Governance, risk management, control Flashcards
Principles of Three lines Model
- Governance
- Governing body roles
- Management and first and second line roles
- Third line roles
- Third line independence
- Creating and protecting value
Risk-based decision making
A considered process that includes analysis, planning, action, monitoring, and review, and takes account of potential impacts of uncertainty on objectives.
Assurance
Statement intended to increase the level of stakeholders’ confidence about an organization’s governance, risk management, and control processes over an issue, condition, subject matter, or activity under review when compared to established criteria.
The governance of an organization requires appropriate structures and processes that enable:
- Accountability by a governing body to stakeholders for organizational oversight through integrity, leadership, and transparency.
- Actions (including management risk) by management to achieve the objectives of the organization through risk-based decision-making and application of resources.
- Assurance and advice by an independent internal audit function to provide clarity and confidence and to promote and facilitate continuous improvement through rigorous inquiry and insightful communication.
The governing body ensures:
- Appropriate structures and processes are in place for effective governance
- Organizational objectives and activities are aligned with the prioritized interests of stakeholders
- Delegates responsibility and provides resources to management to achieve the objectives of the organization while ensuring legal, regulatory, and ethical expectations are met
- Establishes and oversees and independent, objective, and competent internal audit function to provide clarity and confidence on progress toward the achievement of objectives
Direction and oversight of second line roles may be designed to secure a degree of independence from
those with first line roles - and even from the most senior levels of management- by establishing primary accountability and reporting lines to the governing body.
IT governance board (scope, members)
Scope: Set business and IT strategy and investment plans
Members: CEO, CFO, CIO(information), plus CAE as nonvoting advisor on risk/control
IT steering committee
(scope, members)
Scope: Ensures IT strategic alignment.
Members: IT senior management and business unit owners
IT portfolio office (scope, members)
Scope: Develop IT architecture design.
Members: IT and business program/project managers
IT portfolio office (scope, members)
Scope: Develop IT architecture design.
Members: IT and business program/project managers
IT architecture office (scope, members)
Scope: Determine IT architecture design.
Members: CIO, CISO(information security), COO(operating), IT infrastructure managers
Technology council (scope, members)
Scope: Evaluate technology opportunities.
Members: CIO, CTO(technology), and business unit owners
Cybersecurity and data protection council (scope, members)
Scope: Evaluate risk and strategies to protect organization’s information assets.
Members: CIO, CTO, CISO, CRO(risk), CFO, COO(operating), business unit owners, and CAE as nonvoting advisor on risk/controls
Directors (of board) attitudes are a key component of the internal environment. They must possess certain qualities to be effective:
- A majority of the board be outsourced directors
- Directors generally should have years of experience either in the industry or in corporate governance
- Directors must be willing to challenge management’s choices. Complacent directors increase the chances of adverse consequences.
Components of COSO ERM framework
- Governance and culture
- Strategy and objective setting
- Performance
- Review and revision
- Information, communication, and reporting
Governance and culture (Component of COSO ERM Framework)
Governance sets the organization’s tone, reinforcing the importance of, and establishing oversight responsibilities for, ERM. Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity.
Strategy and objective setting (Component of COSO ERM Framework)
ERM, strategy, and objective setting work together in strategic planning. A risk appetite is established and aligned with strategy, business objectives implement strategy while forming a basis for identifying, assessing, and responding to risk.
Performance (Component of COSO ERM Framework)
Risks to achievement of strategy and objectives are identified and assessed. Risks are prioritized by severity (impact and likelihood) in the context of risk appetite. The organization selects risk responses and takes a portfolio view of the amount of risk it has assumed and reports key risks to stakeholders.
Review and revision (Component of COSO ERM Framework)
By reviewing entity performance, an organization can consider ERM component effectiveness as the organization changes and what revisions are needed.
Information, communication, and reporting (Component of COSO ERM Framework)
ERM requires…
a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization.
Governance principles
- Board membership
- Board qualifications
- Board independence
- Transparent structure
- Measurable strategy
- Strategic structure
- Governing policy
- Clear lines
- Effective interaction
- Management oversight
- Compensation policies
- Control environment
- Internal audit
- Risk management
- External audit
- Key information disclosure
- Governance disclosure
- Conflict of interest