
ERM AUDIT QUESTIONNAIRE

ERM STRUCTURE & GOVERNANCE

REQUESTED MATERIALS
1. Please provide a copy of the board of directors (BOD) governance documents and information package
regarding ERM, such as committee responsibilities, ethics standards and regular reporting provided to the
BOD.
2. Please provide a copy of the executive management committee governance documents and information
package regarding ERM (if different from the BOD materials), such as risk management committee responsibilities
and structure/organization, committee meeting minutes, and the regular information reporting package (if any).
3. Please provide a copy of any Company X, external audit and internal audit reports to the BOD regarding ERM
or specific aspects of risk management (e.g., credit risk).
4. Please provide a representation and explanation of the Company X organization (e.g., organization chart).
5. Please provide a representation and explanation of ERM responsibilities (e.g., organization chart).
6. Please provide background information about individuals responsible for overseeing and conducting ERM
activities.
7. Please provide any available documentation of Company X’s risk management typology/lexicon (e.g., your
organization’s definition of “risk” and its method for grouping, categorizing and rating/scaling types of risk).
8. Please provide a list of the top 10 organizational risks (ranked by highest priority), including area of ownership,
trend information and status, documented and presented to executive management.
9. Please provide a high-level summary of executive management's broader business objectives (e.g., short-term
and long-term financial and business goals).
10. Please provide a summary of executive management’s short-term and long-term goals for developing and
integrating risk management activities at Company X.

QUESTIONS FOR MANAGEMENT


A. What is the relationship (or documented responsibilities) between internal audit, compliance, enterprise risk
management, credit review, treasury/finance and the business lines at Company X?
B. What are your Year X and Year Y ERM development objectives?
C. What benefits does Company X seek to gain from its ERM program?
D. Does your organization quantitatively model its various business risks and incorporate this information into
capital management activities?

OPERATIONAL RISK MANAGEMENT

REQUESTED MATERIALS
1. Please provide a copy of operational risk management (ORM) policies, frameworks, reporting guidelines and
ORM committee minutes (if any).

1 Source: www.knowledgeleader.com
2. Please provide any executive directives, position announcements or comments related to Sarbanes-Oxley
(SOX) compliance at Company X.
3. Please make available any risk assessments (for all risk types) completed during the past two years.
4. Please make available any control self-assessments (CSAs) completed by business line management during
the past two years.
5. Please provide a status report or summary regarding any SOX activities and provide a sample of available
SOX-related documentation (one process would be fine).
6. Please provide a summary of the key issues and activities involving any recent frauds (internal and external)
involving your organization. (Note: we can discuss onsite, if preferred.)
7. Please provide a summary of the top 10 information security issues realized over the past three years (e.g.,
number of breaches, impact and resolution status).
8. Please provide a summary of the top 10 information system and vendor disruptions over the past 2-3 years
(e.g., what system, how long down, impact and resolution status).
9. Please provide a summary of the top 10 physical asset losses realized over the past 2-3 years.

QUESTIONS FOR MANAGEMENT


A. How frequently and by whom are business risk assessments performed?
B. How frequently and by whom are control self-assessments (CSAs) performed? What are the key issues
resulting from these? Are issues identified through this process readily resolved?
C. What group has day-to-day management responsibility for SOX activities at Company X?
D. What tools are regularly used to conduct risk management activities, namely business risk assessments,
CSAs, process documentation, operational loss event capturing, and financial modeling of risk? Please name
vendors and spreadsheet/database tools.
E. If operational losses are captured, how are they reconciled to the general ledger?
F. Is any external operational loss data incorporated into risk profiling?
G. Are business risks relating to proposed products/services systematically evaluated prior to the launch or
offering of such products/services?

CREDIT RISK MANAGEMENT

REQUESTED MATERIALS
1. Please provide a copy of your credit risk management (e.g., corporate credit committee and credit
administration) policies, frameworks and reporting guidelines.
2. Please provide a sample information package regularly reported to the credit committee or equivalent.
3. Please provide a description of your internal credit risk rating process.
4. Please provide a description or summary of any periodic credit review/loan review activities.
5. Please provide a summary of your net credit losses, if any, over the past 10 years.

QUESTIONS FOR MANAGEMENT


A. How is credit risk managed on a relationship-by-relationship basis and a consolidated portfolio basis at
Company X?

B. How does your organization quantify credit risk?
C. Does your organization track counterparty credit risk via a quantitative measurement?
D. Does your organization utilize any third-party credit risk management software? (Please identify vendor and
package, if any.)
E. Is your organization planning to integrate quantitative credit risk management data into a broader ERM
methodology?

MARKET RISK MANAGEMENT

REQUESTED MATERIALS
1. Please provide a copy of market risk management policies, frameworks, reporting guidelines and committee
minutes (if any).
2. Please provide a copy of the strategic risk management objectives and broader performance objectives related
to Company X’s ALCO, trading and investment areas.
3. Please provide a copy of the organizational structure, including all trading areas and support staff (e.g.,
operations/middle- and back-office, finance, risk management, IT) and an organizational chart that includes the
business owners of the trading areas, the heads of each trading desk, the heads of each of the support areas
and ultimate roll-up of each of these individuals to the C-level executives.
4. Please provide a description of capital modeling activities (e.g., what is done, how is it generally done, by
whom, current issues and gaps, where does the information come from, how is it used, how improvements are
incorporated).
5. Please provide documentation showing trading and investment area performance metrics and performance for
each quarter over the last year as well as year-over-year for the past five years.
6. Please provide copies of the last three audit reports covering the ALCO, trading and investment functions.
7. Please provide documentation on any trading or investment products new to Company X over the last two
years (e.g., monthly amortizing advances), including the systems on which those transactions reside.
8. Please provide a description of market risk management activities (what are they, who is responsible for them,
who acts on the information) and any policy (ALCO, trading or investment) or procedure documentation that
describes or governs these activities, including approval authorities and limits.
9. Please provide copies of market risk management reporting for the past three months, covering the Company
X trading and investment areas. Also provide copies of one week’s daily reports recently utilized to manage
market risk.
10. Please provide a summary-level illustration of the data flow of the reporting and information systems covering
trading and investment transactions, data flows of transactions from front- to back-office, and to any risk and
reference systems.

QUESTIONS FOR MANAGEMENT


A. Are ERM assessments and internal or external audit findings/ratings/recommendations incorporated into the
strategic planning, capital allocation and budgeting processes (if available)? Please explain.
