risk Governance
The three lines of defense (3LoD)
Having robust three lines of defense within the organization’s control framework is the cornerstone of good governance philosophy.
Oversight: The Board / Shareholders; Senior Management
1st Line of Defense: Operational Management, which develops and implements policy, procedures, manuals, and other internal control elements
2nd Line of Defense: Risk Management (RM); Legal; Compliance & Ethics; Quality, HSE, Asset Integrity
3rd Line of Defense: Internal Audit
Alongside the three lines: External Auditors; Regulators
Risk Culture
Understanding risk culture
Risk Culture: The norms of behavior for an individual or group within the organization that determine the collective ability to understand, discuss, report and act on the organization’s current and the future risks.
The elements of risk culture, grouped by dimension:
- Tone at the Top: Risk leadership; Ability to deal with bad news
- Governance: Accountability; Transparency
- Competency: Risk skills; Risk resources
- Decision: Reward; Informed risk decisions
10 questions every board should answer
1. What tone do we set from the top? Are we providing consistent, coherent, sustained and visible leadership in terms of how we expect people to behave when dealing with risk?
2. How do we establish sufficiently clear accountabilities for those managing risks and hold them to their accountabilities?
3. What risks does our current corporate culture create for the organization? Can people talk openly without fear of consequences or being ignored?
4. How do we acknowledge and live our stated corporate values when addressing and resolving risk dilemmas?
5. How do the organization's structure, processes and reward systems support or detract from the development of our desired risk culture?
6. Do we have a practice of looking at ourselves from the perspective of the stakeholders and not just assuming we’re getting it right?
7. How do we respond to whistleblowers and others raising genuine concerns? When was the last time this happened?
8. How do we reward and encourage appropriate risk taking behaviors and challenge unbalanced risk behaviors (either overly risk averse or risk seeking)?
9. How do we satisfy ourselves that new joiners will quickly absorb our desired cultural values and that established staff continue to demonstrate attitudes consistent with our expectations?
10. How do we support learning and development associated with raising awareness and competence in managing risk at all levels? What training have we as a board had in risk?
Risk Assessment and Measurement
Phases of risk assessment
Risk Assessment is a structured process which is split into seven distinct steps:
1. Establishing the internal context
- The risk management process should be aligned with the organization's culture, processes, structure and strategy;
- It includes culture, governance, structure, policies, procedures, and objectives; and
- The context of risk management varies according to the needs of an organization.
2. Defining risk criteria
- An organization should define criteria to evaluate the significance of risk;
- The criteria may include, but are not limited to, probability of occurrence, financial and non-financial impact, velocity, etc.; and
- Criteria should be aligned with the organization’s nature of business.
3. Risk Identification
- Comprehensive identification is critical, because a risk that is not identified at this stage will not be included in further analysis.
4. Risk Analysis
- It involves developing an understanding of the risk and provides input to risk evaluation and to decisions on whether risks need to be treated, and on the most appropriate risk treatment strategies.
5. Risk Evaluation
- It involves comparing the level of identified risk against the criteria established for risk acceptance;
- Accordingly, the need for risk responses is determined and actions are taken, as required.
6. Risk Response
- It involves selecting one or more options for modifying risks, and implementing those options. Once implemented, responses provide or modify the controls.
7. Monitoring and Review
- The organization's monitoring and review processes should encompass all aspects of the risk management process.
Small things can make a big impact
Generally, all organizations follow the 80/20 rule…
[Chart: 20%]
Risk Management and Monitoring
Risk response
Risk responses comprise the actions taken by the organization to reduce the risk to within the acceptable appetite of the organization.
Transfer
This can be achieved through the use of various forms of insurance, or payment to third parties who are prepared to take the risk on behalf of the organization.
Treat
This is a method of controlling risk through actions that reduce the likelihood of the risk occurring or minimize its impact prior to its occurrence.
Terminate
This is the simplest and most often ignored method of dealing with risk. This can be done by altering an inherently risky process or practice to remove the risk.
Tolerate
This is where no action can be taken to reduce a risk. This may be because instituting risk reduction or mitigation activity is not cost-effective, or because the impacts are so low that they are deemed acceptable to the business.
Risk Reporting and Insights
Key players
Every individual within the organization has a unique role to play in the risk management process.
The board / CEO
– Accountable for the ultimate success of RM;
– Oversight on the functioning of risk management;
– Establish and roll out risk appetite; and
– Own / respond to the strategic / high priority risks.
Business unit manager
– Get actively involved in the risk management process;
– Identify, assess, and analyze risks;
– Recommend suitable risk response strategies; and
– Ensure implementation of risk responses.
Individual employee
– Ensure clear and transparent information flow;
– Report any incident which may possibly trigger a risk;
– Participate in risk workshops / discussions; and
– Embed risk management in routine operations.
Chief risk officer / Risk manager
– Responsible for implementing the risk management program;
– Coordinate risk management activities;
– Consolidate and present risk movement to the board; and
– Promote / communicate the benefits of risk management.
Risk champion
– Function as a link between risk manager and risk owner;
– Facilitate periodic risk workshops / challenge sessions;
– Gather and report progress on risk response; and
– Ensure that risk information is updated periodically.
Audit committee
– Review critical / high priority risks;
– Challenge risks and their assessment / analysis; and
– Perform assessment of the RM program and provide independent and objective feedback to the board.
Data & Technology
Use of technology
GRC tools (RSA Archer, MetricStream, BWise, ARM, Thomson Reuters) can facilitate an integrated approach to internal controls across the following areas:
- Internal Control
- Internal Audit
- Compliance
- Risk Management
Introduction to Business Continuity Management (BCM)
What is business continuity management (BCM)?
There are some misconceptions about Business Continuity Management (BCM):
- “Business Continuity Management (BCM) is the same as IT Disaster Recovery Management.”
- “We don’t require Business Continuity Management.”
- “BCM is not applicable for us.”
Origin of business continuity
Many BCM programs can trace their origin to a single source:
- A crisis event or close call increased awareness that BCM capabilities were needed
- A regulatory obligation requires a formal BCM program
- Key customers insist on BCM evidence
- Cyber risks threaten operational resilience
Defining business continuity management (BCM)
Business continuity management is… “A comprehensive management process, which focuses on those threats which have the ability to disrupt the continuity of the organization’s operations. Identification of such threats enables the organization to develop resilience which would protect itself, including the interests of its stakeholders, brand, and reputation.”
What is business continuity?
Business continuity is the ability of the organization to continue delivering products or services at the desired level following a disruptive event. (ISO 22301: Societal security – Business continuity management (BCM))
[Figure: service level plotted against time following a disaster or crisis, comparing the service-level curve without BCM against the curve with BCM.]
Business continuity management (BCM):
– is a holistic process that identifies potential threats to an organization and the impact on continuity of the organization’s operations; and
– provides a framework for building organizational resilience with the ability for an effective response that safeguards the interests of key stakeholders, reputation, brand and value-creating activities.
Benefits of business continuity management (BCM)
Business continuity management (BCM) enables an organization to:
– create value for the organization by promising uninterrupted services to its clients and customers;
– gain compliance with local regulatory standards;
– preserve the brand value and reputation of the organization;
– develop resilience against the risks which can threaten the continuity of the organization’s operations; and
– improve stakeholder confidence – employees, community, customers, suppliers and regulators.
Business Continuity Management (BCM) Standards
Make yourself aware
ISO 22301
NCEMA
Global standards
What is ISO 22301
ISO 22301: Business continuity management systems specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence of, prepare for, respond to, and recover from disruptive incidents when they arise.
– The requirements specified in ISO 22301 are generic and intended to be applicable to all organizations, or parts thereof, regardless of the type, size and nature of the organization; and
– The extent of application of these requirements depends on the organization's operating environment and complexity.
What is NCEMA
The National Emergency Crisis and Disaster Management Authority (NCEMA) 7000 standard is developed to help entities systematically build their business continuity capability before, during and after an emergency, disaster or crisis.
– In both the public and private sectors, all initiatives are aimed at ensuring ongoing performance of prioritized functions and services for the purpose of enhancing the UAE’s national stability;
– The United Arab Emirates is a leading nation in this field, since there is no BCM standard in Arabic in the region; and
– Legislative and licensing bodies may establish further specifications, in addition to those defined in this NCEMA standard, to ensure community safety and security.
Business Continuity Management (BCM) Framework
Elements of the framework
Overview
— BCM comprises the development of strategies, plans and actions which provide entity protection and/or alternate modes of operation during (and after) a crisis situation, thus ensuring that stakeholders’ needs are fulfilled without interruption.
Building resilience
— BCM helps organizations enhance their operational resilience, effectively enabling them to respond to threats which would otherwise disturb the sustainable operations of the organization.
Alignment with RM
— RM and BCM share the common goals of identifying, assessing and managing high-impact threats which would otherwise prevent achievement of the organization’s strategic objectives.
Decoding NCEMA
Nation’s objectives…
Business Continuity Management (BCM) refers to building the organization’s capability to continue performing essential functions and services (at a minimum) in and after an emergency, crisis or disaster that could have resulted in a business disruption.
The Business Continuity Management (BCM) objectives of the UAE government, the local governments of each emirate, and the entities under their jurisdiction in both the public and private sectors are to:
– maintain continuity of prioritized activities in both the public and private sectors;
– set up an effective business continuity plan for delivering prioritized activities, when an emergency occurs, in a planned and controlled manner;
– develop proactive business continuity at all federal and local entities in the UAE, and the entities under their jurisdiction in both the public and private sectors; and
– secure the supply chain required for business continuity.
NCEMA framework
– Today, business continuity management is unquestionably recognized as an increasingly important element in the emergency and crisis management process; and
– NCEMA provides a Business Continuity Management Standard to build an organization’s capability to continue functioning and delivering its prioritized activities when its operations are disrupted due to emergencies or crises.
[Figure: NCEMA framework, shown as an Establish – Operate – Review – Continuous Improvement cycle built from the following elements: Understanding the organization; Top management commitment; Risk assessment; Business impact analysis; Business continuity strategy; Incident response plan; Business continuity plan; Media response plan; Awareness and training; Test and exercise; Annual review / internal audit; Management review.]
Overview of Business impact analysis (BIA)
The organization shall establish, implement and maintain a methodology for identifying the business impact of disruptions in prioritized activities. The BIA lays the foundation for the organization’s BCM program by quantifying and qualifying the impact of disruption, over time, on the delivery of products and services.
Business impact analysis steps:
– Understand and study the entity’s functions accurately;
– Determine the normal and minimal level of resource requirements;
– Study activities and define RTO and MAO for critical services;
– Determine internal / external dependency among departments;
– Determine the level of business disruption and BC objectives; and
– Confirm and prioritize critical and essential functions of the entity.
Types of business impact analysis (BIA)
There are three main phases of business impact analysis:
Strategic
Identify and prioritize the most urgent products and services and determine the organization’s recovery timescales and disruption tolerance levels at a strategic level.
Tactical
Determine the process or processes required for delivery of the organization’s most urgent products and services and assess the impact of a disruption on them at a tactical level.
Operational
Identify and prioritize the activities at an operational level which contribute to the identified process or processes that deliver the most urgent products and services, and determine the required continuity and recovery resources.
Requirements of business impact analysis (BIA)
The organization shall:
– Identify its prioritized functions, activities and services and define impact categories that fit the nature of the organization;
– Identify disruption impacts on the organization based on the predefined impact categories;
– Identify the Recovery Time Objective (RTO) and the Maximum Acceptable Outage (MAO) for the disruption of each activity;
– Identify actions required to support prioritized functions, activities and services;
– Identify activities deemed paramount to the continuity of prioritized activities;
– Prioritize activities and services according to their recoverability priority, as per the BIA;
– Identify internal and external bodies which the organization relies on for continual performance of main/essential activities and services, including support by suppliers and service providers;
– Verify the capability of vendors, suppliers and service providers to support and maintain minimum service levels for prioritized activities during disruptive incidents; and
– Identify the indispensable resources for each activity, function or service to ensure business continuity.
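The checks a practitioner would run over the BIA outputs listed above (RTO against MAO, dependency and supplier recovery times against each activity's RTO, and ordering by recoverability priority), as an added Python example. It is not part of the presentation or of the NCEMA 7000 standard; the activities, hours, impact scores and supplier names are constructed sample data.

```python
"""Added example: consistency checks over business impact analysis (BIA) outputs.

Activities, RTO/MAO hours, impact scores and suppliers below are constructed sample
data; nothing here is taken from NCEMA 7000 or ISO 22301 text.
"""
from dataclasses import dataclass, field


@dataclass
class Activity:
    name: str
    rto_hours: float                 # Recovery Time Objective
    mao_hours: float                 # Maximum Acceptable Outage
    impact: int                      # score from the predefined impact categories (1 low .. 5 critical)
    depends_on: list = field(default_factory=list)   # internal dependencies, by activity name
    suppliers: dict = field(default_factory=dict)    # supplier -> recovery time (hours) it commits to


def bia_findings(activities):
    """Return (activity, finding) pairs for every inconsistency in the BIA data:
    an RTO longer than the MAO, an internal dependency that recovers more slowly than
    the activity that needs it, or a supplier commitment slower than the RTO."""
    by_name = {a.name: a for a in activities}
    findings = []
    for a in activities:
        if a.rto_hours > a.mao_hours:
            findings.append((a.name, f"RTO {a.rto_hours}h exceeds MAO {a.mao_hours}h"))
        for dep in a.depends_on:
            d = by_name[dep]
            if d.rto_hours > a.rto_hours:
                findings.append((a.name, f"depends on '{dep}' (RTO {d.rto_hours}h), "
                                         f"slower than its own RTO {a.rto_hours}h"))
        for supplier, committed in a.suppliers.items():
            if committed > a.rto_hours:
                findings.append((a.name, f"supplier '{supplier}' commits {committed}h, "
                                         f"slower than RTO {a.rto_hours}h"))
    return findings


def recovery_priority(activities):
    """Order activities for recovery: higher impact first, then shorter RTO,
    never placing an activity before something it depends on."""
    remaining = {a.name: a for a in activities}
    order = []
    while remaining:
        ready = [a for a in remaining.values()
                 if all(dep not in remaining for dep in a.depends_on)]
        if not ready:
            raise ValueError("circular dependency among: " + ", ".join(sorted(remaining)))
        nxt = min(ready, key=lambda a: (-a.impact, a.rto_hours, a.name))
        order.append(nxt.name)
        del remaining[nxt.name]
    return order


# Constructed sample BIA register (not real data).
SAMPLE_BIA = [
    Activity("Core banking system", rto_hours=2, mao_hours=4, impact=5,
             suppliers={"Data centre provider": 6}),          # supplier slower than RTO
    Activity("Payment processing", rto_hours=4, mao_hours=8, impact=5,
             depends_on=["Core banking system"], suppliers={"Card network": 2}),
    Activity("Customer call centre", rto_hours=24, mao_hours=12, impact=3,
             depends_on=["Core banking system"]),             # RTO longer than MAO
    Activity("Branch operations", rto_hours=8, mao_hours=24, impact=4,
             depends_on=["Core banking system", "Customer call centre"]),  # slow dependency
    Activity("Monthly statements", rto_hours=72, mao_hours=120, impact=1,
             depends_on=["Core banking system"]),
]

if __name__ == "__main__":
    for name, finding in bia_findings(SAMPLE_BIA):
        print(f"{name}: {finding}")
    print("Recovery priority:", " -> ".join(recovery_priority(SAMPLE_BIA)))
```

The three findings the sample produces are exactly the cases the BIA requirements are meant to surface: a supplier whose committed recovery time cannot support the activity's RTO, an activity whose RTO is longer than the outage the business says it can tolerate, and an activity that cannot meet its own RTO because something it depends on recovers later.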
Overview of risk assessment and BC strategy
The organization shall establish a methodology for risk assessment to identify, analyze and evaluate the risks which may disrupt continuity of activities. The risk assessment process should be carried out in a structured manner, as per a predefined procedure.
The organization shall:
– Identify and approve risk parameters;
– Identify the risks that can disrupt the performance of prioritized activities;
– Analyze the risks against predefined evaluation criteria;
– Evaluate the impact of each addressed risk; and
– Take into account interdependencies related to the performance of prioritized activities.
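The scoring and interdependency steps listed above, as an added Python example (not the presentation's or NCEMA's own method): each risk is scored against assumed, approved likelihood and impact scales and a tolerance threshold, and its reach is traced through a constructed activity dependency map, so that a risk to a shared system is counted against every prioritized activity that relies on it.

```python
"""Added example: evaluating disruption risks against approved risk parameters
and tracing their impact through activity interdependencies.

The scales, tolerance threshold, dependency map and risk register are constructed
assumptions, not taken from the presentation or from NCEMA 7000.
"""

# Approved risk parameters (assumed): 1..5 scales and a tolerance on their product.
LIKELIHOOD_SCALE = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT_SCALE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
TOLERANCE = 9   # scores above this are outside the approved risk appetite (assumed value)

# Constructed dependency map: activity -> activities it depends on.
DEPENDS_ON = {
    "Core banking system": [],
    "Payment processing": ["Core banking system"],
    "Customer call centre": ["Core banking system"],
    "Branch operations": ["Core banking system", "Customer call centre"],
}


def dependents_of(activity, depends_on):
    """All activities that depend on `activity`, directly or through other activities."""
    reverse = {}
    for a, deps in depends_on.items():
        for d in deps:
            reverse.setdefault(d, []).append(a)
    seen, stack = set(), [activity]
    while stack:
        current = stack.pop()
        for nxt in reverse.get(current, []):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def evaluate_risks(risks, depends_on, tolerance=TOLERANCE):
    """Score each risk, list every prioritized activity it would disrupt (including
    via interdependencies) and flag those outside tolerance. Highest score first."""
    results = []
    for r in risks:
        score = LIKELIHOOD_SCALE[r["likelihood"]] * IMPACT_SCALE[r["impact"]]
        affected = set(r["disrupts"])
        for a in r["disrupts"]:
            affected |= dependents_of(a, depends_on)
        results.append({
            "risk": r["name"],
            "score": score,
            "affected": sorted(affected),
            "treatment_required": score > tolerance,
        })
    return sorted(results, key=lambda x: (-x["score"], x["risk"]))


# Constructed risk register (not real assessments).
SAMPLE_RISKS = [
    {"name": "Data centre power failure", "likelihood": "possible", "impact": "severe",
     "disrupts": ["Core banking system"]},
    {"name": "Telephony outage", "likelihood": "likely", "impact": "minor",
     "disrupts": ["Customer call centre"]},
    {"name": "Branch flooding", "likelihood": "rare", "impact": "moderate",
     "disrupts": ["Branch operations"]},
]

if __name__ == "__main__":
    for row in evaluate_risks(SAMPLE_RISKS, DEPENDS_ON):
        flag = "TREAT" if row["treatment_required"] else "accept"
        print(f"{row['score']:2d} {flag:6s} {row['risk']}: {', '.join(row['affected'])}")
```

The point of the dependency trace is visible in the first row: the data centre risk is recorded against a single system, but every prioritized activity in the sample depends on that system, so the risk's impact is organization-wide even though only one activity names it directly.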
Business continuity strategy
BCM strategies should enable the organization to continue performing its prioritized activities following a business disruption. The organization should also analyze the BCM capability of suppliers to service the minimum requirement to continue prioritized activities.
The organization shall:
– Implement strategies to achieve the defined RTOs for the prioritized activities and allocate the resources required to achieve those RTOs; and
– Protect its supply chain dependency by having in place appropriate agreements covering “service levels” during business as usual and during crises or emergencies.
Overview of incident response plan
The organization shall establish, implement and maintain an incident response plan and its procedures to respond to an event that may cause a disruption to organizational activities. The incident response plan shall ensure the life safety of personnel as a priority, along with the assets of the organization, to restrict and reduce loss or damage.
The incident response plan shall include:
– Incident response structure;
– Assigned roles and responsibilities;
– Incident detection and warning procedures;
– Activation criteria;
– Escalation process;
– Recovery procedures; and
– Communication to the interested parties.
A response mechanism shall be embedded that monitors incidents on a regular basis, enables early detection of any incident causing disruption and of its impact, defines the criteria for invoking the business continuity response, and gives clarity on the roles and responsibilities of personnel.
Overview of media response plan and awareness
Media response plan
The organization shall establish a media response plan with clear-cut communication procedures that enable personnel and the mass media to communicate, so as to become better acquainted with the incidents that impacted the organization’s business continuity.
The organization shall:
– Assign a spokesperson to receive, acknowledge and respond to queries related to the organization;
– Integrate its communication procedures/systems with national / regional / global communication systems; and
– Test the communication capabilities as part of the regular testing and exercising of the BCM program.
Awareness
The organization shall establish, implement and maintain a training and awareness program that is developed and implemented to effectively support the BCM objectives by developing the required competence.
The organization shall:
– Develop a training program to ensure that the training provided for personnel and teams matches their roles and responsibilities in the BCM program; and
– Ensure that internal and external interested parties are aware of their roles and responsibilities during disruptive incidents, to achieve the BCM requirements within agreed timelines while maintaining the approved agreements.
Overview of test, exercise, and review
Test and exercise
The organization shall conduct tests and exercises at regular intervals to ensure that the plan remains fit-for-purpose and effective, and shall establish, implement and maintain a ‘Test and Exercise Plan’.
– Tests shall be conducted to assess the readiness, usability and adequacy of the tools, technology, facilities and infrastructure required to implement the organization’s BCM plans. Post-test reports shall be developed and reviewed, and corrective action taken when necessary; and
– Exercises shall be conducted to ensure that BCM is effective and meets its objectives. Subsequently, a post-exercise report should be developed to document the results of the exercises.
Review
Management shall, periodically or when significant changes occur, review the organization’s BC capability to ensure it remains fit-for-purpose and continues to meet BCM objectives.
The organization shall:
– Establish, implement and maintain an internal audit program;
– Assess supplier capability through joint tests and exercises, or through a compliance review of the supplier’s capability; and
– Carry out the Management Review annually.
Overview of business continuity plan
The organization shall implement and maintain plans detailing how, following a business disruption, it will maintain continuity of its prioritized activities at the predetermined performance levels. The organization shall ensure that the risks identified are addressed so that the prioritized activities can continue.
The business continuity plan shall:
– Be consistent with the BCM strategy and incident response plan, and with the capabilities and requirements of interested parties;
– Define the criteria for invoking the plan and the method whereby the plan is invoked;
– Identify the people who are assigned the authority to invoke the plan under any given circumstances;
– Define the roles and responsibilities of personnel and teams during and following an incident;
– Include prioritized objectives in terms of the prioritized activities to be recovered, the recovery timescale and the recovery levels needed for each main activity;
– Include the recovery procedures to be followed to return to normal after the emergency, once the minimum business continuity objectives have been met;
– Include a “stand down” procedure for once the incident is over and organization personnel need to return to their normal duties;
– Be accessible to and understood by interested parties upon implementation; and
– Be communicated to all personnel who need to be aware of it.
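The activation criteria, escalation process and stand-down procedure called for by the incident response plan and business continuity plan sections above, as an added Python example. The escalation levels, notification lists, RTO/MAO values and incident records are constructed and are not taken from the presentation or from NCEMA 7000; the design choice shown is to derive the invocation criteria from the BIA, so that the plan is invoked when the expected outage of a prioritized activity would exceed its RTO, and escalated to crisis level when it would exceed the MAO or when life safety is at risk.

```python
"""Added example: plan activation, escalation and stand-down rules driven by BIA values.

Levels, notification lists, RTO/MAO figures and the incident records are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Incident:
    incident_id: str
    activity: str                   # prioritized activity affected
    started: datetime
    estimated_outage_hours: float
    life_safety_risk: bool = False


# Constructed BIA outputs (hours) for the activities used below.
RTO = {"Core banking system": 2, "Customer call centre": 24}
MAO = {"Core banking system": 4, "Customer call centre": 48}

# Who is notified at each escalation level (assumed response structure).
NOTIFY = {
    "minor": ["service desk"],
    "major": ["incident response team", "BC plan owner"],
    "crisis": ["crisis management team", "top management", "spokesperson"],
}


def classify(incident):
    """Apply the activation criteria and return (level, invoke_bc_plan, notify_list).

    - any risk to life safety is a crisis regardless of outage length (life safety first);
    - an outage expected to exceed the MAO is a crisis and invokes the BC plan;
    - an outage expected to exceed the RTO is a major incident and invokes the BC plan;
    - anything shorter is handled as a minor incident without invoking the plan.
    """
    rto, mao = RTO[incident.activity], MAO[incident.activity]
    if incident.life_safety_risk:
        return "crisis", True, ["emergency services"] + NOTIFY["crisis"]
    if incident.estimated_outage_hours > mao:
        return "crisis", True, NOTIFY["crisis"]
    if incident.estimated_outage_hours > rto:
        return "major", True, NOTIFY["major"]
    return "minor", False, NOTIFY["minor"]


def rto_deadline(incident):
    """Time by which the activity must be recovered to stay within its RTO."""
    return incident.started + timedelta(hours=RTO[incident.activity])


def must_escalate_now(incident, now, recovery_lead_hours):
    """Early warning: escalate when the time left before the RTO deadline is shorter
    than the lead time the recovery procedure needs to complete."""
    remaining = rto_deadline(incident) - now
    return remaining < timedelta(hours=recovery_lead_hours)


def stand_down(incident_over, service_restored_to_minimum, life_safety_risk):
    """Stand-down criterion: personnel return to normal duties only once the incident
    is over, minimum service is restored and no life-safety risk remains."""
    return incident_over and service_restored_to_minimum and not life_safety_risk


def triage(incidents):
    """Map incident id -> (level, invoke_bc_plan, notify_list)."""
    return {i.incident_id: classify(i) for i in incidents}


# Constructed incident records (not real events).
T0 = datetime(2019, 4, 1, 9, 0)
SAMPLE_INCIDENTS = [
    Incident("INC-1", "Core banking system", T0, estimated_outage_hours=1),
    Incident("INC-2", "Core banking system", T0, estimated_outage_hours=3),
    Incident("INC-3", "Customer call centre", T0, estimated_outage_hours=72),
    Incident("INC-4", "Customer call centre", T0, estimated_outage_hours=0.5, life_safety_risk=True),
]

if __name__ == "__main__":
    for incident_id, (level, invoke, notify) in triage(SAMPLE_INCIDENTS).items():
        print(f"{incident_id}: {level:6s} invoke_bc_plan={invoke} notify={notify}")
```

INC-2 is the instructive case: a three-hour outage of a system with a two-hour RTO invokes the plan even though the outage stays inside the MAO, which is what keeps an incident from drifting past the point the business said it could tolerate before anyone with authority to invoke the plan is involved.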
For further details, please contact:
Karim Yahfoufi
Associate Director | Risk Consulting
KPMG Lower Gulf Limited
T: +971 24014814
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we
endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will
continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the
particular situation.
© 2019 KPMG Lower Gulf Limited and KPMG LLP, operating in the UAE and member firms of the KPMG network of independent member firms affiliated
with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Printed in the United Arab Emirates.
The KPMG name and logo are registered trademarks or trademarks of KPMG International.
Thank you
Kindly use the following code to receive the CPE hours via the mobile application: 14567