Thursday, 21 April 2016

GOVERNANCE, INTERNAL AUDIT AND ERM PROCESSES

Internal auditing is sometimes described as one of the four cornerstones of governance. The other three cornerstones are external auditing, executive management, and the board of directors. Two key contributions that the internal audit activity makes to governance are included in the definition of internal auditing:
  1. Assurance on the effectiveness of governance, risk management, and internal control.
  2. Advisory services for improving the risk management processes (RMP).
Clearly, internal auditing plays a very important role in improving the maturity and effectiveness of risk management, including:
  1. Raising the profile of risk in organizational decision-making and planning at all levels.
  2. Providing training and guidance to other managers and staff.
  3. Making recommendations for improvement to risk-based controls.
  4. Keeping up-to-date with the latest thinking and serving as a source of risk expertise for the organization.
  5. Ensuring risk management is consistent and well-coordinated on an enterprise-wide basis.
  6. Providing assurance on risk management and its processes.
  7. Reporting on the level of operational risk as part of routine audit work.
  8. Championing risk and advocating enhanced risk maturity.
  9. Leading risk identification workshops.
  10. Providing practical tools that may assist risk management processes.
  11. Providing training for audit committees and management on all aspects of risk.
  12. Offering consulting services in support of those charged with risk management.
  13. Evaluating strategic risk management by determining whether strategic risks are known, responded to appropriately, and monitored accordingly.
  14. Developing the expertise of the internal audit function to maximize its competency in risk.
  15. Supplementing the risk-related skills of the internal audit team (as required) by drawing upon third-party support.
As enterprise-wide risk management becomes established in organizations, the internal audit activity can progress from being risk-based to being ERM-based. It is important for audit planning to be ERM-based rather than simply risk-based.

The chief audit executive (CAE) is responsible for developing a risk-based plan. 
  • The chief audit executive takes into account the organization’s risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization. If a framework does not exist, the chief audit executive uses his/her own judgment of risks after consideration of input from senior management and the board. 
  • The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.
  • With an effective, integrated, enterprise-wide approach to risk management, internal audit no longer needs to identify the risk universe. 
  • Management takes on that responsibility, and the internal auditors adopt it as the basis for describing the internal audit universe (the summation of all possible internal audits).
  • The audit universe will normally be influenced by the results of the risk management process. The CAE prepares the internal audit activity’s audit plan based on the audit universe, input from senior management and the board, and an assessment of risk and exposures affecting the organization. Of course, this assumes the internal auditors are confident about the ERM processes used to develop the risk universe. 
  • ERM can help identify and prioritize the risks that may then direct risk-based audit planning. However, to maintain its independence and objectivity, the internal audit activity must never be wholly dependent on ERM, and the internal auditors must exercise their own judgment about internal audit priorities.
Internal audit draws upon ERM for its risk-based approach. 
The internal auditors are responsible for assessing enterprise risk management—which is part of the risk universe—and providing assurance on it.

Friday, 15 April 2016

INTERNAL CONTROL SYSTEM IN BANKING

Because of its benefits, an effective and adequate internal control system is needed on six (6) points:

  1. Carrying out activities in a safe (effective and adequate) manner,
  2. Achieving strategic objectives and realizing long-term profitability targets,
  3. Ensuring the accuracy and reliability of financial/managerial reports and information,
  4. Preventing fraud/irregularity and reducing the risk of reputational damage,
  5. Ensuring compliance with regulations (laws), policies, plans and procedures,
  6. Achieving the institution's objectives (legal objective, management objective, shareholder objective, employee objective, audit objective...)

Friday, 8 April 2016

Internal Environment - Hard and Soft Controls

Choices around systems, processes, structure, communication, planning, and allocation of resources each represent a potential strength or weakness, as well as a source of risks or opportunities. They also may form part of the risk response, including internal controls.

Risk management processes need to fit in with the rest of the organization, and processes for identifying, analyzing, responding to, and reporting on risks are required to operate in such a way that they successfully manage risks across all elements of the internal environment.

This view of the internal environment is particularly useful as a tool for management when trying to bring about change. It also can serve as an indicator that risks and opportunities may arise not just within one area, but as a result of separate components working together.

Hard and Soft Elements (7S):
Hard Elements - Strategy, Structure, Systems
Activities: reviews, inspections, policies, reconciliations, structure, limits, user IDs and passwords, physical counts, bank reconciliations.
Soft Elements - Style, Shared Values, Staff, Skills
People: openness, clarity, competency, expectations, communications.
  • Hard elements are readily grasped and manipulated by management, whereas soft elements are much less tangible. For example, it is relatively easy to issue a new strategy or introduce a revised system. However, to make either of these things work requires adjustments to other elements such as skills and shared values, which present a much greater challenge to manipulate.
  • Soft elements are more difficult to change, introduce, monitor, and manage.

Monday, 4 April 2016

RISK PSYCHOLOGY

Risk psychology is a fascinating field of research. There is an unavoidable, yet desirable, subjectivity to risk analysis and a natural inclination to focus on impact, because it is harder to comprehend likelihood in quite the same way. The result is that likelihood becomes exaggerated.
Consider the insecurities many people have about flying. The consequences of an airborne disaster are easy and somewhat unsettling to imagine. This translates into a perception that flying is more dangerous (i.e., more risky) than it is, perhaps even more risky than driving.
The fact that a passenger is more likely to suffer injury or death in the car on the way to or from the airport does not ease the psychological weight given to the risk level associated with flying. This has to do with the element of personal control. When driving a car, the driver feels—rightly or wrongly—that he can make a personal intervention to avoid an accident, but an airline passenger must rely on the pilot’s actions, someone else’s security arrangements, and the mechanical integrity of the plane.
Likewise, the psychological element is important when considering risk appetite. A group of managers may agree on the defined appetite of the organization, but each individual may vary when it comes to being either a risk taker or a risk avoider. The perceived level of acceptable risk depends on how it aligns with personal risk appetite.
In all situations, the role of “risk management” is to try to lead organizations toward an understanding of risk and objective appraisal while recognizing both the inevitability and value of subjective impressions. Armed with better information, the organization can make a more intelligent response.

Key Internal Stakeholders

A stakeholder is defined as anyone who has a stake or an interest in some activity, project, or enterprise; or in this case, the organization as a whole. Stakeholder theory offers a more enlightened perspective, compared with a narrower focus on the immediate beneficiaries, such as shareholders. Being aware and taking account of those interests enables managers to secure support as required and to anticipate resistance to an initiative. This analysis is an extremely important management activity. Organizations exist to serve the needs and interests of their stakeholders by:
  1. Delivering a sought-after service or product to customers.
  2. Providing financial returns on an investment to investors and owners.
  3. Paying amounts that are due in a timely fashion to suppliers.
  4. Creating a safe, attractive work environment.
  5. Providing accurate and timely data on pay to tax authorities.
Sometimes these interests can be in conflict. One party’s efficiency gain might be another’s cut in income, and one party’s enhancements to product quality and service might be another’s erosion of profit. Two primary stakeholders—the owners and management—sometimes can be in conflict, as the managers might seek personal or short-term gain, while the owners desire long-term returns on their investment. Organizational boundaries are often indistinct. For example, where does the organization end and the stakeholder begin?

Managers are quick to realize that stakeholders wield great power. Customers may withhold their business, investors may withdraw their capital, employees may take industrial action, the government may raise taxes and increase regulation, pressure groups may lobby for greater environmental protection, and the public may demand greater transparency and ethical leadership.
Like other organizational endeavors, risk management processes should be designed to reflect a balanced response to the needs and interests of stakeholders. This requires careful analysis, but it is not always easy to identify the stakeholders and their interests, and even when they are known, they may be subject to change. Often, an individual may span several stakeholder groups (an investor who is also a customer, an owner, or a shareholder who is also part of the executive team). However, despite these problems, the analysis is still very valuable as it leads to greater sensitivity to potential sources of conflict or opportunities for support.

Stakeholder analysis can be applied to any planned activity and development, including strategic planning. When developing and reviewing risk management processes, asking key questions will help give due consideration to the needs and expectations of stakeholders:
  1. Whose interests will be affected (positively or negatively) by risk management?
  2. What are the interests or stakes (objectives) of these stakeholder groups?
  3. How could these groups affect (positively or negatively) our ability to implement risk management?
  4. What strategies can we adopt to anticipate, mitigate, and exploit the reactions of stakeholders to make risk management processes more successful?
Simple measures, like involving stakeholders in the development of "risk management processes" and keeping people informed, can deliver the greatest benefit in stakeholder management.
Stakeholders may be categorized as being internal or external. Some refer to connected stakeholders, such as non-executive directors who cross organizational boundaries between internal and external stakeholders, and peripheral stakeholders who only have limited and intermittent interests.

Staff interests may be promoted by official or unofficial representatives, trade unions, and similar kinds of associations. Managers and directors may be considered to be part of staff as employees of the organization, but they are also likely to have other personal, financial, and professional stakes in it. The owners in a private sector organization look for a financial return on their investment and have an interest in seeing their vision come to fruition.

All of these groups are internal stakeholders. In the public sector, the government department, body, or agency manages the organization on behalf of the public at large or specific groups within it, and these too become internal stakeholders with a greater or lesser degree of direct influence, depending upon the decision-making structures. Risk management processes must serve the interests of the organization and enable it to achieve its objectives. It is important to understand the impact risk management processes have on internal stakeholders.

Management of Third-party Business Relationships

Third parties are a stakeholder group comprising individuals or organizations that have been engaged to undertake an activity on behalf of or in partnership with the contracting organization. There are significant benefits of working this way. Indeed, it is difficult to avoid entering into a range of relationships with third parties. However, when working with others, the risks must be considered carefully.
Third parties include:
  • Suppliers.
  • Contractors.
  • Subcontractors.
  • Consultants.
  • Strategic allies.
  • Business partners.
  • Subsidiaries.
  • Agents.
There should be a good reason for collaborative efforts, such as a way of increasing efficiency, sharing risk, gaining additional capability, or exploiting new opportunities. Sometimes, however, organizations are presented with the chance to work with another party and then attempt to create activity to exploit the opportunity. While this can be successful, it also can result in unfocused activity that falls outside the strategic plan, and ultimately serve as a distraction from achieving core objectives.
Clarifying the nature of the relationship through a formal agreement or memorandum of understanding (MOU) is one way of confirming expectations at the outset and avoiding misunderstanding later. Such agreements may specify the period the relationship is intended to endure, the objectives to be achieved, the roles and responsibilities of each party, how financial commitments and rewards are to be shared, and the options for terminating the agreement.
Once initiated, such relationships rely on effective communication and good working relations. It is important to agree on a schedule for making contact, holding meetings, sharing information, and issuing reports.
The engagement of a third party to undertake some activity does not absolve the organization of responsibility for risk. The organization’s own risk management processes need to extend to the exposure to risks presented by the use of third-party contractors, subcontractors, vendors, affiliates, and partners. While the appropriate response to any of these risks may be through various legal and financial protections, it is important to recognize the full range of potential risks.
Third-party risks tend to be greater when:

  1. The relationship is new.
  2. The relationship is entered into quickly.
  3. The services provided are critical to the organization’s operations.
  4. The financial value of the arrangement is significant.
  5. The duration of the relationship is extensive.
  6. The nature of the undertaking is complex.
  7. The third party is also engaged in other activities or relationships that may be in direct competition or conflict.
  8. There are several parties involved.
  9. The third party is planning to subcontract some or all of the work.
The potential for risk in third-party relationships is significant, stemming from failures by the third party or of the relationship itself. These risks include:

  1. Operational risk due to the complexities of two or more organizations working together with different systems and strategic priorities.
  2. Reputational risk through association with another organization’s shortcomings.
  3. Financial risk involving delays, disruptions, underperformance, and penalties.
  4. Compliance risk where expectations are unclear and no party within the alliance has full oversight of all activities and related regulatory duties.
  5. Legal risk arising from a partner’s breaches of regulatory and statutory requirements.
  6. Strategic risk through the potential for the relationship with the third party to soak up additional time and resources, divert the organization away from its primary goals, and result in the failure to achieve major objectives.

Friday, 1 April 2016

CONSULTING ROLE OF INTERNAL AUDITOR

The internal auditors can contribute to risk management through consulting. While assurance engagements for ERM are generally delivered when everything needed is already in place, consultancy is likely to be required when there are no systems and processes or they are new, incomplete, or less than optimal. When serving as consultants, the internal auditors must adopt a different mindset from that of assurance, even though they will employ the same expertise and build useful knowledge.

The nature and extent of consulting to be offered by the internal audit activity must be set out clearly in the charter (in accordance with Standard ) and, like all activities undertaken by the internal audit function, must be limited to those tasks that can be performed competently by available capabilities. Standard  states that:
The chief audit executive must decline the consulting engagement or obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.
This is in contrast to assurance engagements, which are not to be declined if resources are lacking internally. (In such assurance cases, resources would be secured from other sources.)
Advisory work focuses on governance, risk, and control, which form internal audit’s primary knowledge base. Consulting can take many forms. The various kinds of consulting services the internal auditors may provide or contribute to include:

  • Business process improvement.
  • Continuous monitoring.
  • Control self-assessment, including combined risk and control self-assessment.
  • Forensic auditing.
  • Governance and ethics training.
  • Internal control review.
  • Internal control training.
  • Participation on committees or task forces.
  • Readiness.
  • Review of a new product or service before implementation.
  • Risk self-assessment.

We will focus on seven types of consulting engagements related to risk management:
  • Assisting in the identification and evaluation of risks through an analysis of strategy and the internal and external environments.
  • Developing management’s capabilities in respect to risk responses by providing coaching.
  • Helping to draw risk management activities together across the organization in a more coherent, effective, and deeply embedded fashion.
  • Strengthening risk reporting by ensuring it is timely, relevant, and focused.
  • Maintaining and improving the risk management framework through a combination of testing, validation, and the offering of potential solutions to identified weaknesses.
  • Promoting risk management across the organization by acting as its champion (IV.F).
  • Advancing the progression toward greater risk maturity by developing the risk management strategy.
Assurance and consulting engagements share several characteristics, as well as having important differences. The similarities arise from the simple fact that any activity carried out by the internal auditors should be delivered in accordance with high standards of professional practice. More specifically, both types of internal audit engagements must be:
  • Defined in the internal audit charter.
  • Delivered by the internal auditors with:
    • Due professional care.
    • Independence and objectivity.
Internal auditors must exercise due professional care during a consulting engagement by considering the:
  1. Needs and expectations of clients, including the nature, timing, and communication of engagement results.
  2. Relative complexity and extent of work needed to achieve the engagement’s objectives.
  3. Cost of the consulting engagement in relation to potential benefits.
Furthermore, if it is clear at the outset that there are any impediments to independence or objectivity, they must be declared before accepting the engagement. This is also evident in the Standards: If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure must be made to the engagement client prior to accepting the engagement.
The overriding safeguard is that, under no circumstances, should the internal auditors take responsibility for risk management. It is also clear that a consulting engagement should not be accepted simply because management requests it. It must be relevant and planned.

ARGUMENTS ON AUDIT FUNCTIONS

From The IIA’s definition of internal auditing, we know that the activity adds value to an organization through assurance and consulting (or advisory) services.

The definition of internal auditing was amended with much debate in 1999 to include consulting as an explicit and distinct part of its role. Those opposed to broadening the definition in this way raised four main objections:

  1. Internal audit had always included a consulting element through the recommendations it delivers within an assurance engagement and, therefore, it is unnecessary, unhelpful, and perhaps even damaging to separate it out.
  2. Consulting is not a distinctive activity, as many other functions offer advice and guidance to management. The primary value of internal audit comes through the delivery of assurance.
  3. There is a potential conflict of interest if internal audit takes on a consulting role separate from the delivery of assurance.
  4. The new definition includes both assurance and consulting with no indication of which is more important—the natural conclusion is that there should be an even split between the two activities. However, while consulting may be a trendier or more attractive role, assigning it undue emphasis could damage the primary focus for internal audit, which is and should remain assurance.

Despite these arguments, it has proved tremendously helpful to the profession and its stakeholders for the definition to make clear the two ways in which internal audit adds value with independence and objectivity. This has been supported by the development of corresponding standards and guidance that provide much needed assistance for implementation. It is important to point out that the internal auditors can only recommend, as they are not in a position to implement such actions, and management is free to accept or reject any proposals.

In addition to the features that consulting and assurance engagements have in common, there are some significant differences (see below). In practice, it may sometimes be hard to separate assurance and consulting. For one thing, it is common for an assurance engagement to address weaknesses in internal control and offer recommendations for improvement, and for a consulting engagement to contribute to an overall audit opinion. Indeed, it is a requirement of the Standards that information garnered through consulting be applied to the auditing of risk management:

  • Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of the organization’s risk management processes.
  • Internal auditors must incorporate knowledge of controls gained from consulting engagements into evaluation of the organization’s control processes.
Furthermore, it is often through assurance engagements that the need for consultation is identified in the first place, leading to discussions with management regarding actions. Consulting, on the other hand, can provide additional assurance by giving management detailed insights on a particular aspect of the organization. The internal auditor should take care when framing an opinion on the basis of a consultancy assignment to avoid any distortion regarding the materiality of the findings with respect to risk and control.
The Standards define consulting services as follows:
Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.

Consulting services are advisory in nature, and are generally performed at the specific request of an engagement client. The nature and scope of the consulting engagement are subject to agreement with the engagement client. Consulting services generally involve two parties: (1) the person or group offering the advice—the internal auditor, and (2) the person or group seeking and receiving the advice—the engagement client. When performing consulting services, the internal auditor should maintain objectivity and not assume management responsibility.
Despite the origin of the consulting engagement, the skills and insights that enable an internal auditor to follow a risk-based approach in evaluating controls and delivering an opinion on their effectiveness are also highly valuable when providing constructive advice about systems development and business improvement.
However, assurance and consulting are distinct. If an assurance engagement identifies the potential value that consulting may bring to the same area of review, the scope must not shift from assurance to consulting without setting out a new proposition. If significant consulting opportunities arise during an assurance engagement, a specific written understanding as to the objectives, scope, respective responsibilities, and other expectations should be reached and the results of the consulting engagement communicated in accordance with consulting standards.

Thursday, 31 March 2016

Risk Management and Corporate Governance


  • What is Corporate Governance?
  • What is Risk Management?
  • How do they intersect?
  • Why is Risk Governance important?
  • What is the consequence of failure?
  • What to do, or how do we respond?
Risk Management:
ISO 31000 defines risk as the effect of uncertainty on objectives (whether positive or negative); managing it means the coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.
Risk management is the identification, assessment, and prioritization of risks.
Key Issues:
  • Probability (likelihood) of the event occurring,
  • Severity (impact) of the event on set objectives.
The strategies to manage risk typically include transferring the risk to another party, avoiding the risk, reducing the negative effect or probability of the risk, or even accepting some or all of the potential or actual consequences of a particular risk.
Credit Risk - Credit risk is most simply defined as the potential that a bank borrower or counterparty will fail to meet its obligations in accordance with agreed terms.
Market Risk - Market risk refers to the risk of loss to an institution resulting from movements in market prices, in particular, changes in interest rates, foreign exchange rates, and equity and commodity prices.
Operational Risk – This is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.

What happens when it fails?
ENRON – Before bankruptcy in December 2001, one of the global leading power, energy & utilities companies - employed 20,000 staff. “A” rated. Was one of Fortune’s Top 100 companies to work for in America in 2000. Creative accounting. Chairman Ken Lay; CEO – Jeff Skilling; CFO – Andrew Fastow. Placed liabilities in shell companies so they did not appear in the books. Fraudulent deals - also led to the demise of Arthur Andersen. Partly led to the Sarbanes-Oxley Act of 2002 (Public Company Accounting and Investor Protection Act). Corporate governance rules – responsibility of directors; criminal penalties etc.

WorldCom – was America’s second largest long distance phone company (after AT & T). CEO Bernard Ebbers; CFO Scott Sullivan; Comptroller David Myers – aggressive growth strategy – tried to merge with Sprint in 2000. Not approved by regulators. Fraudulent Financial records from mid-1999 to 2002 – booking interconnectivity costs as capital instead of expenses and inflating revenues. Internal auditors unearthed $3.8BN in fraud. Arthur Andersen withdrew opinion. Bankruptcy July 2002.
Lehman Brothers – Founded 1850. Fourth largest investment bank in the US (after Goldman Sachs, Morgan Stanley and Merrill Lynch). Declared bankruptcy September 2008, following a large exodus of clients, drastic losses in stock and downgrade of assets by credit rating agencies. Largest bankruptcy in US history! Holdings shared between Barclays (NA divisions) and Nomura (Asia-Pac, Europe and Middle East). Financial accounting gimmicks; sub-prime mortgage bets (large positions in securities backed by lower rated mortgages). In the first half of 2008, lost 73% of value as credit markets continued to tighten – had to sell off $6bn of assets and lost $2.8bn.
Bear Stearns – Founded 1923. Issued large amounts of asset-backed securities including mortgages (by Lewis Ranieri – “father of mortgage securities”). As losses mounted in 2006 and 2007, company actually increased exposure especially to mortgage backed securities which were central to sub-prime crisis. Sold to JP Morgan for $10/share from 52 week pre-crisis high of $133.20.
Barings Bank – Oldest merchant bank in London (founded 1762) until collapse in 1995 after loss from unauthorized speculative trades by its Head Derivatives Trader, Nick Leeson in Singapore – lost GBP827m. Instead of buying and simultaneously selling, Leeson held on to the contract, gambling on future direction of Japanese markets. Internal challenges – doubled as both floor manager and head of settlement operations. No check and balance.
Societe Generale – Jerome Kerviel – caused a Eur4.9bn ($6.1bn) trading loss in 2008, one of the largest in history. Arbitraging between equity derivatives and cash equity prices. Wiped off almost two years of pre-tax profits of SG’s investment banking unit. Took unhedged positions far in excess of desk limits, up to Eur 49.9bn (in excess of the bank’s total market cap), disguising exposure with fake hedges. Highlights the lack of risk experts on risk committees. Shows that making a profit makes the hierarchy turn a blind eye.
J.P. Morgan – Losses on a trading/derivatives bet made by the CIO in London – invests excess deposits to create an interest rate hedge – brought in $4bn over the last 3 years. Estimates could reach as much as $6bn - $9bn (versus Q1 profit of $5.4bn). CEO Jamie Dimon under pressure. Pay of responsible officers to be docked – little real impact.
Barclays – Rate-rigging scandal brought down CEO, Bob Diamond. Fined GBP290m (approx $450m). Possible criminal prosecution. Glass-Steagall type action possible (division between investment and commercial banking). CEO lost $30m bonus
RBS – IT glitch caused breakdown of service to customers – could they have tested on one of their brands or regionally before full rollout? Also fighting to keep LIBOR records private – rate fixing scandal.
So who is to save us?
  • Board
  • Executive Management
  • Internal Audit
  • Accounting firms
  • Rating agencies
  • Regulators
All have failed.

Thursday, 10 March 2016

RISK CULTURE

Risk culture can be defined as the system of values and behaviors present throughout an organization that shape risk decisions. Risk culture influences the decisions of management and employees, even if they are not consciously weighing risks and benefits.

Essential parts of a successful risk culture:
  • Leadership and commitment from the highest levels of the organization.
  • Adherence to ethical principles and concern for all stakeholders.
  • Organization-wide recognition of the need for effective risk management.
  • Ready access to reliable information relating to risk at all levels.
  • Active encouragement to share information when things go wrong so that the lessons can be learned.
  • Application of risk management to all activities, even those considered to be complex, remote, or too hard to understand.
  • Encouragement and reward for appropriate risk-taking as well as sanctions for reckless or negligent approaches.
  • Ready access to support and resources for the development of risk management skills.
  • Acceptance of multiple perspectives to challenge the approaches adopted.
  • Alignment of risk culture with the organizational culture.
These can be regarded as the characteristics of a risk mature organization.
Risk culture is revealed in a number of ways. The risk appetite is an expression of how much risk the organization is prepared to accept or tolerate. This in turn is related to its risk capacity, which reflects the ability to accept risk as a consequence of the skills and resources at the organization’s disposal. More than being just the totality of risk appetite, capacity, framework, and processes, however, risk culture determines whether there is genuine buy-in at all levels to address risks and opportunities that arise out of the uncertainty of events.

RISK MANAGEMENT PROCESSES

The main processes of risk management relate to:
Risk analysis:
Risks (both current and emergent) must be identified and assessed for relevance to the organization, its context, and its objectives, and evaluated, leading to a determination of the key risks—the ones requiring most urgent attention by management.
Risk response:
There are a number of ways to respond to identified risks, depending on the risk appetite, available resources, and perceived priorities.
Risk Monitoring:
The potential for change requires routine monitoring with regard to:
  • The system of internal controls and other responses to determine whether they remain relevant, and whether the required measures are in place and are having the intended effect with respect to the risks or opportunities (sometimes referred to as the control objectives).
  • Changes to the internal and external environments that may alter the risk profile, making some less severe while raising the severity of others; or introducing new and previously unanticipated risks, each requiring a new response.
  • Adjustments to the strategy of the organization, causing objectives and risks to change.
Risk Reporting: 
Management and the board (directly or via the audit committee or a similar body such as a risk committee or a combined audit and risk committee) will require updates and assurance on the risk profile of the organization and its state of preparedness with respect to internal controls.
Risk management does other things as well. It establishes and maintains a risk management framework that is aligned to organizational objectives as well as coordinated, integrated, and enterprise-wide (where “risk management framework” refers to the sum total of all elements of risk management). The framework helps less risk mature organizations to move toward this desired status. It helps management determine:
  • Risk appetite.
  • Responses to particular risks.
  • The overall risk culture of the organization, enabling it to be progressively more risk mature.
It also enables organizations to prepare for risks and opportunities before they arise, to maximize operational effectiveness and strategic gain, and allows them to deploy their resources according to need and potential for advantage.
While risk management can report on the risk profile, internal audit’s analysis of risks and internal control effectiveness provides independent and objective assurance by virtue of its unique role and position. The effectiveness of the risk management framework and processes is often reflected in terms of the organization’s overall risk maturity.

RISK MANAGEMENT PROCESS

Risk management process objectives include the following:
  1. To contribute to the long-term survival of the organization.
  2. To maximize the value delivered to all stakeholders.
  3. To link growth, risk, and return.
  4. To safeguard the assets and reputation of the organization.
  5. To facilitate greater operational effectiveness and efficiency.
  6. To increase the likelihood of achieving strategic and operational objectives.
  7. To comply with legal and regulatory requirements.
  8. To improve organizational learning and resilience.
  9. To be better placed to take advantage of opportunities as they arise.
  10. To help an organization become more risk mature by considering its current and future risks in a coordinated manner within an enterprise-wide framework.
  11. To improve the understanding an organization has of itself and its activities to enable better decision-making, operational management, and deployment of capital and resources.
  12. To reduce uncertainty and volatility in those areas of organizational activity that do not benefit from being risk-laden. In other words, if there is not a reason to accept a risk or to incur the costs associated with controls, the risk should be minimized or removed.
Risk management follows a cyclical and iterative process that uses monitoring as a feedback loop to maintain alignment with strategic objectives, improve the effectiveness of identification and response, and continually raise the level of risk maturity.

8 March 2016, Tuesday

Organizational Governance and Risk Management

Risk management, as a structured approach to addressing the full range of risks faced by an organization, has developed considerably over the last 30 years.
Operational and strategic plans may fail because events occur or conditions arise for which the organization was unprepared. Similarly, losses may arise if resources are irreversibly committed to one opportunity when a better opportunity presents itself. Risk management processes aim to help management by identifying and analyzing potential threats, vulnerabilities, and opportunities; agreeing on effective strategies; and providing regular updates to confirm risks are being managed effectively.
There are many highly sophisticated tools, models, frameworks, and resources that organizations can adopt. However, since risk management exists to serve the needs of the organization, it is very important that the approach used is tailored to particular requirements based on its goals, culture, internal and external environments, and overall risk maturity. Therefore, any assessment of risk management processes—the first stage in providing risk management assurance—must consider how well those processes support organizational aims.

Assess risk management processes in the context of alignment with strategic imperatives
The principal purpose of risk management is to help an organization achieve its strategic objectives. It does so by assisting management in:
•   Identifying and assessing the sources and nature of uncertainties that may impact positively or negatively on organizational objectives.
•   Determining how much risk stakeholders are prepared to tolerate.
•   Establishing and maintaining appropriate responses, including controls, to keep risk at a tolerable level.

Any assessment of whether risk management processes are effective must include the extent to which those processes are aligned with organizational objectives.

Objectives of risk management processes
The purpose of risk management and its processes is not always to eliminate or even minimize risk. Instead, the primary aim is to understand risk so that management can make informed decisions. Risk is unavoidable and, to an important extent, desirable. The key processes relate to reviewing strategic objectives, and then risk identification, risk analysis, risk response, monitoring, reporting, and review.

Risk culture
Risk culture refers to the overall attitude and approach an organization takes toward risk. Organizations may be described as being more or less risk mature. As the risk culture becomes more mature, greater importance is attached to understanding risk and considering it in planning and decision-making throughout the organization.

Risk capacity, appetite, and tolerance of organization
Risk capacity refers to how much risk an organization is able to take with respect to its resources and capabilities. Risk appetite is a measure of how much risk an organization is prepared to take, from being risk averse to tolerating higher levels of risk (temporarily or on a long-term basis) in exchange for potential benefits.

Assess the processes related to the elements of the internal environment in which organizations seek to manage risks and achieve objectives
Risk management processes are set in a framework that must be understood and developed in the context of the organization’s internal environment. The approach and implementation of risk management should be sympathetic to and mesh with the organization’s resources and capabilities, and serve to reveal and manage the risks that exist in the internal environment.

Integrity, ethical values, and other soft controls
Unethical behavior has the potential to create significant reputational and financial risks, while acting with integrity may generate positive opportunities. Organizations need to address business ethics with leadership from the highest levels. Risk management processes themselves must be delivered with integrity and support the organization’s resolve for compliance with its codes for professional conduct and ethical behavior.

Role, authority, responsibility, etc., for risk management
Organizations function effectively when there is a clear division of labor with well-defined roles and lines of authority that usually flow down the various structural tiers. Risk management equally requires an appropriate structure together with the necessary resources and channels of communication. From such arrangements, it gains its authority.

The three lines of defense model makes a sharp distinction among the roles of:
  • Operational management.
  • Risk management oversight.
  • Internal auditing (independent and objective assurance on the effectiveness of internal controls and risk management).
In addition, as primary stakeholders, senior management and the board have a critical role to play in ensuring that these three lines of defense are in place and working.

Management’s philosophy and operating style
The organization has a way of doing things that forms a large part of its culture. The “tone at the top” should drive that culture and be reflected by the approach management takes and the style that is adopted across all operational areas.

Organizational culture makes a significant impact on the risk culture
Risk management processes must consider the attitude and style of management generally, and aim to be consistent with the prevailing philosophy while moving the organization toward greater risk maturity.

Legal/organizational structure
The structure of an organization is determined by the way it distributes its responsibilities and resources and the manner in which the various divisions interact. 
  1. Strategic goals, internal capabilities, and its response to the external environment are all determining factors of the structure. As these may change over time, it is sometimes necessary to alter the structure, whether organically or through a more substantial readjustment.
  2. Risk management processes should recognize the risks and benefits of different organizational structures as well as the current configuration.
  3. In addition to structure, organizations may use one of a number of legal forms that are available to reflect the needs of the organization in terms of its size, ownership, control, sources of capital, liability for losses, stakeholder interests, and reporting requirements.
Documentation of governance-related decision-making
Corporate governance arrangements exist to ensure that the interests of the stakeholders—especially those of the agent (management) and the principal (owner)—remain in balance with transparency and accountability. 
  • Documentation is used in support of decision-making and as an audit trail that can be accessed and referenced to ensure openness. 
  • The board (or equivalent) and its subcommittees collectively form the principal mechanisms for oversight and governance. In addition, other external functions may contribute to this process. 
  • Risk management plays a major role in corporate governance.
Capabilities of people and other resources (i.e., capital, time, processes, systems, and technologies)
An organization adds value by taking various inputs and transforming them in some fashion. The extent to which this is possible depends upon the capabilities represented by the staff, equipment, systems, processes, etc. An organizational advantage is gained by meeting customer demands or service-user expectations better than the competition. Each of these capabilities should be evaluated in order to identify risks and opportunities.

Management of third-party business relationships
Organizations can extend their capabilities significantly by engaging with third parties to pursue goals of common interest and the mutual benefits of shared resources. Such relationships carry both risk and opportunity. Risk management processes should extend to cover such relationships and consider the internal arrangements for managing risks by those third parties.

Needs and expectations of key internal stakeholders
The key internal stakeholders are staff, managers, and the owners of the organization. They have significant stakes (or interests) that must be taken into account when considering any new initiative or strategy. Stakeholders contribute greatly to the success or failure of an enterprise. At times, the interests of different groups may be in competition. Therefore, management of stakeholder interests needs to be an integral part of strategic and operational planning.

Internal policies
To ensure consistent operational activity in a way that serves to deliver strategic objectives, it is necessary to set organizational policies. These provide the rationale and guidelines for procedures and are likely to form part of internal controls. Their operation should be considered by risk management processes to determine whether they are working and having the desired effect.

Assess the processes related to the elements of the external environment in which organizations seek to manage risks and achieve objectives
Organizations operate in an external environment in which multiple influences are a continual source of changeable threats and opportunities. Risk management processes should protect the organization from surprises by monitoring the external environment for signs of change to be exploited, resisted, or endured.

Key external factors (drivers and trends) that may impact the objectives of the organization
External factors are often analyzed under the headings of political, environmental, social, technological, economic, and legal (PESTEL). This provides a convenient framework in which to identify risks and opportunities that may have an impact on organizational objectives. It is important to understand the forces that drive change in the external environment and identify the underlying trends.

Needs and expectations of key external stakeholders (e.g., involved, interested, influenced)
There are many external stakeholders (including customers, suppliers, investors, banks, the government, regulators, local communities, and the public at large) who can be powerful allies or strong adversaries to organizational efforts. Identifying them and anticipating their reactions are part of the process of determining risk and enabling management to establish suitable strategies for stakeholder engagement.
Risk management is a part of organizational governance, providing stakeholders with clear information about risks and opportunities. In fostering a better understanding and appreciation of risk (both positive and negative), risk management is able to raise the level of risk maturity and contribute to the greater success of the organization.
Risk management processes are not only required to provide management with insights into the riskiness of the organization’s internal environment, they are also very much part of that same environment, intrinsically linked to the ethical values, culture, structural arrangements, policies and procedures, and capabilities that operate in the organization. The real strength of an embedded, enterprise-wide approach is that risk management processes are working consistently along with routine activities to shine a spotlight on uncertainties that are always present and to help the organization understand them.
As an organization can only be understood in its environmental context, risk management can only truly enable an organization to understand itself by providing a view on current and emerging risks. There are key drivers in play that create an endlessly changing set of conditions.
By analyzing the underlying causes and likely trajectory of these changes, risk management processes are able to help the organization prepare its responses. It has been said that forewarned is forearmed.
By eliminating surprises, organizations are better able to resist, endure, and exploit the threats and opportunities that come along.

1 March 2016, Tuesday

RISK GALAXY - MONTE CARLO RISK MODEL

The basic problem banks face in practice when identifying risks is the tendency to define far too many of them. Across this broad spectrum of risks, the result is known as the risk galaxy. The Monte Carlo risk model is a shining star of this Milky Way, the risk galaxy.

The Monte Carlo method was invented by scientists working on the atomic bomb in the 1940s, who named it after the city in Monaco famed for its casinos and games of chance. Its core idea is to use random samples of parameters or inputs to explore the behavior of a complex system or process. Its originators faced physics problems, such as models of neutron diffusion, that were too complex for an analytical solution, so they had to be evaluated numerically.
The method is just as effective for quantifying risk and uncertainty in the risk management literature. Instead of assigning a single point estimate to each risk, the analyst describes how often an event occurs and how severe it is as probability distributions, draws thousands of random years from those distributions, and reads the expected loss and the tail losses (for example a 99% one-year value at risk) off the resulting loss distribution. That tail figure, not the long list of individually identified risks, is what can be compared with the risk appetite and the capital available to absorb losses.
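The simulation described above, as an added example that is not code from the original page. It implements one common form of a Monte Carlo operational-loss model (the loss distribution approach): for each risk scenario the number of loss events per year is drawn from a Poisson distribution and the size of each event from a lognormal distribution; the annual totals are then summarised as expected loss, 95% and 99% value at risk (VaR) and expected shortfall, and compared against a stated loss appetite. The scenario names, rates and loss sizes are constructed for illustration and the appetite threshold is an assumed figure; none of them describe any real bank.

```python
"""Monte Carlo loss-distribution model for operational risk.

Added example, not code from the original page. Event frequency per
scenario is Poisson, event severity is lognormal; all scenarios and
parameters below are constructed for illustration only.
"""
import math
import random
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class RiskScenario:
    name: str
    events_per_year: float  # Poisson rate: expected number of loss events per year
    log_median_loss: float  # lognormal mu: natural log of the median loss per event
    log_sigma: float        # lognormal sigma: larger values give a heavier tail


# Constructed, hypothetical scenarios; the figures are not from any real bank.
SCENARIOS: List[RiskScenario] = [
    RiskScenario("unauthorised trading", 0.2, math.log(50_000_000), 1.2),
    RiskScenario("core banking IT outage", 3.0, math.log(2_000_000), 0.8),
    RiskScenario("external fraud", 12.0, math.log(100_000), 1.0),
]


def poisson(rng: random.Random, rate: float) -> int:
    """Draw a Poisson variate with Knuth's multiplication method.

    Adequate for the small rates used here; exp(-rate) underflows for
    very large rates, where a different sampler would be needed.
    """
    threshold = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product < threshold:
            return count
        count += 1


def simulate_annual_losses(scenarios: Sequence[RiskScenario],
                           years: int, seed: int = 2016) -> List[float]:
    """Return one simulated total loss per simulated year."""
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    totals = []
    for _ in range(years):
        year_total = 0.0
        for s in scenarios:
            for _ in range(poisson(rng, s.events_per_year)):
                year_total += rng.lognormvariate(s.log_median_loss, s.log_sigma)
        totals.append(year_total)
    return totals


def quantile(samples: Sequence[float], q: float) -> float:
    """Empirical q-quantile of the samples (value at risk when q is e.g. 0.99)."""
    ordered = sorted(samples)
    index = max(0, min(len(ordered) - 1, math.ceil(q * len(ordered)) - 1))
    return ordered[index]


def expected_shortfall(samples: Sequence[float], q: float) -> float:
    """Average loss in the years at or beyond the q-quantile (tail average)."""
    var = quantile(samples, q)
    tail = [x for x in samples if x >= var]
    return sum(tail) / len(tail)


def summarise(samples: Sequence[float]) -> Dict[str, float]:
    return {
        "expected_loss": sum(samples) / len(samples),
        "var_95": quantile(samples, 0.95),
        "var_99": quantile(samples, 0.99),
        "es_99": expected_shortfall(samples, 0.99),
    }


def within_appetite(summary: Dict[str, float], loss_appetite: float) -> bool:
    """Risk appetite check: does the 99% one-year loss stay under the stated limit?"""
    return summary["var_99"] <= loss_appetite


if __name__ == "__main__":
    losses = simulate_annual_losses(SCENARIOS, years=20_000)
    stats = summarise(losses)
    for key, value in stats.items():
        print(f"{key:>14}: {value / 1e6:10.1f} m")
    # 150m is an assumed appetite figure, chosen only to show the comparison
    print("within 150m appetite:", within_appetite(stats, 150_000_000))
```

Two practical points the numbers make visible: the rare, heavy-tailed scenario (unauthorised trading, 0.2 events a year) barely moves the expected loss but dominates the 99% VaR and the expected shortfall, which is exactly the Barings/SocGen pattern; and because the output is a distribution rather than a point estimate, the risk appetite can be stated as a loss level at a confidence level and tested directly against the model.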