ELTP ERM Trainees Manual 2023 - English Version.pdf

Transcript

ENTERPRISE RISK MANAGEMENT (ERM)
ELTP TRAINEE MANUAL

MODULE 1
1.1 Introduction to ERM

Enterprise risk management (ERM) is a methodology that looks at risk management
strategically from the perspective of the entire firm or organisation. It is a top-down
strategy that aims to identify, assess, and prepare for potential losses, dangers, hazards,
and other potential harm that may interfere with an organisation’s operations and
objectives and/or lead to losses.

ERM provides a framework for risk management, which typically involves identifying
particular events or circumstances relevant to the organization’s objectives (threats and
opportunities), assessing them in terms of likelihood and magnitude of impact,
determining a response strategy, and monitoring process.

By identifying and proactively addressing risks and opportunities, business enterprises
protect and create value for their stakeholders, including owners, employees, customers,
regulators, and society overall.

1.2 Importance and Advantages of ERM

Enterprise risk management is a very relevant and important topic for any organization
that wants to achieve its objectives and survive in a complex and uncertain environment.
ERM can help an organization to:

 Identify and prioritize the key risks that may affect its performance, reputation, or
sustainability.

 Develop and implement effective strategies to manage, mitigate, or transfer those
risks.
 Align risk management with the organisation’s vision, mission, values, and goals.

 Enhance decision-making, planning, and resource allocation based on a
comprehensive understanding of the risk landscape.

1|Page
  Improve communication, collaboration, and accountability across the organization
and with external stakeholders.

 gain a competitive advantage, improve decision-making, increase resilience,
agility and foster innovation in a dynamic changing environment.

 help an organization to meet the expectations of various stakeholders, such as
shareholders, employees, customers, regulators, and society as a whole.
By implementing ERM, an organization can create and protect value for its shareholders,
employees, customers, regulators, and society as a whole. ERM is not a one-time project
or a compliance exercise; it is an ongoing process that requires continuous monitoring,
evaluation, and improvement. ERM is also not a one-size-fits-all solution; it should be
tailored to the specific needs, culture, and context of each organization.

1.3 Traditional Versus Enterprise Risk Management

Traditional risk management (TRM) is an approach to managing risks that focuses on
specific areas or departments of an organization. For example, a manufacturing company
might have a risk management team focused solely on safety risks on the factory floor.
Enterprise risk management does not focus on a specific area but rather it’s on the entire
organisation and individual unit or department risk management is a subset of the holistic
approach.
Key Differences

Traditional Risk ERM

Scope It is a siloed and fragmented It’s a holistic and integrated approach
approach that focuses on specific that considers all types of risks across
risks within a particular area or the entire organization
department

Methodology a reactive and tactical approach a proactive and strategic approach that
that deals with risks as they arise aligns risk management with the
or after they have occurred organisation’s vision, mission, values,
and goals

Outcomes a value-creating and performance- is a value-protecting and compliance-
enhancing approach that helps the oriented approach that helps the
organization to anticipate, organization minimize the impact of
manage, and mitigate risks, risks on a specific area or department

2|Page
 thereby protecting its reputation,
assets, and long-term success,

Perspective Seen to be less effective and more It’s considered to be a more effective
of a knee-jerk approach that is and efficient approach and creates
unsustainable sustainability

However, in today’s complex and uncertain business environment, ERM is generally
considered to be a more effective and efficient way to manage risk than TRM. ERM can
help an organization gain a competitive advantage, improve decision-making, increase
resilience, and foster innovation. ERM can also help an organization meet the
expectations of various stakeholders, such as shareholders, employees, customers,
regulators, and society as a whole.

1.4 Challenges of ERM Implementation

Lack of management support and commitment: ERM requires the involvement and buy-
in of senior management and board members, who need to provide clear direction,
guidance, and resources for ERM activities. Without their support, ERM may not be
aligned with the organisation’s vision, mission, values, and goals, and may not receive
adequate attention or priority.

Different management priorities and perspectives: ERM needs to consider all types
of risks across the entire organization, which may involve different functions,
departments, units, and stakeholders. However, these groups may have different views
and interests on risk management, such as different risk appetites, definitions,
assessments, and responses. This may lead to conflicts, inconsistencies, or gaps in ERM
processes and outcomes.

Reluctance to share sensitive information: ERM requires the sharing of risk-related
information among various parties within and outside the organization. However, some
parties may be reluctant to disclose such information due to confidentiality, security, or
competitive reasons. This may limit the quality and completeness of risk identification,
analysis, and reporting.
Difficulties in quantifying and measuring risks: ERM needs to assess the likelihood
and impact of various risks on the organization’s objectives and performance. However,
some risks may be difficult or impossible to quantify or measure due to uncertainty,

3|Page
complexity, or lack of data. This may affect the accuracy and reliability of risk evaluation
and prioritization.

Lack of a common risk language and framework: ERM needs to establish a common
risk language and framework that can be understood and applied by all parties involved
in ERM activities. However, different parties may use different terms, concepts, models,
or standards for risk management, which may cause confusion or miscommunication.
This may hamper the consistency and effectiveness of ERM practices.

Limited access to data and technology: ERM needs to collect, process, store, analyze,
and report large amounts of risk-related data from various sources. However, some
organizations may not have sufficient access to data or technology that can support ERM
functions. For example, they may lack the tools or systems that can integrate data from
different sources, perform advanced analytics, generate visualizations, or enable real-
time monitoring.

Failure to leverage the power of digital technologies: ERM needs to leverage the
power of digital technologies that can enhance risk management capabilities and
outcomes. For example, artificial intelligence (AI), blockchain, and the Internet of Things
(IoT) can help identify and predict emerging risks, automate risk responses, improve risk
transparency, or create new opportunities. However, some organizations may not be
aware of or prepared for the potential benefits and challenges of these technologies for
ERM.
Inadequate governance and oversight: ERM needs to have a clear governance
structure and oversight mechanism that can ensure the accountability and responsibility
of ERM activities. For example, there should be a designated risk committee or function
that can oversee the development and implementation of ERM policies and procedures.
However, some organizations may not have a well-defined or effective governance model
for ERM that can provide guidance or feedback for continuous improvement.

4|Page
1.5 COMPONENTS OF THE ERM

1.5.1 Goals and Objective Setting

As a company determines its purpose, it must set objectives that support the mission and
goals of a company. These objectives must then be aligned with a company's risk
appetite. For example, an ambitious company that has set far-reaching strategic plans
must be aware there may be internal risks or external risks associated with these lofty
goals. In response, a company can align the measures to be taken with what it wants to
accomplish such as hiring additional regulatory staff for expansion areas it is currently
unfamiliar with.
1.5.2 Risk/Event Identification

Positive events may have a great impact on a company. On the other hand, negative
events may have detrimental outcomes on a company's ability to continue to operate.
ERM guidance recommends that companies identify important areas of the business and
associated events that may have dire outcomes. These high-risk events may pose risks
to operations (i.e. natural disasters that force offices to temporarily close) or strategic (i.e.
government regulation outlaws the company's primary product line).
1.5.3 Risk Assessment

In addition to being aware of what may happen, the ERM framework details the step of
assessing risk by understanding the likelihood and financial impact of risks. This includes
not only the direct risk (i.e. a natural disaster yields an office unusable) but residual risks

5|Page
(i.e. employees may not feel safe returning to the office). Though difficult, the ERM
framework encourages companies to consider quantifying risks by assessing the per cent
change of occurrence as well as the dollar impact. The process of prioritizing risks based
on their significance and urgency is critical.
1.5.4 Risk Response/Treatment
A company can respond to risk in the following four ways:
a. Risk Avoidance. This results in the company leaving the activity that causes the
risk as the company would rather forgo the benefits of the activity than incur the
risk. An example of risk avoidance is a company shutting down a product line and
discontinuing selling a specific good.

b. Risk Reduction. This results in the company staying engaged in the activity but
putting forth effort in minimizing the likelihood or magnitude of the risk. An example
of risk reduction is a company keeping the product line above open but investing
more in quality control or consumer education on how to properly use the product.

c. Risk Sharing. This results in the company moving forward as-is with the current
risk profile of the activity. However, the company leverages an independent third
party to share in the potential loss in exchange for a fee. An example of risk sharing
is purchasing an insurance policy.

d. Risk Acceptance. This results in the company analyzing the potential outcomes
and determining whether it is financially worth pursuing mitigating practices. An
example of risk acceptance is the company keeping the product line with no
changes to operations and risk sharing.

1.5.5 Risk Monitoring and Reporting

This component involves tracking and reviewing the performance and effectiveness of
the risk response strategies, as well as the changes in the risk environment. It also
includes reporting and communicating the risk information to relevant stakeholders.

It involves getting feedback, analysing company data, and informing management of
unprotected risks. Additionally, the team need to capture and apply lessons learned
towards improving the framework, as well as identifying and addressing the gaps and
weaknesses in the ERM framework.

1.6 Integrating ERM into Organizational Strategy

6|Page
To integrate ERM into organizational strategy, an organization needs to follow a
systematic and iterative process that involves the following steps:

1. Understand the environment: This step involves analysing the internal and
external factors that may influence the organization’s strategy, such as its mission,
vision, values, stakeholders, resources, capabilities, competitors, customers,
regulators, and market trends. This step also involves identifying the potential risks
and opportunities that may arise from these factors, as well as their
interrelationships and dependencies.

2. Build the plan: This step involves developing the strategic plan that defines the
organization’s goals and objectives, as well as the strategies and initiatives to
achieve them. This step also involves assessing and prioritizing the risks and
opportunities that may affect or be created by the strategic plan, as well as
determining the risk appetite and tolerance of the organization.

3. Execute the plan: This step involves implementing the strategic plan and
monitoring its progress and outcomes. This step also involves selecting and
applying appropriate risk response strategies to manage, mitigate, or transfer the
risks, or to exploit or enhance the opportunities. This step also involves allocating
resources and responsibilities for risk response actions.

4. Review and revise: This step involves evaluating the performance and
effectiveness of the strategic plan and the risk response strategies, as well as
identifying and addressing any gaps or weaknesses in the ERM framework. This
step also involves updating and improving the strategic plan and the ERM
framework based on feedback and best practices.

By following these steps, an organization can integrate ERM into its organizational
strategy and create more value from its risk management activities. ERM can help an
organization achieve its strategic objectives while minimizing its exposure to potential
threats and maximizing its potential for growth and innovation.

1.7 The Basel Accord

The Basel Accord is a set of international banking regulations issued by the Basel
Committee on Banking Supervision (BCBS), which consists of representatives from
central banks and regulatory authorities from around the world. The first Basel Accord
(Basel I) was introduced in 1988 and focused on credit risk. The second Basel Accord
(Basel II) was introduced in 2004 and expanded the scope to include market risk and
operational risk. The third Basel Accord (Basel III) was introduced in 2010 and revised in

7|Page
2017 to address the lessons from the global financial crisis and enhance the resilience of
banks.

The Basel Accords were developed over several years beginning in the 1980s. The BCBS
was founded in 1974 as a forum for regular cooperation between its member countries
on banking supervisory matters. The BCBS describes its original aim as the enhancement
of "financial stability by improving supervisory know-how and the quality of banking
supervision worldwide." Later, the BCBS turned its attention to monitoring and ensuring
the capital adequacy of banks and the banking system.

The Basel I Accord was originally organized by central bankers from the G10 countries,
who were at that time working toward building new international financial structures to
replace the recently collapsed Bretton Woods system.

The meetings are named "Basel Accords" since the BCBS is headquartered in the offices
of the Bank for International Settlements (BIS) located in Basel, Switzerland. Member
countries include Australia, Argentina, Belgium, Canada, Brazil, China, France, Hong
Kong, Italy, Germany, Indonesia, India, Korea, the United States, the United Kingdom,
Luxembourg, Japan, Mexico, Russia, Saudi Arabia, Switzerland, Sweden, the
Netherlands, Singapore, South Africa, Turkey, and Spain.

1.7.1 Basel I
The first Basel Accord, known as Basel I, was issued in 1988 and focused on the capital
adequacy of financial institutions. The capital adequacy risk (the risk that an unexpected
loss would hurt a financial institution), categorizes the assets of financial institutions into
five risk categories 0%, 10%, 20%, 50%, and 100%.

Under Basel I, banks that operate internationally must maintain capital (Tier 1 and Tier 2)
equal to at least 8% of their risk-weighted assets. This ensures banks hold a certain
amount of capital to meet obligations.
For example, if a bank has risk-weighted assets of $100 million, it is required to maintain
capital of at least $8 million. Tier 1 capital is the most liquid and primary funding source
of the bank, and tier 2 capital includes less liquid hybrid capital instruments, loan-loss,
and revaluation reserves as well as undisclosed reserves.

8|Page
1.7.2 Basel II

The second Basel Accord, called the Revised Capital Framework but better known as
Basel II, served as an update of the original accord. It focused on three main areas:
minimum capital requirements, supervisory review of an institution's capital adequacy and
internal assessment process, and the effective use of disclosure as a lever to strengthen
market discipline and encourage sound banking practices including supervisory review.
Together, these areas of focus are known as the three pillars.

Basel II divided the eligible regulatory capital of a bank from two into three tiers. The
higher the tier, the less subordinated securities a bank is allowed to include in it. Each tier
must be of a certain minimum percentage of the total regulatory capital and is used as a
numerator in the calculation of regulatory capital ratios.

The new tier 3 capital is defined as tertiary capital, which many banks hold to support
their market risk, commodities risk, and foreign currency risk, derived from trading
activities. Tier 3 capital includes a greater variety of debt than tier 1 and tier 2 capital but
is of a much lower quality than either of the two. Under the Basel III accords, tier 3 capital
was subsequently rescinded.

1.7.3 Basel III

In the wake of the Lehman Brothers collapse of 2008 and the ensuing financial crisis, the
BCBS decided to update and strengthen the Accords. The BCBS considered poor
governance and risk management, inappropriate incentive structures, and an
overleveraged banking industry as reasons for the collapse. In November 2010, an

9|Page
agreement was reached regarding the overall design of the capital and liquidity reform
package. This agreement is now known as Basel III.

Basel III is a continuation of the three pillars along with additional requirements and
safeguards. For example, Basel III requires banks to have a minimum amount of common
equity and a minimum liquidity ratio. Basel III also includes additional requirements for
what the Accord calls "systemically important banks," or those financial institutions that
are considered "too big to fail." In doing so, it got rid of tier 3 capital considerations.

The Basel III reforms have now been integrated into the consolidated Basel Framework,
which comprises all of the current and forthcoming standards of the Basel Committee on
Banking Supervision. Basel III tier 1 has now been implemented and all but one of the 27
Committee member countries participated in the Basel III monitoring exercise held in June
2021. The final Basel III framework includes phase-in provisions for the output floor, which
will start at 50% on Jan. 1, 2023, rising in annual steps of 5% and be fully phased-in at
the 72.5% level from January 2028. These 2023 onward measures have been referred to
as Basel 3.1 or Basel IV.

Basel Accord provides a framework for banks to measure and manage their risks,
including credit, market, and operational risks, and to maintain adequate capital to cover
those risks

ERM can help banks comply with the Basel Accord requirements and improve their risk
management practices.

Basel 1 Basel 2 Basel 3

Risk weights categorized Banks use their introduced more
assets into four internal models to standardized and
risk categories calculate risk conservative measures for
based on risk weights for different credit risk, market risk,
weights0%, 20%, types of exposures. and operational risk2.
50%, and 100%.

Risks focused Expanded the scope
principally on to include market
Credit risk risk and operational
risk

10 | P a g e
 Pillars Introduced the Expanded to 3 Maintained the pillars but
Pillar 1, Capital pillars: Supervisory deepened the
requirement process and requirements
disclosure
requirements

Capital 8% Minimum 8% Minimum 10.5% Minimum capital.
requirements Capital capital requirement Introduced the buffer
requirement with with 6% in tier 1 conservatory capital of
4% tier 1 capital capital 2.5% and Counter-cyclical
buffer of 0-2.5%

Leverage Did not address Did not address this introduced a leverage ratio
and Liquidity this of 3% and two liquidity
Ratios ratios: the liquidity
coverage ratio (LCR) and
the net stable funding ratio
(NSFR)

MODULE TWO

2.0. ERM TEAM: ROLES AND RESPONSIBILITIES

2.1. Board Responsibilities

The role of the Board in ERM:

 Defining the bank’s overall strategic direction and tolerance level for each
risk element.
 Ensuring that the bank maintains the various risks facing it at prudent levels.
 Ensuring that senior management as well as individuals responsible for
managing individual risks facing the bank possess sound expertise and
knowledge to accomplish the risk management function.
 Ensuring that the bank implements sound fundamental principles that facilitate
the identification, measurement, monitoring, and control of all risks facing it.

11 | P a g e
  Ensuring that appropriate plans and procedures for managing individual risk
elements are in place.

The Board’s Oversight & Governance:

 To secure the independence of the B o a r d Risk Management
C o m m i t t e e ( BRMC), the Chairman of theBoard shall not be a member of
the committee in line with the Code of Corporate Governance for Banks in
Nigeria.
 Membership of the BRMC shall include at least two (2) non-executive directors,
one of whom should be an independent director. One of the non-executive
directors shall serve as Chairman.
 The MD/CEO shall be a member of the BRMC to complement his oversight role
as the Chief Executive Officer of the bank.
 The Board Risk Management Committee (BRMC) should be responsible for
ensuring adherence to the bank’s risk management policy and procedures as
set out by the board as well as reviewing the bank’s risk strategy for appraisal by
the board.

2.2. Management and Responsibilities

Management’s role in ERM:

Senior management is responsible for the implementation of risk policies and
procedures in line with the strategic direction and risk appetite specifiedby the board.
For the effective management of risks facing a bank, senior management should at the
minimum be responsible for:
 The development and implementation of procedures and practices that translate
the board's goals, objectives, and risk tolerances into operating standards that
are well understood by the bank’s personnel.

12 | P a g e
  Establishing lines of authority and responsibility for managing individual risk
elements in line with the Board’s overall direction.
 Risk identification, measurement, monitoring, and control procedures.
 Establishing effective internal controls over each risk management process.
 Ensuring that the bank’s risk policies, appetite and tolerance are welldocumented
and communicated throughout the bank.

Operationalizing ERM within Management:

This involves integrating risk management practices into the company's daily operations
and decision-making processes. Here are some steps to achieve this:

 Establish Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) to
track risk and performance.
 Assign accountability to specific individuals or departments and ensure that risk
owners are responsible for monitoring and managing their assigned risks.
 Conduct training and awareness programs to educate employees about the
importance of risk management and their roles in it.
 Ensure transparency and clear communication of risk exposure and mitigation
progress.
 Periodically review and update the ERM framework and processes.
 Invest in ERM software and tools to streamline risk data collection, analysis, and
reporting.

2.3. Auditors and Responsibilities

Auditor’s Role in ERM Assessment:

 Risk Assessment: Internal auditors assist in identifying and assessing various
types of risks, including credit risk, market risk, operational risk, liquidity risk, and
compliance risk. They evaluate the effectiveness of risk assessment
methodologies used by the bank.

13 | P a g e
  Risk Measurement and Quantification: Internal auditors evaluate the bank's
methods for quantifying and measuring risks. They assess whether the bank uses
appropriate models and data to estimate potential losses under various risk
scenarios.
 Risk Reporting: Internal auditors review the bank's risk reporting process to ensure
that risk information is accurate, timely, and useful to senior management and the
board of directors. They check if reports comply with regulatory requirements.
 Risk Management Policies and Procedures: Auditors assess the adequacy of risk
management policies and procedures in place. They check whether these policies
align with the bank's risk tolerance and regulatory guidelines.
 Regulatory Compliance: Internal auditors ensure that the bank complies with
relevant regulatory requirements, such as Basel III, Dodd-Frank Act, and Anti-
Money Laundering (AML) regulations. They also check for adherence to internal
policies and procedures.
 Control Testing: Auditors conduct control testing to determine whether the risk
mitigation controls are effective in managing identified risks. They assess whether
controls are consistently applied and whether there are any control deficiencies.
 Fraud Detection: Internal auditors may also be involved in detecting and
preventing fraud within the bank. They review transactional data, processes, and
systems to identify potentially fraudulent activities.
 Continuous Monitoring: Auditors perform ongoing monitoring of risks to ensure that
risk profiles are up-to-date and that the bank is responding appropriately to
emerging risks.

Auditing ERM effectiveness:

 Review the bank's risk appetite statement and strategic risk management plan to
ensure alignment with business objectives.
 Review the bank's risk mitigation strategies and controls to determine their
adequacy and effectiveness.
 Examine the bank's risk monitoring and reporting processes to ensure timely and
accurate reporting to senior management and the board.

14 | P a g e
  Evaluate the quality of risk reporting, including the identification of emerging risks.
 Ensure that stress testing results are integrated into the bank's decision-making
processes.
 Evaluate the bank's cybersecurity measures and technology risk management.

2.4. Risk Officers and Responsibilities

Chief Risk Officer (CRO):

The Chief Risk Officer (CRO) is a senior executive responsible for overseeing all aspects
of an organization's risk management efforts within the context of an Enterprise Risk
Management (ERM) system. They ensure that risks are identified, assessed, mitigated,
and monitored effectively to protect and enhance the organization's value and reputation
while ensuring compliance with relevant regulations and standards.

Risk Officer’s role:

 Risk Identification: The risk officer is responsible for identifying and documenting
all potential risks that could affect the organization. This includes both internal and
external risks, such as financial risks, operational risks, regulatory risks, market
risks, and reputational risks.
 Risk Assessment: After identifying risks, the risk officer assesses the potential
impact and likelihood of each risk. This involves analyzing data, historical trends,
and qualitative information to determine the significance of each risk.
 Risk Measurement: The risk officer may use various quantitative and qualitative
methods to measure the magnitude of risks. This can include financial modelling,
stress testing, scenario analysis, and key risk indicators (KRIs).
 Risk Monitoring: Continuous monitoring of risks is crucial. The risk officer tracks
and reports on the status of risks, ensuring that any changes or new risks are
promptly identified and assessed. This involves maintaining a risk dashboard or
reporting system.
15 | P a g e
  Risk Reporting: The risk officer communicates risk information to senior
management, the board of directors, and other stakeholders. Reports should
provide a clear understanding of the organization's risk profile, trends, and
potential impacts on the business..2.5. The Three Lines of Defense Model

The Three Lines of Defense (3LoD) model is a risk management framework commonly
used in Enterprise Risk Management (ERM) to help organizations effectively manage and
control risks. Each "line" represents a different level of responsibility and oversight.

The 3LOD model helps organizations create a structured approach to risk management,
with clear roles and accountabilities at each level. This separation of duties and
responsibilities helps enhance the overall effectiveness of risk management and
promotes a culture of risk awareness and accountability throughout the organization.

Understanding the Model:

First Line of Defense:

The first line of defence consists of the operational business units, departments, and
teams within an organization that directly engage in day-to-day activities and processes.
These units are responsible for identifying, assessing, and managing risks as an integral

16 | P a g e
part of their operations. Key responsibilities include setting risk tolerances, implementing
controls, monitoring, and reporting on risks, and taking immediate corrective actions when
risks are identified.

Second Line of Defense:

The second line of defense is comprised of risk management, compliance, and control
functions that provide oversight, guidance, and support to the first line of defense. This
includes risk management departments, compliance teams, and financial control
functions. Their role is to independently assess and validate the effectiveness of risk
management processes, ensure compliance with regulations and internal policies, and
provide guidance on risk mitigation strategies. They also monitor risk exposures at a
broader organizational level.

Third Line of Defense:

The third line of defense is represented by the internal audit function, which operates
independently from both the first and second lines of defense. Internal auditors provide
an objective and unbiased evaluation of the effectiveness of the risk management and
control processes. They conduct audits and reviews to assess whether the first and
second lines of defense are functioning effectively, adhering to policies and procedures,
and achieving their risk management objectives. Their findings and recommendations are
reported to senior management and the board of directors.

Interaction Between the Lines

 The first line of defense is provided by front-line staff and operational management.
 The second line of defense is provided by the risk management and compliance
functions.
 The third line of defense is provided by the internal audit function.

2.6. Strengths & Weaknesses of the Model:

While the model has its strengths, it also has some weaknesses:

Strengths:

17 | P a g e
Clear Accountability: The 3LoD model establishes clear roles and responsibilities for risk
management, which helps ensure that everyone in the organization understands their
role in managing risk. This clarity can improve accountability and reduce the likelihood of
gaps in risk oversight.

Effective Risk Governance: It promotes strong governance by clearly defining the roles of
various stakeholders, including operational management (1st Line), risk and compliance
functions (2nd Line), and internal audit (3rd Line). This separation of duties helps prevent
conflicts of interest.

Efficient Use of Resources: The model allows organizations to allocate resources
efficiently. Operational teams (1st Line) focus on their core activities, while specialized
risk and compliance teams (2nd Line) provide expertise and oversight. Internal audit (3rd
Line) provides independent assurance.

Comprehensive Risk Management: By involving multiple lines, the model encourages a
holistic view of risks. It combines risk identification and management at the operational
level with independent oversight and audit, ensuring a more comprehensive risk
management approach.

Alignment with Regulatory Expectations: Many regulatory bodies, including banking and
financial authorities, support or require the implementation of the 3LoD model. Adhering
to this model can help organizations meet regulatory compliance requirements.

Weaknesses:

Overlaps and Gaps: In practice, there can be overlaps or gaps in responsibilities between
the lines. This can lead to confusion about who is responsible for specific risk
management tasks, potentially resulting in inadequate risk management.

Complexity: Implementing the 3LoD model can be complex, especially in large
organizations. Managing interactions and coordination between the three lines can be
challenging, potentially leading to inefficiencies.

18 | P a g e
Silos: The model may inadvertently create silos, where each line focuses primarily on its
specific responsibilities and lacks a holistic view of risks. This can hinder effective risk
identification and management.

Resource Constraints: Smaller organizations may struggle to implement the 3LoD model
effectively due to resource limitations. They may find it challenging to maintain distinct
lines of defense and hire specialized risk and compliance staff.

Resistance to Change: Some employees and managers may resist the changes
associated with implementing the model, viewing it as bureaucratic and adding
unnecessary layers of oversight.

Dependency on Culture: The effectiveness of the 3LoD model depends on the
organization's culture. If the organization does not have a strong culture of risk
management and accountability, the model may not function as intended.

In summary, the Three Lines of Defense model provides a structured approach to risk
management with clear roles and responsibilities. However, its successful implementation
requires careful planning, strong communication, and a risk-aware organizational culture
to address potential weaknesses and ensure its effectiveness. Organizations should
adapt the model to fit their specific needs and challenges while addressing any potential
shortcomings.

19 | P a g e
 MODULE THREE

3.0 THE COSO CONCEPT

COSO Enterprise Risk Management - Integrated Framework (COSO ERM
Framework):

The Committee of Sponsoring Organizations of the Treadway
Commission (COSO) is a joint initiative to combat corporate fraud.

20 | P a g e
 It was established to guide executive management and governance entities on
relevant aspects of organizational governance, business ethics, internal
control, enterprise risk management, fraud, and financial reporting.

COSO has established a common internal control model against which companies
and organizations may assess their control systems.

The COSO ERM Framework consists of eight components: Governance and Culture,
Strategy and Objective-Setting, Performance, Review and Revision, Information,
Communication, Reporting, and Monitoring.

It helps organizations integrate risk management into their strategic planning and
decision-making processes.

3.1 Integrated Framework

The COSO framework is designed to view Enterprise Risk Management as an initiative
that covers:

 Eight (8) Components of the Organization

 Across all relevant levels of an organization: Enterprise/Entity Level, Division and
Subsidiary Level, and Strategic Business Unit (component Product or Service)
Levels.

 AND to ensure the achievement of the entity’s objectives: Strategic, Operations,
Reporting and Compliance.

3.1.1 The ERM Framework

depicts the following three sides:

SIDE 1: Entity’s objectives

1. Strategic Objectives – High-level goals.

2. Operations Objectives- Efficient management of the entity’s resources.

3. Reporting Objectives- Reliable reports/feedback process

21 | P a g e
 4. Compliance Objectives- Applicable laws and policies.

SIDE 2: The Eight Components:

The above objectives should cover the following components to ensure effective
Enterprise Risk Management.

1. Internal Environment- The tone and risk culture of the entity

2. Objective setting – Management must set realistic objectives

3. Event Identification- Internal and external events

4. Risk Assessment – Entity’s ability to analyze risks

5. Risk Response- avoiding, accepting, reducing or sharing risks

6. Control Activities- Policies and procedures in place

7. Information and Communication- Get all relevant info.

8. Monitoring – Ensure effective monitoring of the entity risks.

SIDE 3: The different units of the entity that should be covered under the ERM framework
are:

1. Subsidiaries

2. Business Units

3. Divisions

4. Entity Level

3.2 The 8 Components of the Framework.

The COSO principles integrate its 8 components with an entity's objectives across the
different units by ensuring that the components are aligned with the objectives and that
they work together to achieve the objectives.

1. The internal environment

22 | P a g e
  Sets the tone for the organization and creates a culture that is conducive to
effective risk management.

 The tone at the top is set by the organization's leaders, and it should be
communicated throughout the organization.

 The organization's culture should emphasize the importance of risk management
and the need to take responsibility for managing risks.

2. Objective setting

 Ensures that the organization has clear and achievable objectives.

 The objectives should be aligned with the organization's mission and strategic
goals.

 The organization should regularly review its objectives to ensure that they are still
relevant and achievable.

 Is applied when management considers risk strategy in the setting of objectives.

3. Event identification component involves:

 Identifying events that may have a positive impact represents natural offsets
(opportunities), which management channels back to the strategy setting.

Identifying the potential events that could negatively impact the organization's
ability to achieve its objectives (risks).

 These events can be internal or external, and they can be positive or negative.

 The organization should use a variety of methods to identify potential events, such
as brainstorming, interviews, and risk assessments.

4. Risk assessment involves.

 Assessing the likelihood and impact of each potential event.

 The likelihood refers to the probability that the event will occur. The impact refers
to the consequences of the event if it does occur.

23 | P a g e
  The organization should use a variety of methods to assess the likelihood and
impact of potential events, such as quantitative analysis and qualitative analysis.

5. The risk response component involves.

 Developing and implementing strategies to manage the risks identified. The
strategies can include avoiding the risk, transferring the risk, reducing the
likelihood of the risk, or reducing the impact of the risk.

 Identifies and evaluates possible responses to risk, and then selects and executes
response based on evaluation of the portfolio of risks and responses.

 The organization should select the risk response strategies that are most
appropriate for each risk.

6. The control activities component involves the policies and procedures that are
put in place to ensure that the risk responses are effective. The control activities
can be preventive, detective, or corrective. The organization should design and
implement control activities that are appropriate for the risks that it faces.
7. The information and communication component involves ensuring that the
organization has the right information to identify, assess, and manage risks. The
information should be timely, accurate, and accessible to the people who need it.
The organization should establish communication channels to ensure that
information is shared effectively.
8. The monitoring component involves ongoing monitoring of the organization's risk
management processes to ensure that they are effective. The monitoring can be
done through self-assessment, internal audits, or external audits. The organization
should regularly review its risk management processes to identify any areas that
need improvement.

By integrating its 8 components with an entity's objectives, the COSO principles help
organizations to identify, assess, and manage risks to achieve their objectives. All these
must occur throughout the organization, at all levels and in all functions.

24 | P a g e
3.3. Internal Control & Risk Management

Internal control – a system or process that an organization uses to achieve its
operational goals, internal and external financial reporting goals, or legal and regulatory
compliance goals.

Limitations of COSO

The COSO (Committee of Sponsoring Organizations of the Treadway Commission)
principles for Enterprise Risk Management (ERM) are widely recognized and utilized, but
like any framework, they have their limitations and challenges. Here are some of the
limitations associated with the COSO ERM framework:

 The framework is not prescriptive. The COSO framework provides a set of
principles and concepts, but it does not provide specific instructions on how to
implement them. This can make it difficult for organizations to know where to start
and how to ensure that they are implementing the framework effectively.

 The framework is not a silver bullet. The COSO framework is not a guarantee that
an organization will be able to avoid all risks. It is a tool that can help organizations
identify, assess, and manage risks, but it is not a substitute for good judgment and
common sense.

 The framework can be complex and time-consuming to implement. The COSO
framework is comprehensive, and it can be complex and time-consuming to
implement. This can be a barrier for some organizations, especially those that are
small or do not have a lot of resources.

 The framework is not always adaptable to different industries and
organizations. The COSO framework is designed to be adaptable to different
industries and organizations, but it may not be possible to adapt it to all
organizations. This is because the risks that different organizations face can vary
widely.

 The framework can be difficult to monitor and evaluate. The COSO framework is
designed to be monitored and evaluated on an ongoing basis, but this can be

25 | P a g e
 difficult for some organizations. This is because it requires organizations to have a
good understanding of the framework and how to measure its effectiveness.

Despite these limitations, the COSO framework is a valuable tool that can help
organizations identify, assess, and manage risks. However, it is important to be aware of
the limitations of the framework and to take steps to mitigate them.

Here are some tips for mitigating the limitations of the COSO framework:

 Customize the framework to the specific needs of your organization. The COSO
framework is designed to be adaptable, so you should customize it to the specific
needs of your organization. This will help you to ensure that the framework is
effective and that it is not too complex or time-consuming to implement.

 Get buy-in from top management. The success of the COSO framework depends
on the support of top management. Make sure that top management is aware of
the benefits of the framework and that they are committed to implementing it
effectively.

 Provide training to employees. Employees need to understand the COSO
framework and how to implement it. Provide training to employees so that they can
understand their role in the risk management process.

 Monitor and evaluate the framework on an ongoing basis. The effectiveness of the
COSO framework should be monitored and evaluated on an ongoing basis. This
will help you to identify any areas that need improvement and to make sure that
the framework is still effective.

26 | P a g e
MODULE 4

This Photo by Unknown Author is licensed under CC BY-SA

Introduction and Origin of the Equator Principles

Introduction

This session is on the Equator Principles. This framework is of significant
importance in the banking sector, especially for those involved in project
financing. We will delve into what the Equator Principles are, their origins, and
why they matter in banking.

Origin of the Equator Principles
The Equator Principles are a set of environmental and social guidelines for
financial institutions. They were first introduced in 2003 as a response to the
growing need for sustainable project financing. Ten major international banks
initially adopted these principles during the International Finance Corporation
(IFC) annual meetings in Washington D.C.

The impetus for the Equator Principles came from a recognition of the role that
financial institutions play in shaping sustainable development. Banks are
responsible for ensuring that projects they fund adhere to certain
environmental and social standards, thereby mitigating potential risks and
promoting sustainable practices.

Purpose of the Equator Principles

27 | P a g e
The Equator Principles serve several key purposes:
 Risk Mitigation: They provide a framework to identify, assess, and
manage environmental and social risks associated with project financing.
This is crucial in protecting the interests of both the financial institutions
and their stakeholders.

 Promoting Sustainable Development: By adhering to the Equator
Principles, financial institutions contribute to the development of projects
that are not only financially viable but also environmentally and socially
responsible. This ensures the long-term sustainability of the projects and
the communities they impact.

 Alignment with Global Standards: The Equator Principles align with
other global standards and guidelines, such as the International Finance
Corporation's Performance Standards and the World Bank's
Environmental, Health, and Safety Guidelines. This fosters consistency
and coherence in sustainable financing practices worldwide.

 Enhancing Reputation and Brand Value: Banks that adopt the Equator
Principles demonstrate a commitment to responsible banking. This can
enhance their reputation and appeal to stakeholders who prioritize
sustainability in their investment decisions.

Summary of the Equator Principles

The Equator Principles are based on ten key principles:

i. Review and Categorization: Financial institutions commit to categorizing
projects based on their potential environmental and social impacts.

ii. Environmental and Social Assessment: Rigorous assessments are
conducted for high-risk projects to identify potential impacts and develop
mitigation measures.

iii. Applicable Environmental and Social Standards: Projects must comply
with the host country's environmental and social laws and regulations,
as well as international standards.

iv. Environmental and Social Management System: Borrowers are required
to implement a management system to address environmental and social
risks throughout the project lifecycle.

v. Consultation and Disclosure: Meaningful stakeholder engagement and
transparent disclosure of project information are crucial components of
responsible project development.

28 | P a g e
 vi. Grievance Mechanism: Effective mechanisms must be in place for
addressing and resolving grievances from affected communities and
stakeholders.

vii. Independent Review: High-risk projects undergo independent review to
ensure compliance with Equator Principles.

viii. Covenants: Financial institutions include covenants in loan agreements
to ensure ongoing compliance with the Equator Principles.

ix. Independent Monitoring and Reporting: Ongoing monitoring and
reporting on project performance about environmental and social risks.

x. Climate Change: Recognizing the significance of climate change, the
Equator Principles include specific provisions related to greenhouse gas
emissions and climate risk assessment.

In conclusion, the Equator Principles provide a comprehensive framework for
financial institutions to ensure that projects they finance are developed and
managed in an environmentally and socially responsible manner. By adhering
to these principles, banks contribute to sustainable development and uphold
their role as responsible corporate citizens.

NIGERIAN SUSTAINABLE BANKING PRINCIPLES

The principles are:

1. Environmental and Social Risk Management
2. Environmental and Social Footprint
3. Human Rights
4. Women's Economic Empowerment
5. Financial Inclusion
6. Environmental and Social Governance
7. Capacity Building

29 | P a g e
8. Collaborative Partnerships
9. Reporting
:

Introduction

The Nigerian Sustainable Banking Principles are a set of guidelines that form
the bedrock of sustainable banking practices in Nigeria. These principles aim to
align banking operations with social and environmental considerations,
contributing to a more sustainable and inclusive financial sector. Let's dive into
each principle.

1. Environmental and Social Risk Management
This principle centers on the identification, assessment, and management of
environmental and social risks in banking operations. It encourages banks to
incorporate robust risk assessment frameworks that factor in potential impacts
on the environment and society. This ensures that projects funded by the bank
are both financially viable and environmentally and socially responsible.

2. Environmental and Social Footprint
This principle emphasizes the measurement and reduction of a bank's
environmental and social footprint. It entails tracking and reporting on the
bank's resource consumption, emissions, and other impacts. By doing so,
banks can take proactive steps to minimize their negative footprint and
contribute positively to sustainable development.

The first two Principles are regarded as the Umbrella Principles.

3. Human Rights
Respecting and upholding human rights is a cornerstone of sustainable
banking. This principle calls for banks to ensure that their operations do not
infringe upon the rights of individuals, communities, or stakeholders affected
by their activities. This includes respecting cultural heritage, and land rights,
and ensuring fair labour practices.

4. Women's Economic Empowerment
This principle promotes gender equality and women's economic empowerment
within the banking sector. Banks are encouraged to implement policies and
initiatives that support women's access to financial services, entrepreneurship,
and leadership roles within the organization.

5. Financial Inclusion
Financial inclusion is a key driver of sustainable development. This principle
urges banks to proactively work towards providing access to financial services
for underserved and marginalized populations. By doing so, banks play a
crucial role in reducing poverty and promoting economic stability.
30 | P a g e
6. Environmental and Social Governance
This principle emphasizes the importance of strong governance structures
within banks to ensure the effective implementation of sustainable banking
practices. It calls for the integration of environmental and social considerations
into the bank's governance framework, including board oversight and decision-
making processes.

7. Capacity Building
Capacity building is vital for enabling sustainable practices within the banking
sector. This principle encourages banks to invest in the training and
development of their staff, ensuring that they have the necessary skills and
knowledge to implement sustainable banking practices effectively.

8. Collaborative Partnerships
Sustainable banking cannot be achieved in isolation. This principle advocates
for collaboration between banks, regulators, civil society, and other
stakeholders. By working together, these entities can pool resources and
expertise to address complex sustainability challenges.

9. Reporting
Transparency and accountability are fundamental to sustainable banking. This
principle underscores the importance of regular and transparent reporting on a
bank's performance about the Nigerian Sustainable Banking Principles. It
allows stakeholders to assess the bank's progress and hold it accountable for
its sustainability commitments.

In conclusion, the nine Nigerian Sustainable Banking Principles provide a
comprehensive framework for banks to integrate sustainability into their
operations. By adhering to these principles, banks contribute to a more
inclusive, environmentally responsible, and socially conscious financial sector.

31 | P a g e