INTERNAL AUDIT AND RISK MANAGEMENT

KAREM OBEID

CHIEF AUDIT EXECUTIVE , TAWAZUN ECONOMIC COUNCIL

EXECUTIVE BOARD MEMBER , VICE CHAIRMAN – GLOBAL SERVICES, INSTITUTE OF INTERNAL AUDITORS (IIA) - GLOBAL

Changing Environment

Geopolitical, Environmental, Technological, Economic andSocietal risks dominate the World Economic Forum Global Risks2017 report.

The Global Risks Landscape 2017

THE GLOBAL RISKS INTERCONNECTIONS

(Source: WE The Global Risks Report

2017)

Emerging Technologies

Travel and Tourism Ecosystem

THREE LINES OF DEFENSE

THREE LINES OF DEFENSE MODEL

1st Line of Defense - Management

• Functions that own and manage risks.

• Functions that oversee risks.

• Functions that provide independent assurance.

2nd Line of Defense – Risk Management and Compliance Functions

• A risk management function (and/or committee)

that facilitates and monitors the implementation of

effective risk management and assists risk owners in

defining the target risk exposure and reporting

adequate risk-related information throughout the

organization.

• A compliance function to monitor various specific

risks such as noncompliance with applicable laws

and regulations.

• A controllership function that monitors financial

risks and financial reporting issues.

THREE LINES OF DEFENSE MODEL

10%

18% 18%

37%

50%

45%

26%24% 24%24%

8%

13%

0%

10%

20%

30%

40%

50%

60%

GLOBAL GCC UAE

Risk Management Practices in Place

No,risk management processes are in place.

Risk management processess are informal or just developing.

Formal risk management processess and procedurs are in place.

The organization has a formal ERM process with CRO or equivalent

Source: Internal Auditing in GCC Region, IIA UAE and KSA

Demographics: By country – Bahrain (1%), Kuwait(4%), Oman(5%), Qatar(7%), UAE(39%) and KSA(44%).

By Staff Level: CAE (22.81%), Director or Senior manager(15,79%), Manager(23.48%) and Staff(37.92%).

3rd Line of Defense – Internal Audit

Internal audit provides assurance on the effectiveness

of governance, risk management, and internal

controls, including the manner in which the first and

second lines of defense achieve risk management and

control objectives.

THREE LINES OF DEFENSE MODEL

Mission: To enhance and protect organizational value

by providing risk-based and objective assurance,

advice, and insight.

THREE LINES OF DEFENSE

The Line is getting

thinner

RISK ASSESSMENT CRITERIA

VELOCITY ( speed of onset)

LIKELIHOOD

IMPACT

VULNERABILITY

Auditing at the Speed

of Risk

Improve the agility of Internal Audit

= Improve agility of the whole

business/organization

• Get involved early

• Understand stakeholder’s expectations

• Re-evaluate company’s Risk posture

and Internal Audit Plan

• Develop and operate a risk driven

Integrated Assurance Plan

• Evaluate the skills, knowledge and

competence of the audit team

• Keep a close eye on business as usual

activities

• Integrated Thinking and Enterprise Risk Management.

• Supportive relationships with Risk Managers, Chief

Information Security Officers and Chief Information

Offices and Chief HSSE Officers.

Source: Forecasting Risks: Internal Auditors and Approaching Storms, Richard

Chambers Blog June 2017

Foresight

Data Analytics / Big Data

Integrating Thinking

Collaboration Between

Lines of Defense

Management

Risk Management, HSSE,

Compliance and other Second

Line of Defense Providers