Script


(Internal Control System and Risk Management Framework)

1. First, let’s define what we mean by these two terms.


An Internal Control Framework refers to the processes and procedures that
organizations implement to ensure the integrity of financial reporting,
compliance with regulations, and efficient operations. “When we say integrity,
it means being honest and accurate with financial information, following the
rules, and reporting efficiently to build trust.” This framework is primarily
designed to protect assets, ensure reliable financial reporting, and promote
operational efficiency.

On the other hand, Enterprise Risk Management is a broader, more
strategic discipline that focuses on identifying, assessing, and responding to
risks that could affect the organization’s ability to achieve its objectives.
“So a strategic discipline is about finding, understanding, and dealing
with risk while making consistent decisions.” ERM encompasses not just
financial risks, but operational, strategic, compliance, and reputational risks as
well.

2. Principle Explanation: It means that a company must establish effective
systems for managing operations and risks, which include an internal control
system to ensure smooth functioning, proper financial management, and
minimization of errors or fraud. Moreover, it should adopt an enterprise risk
management (ERM) framework to systematically identify, assess, and address
potential risks to achieve its goals. The design and implementation of these
systems should consider the company’s size, risk profile, and operational
complexity to ensure that the controls and risk management strategies are
suitable and effective for its unique situation.
“When we say operational complexity

Recommendation 12.1 So basically, it means that a company should create
and maintain its internal controls and risk management strategies in a way
that fits its particular situation, making sure they're effective and appropriate
for what it does.
Recommendation 12.2 It means that the company should establish an
independent internal audit function to provide objective assurance and
consulting services that add value and enhance operational effectiveness. “An
independent internal audit function is a team that objectively
assesses a company's operations and controls, ensuring compliance and
identifying opportunities for improvement, free from management influence.”

A. This function offers objective evaluations of risks to assure the board,
audit committee, and management that controls are effective and risks
are being managed appropriately.
B. This function does regular and special audits based on the yearly audit
plan and the company's risk assessment. This helps make sure
everything is running smoothly and safely. (So an audit is the careful
examination or review of an organization's records; its main goal is to
ensure that everything is accurate.)
C. This means that the organization provides help and advice on how to
manage and oversee activities effectively. They focus on improving
rules and systems to ensure everything runs smoothly and aligns with
goals.
D. A compliance audit assesses an organization’s adherence to relevant
laws, regulations, and contractual obligations. It identifies risks, ensures
accountability, and recommends improvements to protect the
organization from legal and financial consequences.
E. This process identifies weaknesses, ensures compliance with policies,
and evaluates the overall risk management framework to enhance
operational performance and safeguard assets in all areas of the
company.
F. This function evaluates operations or programs to determine if outcomes
align with established objectives and goals, ensuring activities are
executed as planned.
G, H. Evaluating operations at the request of the board involves setting
goals, ensuring rules are followed, and reporting results. This process
helps improve efficiency and effectiveness while aligning with strategic
goals and promoting good governance.
Recommendation 12.3
Depending on the company's size and risk, the board should appoint a
qualified Chief Audit Executive (CAE). The CAE will manage the internal
audit function, including any outsourced work. If the internal audit is fully
outsourced, a qualified executive or manager should be in charge of
overseeing it. “Outsourced work involves a company hiring
external organizations or individuals to perform tasks or services rather
than managing them within the company.”
A. The Chief Audit Executive (CAE) periodically reviews the internal
audit charter and presents it to senior management and the board
audit committee for approval, ensuring it aligns with current
practices and organizational goals. (An internal audit charter is a
formal document that defines the purpose, authority, and
responsibilities of the internal audit function within an organization.)
B. A risk-based audit plan looks at the biggest risks in an
organization and ranks them. It ensures that the audits are
consistent with the organization's goals and has clear rules for
communication.
C. A risk-based audit plan prioritizes organizational risks to align
audits with goals, while also communicating resource
requirements and any major changes to senior management and
the audit committee for their review and approval.
D. Manage the internal audit process to make sure it gives useful
benefits to the organization, helping it run better and more
efficiently.
E. So the last responsibility of the CAE is to regularly report to the
audit committee on internal audit performance, present findings
and recommendations, and advise senior management and the
board on improving internal processes.
Recommendation 12.4

The company should have a separate risk management team to find, assess,
and monitor important risks based on its size, how risky it is, and how
challenging its activities are.

A. Establishing the overall approach to identifying, assessing, and
mitigating risks within the organization. These activities collectively help
organizations manage their risks more effectively and ensure they can
achieve their objectives while minimizing potential negative impacts.
B. Identifying and analyzing risks related to economic, environmental,
social, and governance (EESG) factors is important for businesses.
Economic risks include things like market changes, while environmental
risks involve climate change and resource use. By understanding these
risks, companies can create plans to reduce their impact and ensure
long-term success.
C. To evaluate and categorize risks, start by listing all potential risks and
check how likely they are and their possible impacts. Group these risks
into categories like financial, operational, or reputational. Then rank the
risks by seriousness and create plans to manage them. This helps the
company get ready for challenges.
D. Establishing risk involves listing possible problems, explaining them
clearly, ranking their severity and likelihood, creating plans to reduce
their impact, and checking what risks remain afterwards, to help a
company prepare for challenges. What remains is known as residual
risk, which is the risk that still exists after taking steps to mitigate it.
E. Make a mitigation plan to handle risks by figuring out what could go
wrong in the company, deciding how serious each risk is and how likely
it is to happen, coming up with ways to avoid, lessen, share, or accept
those risks, creating a clear action plan with tasks and deadlines,
checking on the situation often, and keeping everyone updated.
F. Report important risks to the board's risk committee. This includes
business risks like strategy, compliance, operations, finances, and
reputation. Also, discuss any control problems and share the plans to
reduce these risks. Keep it clear and simple so everyone understands
the key points.
G. So lastly, monitoring and evaluating the effectiveness of the
organization's risk management processes is essential to ensure that
potential risks are identified, assessed, and mitigated appropriately.
Recommendation 12.5
So the Chief Risk Officer (CRO) plays a crucial role in guiding a company's
risk management by identifying risks and developing strategies to address
them. Additionally, the CRO needs support from the CEO and board of
directors to be effective. They require a skilled team and the right tools. Good
communication across departments is also important so everyone understands
clearly. The CRO should regularly report on risks and how the company is
addressing them to keep everyone informed.

The CRO has a few functions


First
A. The role manages the Enterprise Risk Management (ERM) process,
focusing on risk identification, assessment, and mitigation. It involves creating
and improving ERM systems to enhance organizational resilience and align
with strategic goals, while promoting risk awareness and integrating risk
management into decision-making. (So when we say "spearhead", it refers to
the person or group who leads an initiative, someone who drives progress for an
organization or project.)

B. Reports key risks and their potential impacts, along with the status of risk
management strategies and action plans. This includes challenges faced,
adjustments made, and the effectiveness of efforts to mitigate risks, ensuring
the board's risk oversight committee is well-informed for decision-making.

C. Collaborates with the CEO to assess and update risk profiles, presenting
strategic recommendations to the board's risk oversight committee. This
partnership ensures that the committee is well-informed of emerging risks and
the effectiveness of current mitigation strategies.

D. So implementing these policies can help reinforce the organization’s
commitment to effective risk management and enhance its overall
resilience. (When we say resilience, it refers to the ability to withstand, adapt
to, and recover from adverse events or disruptions.)

E. *1 To see if risk management processes are working well, organizations
should track key performance indicators, conduct regular audits, gather
feedback from stakeholders, review past incidents, maintain clear
documentation, and use technology to improve their practices.
*2 So they regularly check and assess the measures they have in place to
manage those risks. They do this to make sure that these measures are
working well and effectively reducing risks.
3. It means that there is a system to make sure everyone follows the
organization's rules for managing risks. This includes checking that
employees and others stick to these rules, which helps keep the organization
safe and aware of potential problems.

There should be clear communication between the Board risk
oversight committee and the CRO.
Why? Because good communication ensures that risks are properly
understood and managed.
