
Enterprise risk management

Enterprise Risk Management (ERM) is a fundamental approach to the management and control of an organization. Based on the landmark work of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in the 1990s, its Internal Control – Integrated Framework and Enterprise Risk Management – Integrated Framework have become primary tools for organizational risk management. The value of the enterprise risk approach is well recognized and stands as a requirement for well-controlled organizations.

The longstanding requirement for organizations to maintain systems of internal control, with management certifying and an independent auditor attesting to the effectiveness of those systems, has become even more compelling in recent years.

An organization needs internal controls to provide greater assurance that it will achieve its operating, financial reporting, and compliance objectives.

Internal control, according to the definition established by COSO, is a process, effected by an entity’s board of directors, management and other personnel, designed to provide assurance regarding the achievement of objectives in the effectiveness and efficiency of operations, the reliability of financial reporting, and compliance with applicable laws and regulations.

A robust system of internal controls ensures that the policies, procedures, and practices designed and approved by management and the Board of Directors are functioning properly and as designed. 

Recognising the need for effective internal controls, the Bank has established a functioning, consolidated and ongoing mechanism to certify the effectiveness of internal controls over external financial reporting, using COSO’s Internal Control Framework and Enterprise Risk Management Framework as a basis. Furthermore, the Bank’s ERM mechanism encompasses all key products, processes and systems, facilitating a Bank-wide system of controls, including automated information controls.

The Enterprise Risk Management exercise is implemented using COSO’s Internal Control Framework and Enterprise Risk Management methodology as a basis. The exercise is broken down and executed in 5 phases, as indicated in figure 1.

Figure 1 – Enterprise Risk Management - Phases

The definition of internal control (phase 1) applicable to the Bank’s environment and objectives was established after thorough analysis of the Bank’s internal environment and research on international standards: the COSO Internal Control – Integrated Framework, the COSO Enterprise Risk Management – Integrated Framework and the IT Governance Institute’s Control Objectives for Information and related Technology (COBIT). In defining the internal controls, emphasis is given to the five control components of the COSO integrated framework: Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring.

A Working Group with representatives from all the Bank’s Divisions has been established (phase 2) to assist in the documentation of internal processes and the evaluation of the internal controls mechanism.

The evaluation phase commences by considering internal controls at the organization or corporate governance level. Internal controls at the entity level are identified, documented and evaluated (phase 3).

According to COSO ERM, risk assessment allows an entity to consider the extent to which potential events have an impact on the achievement of objectives. The factors considered during the overall risk assessment are the following:

  • The size and complexity of the organization
  • The nature of the organization’s operations
  • The purpose for which monitoring is being conducted, and
  • The relative importance of the underlying controls in meeting the organization’s objectives

Internal processes assessed to be significant as a result of a materiality analysis of the Bank’s financial statements, taking into consideration the risk assessment criteria of COSO, are evaluated at the process, transaction and application level (phase 4).

The major processes in scope of the Enterprise Risk Management exercise (including Internal Controls over Financial Reporting) are the following: Banking Operations (Project Finance, Operations Following Expedited Procedures), Equity Investments, Financial Management & Accounting, Treasury Operations, Information Technology and Human Resources.

Each process is analysed into several sub-processes, and controls are identified to facilitate the evaluation of the design and operating effectiveness of each business cycle. All controls identified are verified to evaluate design effectiveness, and all key controls are tested to evaluate operating effectiveness.

Finally, an overall assessment of the effectiveness and efficiency of internal controls is performed, and a remediation plan is produced covering all weaknesses identified; progress on these weaknesses is monitored through the established monitoring system.

Upon the overall assessment of the effectiveness of internal controls over financial reporting, an annual certification statement is issued, signed by the President and the Vice President Finance, subject to review and attestation by the Bank’s external auditors.

The external auditors review and offer their opinion on management’s assertion as to the effectiveness of internal controls over financial reporting (phase 5). This opinion is given as a report separate from the audit opinion on the Financial Statements and is published in the Bank’s Annual Report.