Designing and Implementing an Enterprise Risk Management Framework
Advisory Services, Governance, Risk & Compliance
Caribbean Confederation of Credit Unions 2010 AGM and Conference
June 2010

Workshop Agenda
PricewaterhouseCoopers, June 2010
1. Introduction
2. After the Storm: Factors shaping the future Business Environment
3. Theoretical Framework
−Overview of the COSO Enterprise Risk Management - Integrated Framework
−ISO 31000: Risk Management - Principles and Guidelines on Implementation
4. Putting Theory into Practice
5. Role of Internal Audit
6. Final Thoughts

Introduction

Participants Introduction
Hello, I am…

Workshop Overview
Over the next two days, our objectives will be to:
−Understand the key factors that are likely to impact on the future business environment and, by extension, business strategy
−Determine where we are now, and where we ought to be, in terms of Enterprise Risk Management (ERM)
−Gain an understanding of the process of getting to the desired state
−Assess the role of internal audit in supporting ERM

After the Storm: Factors shaping the future Business Environment

The Global Economic Crisis and its Impact
Worst recession in post-war history
Signs of recovery, but…
−Slow and uncertain growth
−Driven by government intervention and not through business expansion
Dark clouds:
−European debt crisis
−Geopolitical events
−Terrorism, civil disturbance
−Natural and man-made disasters
−Volatility in commodity prices, e.g. oil

A New Look at an Old Issue?
Risk management has always been a key priority for boards…
−Renewed attention following the recent global financial crisis, particularly in light of the role of risk management failures
Some ‘black swan’ events, but…
−The largest cause of significant incidents was failure in day-to-day operations: poor compliance culture, insufficient resources, complacency, perverse incentives and low morale
−Other factors include inadequate monitoring, insufficient enforcement and lack of follow-up of known problems
−Known track record of risks and possible outcomes

The Future Business Environment
Not clearly defined, but not business as usual!
Some drivers have begun to emerge…
−Role of government
−Public sector finances
−Regulation
−Consumer behaviour
−Cost containment
−Risk management

Role of Government
Bailouts resulted in government assuming ownership and control
Impact of wearing ‘two hats’
−Impact on role as regulator
−Possible bias?

Public Sector Finances
Economic stabilisation costs have devastated government finances in most countries
−Deficits in the region of 10% of GDP!
−Deficits financed by debt: total level nearing 100% of GDP
−Level of debt and deficit considered unsustainable
Increase in sovereign risk profile and cost of borrowing
Efforts to address deficit/debt:
−Increase in revenues (through taxation)
−Decrease in public sector expenditure
−Alternative funding for public infrastructure

Public Sector Finances
Taxation
−Limited options, given the need to spur expansion of the business sector
−Financial services sector identified for increased tax burden
Expenditure
−Cutbacks in social services programmes
−Impact of increased costs of borrowing
−Need to enhance efficiency, economy and effectiveness
Infrastructure financing
−Increasing use of PPP models

Regulation
Reform driven by adverse events
−Basel III?
−Rules based vs. principles based
−Focussed on regulated entities; questions of ‘over-reaching’
−What about regulators?
Appropriateness of measures
−Poor track record of previous initiatives
Specific implications for credit unions
−Increasing involvement of central banks in credit union regulation
−Ability to leverage existing institutional capabilities and capacity

Consumer Behaviour
Focus on thrift and saving
Distrust of financial institutions
−Trickle-down of financial support
−Questions of integrity
−Increased scrutiny likely in future
Increasing intolerance and decreasing loyalties
Increasing role in defining products and services
−Focus on life-cycle products

Cost Containment
Key element of survival in crisis situations
−Rationale not always logical
Generally not sustained as the business environment improves
Trend unlikely to continue in future
−Focus on enhancing efficiency and effectiveness
−Adoption of a risk-based approach to resource allocation
−Integration of the governance, risk and compliance functions
−Enterprise-wide approach

Risk Management
Risk management is a key area of responsibility for Boards, but…
−Priority tends to vary according to the business environment
−Unintended consequences of the success of measures
General trend to review and enhance the function in the post-crisis environment
−Comprehensive approach
−Measures must be cost efficient and effective
−Control optimisation
Change in risk appetite (short-term?) to a more risk-averse position
−Retreat to zone of comfort

The Caribbean Experience – General Observations
Narrow view of risk: primarily as a hazard
−Inadequate focus on upside (opportunity) or on managing uncertainty
Risk management initiatives generally driven by the regulator
−Level of focus dependent on adequacy of regulatory oversight
−Response affected by the perception that there is excessive regulation
Tendency towards achieving minimum compliance
−Development of a ‘checklist’ approach
Initiatives overly influenced by cost considerations
Lack of formal processes
−Focus on ‘obvious’ risks

The Caribbean Experience – General Observations
Approach based on the traditional model
−‘Silo’ approach vis-à-vis ERM
−Inadequate consideration of the interrelationship of risks
Internal audit not effectively utilised
Remedial efforts not completed on a timely basis
Increasing concerns by internal and external stakeholders about the effectiveness of existing practices

Overview of the COSO Enterprise Risk Management - Integrated Framework

Background
The Committee of Sponsoring Organizations (COSO) of the Treadway Commission:
−Concluded that there was a need for a recognized framework despite an abundance of literature on the subject
−Believed there is consensus that all organizations can benefit from improved risk identification and risk analysis procedures
−Recognized that many organizations are engaged in some aspects of enterprise risk management
−Believed that the study would help identify all of the aspects that should be present and how they can be coordinated

Importance of Enterprise Risk Management
Underlying principles:
−Every entity, whether for-profit or not, exists to realize value for its stakeholders
−Value is created, preserved or eroded by management decisions in all activities, from strategy setting to operating the enterprise day-to-day
ERM supports value creation by enabling management to:
−Deal effectively with potential future events that create uncertainty
−Respond in a manner that reduces the likelihood of downside outcomes and increases the upside

Enhancing Management Capabilities
Enterprise risk management provides enhanced capabilities to:
−Align risk appetite and strategy
−Link growth, risk and return
−Enhance risk response decisions
−Minimize operational surprises and losses
−Identify and manage cross-enterprise risks
−Provide integrated responses to multiple risks
−Seize opportunities
−Rationalize capital

Definition of ERM
“… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Source: COSO, Enterprise Risk Management – Integrated Framework

Key Concepts
The ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.
ERM is a process that includes:
−Identification of potential events that may impact objectives
−Risk assessment and response
−Consideration of risks in the formulation of strategy
−Application across the entity
−Managing risk to be within the entity’s risk appetite
−Taking a portfolio view of risks at the entity level
−Monitoring the performance of ERM

Framework Components
The framework has eight interrelated components: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring.

Categories of Objectives
Entity objectives can be viewed in the context of four categories:
−Strategic
−Operations
−Reporting
−Compliance

Entity-wide
ERM considers activities at all levels of the organization:
−Enterprise level
−Division or subsidiary
−Business unit processes

Portfolio View
Enterprise risk management requires an entity to take a portfolio view of risk.
−Management considers how individual risks interrelate
−Management develops a portfolio view from two perspectives: the business unit level and the entity level

Internal Environment
Establishes a philosophy regarding risk management
Recognizes that unexpected as well as expected events may occur
Establishes the entity’s risk culture
Considers all other aspects of how the organization's actions affect its risk culture

Objective Setting
Is applied in objective setting, when management considers risk strategy in the setting of objectives
Forms a risk appetite at the entity level: a high-level view of how much risk management and the board are willing to accept
Risk tolerance is the acceptable level of variation around objectives, and is aligned with risk appetite

Event Identification
Distinguishes risk and opportunity
−Events that may have a negative impact represent risks
−Events that may have a positive impact represent natural offsets or opportunities, which management channels back to strategy setting
Involves identifying those incidents, occurring internally or externally, that could affect strategy and the achievement of objectives
Addresses how internal and external factors combine and interact to influence the entity's risk profile

Risk Assessment
Allows an entity to understand the extent to which potential events might impact objectives
Assesses risks from two perspectives: likelihood and impact
The unit of measure used to assess risks is normally the same unit used to measure the related objectives
Employs a combination of qualitative and quantitative risk assessment methodologies
Time horizons are related to objective time horizons
Assesses risk on both an inherent and a residual basis

Risk Response
Identifies and evaluates possible responses to risk
Evaluates options in relation to the entity’s risk appetite, the cost vs. benefit of potential risk responses, and the degree to which a response will reduce impact and/or likelihood
Assessment of and response to risks are integral components of ERM; which specific response is selected is not
Selects and executes the response based on evaluation of the portfolio of risks and responses

Control Activities
Control activities are the policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out
Occur throughout the organization, at all levels and in all functions
Include application controls and general information technology controls

Information and Communication
Information is needed at all levels of an entity in identifying, assessing and responding to risk.
Management identifies, captures and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities.
Communication occurs in a broader sense, flowing down, across and up the organization.

Monitoring
Monitors the ongoing effectiveness of the other enterprise risk management components through:
−Ongoing monitoring activities
−Separate evaluations
−A combination of the two

Roles and Responsibilities
Four broad areas of roles and responsibilities:
−Management
−The Board of Directors
−Risk officers
−Internal auditors

Relationship with Internal Control – Integrated Framework
ERM expands and elaborates on elements of internal control as set out in COSO’s Internal Control – Integrated Framework (IC-IF)
ERM includes objective setting as a separate component; the IC-IF treats objectives as a prerequisite for internal control
The ERM framework’s “Reporting” category of objectives expands the IC-IF “Financial Reporting” category
Effective internal control is necessary for effective enterprise risk management
The ERM framework expands on the “risk assessment” component of IC-IF, separating it into three ERM components (event identification, risk assessment and risk response)
The ERM framework elaborates on other components of IC-IF as they relate to enterprise risk management

ISO 31000: Risk Management - Principles and Guidelines on Implementation

Background
Issued in 2009
Provides principles and generic guidelines on the implementation of risk management
Intended to harmonize risk management processes in existing (e.g. COSO ERM) and future standards
Can be applied to:
−Any public, private or community enterprise, association, group or individual
−Throughout the life of an organization, and to a wide range of activities, processes, functions, projects, products, services, assets, operations and decisions

ISO 31000 Key Components
Principles for managing risk
Framework for managing risk
Process for managing risk

Principles
Risk management:
−Creates value
−Is an integral part of organizational processes
−Is part of decision making
−Explicitly addresses uncertainty
−Is systematic, structured and timely
−Is based on the best available information
−Is tailored
−Takes human and cultural factors into account
−Is transparent and inclusive
−Is dynamic, iterative and responsive to change
−Facilitates continual improvement and enhancement of the organization

Framework
(Diagram slide: the ISO 31000 framework for managing risk; image not reproduced in the transcript)

Process
(Diagram slide: the ISO 31000 risk management process; image not reproduced in the transcript)

Mandate and Commitment
Articulate and endorse the risk management policy
Determine risk management performance indicators that align with organizational performance indicators
Ensure alignment of risk management objectives with the objectives and strategies of the organization
Ensure legal and regulatory compliance
Assign management accountabilities and responsibilities at appropriate levels within the organization
Ensure that the necessary resources are allocated to risk management
Communicate the benefits of risk management to all stakeholders
Ensure that the framework for managing risk continues to remain appropriate

Design of Framework
Understanding the organization and its context
Risk management policy
Integration into organizational processes
Accountability
Resources
Establishing internal communication and reporting mechanisms
Establishing external communication and reporting mechanisms

Risk Management Policy
The risk management policy typically addresses:
−Links between the risk management policy and the organization’s objectives and other policies
−The organization's rationale for managing risk
−Accountabilities and responsibilities for managing risk
−The way in which conflicting interests are dealt with
−The organization’s risk appetite or risk aversion
−Processes, methods and tools to be used for managing risk
−Resources available to assist those accountable or responsible for managing risk
−The way in which risk management performance will be measured and reported
−Commitment to the periodic review and verification of the risk management policy and framework, and to its continual improvement

Implementation
Implementing the framework for managing risk
Implementing the risk management process:
−Communication and consultation
−Establishing the context
−Risk assessment
−Risk treatment
−Monitoring and review

Risk Criteria
Used to evaluate the significance of risk
Should consider:
−The nature and types of consequences that can occur and how they will be measured
−How likelihood will be defined
−The time frame(s) of the likelihood and/or consequence
−How the level of risk is to be determined
−The level at which risk becomes acceptable or tolerable
−What level of risk requires treatment
−Whether combinations of multiple risks should be taken into account

Risk Assessment
Risk assessment comprises three steps:
−Identification
−Analysis
−Evaluation

Risk Identification
Identifies sources of risk, areas of impact, events and their causes, and their potential consequences
Important to identify the risks associated with not pursuing an opportunity
The process is critical, because a risk that is not identified at this stage will not be included in further analysis
Identification should include risks whether or not their source is under the control of the organization

Risk Analysis
Involves developing an understanding of the risk
Provides an input to risk evaluation and to decisions on whether risks need to be treated and on the most appropriate risk treatment strategies and methods
Involves consideration of the causes and sources of risk, their positive and negative consequences, and the likelihood that those consequences can occur
Existing risk controls and their effectiveness should be taken into account
Can be undertaken with varying degrees of detail depending on the risk, the purpose of the analysis, and the information, data and resources available
Analysis can be qualitative, semi-quantitative or quantitative, or a combination of these, depending on the circumstances

Risk Evaluation
Assists in making decisions, based on the outcomes of risk analysis, about which risks need treatment and the priority for treatment implementation
Involves comparing the level of risk found during the analysis process with the risk criteria established when the context was considered
If the level of risk does not meet the risk criteria, the risk should be treated
Can lead to a decision to undertake further analysis
Can also lead to a decision not to treat the risk in any way other than maintaining existing risk controls

Risk Treatment
Involves selecting one or more options for modifying risks, and implementing those options
A cyclical process
Options may include:
−Avoiding the risk
−Seeking an opportunity by deciding to start or continue with an activity likely to create or enhance the risk
−Removing the source of the risk
−Changing likelihood and/or consequences
−Sharing the risk with another party or parties
−Retaining the risk by choice

Risk Treatment Options
Selecting options involves balancing the costs and efforts of implementation against the benefits to be derived
Considers legal, regulatory and other requirements, social responsibility and the protection of the natural environment
Decisions should also take into account risks that can warrant treatment actions that are not justifiable on economic grounds, e.g. severe (high negative consequence) but rare (low likelihood) risks
If the resources for risk treatment are limited, the treatment plan should clearly identify the priority order in which individual risk treatments should be implemented
Treatment may itself introduce risks, e.g. failure or ineffectiveness of the risk treatment measures

Risk Treatment Options
Monitoring needs to be an integral part of the risk treatment plan to give assurance that the measures remain effective
Treatment can also introduce secondary risks that need to be assessed, treated, monitored, reviewed and incorporated into the same treatment plan as the original risk
Residual risk should be documented and subjected to monitoring, review and, where appropriate, further treatment

Risk Treatment Plans
Used to document how the chosen treatment options will be implemented
Treatment plans should include:
−Expected benefit to be gained
−Performance measures and constraints
−Persons accountable for approving the plan and those responsible for implementing it
−Proposed actions
−Reporting and monitoring requirements
−Resource requirements
−Timing and schedule
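The assessment, evaluation and treatment steps described on the preceding slides (COSO's likelihood/impact and inherent/residual assessment; ISO 31000's risk criteria, evaluation against those criteria, the severe-but-rare exception to cost/benefit selection, and priority ordering of treatments under limited resources) worked through as an added Python example. This code is not from the PwC deck or from either standard; the 5-point scales, the criteria thresholds, the control effects, the costs and the credit-union register are all constructed assumptions for illustration.

```python
# Added example (not from the deck): semi-quantitative risk register evaluator.
# The 5-point scales, thresholds, control effects and register are assumptions.
from dataclasses import dataclass

SCALE_MAX = 5  # assumed 5-point likelihood and consequence scales

def clamp(v: int) -> int:
    return max(1, min(SCALE_MAX, v))

@dataclass(frozen=True)
class RiskCriteria:
    acceptable_max: int      # level <= this: accept, no further action
    tolerable_max: int       # level <= this: may be retained by choice, monitored
    severe_consequence: int  # consequence >= this: always treat, whatever the score

@dataclass(frozen=True)
class Control:
    name: str
    likelihood_reduction: int = 0   # scale steps removed from likelihood
    consequence_reduction: int = 0  # scale steps removed from consequence
    cost: int = 0                   # assumed annual cost; 0 for existing controls

@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    owner: str
    likelihood: int
    consequence: int
    existing_controls: tuple = ()
    treatment_options: tuple = ()

def apply_controls(risk: Risk, controls) -> tuple:
    """(likelihood, consequence) after the given controls are applied."""
    lik, con = risk.likelihood, risk.consequence
    for ctl in controls:
        lik, con = clamp(lik - ctl.likelihood_reduction), clamp(con - ctl.consequence_reduction)
    return lik, con

def inherent_level(risk: Risk) -> int:
    return risk.likelihood * risk.consequence

def residual_level(risk: Risk) -> int:
    lik, con = apply_controls(risk, risk.existing_controls)
    return lik * con

def evaluate(lik: int, con: int, criteria: RiskCriteria) -> str:
    """Compare a (likelihood, consequence) pair with the risk criteria."""
    if con >= criteria.severe_consequence:
        return "treat"  # rare-but-severe: treat even though the score may be low
    level = lik * con
    if level <= criteria.acceptable_max:
        return "accept"
    return "retain" if level <= criteria.tolerable_max else "treat"

def evaluate_risk(risk: Risk, criteria: RiskCriteria) -> str:
    return evaluate(*apply_controls(risk, risk.existing_controls), criteria)

def select_treatment(risk: Risk, criteria: RiskCriteria):
    """Cheapest option that brings the risk within criteria, otherwise the option
    giving the lowest level. Returns (option, level_after), or None if no option."""
    cands = []
    for opt in risk.treatment_options:
        lik, con = apply_controls(risk, risk.existing_controls + (opt,))
        cands.append((opt, lik * con, evaluate(lik, con, criteria) != "treat"))
    if not cands:
        return None
    ok = [c for c in cands if c[2]]
    opt, after, _ = min(ok, key=lambda c: c[0].cost) if ok else min(cands, key=lambda c: c[1])
    return opt, after

def build_treatment_plan(register, criteria: RiskCriteria, budget: int) -> list:
    """Order risks needing treatment by residual level (then consequence), fund them
    in that order until the budget runs out, and record unfunded ones explicitly."""
    to_treat = [r for r in register if evaluate_risk(r, criteria) == "treat"]
    to_treat.sort(key=lambda r: (residual_level(r), r.consequence), reverse=True)
    plan, remaining = [], budget
    for risk in to_treat:
        before = residual_level(risk)
        opt, after = select_treatment(risk, criteria) or (None, before)
        cost = opt.cost if opt else 0
        funded = opt is not None and cost <= remaining
        remaining -= cost if funded else 0
        plan.append(dict(risk_id=risk.risk_id, owner=risk.owner,
                         treatment=opt.name if opt else "NO OPTION IDENTIFIED",
                         cost=cost, before=before, after=after, funded=funded))
    return plan

# Constructed sample register and criteria for a hypothetical credit union.
CRITERIA = RiskCriteria(acceptable_max=4, tolerable_max=9, severe_consequence=5)
REGISTER = (
    Risk("R1", "Loan book concentrated in one employer sector", "Credit Manager", 3, 4,
         (Control("Sector exposure limits", likelihood_reduction=1),),
         (Control("Credit insurance on sector exposure", consequence_reduction=2, cost=40),)),
    Risk("R2", "Extended core banking system outage", "IT Manager", 2, 5,
         (Control("UPS and hardware monitoring", likelihood_reduction=1),),
         (Control("Hot-site disaster recovery", consequence_reduction=2, cost=60),
          Control("Documented manual fallback procedures", consequence_reduction=1, cost=10))),
    Risk("R3", "Teller cash handling error", "Branch Manager", 4, 1,
         (Control("Dual control on cash drawers", likelihood_reduction=1),)),
    Risk("R4", "Member data breach via phishing of staff", "IT Manager", 4, 4, (),
         (Control("Email security gateway", likelihood_reduction=1, cost=15),
          Control("MFA and phishing awareness training", likelihood_reduction=2, cost=25))),
)
```

Running `build_treatment_plan(REGISTER, CRITERIA, budget=30)` puts R4 (residual 16) ahead of R2 even though R2 is the one flagged by the severe-consequence override rather than by its score, funds the cheapest adequate treatment for R4, and records R2's chosen treatment as unfunded so that the retained risk appears in the plan with an owner instead of silently dropping out; that unfunded entry is what the "priority order under limited resources" slide asks the plan to make visible.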

Slide 58: Monitoring and Review
Should encompass all aspects of the risk management process to facilitate:
−Analyzing and learning lessons from events, changes and trends
−Detecting changes in the external and internal context, including changes to the risk itself, which can require revision of risk treatments and priorities
−Ensuring that the risk control and treatment measures are effective in both design and operation
−Identifying emerging risks
Actual progress in implementing risk treatment plans provides a performance measure
Results should be recorded, reported and used as an input to the review of the risk management framework

Putting Theory into Practice

Slide 60: Risk Definitions
Risk is defined as the collection of internal and external factors which affect an organization’s growth and shareholder value creation
Encompasses not only the threat that something bad will happen (risk as a hazard), but also the possibility that something good will not happen (risk as an opportunity), the potential that actual results will not equal anticipated outcomes (risk as uncertainty), and anything that may impede an organization from achieving its strategic objectives
Credit Risk is the risk of loss to earnings or capital arising from an obligor's failure to meet the terms of any contract with the bank or otherwise to perform as agreed
Market Risk is the risk that arises from fluctuations in interest rates, foreign exchange rates, and commodity and equity prices that may result in changes in the values of financial instruments

Slide 61: Risk Definitions
−This risk is associated with treasury, trading and investment activities in the financial markets, as well as related issues such as foreign currency risk, liquidity risk and interest rate risk
−Foreign Currency Risk is the exposure of the entity’s financial strength to the potential impact of movements in foreign exchange rates
−Liquidity Risk is the risk to earnings or capital arising from an entity’s inability to meet its obligations when they come due without incurring unacceptable losses
Includes the inability to manage unplanned decreases or changes in funding sources
Also arises from the entity’s failure to recognize or address market changes that affect the ability to liquidate assets quickly and with minimal loss in value

Slide 62: Risk Definitions
−Interest Rate Risk is the risk to earnings or capital arising from movements in interest rates; it arises from the risk that interest-earning assets will decline in value as interest rates change
Operational Risk is the risk associated with variability in earnings arising from problems with service or product delivery, including the potential that inadequate information systems, operating processes, internal controls, employee integrity, fraud or unforeseen catastrophes will result in unexpected losses
−Strategic Risk is the risk to earnings or capital arising from adverse business decisions or improper implementation of those decisions

Slide 63: Risk Definitions
This risk is a function of the compatibility of an organization's strategic goals, the resources to achieve the goals and the quality of the implementation
−Compliance Risk is the risk associated with an organization's ability to comply with regulatory, legal and fiduciary requirements
−Financial Risk is the risk associated with the financial exposure of an organization that relates to financial reporting, budgetary pressures and significant reported balances, and may lead to incorrect or untimely management decisions
Includes the risk of loss due to unauthorized, inaccurate or untimely processing of adjustments to general ledger accounts, resulting in duplicate errors, incomplete general ledger entries, misstated account balances, postings to incorrect accounts, improper interest rates and loss of income

Slide 64: Risk Definitions
Also includes the risk of loss due to unauthorized, inaccurate or untimely computations and formulas relating to the processing of interest calculations and amortization of fees, resulting in misstatement of accrual/income balances
−People Risk is the risk that arises from the heavy investment in people in the organization
Earnings, capital and reputation can be affected by the loss of key personnel, lack of management succession planning, or non-market compensation packages

Slide 65: Risk Definitions
Technology Risk is the risk to earnings or capital arising from the failure to maintain acceptable availability of service associated with automated systems
−Stability
−Obsolescence
−Capacity
−Dependence
−Security
−Disaster Recovery

Slide 66: Risk Register
Provides a structure for collating information about risks
Enables an organisation to understand its comprehensive risk profile
Dynamic, living document
Populated through the organisation's risk assessment and evaluation processes
Enables risks to be quantified and ranked
Assists in the analysis of risks and facilitates decision making as to how risks are to be treated

Slide 67: Risk Register Components
Objectives
Description of risk
Risk ranking
Responsible person
Action/treatment plan
Dates
Source of assurance
Existing controls
Location, etc.
Cost/benefit analysis
Acceptance/completion
Comments

Slide 68: Monitoring
Methods and metrics for tracking status and reporting upstream
Status and effectiveness of existing measures
Re-evaluation of probability and impact of existing risks
Escalation of significant changes
Identification, assessment and evaluation of new risk factors
Document lessons learned

Role of Internal Audit

Slide 70: Internal Audit Core Role
Fundamental to the monitoring process:
−Giving assurance on risk management processes
−Giving assurance that risks are correctly evaluated
−Evaluating risk management processes
−Evaluating the reporting of key risks
−Reviewing the management of key risks
Role determined by considering whether:
−The activity raises any threats to the internal auditors' independence and objectivity
−It is likely to improve the organization's risk management, control and governance processes

Slide 71: Possible Roles
May undertake, with adequate safeguards:
−Facilitating identification and evaluation of risks
−Coaching management in responding to risks
−Coordinating ERM activities
−Consolidating the reporting on risks
−Maintaining and developing the ERM framework
−Championing establishment of ERM
−Developing risk management strategy for board approval

Slide 72: Prohibited Roles
Internal Audit must not undertake:
−Setting the risk appetite
−Imposing risk management processes
−Management assurance on risks
−Taking decisions on risk responses
−Implementing risk responses on management's behalf
−Accountability for risk management

Slide 73: From Promise to Performance…
Can your IA function deliver?
Six steps to achieving strategic performance through quality assurance:
−Commit to quality
−Design and implement a quality assurance program
−Implement policies and protocols
−Conduct an external quality assurance review
−Correct and enhance
−Assess performance

Slide 74: Commit to Quality
Make a deliberate and documented commitment to quality assurance and improvement
Commitment should be:
−Recognized as significant
−Understood by the internal audit department and its stakeholders
−Documented in the internal audit charter and approved by the audit committee or the board of directors
Successful implementation of a quality assurance and improvement program will demand significant rigor throughout the entire audit process

Slide 75: Design and Implement a Quality Assurance Program
Build a quality assurance program consistent with the IIA Standards
Three components of an effective quality assurance program:
−Ongoing monitoring
−Periodic internal assessments
−External assessments
IIA Standard 1300: Quality Assurance and Improvement Program

Slide 76: Implement Policies and Protocols
Establish appropriate policies, procedures and controls to enhance quality and ensure conformance with the IIA Standards
Conduct a gap analysis
Benchmark against the IIA Standards:
−4 attribute standards
−7 performance standards
Identify areas for improvement and remediate

Slide 77: Common Weaknesses
Charters
Reporting structure
Policies and procedures
Risk assessment
Stakeholder input
Chief audit executive reporting
Audit tracking systems

Slide 78: Conduct a Quality Assurance Review
Significant preparation will be necessary
−Refer to the IIA’s Quality Assessment Manual
Perform a periodic internal gap analysis and assessment
Determine the type of external quality assurance review to be used:
−A full external quality assessment
−Self assessment with independent validation
Requires extensive preparation, analysis and documentation

Slide 79: Scope
A full external assessment should address:
Compliance with the IIA standards and code of ethics
Internal audit’s charter, plans, policies, procedures, practices and applicable legislative and regulatory requirements
Key stakeholder perspectives, including board, audit committee, executive and operational management, pertaining to the internal audit department
Integration of internal audit within the organization’s governance process
Tools and techniques for internal audit
Self assessment
Charter evaluation

Slide 80: Methodology
Should focus on the core processes of internal auditing, including:
−Organization
−Human resources
−Technology
−Working practices
−Communications and reporting
−Knowledge management
−Performance metrics

Slide 81: Correct and Balance
The quality assurance review report should provide:
−A set of actionable recommendations intended to ensure conformity with the IIA standards and to enhance the strategic performance of the department
−A benchmarking analysis that indicates the extent to which internal audit has adopted best practices
−An assessment of how well the internal audit function is adding value to the company and meeting the expectations of key stakeholders
−A strategic plan directed toward implementing the changes needed to improve performance and value
−A tactical plan outlining specific change initiatives

Slide 82: Assess Performance
Formulate specific action plans to remedy deficiencies
Continually assess internal audit’s compliance with the standards
Integrate performance measurement into the quality assurance and improvement program, e.g. use of a “balanced scorecard”

Final Thoughts

Slide 84: Final Thoughts
Don’t be complacent…
−Survival does not necessarily mean preparedness
Luck as a factor
Tri-partite cooperation
‘Integrated’ and ‘enterprise wide’ does not preclude a staged approach
One bad apple does spoil the whole bunch
−Seek help when necessary
−Seek to assist others in their efforts

Slide 85: Final Thoughts
“We must dare to think about unthinkable things; because when things become unthinkable, thinking stops and actions become mindless.”
James W. Fulbright

Slide 86: Keep in touch….
Berkeley Greenidge, Director
PricewaterhouseCoopers
The Financial Services Centre, Bishop Court Hill, Collymore Rock, St. Michael, Barbados
Telephone (246) (o) (246)
Facsimile (246)

Just do it!

© 2010 PricewaterhouseCoopers. All rights reserved. "PricewaterhouseCoopers" refers to the East Caribbean firm of PricewaterhouseCoopers or, as the context requires, the PricewaterhouseCoopers global network or other member firms of the network, each of which is a separate and independent legal entity.