© 2015 Grant Thornton. All rights reserved.
Enterprise Risk Management and Risk Based Internal Audit: Grant Thornton Recommended Methodology
Nasser Barakat, Partner
Grant Thornton – Business Risk Services
Risk: Scope of Definition
What is risk?
A range of possible negative events that could take place in an uncertain environment. Each of these events could have a significant impact on the organisation and its goals.
Risk is anything that will prevent you from achieving your business objectives.
[Diagram: risk acts on the chain from work unit assets (resources), to management processes, to work unit objectives, to the organisation's objectives.]
Control Broadly Defined
Control is broadly defined as 'the combination of many factors which support people in their efforts to achieve their business objectives'.
Linking risks, controls and objectives
[Diagram: business/quality objectives lead to desired end results/outcomes; risk threatens that link and control protects it.]
What is Risk Management?
Risk management represents the diversity of actions management takes in order to mitigate some or all of the business risks.
Risk management alternatives
TERMINATE: Avoiding risk
TREAT: Reducing the impact and/or probability of risk (assurance)
TOLERATE: Retaining risk (acceptance)
TRANSFER: Passing on risk
Risk mitigation technique for transfer:
- Transfer activity, e.g. subcontracting
- Transfer responsibility, e.g. insurance
Components of risks
[Diagram: total RISK is split into the part that is adequately controlled, the part that is insured, and the part that is accepted.]
GT methodology for the implementation of an enterprise risk management system and risk based internal audit
CRSA: Control and Risk Self Assessment
CRSA is a process in which staff collectively:
- identify business uncertainties in their area of responsibility;
- assess their control activities;
- develop actions for improvements,
under the guidance of risk management.
[Diagram: the CRSA process in five stages. Activity boxes shown, in reading order:]
- Workshop: identify and assess risks and controls
- Workshop: building a risk and control matrix
- Development of compliance tests
- Management sign-off
- Testing (by both I.A. and business unit)
- Reports on the test results
- Reports on CRSA
- Develop and conduct substantive tests
- Internal audit report to senior management and the board
- Input: internal and external loss data
The CRSA workshop
The following risk/control matrix lists some of the operational risks and controls related to a bank's International Brokerage function.
Components of risks
[Diagram: total RISK is split into the part that is adequately controlled and the part that is insured; the remainder is the control gap. The diagram distinguishes the acceptable gap, the actual gap and the working gap.]
Risk Based Internal Audit
What is RBIA?
The Institute of Internal Auditors defines Risk Based Internal Auditing (RBIA) as a methodology that:
1. Links internal auditing to an organisation's overall risk management framework
2. Allows internal audit to provide assurance to the board that risk management processes are managing risk effectively in relation to the risk appetite.
Traditional approach versus risk based IA approach
Each point contrasts the traditional internal audit approach with the risk based internal audit approach.

1. Traditional: Audit plan based on the audit cycle (time duration).
   Risk based: Audit plan based on the results of the business units' risk evaluation. Risky areas are covered first and more frequently.
2. Traditional: Important risks might not be covered in the audit program.
   Risk based: Provides assurance that important risks are being managed properly.
3. Traditional: Focus on deficiencies in controls and cases of non-compliance with P&P.
   Risk based: Focus on risks that are not properly controlled and/or overly controlled.
4. Traditional: An understanding of business unit operations is built through time-consuming process mapping exercises and might rely on outdated P&P manuals.
   Risk based: In-depth understanding of the business unit operations through risk assessment workshops and with the participation of the business unit management.
5. Traditional: Internal audit resources are spread over all business units/activities.
   Risk based: More efficient use of internal audit resources by concentrating on risky units/areas.
6. Traditional: Disagreement with the business unit management over the action plans, leading to delays in implementation.
   Risk based: Facilitates consensus with line management on the needed action plans, thus improving timely and effective implementation of corrective measures.
7. Traditional: Disagreement with the business unit management on the importance of the findings raised by internal audit.
   Risk based: The importance of risks is established during the risk assessment phase and in agreement between internal audit and the business unit management.
8. Traditional: Subjective internal audit ratings; they mainly rely on the auditor's judgment on the importance of the findings.
   Risk based: More objective ratings (findings are classified in accordance with pre-agreed risk importance criteria).
Internal Audit Rating Policy
Rating matrix
Rows: proportion of key controls working. Columns: size of the control gap relative to the acceptable gap.

Key controls working | Within acceptable gap | 1%–20% above acceptable | 20%–40% above acceptable | >40% above acceptable
All                  | A                     | A                       | B+                       | B
Up to 80%            | B                     | B                       | C+                       | C
50%–80%              | C                     | C                       | D                        | D
20%–50%              | D                     | D                       | D                        |
<20%                 | D                     | D                       |                          |
Conclusion
The Grant Thornton methodology:
- Allows for the identification, assessment and monitoring of all types of risks
- Moves the responsibility of control monitoring/improvement to line management
- Allows for the quantification of the 'GAP' in the control environment
- Facilitates agreement with business units on implementation of recommendations
- Concentrates audit efforts and resources on 'high risk' areas
- Provides assurance on whether risks are properly mitigated
Grant Thornton recommended three lines of defence framework
- First line of defence: lines of business and committees
- Second line of defence: risk management and compliance
- Third line of defence: internal audit
[Diagram: the three lines sit on the control framework components: control environment, risk assessment, control activities, information and communication, and monitoring activities.]
Questions and Feedback