
Session 4:

RISK GOVERNANCE AND MANAGEMENT CONTROL ESSENTIALS

Indonesian Entrepreneurs Organization
Corporate Governance Workshop
October 2015

Key elements of Management Control
What it involves

[Diagram: IFC Methodology. Shareholders, Board of Directors and Management, with the management control elements around them: Board Oversight, Planning and Monitoring, Compliance, Risk Management, Internal Control, Internal Audit, External Audit, and Information and Communication]
Implementing an integrated framework
Management Control

Business planning
» What are we trying to achieve and how will we achieve it?
» What resources are needed?
» How will we measure progress?

Internal control
» What control activities can safeguard against business risk?
» Do we have the right processes and information in place to monitor performance?

Compliance
» What functions do we have to ensure compliance with external laws, regulations, internal policies and by‐laws?

Performance monitoring
» How is the company performing against its defined objectives?
» How is the company performing in its risk related activities?
» What are the vital changes that the company needs to make to improve performance?

Risk management
» What risks exist in the company’s business?
» What is the impact and probability of each risk?
» What actions can the company take to mitigate these risks?

Internal Audit
» Are the company’s risk management and control processes working effectively?
» How can they be improved?

External Audit
» Are the company’s control processes working effectively?
» Is the company’s financial reporting fair and accurate?

Elements of Management control

Internal Controls
» An assurance that sound internal control processes are in place and working effectively to ensure fiduciary and operational integrity and management of the company risks

Internal audit
» Provides independent assurance to the board of directors and shareholders that the company is maintaining effective internal controls, risk management, and governance practices in the organization

Compliance
» Helps monitor compliance with and ensure adherence to internal/external laws, regulations, and policies

External Audit
» Directly serves the interest of shareholders/stakeholders by independently ensuring the company is practicing sound fiduciary control and reporting accurately, fairly, and transparently

Risk Management
» Ensures risk management processes and systems are effective, monitors the risk profile at a company and ensures that the BUs’ activities are in line with the Board’s risk appetite for the company

Detailed information on each of these elements will be covered in the next few sections of this presentation
Other Management Control considerations

Key‐person risk
» Over reliance on one or more individuals is appropriately mitigated

Organization structure
» Structure and roles are clear, logical, and understood

Information flow
» Communication in the organization is timely and transparent

IT Systems
» Help optimize the business and can support future growth

Reporting and skills
» Adequate reporting and analytical skills in the organization to make use of data and help support decision‐making

HR Function
» Is a strategic partner to management and helping address/mitigate HR risk

Human capital
» Is adequate and there are effective systems to attract, retain, develop qualified people

Management Control
Roles and responsibilities

Board of Directors / Audit Committee
» Governance, guidance and oversight

CEO
» Ultimate ownership and responsibility
» Integrity and ethics
» Leadership and direction
» Set positive control environment

Senior Management
» Assign specific internal control policies & procedures to functional units
Business Planning and Monitoring Processes
Using a structured approach

Performance Management Process
A more formal process ensures strategy is set and monitored formally by the board – not just one person informally setting it.

Budgeting Process
» Forecast: What is the financial impact of our strategies?
» Budget: What is our financial plan, against which to manage?

Strategic Planning Process
» Mission: Why are we in business?
» Goals: What do we want to accomplish?
» Objectives: What specific actions should we take?
» Initiatives: What specific actions should we take?
» Measures: How do we measure our progress?
» Monitor: How are we performing?

Risk Management Process
» Risks: What can go wrong?
» Mitigating Actions: How can we prevent things from going wrong?
Risk Governance
Key Components for Risk Governance

Ensures the Board is playing an active role in Risk Governance; including setting of 
strategy, risk appetite, and sound oversight

Ensure there is an effective structure and framework for risk management  embedded in 
the company

Ensure there are effective controls and audit functions to provide assurance

Ensure there is a strong risk management culture instilled throughout the organization

Key Components of Risk Governance

Board: Risk Appetite, Strategy, & Oversight

Management: Risk Management framework
» Infrastructure: People; Organisation structure; IT (databases, systems)
» Processes: Mandates, roles & responsibilities; Assessment; Measurement; Monitoring and reporting; Mitigation and control; Optimization
» Policies: Implementation of desktop procedures for all business units & product types

Assurance: Controls and Audit

Organization-Wide: Risk Culture
3 lines of defense framework
An approach for risk governance

Governing Body/Boards (Oversight)
» Sets the ‘Tone from the top’
» Establishes risk appetite and strategy
» Approves the RM framework, methodologies, overall policies, and roles and responsibilities
» Leverages risk information into decision making process

1st line of defence – BU process and risk owners
» “Owner” of the risk management process
» Identifies, manages, mitigates and reports on different risks
» Accepts, transfers or mitigates identified risks

2nd line of defence – Risk Management (Design, interpret, monitor & report)
» Provides interpretation of regulations/leading practices and disseminates to BUs
» Designs and deploys the overall RM framework
» Monitors adherence to framework and strategy
» Develops RM methodologies
» Develops risk policies and procedures and monitors compliance
» Evaluates BU activities on a risk adjusted basis
» Performs aggregated risk reporting

3rd line of defence – Internal Audit (Test & verify)
» Provides independent testing & verification of efficacy of corporate standard and business line compliance
» Validates the overall risk framework
» Provides assurance that the risk management process is functioning as designed and identifies improvement opportunities

1st and 2nd line need robust risk profiles: reporting can only be as good as the underlying analysis

Risk Governance/Mgt Actors & Roles

Key responsibilities – Key functionaries
» Oversight & Guidance – Board
» Escalation – Risk and Audit Committees
» Coordination – Risk management division
» Ownership – Business units
» Assurance – Internal Audit
Risk Governance/Mgt Actors & Roles

Board
» Ultimate accountability for the risk situation
» Articulation of risk appetite, communication of risk strategy
» Approval and review of risk policies

Risk and Audit Committees
» Reviewing and challenging risk information
» Escalating key issues to the Board

Risk management division
» Facilitation and co‐ordination of risk management activity across the bank

Business units
» Identification, assessment, measurement, monitoring and reporting business risks

Internal Audit
» Independent assessment of the effectiveness of risk management function

Roles and Responsibilities for Risk
Board of Directors

Strategy
» Develops business strategy
» Approves risk management strategy for the company

Risk appetite
» Articulates risk appetite
» Approves risk appetite translation into tolerances & limits

Risk governance
» Decides the risk governance structure
» Ensures development of risk management framework

Risk policies and procedures
» Reviews and approves risk policies and procedures
» Communicates the risk policies across the company

Delegation
» Delegates relevant authority to risk functionaries

Performance review
» Reviews risk management effectiveness and compliance
» Reviews significant risk issues highlighted by committees

Disclosures
» Reports to stakeholders on risk management
» Approves public disclosures
Sample Risk Governance Structure - FIs

Governance
» Board of Directors
» Board committees: Audit Committee, Corporate Governance Committee, Risk Management Committee, Remuneration Committee

Management
» Senior Management
» Executive level risk committees (banks): Asset & Liability Management Committee, Credit Risk Committee, Operational Risk Committee
» Chief Risk Officer and Risk Management Department
» Internal Audit
» Business Units (Performance)

Sample Risk Governance Structure – Non FIs

Governance
» Board of Directors
» Audit & Risk Committee

Management
» Senior Management
» CRO and Risk Management Team
» Internal Audit
» Business Units (Performance)
Comparable Standards
Essentially identical risk management processes in the two standards: ISO 31000 and COSO 2004

Source: Aon Risk Solutions, White Paper on Risk Management Committee, 2011

Risk Management Process in Simple Form
Five steps process

[Diagram: the Risk Management Process as a five‐step cycle (steps 1 to 5); the only step label recoverable from the figure is "Monitoring and reporting"]
Common Themes in Risk Management Frameworks
1. Risk governance, overall environment, culture
2. Linked to the achievement of objectives/strategies
3. Identification of risks and opportunities
4. Assessment and prioritization of risks
5. Risk measurement and aggregation
6. Determining response
7. Monitoring and reviewing
8. Establishing controls
9. Communication
10. ‘The Use Test’
New approaches to Risk Management
Emerging trends

Conventional practices
» Silo‐based risk management leads to silo‐based reporting
» Board packages often contain a lot of data, not always risk information or analysis
» Performance‐focused
» Focus is on business risks
» Somehow difficult to drive action
» Not forward‐looking

Emerging trends
» Effort to aggregate existing risk reporting packages – comprehensive or portfolio view of risks
» Non‐financial risks are added to risk reporting
» More forward‐looking measures help assess potential impact on organization
» Increased focus on exceptions and trends
» Strengthened linkage between risk reporting, performance measurement, and strategy
» More actionable type of reporting and analysis
Exercise
You’ve just been assigned as CRO of a company.
What strategies might you suggest to your board to help embed risk management into the organization?

[Diagram: risk governance structure – Board of Directors, Audit & Risk Committee, Senior Management, CRO, Risk Management Team, Internal Audit, Business Units]
Strategies for Embedding Risk

Board of Directors
» Sets Risk Appetite along w/Strategy
» Monitors and challenges; discussed as part of strategy/business oversight
» Routine reports elevated to engage board

Audit & Risk Committee
» Ensures framework working effectively
» Goes into depth on particular risks to report to board
» Ensures in line w/Risk Appetite

Senior Management and Business Units
» Routine risk reports
» Part of routine management meetings
» Made part of managers’ scorecards/objectives
» Encouraged to elevate problems; not penalized

CRO / Risk Management Team
» Facilitates risk management in organization
» Maintains policies/procedures
» Designs reports and tools
» Prepares summary reports and analyses for Mgt and Board

Internal Audit
» Provides independent assurance that controls are working and risk management framework is being adhered to
Strategies for Embedding Risk Management in the Organization

» Make an integral part of the strategy and oversight processes; not a stand-alone function
» Ensure Board understands its role and is actively engaged
» Consider designating a Chief Risk Officer and Team to facilitate this process (Imperative for Banks)
» Ensure Risk Management unit/team is integrated with the business units – not a stand alone, isolated unit
» Create routine risk reports (integrated with performance status) throughout the organization to improve awareness and transparency
» Encourage discussion of risk during routine management status meetings; don’t penalize
» Encourage healthy risk dialogue throughout whenever discussing business plans, initiatives, or investments
» Design routine risk reports that drive discussions from Management to the Board
» Require discussion of risk mitigation plans and reports to track progress – incorporate in routine management meetings
» Link to managers’ performance scorecard processes for accountability & focus
» Keep it frequent, timely, and simple!

Considering a CRO
Main principles – depends on each company

Primary role
» Independent oversight of bank‐wide risks
» Engage with the board and other senior management on key risk issues
» Key principle: Avoidance of “double‐hatting” i.e. CEO/CFO also serving as the CRO

Authority and Independence
» Complete independence from business units
» Possess sufficient stature, authority and seniority within the organization ‐ reflected in the ability of the CRO to influence key decisions

Reporting line
» Direct reporting line to CEO or “other senior management”
» Direct access to Board risk committee and the Board without impediment
» Frequent, documented meetings with Board
» Periodic meeting of the CRO and the Non‐executive directors (in absence of all senior management)

Tenure
» Prior approval from the Board for removal of a CRO, public disclosure of the same
» Discussion of the removal of the CRO with the banking regulator/supervisor

Compensation
» Compensation and other incentives should be sufficient to attract and retain qualified personnel

Other
» CRO’s expertise should match the risk profile of the bank
Understanding the Board’s risk awareness
Key questions to be answered

» Does the board ever discuss current and future risks as an agenda item?
» Do Board members receive intuitive reports which enable them to understand and be comfortable with the company’s potential/inherent risks?
» Is the Board aware of the appropriate risk‐reward tradeoff that the company is pursuing?
» Is the company on track with delivering its strategy?
» What are the serious challenges the company is facing at the moment?
Articulation of risk appetite
Linking with Business strategy

Business strategy
» Considerations: Market forces – market structure, competition et al; Bank’s vision/mission
» Represents the strategy visualized for the bank’s business

Risk strategy/capacity
» Considerations: Capital availability, ability to raise capital, strength of operational processes etc.
» Based on the business strategy
» Represents the ability or capacity to bear risk

Risk appetite
» Considerations: Investor expectations, financial strength, largest downside loss, regulatory requirements etc.
» Reflects the willingness to take on risk

Articulation
» Qualitative risk appetite articulation: Series of qualitative statements outlining risk appetite; Risk appetite statements for individual risk
» Risk tolerances: Articulation through KRIs and zero tolerance risks
» Risk limits/thresholds and Risk indicators: Quantitative statements describing risk appetite; Serve as essential elements in risk control
Articulation of Risk Appetite (1/2)
Representation of risk appetite in a Bank (Illustrative)

Metric ‐ Quantitative Indicators
» Earnings Volatility: Not deliver profits after tax below market consensus earning forecast by more than x%
» Return on equity: Target return on equity is x%
» Target capital ratios: Tier 1 capital should not fall below 10% of RWA and total capital ratio should not fall below 15%
» Credit rating: AA is our target rating and our intention is to maintain it
» Advances / Deposits: Ratio to be within the limits agreed with the Board
» Growth rate for each key portfolio: Target growth rate of xx% for corporate, yy% for retail, zz% for investments etc.
» Target market share: XX% market share for ABC segment by 20XX
» Target concentration level: Name concentration and sector concentration limits
» Target impairment levels: Max. of XX% NPLs (as percentage of total loans)

Articulation of Risk Appetite (2/2)
Representation of risk appetite (Illustrative)

Metric – Qualitative Indicators
» Business activities: Limit business to certain sectors, products, business lines and geographic locations
» Inefficient growth: Monitoring indicators for early warnings in non‐sustainability of growth
» Geographic focus: Focus primarily on developing/emerging economies

Zero tolerance risks
» Compliance risk: No breaches in regulatory norms are tolerated
Risk Management vs. Internal Control

Risk Management
» Identify key risks to the company
» Measure exposures to those risks
» Monitor risk vulnerability and determine the corresponding need on an ongoing basis
» Control or mitigate risk exposures
» Report to Senior management and the Board

Internal Control
» Designed to ensure each key risk has a process to help control the risks
» Help to ensure process integrity, compliance and effectiveness
» Provide comfort that financial and management information is reliable, timely and complete
» Place reasonable checks on managerial and employee discretion
Example: Linking Risk Mgt, Internal Control, and Internal Audit

Risks – What can go wrong & keeps you up at night?
 Financial (examples)
 Revenue not being collected or recorded
 Expenses not controlled or being abused
 Inadequate working capital
 Operational (examples)
 Hotel operations not being run to high standard
 Guest experiences are negative
 Project Development (examples)
 Projects not being completed on time, or on quality
 Project costs not being controlled

Controls* – What are you doing about it?
 Financial Controls
 Operational Controls: Performance Stds, Reporting
 Project Controls

Internal Audit – What assurance do I have that it is working effectively?
 Reviews
 Interviews
 Observations
 Sampling
 Process Reviews

*Controls in various forms – ex post/ante (e.g.)
 Mgt approvals
 Transx reviews
 Mgt Reporting & Monitoring
Example: Linking Risk Mgt, Internal Control, and Internal Audit

Unit: Hotels & Resorts - Financial Management

Objective 1.1 Revenue - Ensure accurate collection and recording of cash revenue transactions in hotel operations.
» Risk R1.1B: Guest room revenue is not recorded and/or collected.
» Priority (Impact/Probability): High
» Control: Night audits are performed to balance cash/credit receipts with system balances.
» Internal Audit: Semi-Annual: Review samples semi-annually to ensure all balance and recorded properly.

Objective 1.2 Expenditures - Ensure major purchases are authorized and accounted for.
» Risk R1.2A: Staff make purchases beyond their authorized limits.
» Priority (Impact/Probability): Med
» Control: Signatures are required for purchases above defined thresholds. Expenditure reports are monitored monthly.
» Internal Audit: Annual: Pull sample of large purchases for proper authorizations; Interview Purchasing staff to ensure reports are being monitored.

Unit: Hotels & Resorts - New Building Projects

Objective 1.2 Complete Expansion of New Rooms by December, 2009 according to specs and within budget.
» Risk R1.2A: Project delays due to lack of qualified personnel.
» Priority (Impact/Probability): High
» Control: Project timeline is updated weekly and discussed at team meeting.
» Internal Audit: Monthly: Review samples monthly; discuss effectiveness of reports with key project staff.
» Risk R1.2B: Cost overruns due to rising material costs.
» Priority (Impact/Probability): Med
» Control: Budget report is generated bi-weekly and discussed at team status meetings.
» Internal Audit: Quarterly: Review samples quarterly; discuss effectiveness of budget information with key users.
Key Questions to Ask about Risk Governance

• Who is responsible for developing the risk management system?

• How are the risks identified and risk appetite set?

• Does the board periodically review the risk management systems?

• What is the role of IA unit in the management of risk?

• How often is management of risks compared to targets approved by the board?

• How is this reported to the board?

• Do the board and management appropriately assess risks when planning new strategies,
activities and products?

Internal Control
Key Questions to Ask about Internal Controls

• What is the role of the audit committee and the board in ensuring that proper internal
controls are maintained, risks are managed and that the company is in compliance with all
relevant laws and regulations?

• Describe how the company’s internal controls (operational, financial and compliance,
including IT systems) are designed and maintained?

• Are internal controls risk based?

• Were there any significant problems in internal controls in the past 5 years? Please
describe.

• Does the board monitor that management responds to the deficiencies identified in
Management Letters?

• Are internal controls designed in accordance with a relevant framework, e.g., COSO,
COBIT, Basel?

A Sound Internal Control Framework

» Does the company operate a system of internal control that is effective in ensuring:
 Compliance with laws and regulations
 That all transactions are properly accounted for and allow for proper preparation of financial statements
 That assets are safeguarded against improper or unauthorized use

» Is the internal control framework properly embedded across the entire organization, clearly understood and reinforced by management?

» Is the control framework regularly documented and reviewed to ensure its ongoing effectiveness?

» Is the control framework incorporated into the work of an effective internal audit function that can validate underlying controls?
COSO Framework for Internal Control

Component – COSO Definition
» Control environment: Sets the tone of an organization
» Risk assessment: Identification and analysis of relevant risks to achievement of the objectives
» Control activities: Policies and procedures that help ensure management directives are carried out
» Information and communication: Pertinent information must be identified, captured and communicated in a timely manner
» Monitoring: A process that assesses the quality of the system’s performance

[Diagram: COSO cube – the five components (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring) against the objectives Operations, Financial Reporting and Compliance, across organizational units (Unit A, Unit B)]
Maintaining a Sound System of Internal Control
Responsibilities

Board of Directors
» Set appropriate policies on internal controls
» Seek regular assurance to satisfy that the system is functioning effectively
» Ensure that the system is effective in managing the risks in an approved approach

Management
» Implement board policies on risk and control
» Identify and evaluate the risk faced by the company

Employees
» Should have necessary knowledge, skills, information
» Should have an authority to establish, operate and monitor the system of internal controls

Source: Financial Reporting Council ‐ Guidance for Directors on the Combined Code, 2005

Management Oversight & the Control Culture

Board of Directors
» Has the ultimate responsibility for ensuring that an adequate and effective system of internal controls is established and maintained
» Should include in its activities the following:
 Periodic discussions with management concerning the effectiveness of internal control system
 Timely evaluations of internal controls made by management, internal auditors and external auditors
 Periodic efforts to ensure that management has promptly followed up on recommendation and concerns expressed by auditors and supervisory authorities on internal control weaknesses
 Periodic review of appropriateness of the company’s strategy

Senior Management
» Responsible for carrying out the directives of the board of directors, including the implementation of strategies and policies and the establishment of an effective internal control

Control Culture
» Board of Directors and Senior management are responsible for promoting high ethical and integrity standards, and for establishing a culture within the organization that emphasizes and demonstrates to all levels of personnel the importance of internal controls
Internal Audit
Internal Audit Objective and Tasks

OBJECTIVE: To provide the board and management with reasonable assurance that the
organization has a sound system of internal control to protect against loss

• Evaluate the system of internal controls, risk management and CG

• Assess risks / component of risk management

• Test operations of systems (including IT)

• Communication, recommendations for improvement and follow up
Key Questions to Ask about Internal Audit

• To whom does the Chief Internal Auditor report? How is the IA chief hired/fired and does the CIA privately meet with the
board or the audit committee?

• What is the relationship between IA, the Chair, CEO, CFO, CRO, CIO and external auditor?

• Are the IA work plans reviewed by the audit committee or the board?

• Does the board monitor management’s response to deficiencies and weaknesses identified by the IA function?

• Are internal audits risk based?

• Were there any significant problems with internal audit in the past five years? Please describe.

• Is corrective action taken, followed-up on?

• What are the audit standards applied by IA, e.g., IIA Standards?

• Does the external auditor rely on the work of internal audit in conduct of the annual financial statement audit?

• How are conflicts of interest with internal auditors handled?


Internal Audit vs. Internal Control
Key differences

Internal Audit
» Reports to board, Audit committee and is independent of business units
» Conducts reviews of the systems of internal control to offer a second, independent view on their robustness
» Provides an independent assessment of the adequacy and compliance with the established internal controls

Internal Control
» The internal control environment is established by Business Units to manage the risks inherent within the products they are delivering
» Business Units will discuss and agree these risks with risk management and internal audit
» Business Units are responsible for the effectiveness of their internal control systems
Internal Audit and Audit Committee
Relationship

Audit Committee
» Enable an audit team that is independent, empowered and sufficiently staffed and resourced
» Ensure the internal audit plan is sufficiently broad in scope and executed in a timely manner
» Ensure internal audit reports are actionable and that they are adequately implemented
» Promote effective committee functioning and staff the committee with sufficient expertise
» Promote an open, transparent relationship with the audit and other control professionals

Source: Moody’s – Best Practice in Audit Committee Oversight of Internal Audit

Audit Reporting

» All audit reports circulated to the Senior Management as well as line management responsible for the area audited
» Significant findings circulated to Audit committee
» Periodic internal reports and summaries of audits submitted to management team as well as Board Chairman and Audit committee Chairman
» CIA meets the Audit committee at least once annually (recommended on quarterly basis) without management present
» CIA attends all Audit committee meetings and is allowed, at all meetings, an opportunity to meet with committee without management present
Internal audit and Control environment
CIA’s responsibilities

Internal audit and Control environment
» Reviews adequacy of and implementation of internal controls framework
» Audits operations with work plan, based on a risk‐based analysis
» Coordinates with external auditor
» Ensures for follow‐up that audit recommendations are implemented; non‐implementation issues raised with Board
» Assists the Board in establishing ethics policy and whistle blowing procedures

Accounting policies and procedures
» Reviews and recommends updates to accounting policies and procedures
» Ensures compliance of internal audit with professional standards
» Keeps Audit committee chairman abreast of material pending changes by accounting standard setters
» Works with the Audit committee, monitors the adequacy of external reporting practices against peers
Qualifications and Skills
Professional and Personal

‘Professional’ Skills
» Licensed auditor
 Holds internationally accepted relevant certification (e.g. CPA, CIA, CFA, etc.)
» Ability to lead and manage auditing staff
» Knowledge of relevant standards and regulations in all jurisdictions in which the company operates

Personal
» Integrity – understands duties of loyalty and care
» Communication skills
» Honest and ethical
» Commitment to professional auditing standards
Thank You!

ifc.org/corporategovernance

Internal Control – Integrated Framework
Control Environment – Essential Components

» Personnel integrity and ethical values
» Dedication to staff competence and skill enhancement
» Participation of board members and board committees
» Positive influence of management’s commitment
» Organizational structure that enables the management of the company

[Diagram: the five COSO components – Control environment, Risk assessment, Control activities, Information and communication, Monitoring]
Internal Control – Integrated Framework
Risk Assessment

Steps that need to be taken by the management to assess risks:
» Establishment of company’s risks to achieve its objectives
» Identification, analysis and assessment of risks to achieve objectives
» Assessment of risks from internal and external sources at both the entity and the activity levels
» Assessment of risks related to ‘change in conditions’
» Assessment of financial impacts of risk analysis of financial statements

Source: COSO Integrated Framework

Internal Control – Integrated Framework
Control Activities

Control activities consist of the following:
» Policies and procedures that ensure management directives are carried out
» Control activities occur throughout the company at all levels and functions
» Control activities include limits, approvals, authorizations, verifications, reconciliations, reviews of operating performance and segregation of duties
» Control activities also cover controls over risk infrastructure

Source: COSO Integrated Framework
Internal Control – Integrated Framework
Monitoring

Monitoring consists of the following:
» Internal control systems need to be monitored over time to assess their quality and performance
» A combination of ongoing and separate evaluation of the internal control system must be conducted by management
» Management and supervisory activities are required to be evaluated and monitored on an ongoing basis
» Management is responsible for carrying out an independent audit of the internal control systems to ensure that the internal controls are functioning as expected

Source: COSO Integrated Framework

Internal Control – Integrated Framework
Information and Communication

Information and communication consist of the following:
» All personnel must receive a clear message from top management to take control activities seriously
» Information needed by personnel to do their job must be timely, identified, captured and communicated to them
» Access to internal reports (operational, financial and compliance) must be provided to employees to perform their tasks
» External communication with customers, suppliers, regulators, investors and shareholders must be part of the framework
» Effective upstream communication by employees of their findings must be established

Source: COSO Integrated Framework