
CONTROL, GOVERNANCE AND RISK MANAGEMENT

GOVERNANCE
- The Institute of Internal Auditors (IIA) defines Governance as, “the system
by which organizations are directed and controlled. It includes the rules and
procedures for making decisions on corporate affairs to ensure success while
maintaining the right balance with the stakeholders’ interest.”

- The Organization for Economic Co-operation and Development (OECD)
defines Governance as, “involves a set of relationships between a company’s
management, its board, its shareholders and other stakeholders. Corporate
governance also provides the structure through which the objectives of the
company are set, and the means of attaining those objectives and monitoring
performance are determined.”

KEY POINTS OF GOVERNANCE:

1.) Governance begins with the Board of Directors and its committees.
2.) The Board must understand and focus on the needs of the key
stakeholders.
3.) Day-to-day governance is executed by management of the
organization.
4.) Internal and external auditors provide management and the board
with assurances regarding effectiveness of governance activities.

COMMONLY IDENTIFIED GOVERNANCE PRINCIPLES:

1.) Ensure a properly organized and functioning board that has the correct
number of members and an appropriate board committee structure.
2.) Ensure board members possess appropriate qualifications and
experience, with a clear understanding of their role in governance activities.
3.) Ensure that the board has sufficient authority, funding, and resources.
4.) Create an organizational structure that supports the enterprise in achieving
its strategy.

ENTERPRISE RISK MANAGEMENT
- as defined by the Institute of Internal Auditors (IIA), “is a process to
identify, assess, manage and control potential events or situations to provide
reasonable assurance regarding the achievement of its objectives.”

- as defined by the Committee of Sponsoring Organizations of the
Treadway Commission (COSO), “is a process effected by an entity’s board of
directors, management, and other personnel, applied in strategy setting across
the enterprise, designed to identify potential events that may affect the entity,
and manage risk to be within its risk appetite to provide reasonable assurance
regarding the achievement of its objectives.”

- It is the Chief Executive Officer who has ultimate ownership for the
organization’s ERM.

8 COMPONENTS OF ERM:

1.) Internal Environment – similar to the control environment among the
control components, it encompasses the tone of the organization and sets the basis
for how risk is viewed and addressed by the organization’s people, including risk
management philosophy, risk appetite, integrity, and ethical values.
• Risk Appetite – is the amount of risk an organization is willing to
accept to achieve its goals.
• Risk Tolerance – is the acceptable variation with respect to the
objectives.

2.) Objective Setting – the organization sets forth in broad terms what the
organization aspires to achieve. Objectives may be divided into three
categories: operations objectives, reporting objectives and compliance
objectives.

3.) Event Identification – refers to the identification of potential internal
and external events affecting achievement of objectives, distinguishing
between risks and opportunities.

Event Identification Techniques:
a. Event Inventories
b. Internal Analysis
c. Escalation or Threshold Triggers
d. Interviews
e. Process flow analysis
f. Loss event data methodology

4.) Risk Assessment – refers to the consideration of likelihood and impact,
as a basis for determining how risks should be managed. Probabilistic or
non-probabilistic models may be used to quantify risk.
• Residual Risk – is the risk of the event after considering
management’s response.

5.) Risk Response – involves the selection of risk responses that are
consistent with the risk appetite. Risk responses involve the following:
A. Avoidance
B. Reduction
C. Sharing
D. Acceptance

6.) Control Activities – policies and procedures that are established and
implemented to help ensure the risk responses are effectively carried out.

7.) Information and Communication – relevant information must be
identified, captured, and communicated to enable people to carry out
their responsibilities. It is needed at all levels of the organization to
identify, assess and respond to risks.

8.) Monitoring – similar to controls, is a process that assesses the quality of
the system’s performance over time. It consists of ongoing monitoring and
periodic monitoring.

Limitations of the ERM:
1.) Risk relates to the future, which is uncertain.
2.) It cannot provide absolute assurance with respect to any of the
objective categories.

-End-
