Risk Management and Internal Control

Risk Management

Risk is an integral part of our business and decision-making process. QNB Group’s sustainable performance depends on our ability to manage risk at all levels. As a result, we have a robust risk management governance structure and framework that ensures a crucial balance between risk and reward. QNB’s risk profile and appetite are approved by the Board of Directors (BOD) and Group Board Risk Committee (GBRC) and then cascaded down to every division, department and employee.

QNB Group’s Risk Appetite Statement is central to the Group’s integrated approach to risk management and articulates the risk culture, governance and boundaries of QNB Group. The Risk Appetite Statement provides a framework for QNB Group’s attitude toward risk-taking and is reviewed, reassessed and agreed alongside QNB Group’s strategic and financial planning process. The Risk Appetite Statement is also the mechanism used to cascade the Group’s risk appetite and allocations down to a regional and country level. The risk appetite framework ensures alignment with the Group’s vision and strategy by tracking current performance against risk appetite targets.

The identification of principal risks is a process overseen by Group Risk. The material risks are regularly reported to the GBRC and Group Management Risk Committee (GMRC), together with a regular evaluation of the effectiveness of the risk-operating controls. The day-to-day governance is delegated through an Enterprise Risk Management (ERM) oversight structure and a robust risk control framework. This framework consists of a comprehensive set of policies, standards, procedures and processes designed to identify, measure, monitor, mitigate and report risk in a consistent and effective manner across the Group. The framework is essential to support our strategic objectives and acts as a platform for our growth. Our centralized approach to risk management is complemented by local expertise and knowledge, and every employee in the Group is responsible for highlighting and dealing with potential risks in the course of their work.

Internal Control System

The BOD assumes full responsibility for the QNB Group System of Internal Controls, whereby specific policies, guidelines and controls covering the entire Group’s transactions have been devised. Moreover, the determinations of responsibility limits, performance monitoring, privileges and authorizations on all banking operations have been implemented in addition to a clear policy for segregation of duties and dual control. QNB Group’s Executive Management is considered responsible for the overall control of these systems in coordination with the concerned General Managers, Divisional Managers and domestic and overseas Branch Managers. The responsibility of implementing efficient internal control systems at the Group level is the direct responsibility of every employee at the Group.

The Group Board Audit & Compliance Committee, on behalf of the BOD, assesses on a regular basis the adequacy and effectiveness of internal control systems based on audits and assessments carried out by the Group Internal Audit Division and Group Compliance Division, in addition to the reviews that the external auditors conduct. The BOD is notified on a quarterly basis of control issues (including risk management); it confirms the adequacy of the existence of effective internal controls at Group level based on the recommendations and advice presented by the Group Board Audit and Compliance Committee:


  • Group Internal Audit Division (GIAD)

Rigorous internal audit processes are a fundamental component of QNB Group’s business practice to ensure a sound corporate governance framework, following the three Lines of Defense model recommended by Basel.

Assurance to Key Stakeholders

GIAD’s purpose is to provide:

  • Independent assurance service to the BOD and the Group Board Audit and Compliance Committee (GBACC) to review the effectiveness of the Group’s governance, risk management and control processes; and
  • Advice to management on the adequacy and effectiveness of governance, risks and controls and recommend necessary enhancements.

In addition, the home and host regulatory and supervisory authorities place reliance on the GIAD’s coverage and assurance.

GIAD is headed by the Group Chief Audit Executive who reports to the BOD and the GBACC.


Professional practices and resources

GIAD adheres to the International Professional Practice Framework (IPPF) of the Institute of Internal Auditors (IIA), as well as Basel Committee recommendations and other leading standards. The Audit team is composed of professionals with experience from leading financial institutions and audit firms across the globe.


Group audit universe and coverage

GIAD’s remit, in addition to Qatar, includes the Group’s international branches as well as subsidiaries in all jurisdictions. In line with relevant regulations and management control agreements, GIAD provides support for Group subsidiaries and affiliates. As well as sharing knowledge and best practice, GIAD provides advice on audit policy and programmes, alongside high-level assessments. GIAD support is carefully monitored and refined to best support the Group business strategy and to protect against emerging risks.

The audit plan is developed using best practice risk-based assessment of all the Group’s businesses and activities. This is supplemented with additional focus on regulatory requirements including Basel III capital adequacy and liquidity requirements, as well as management areas of concern and emerging risks. The plan is continually reviewed and adjusted as necessary through the year, in response to changes in the Group’s business activities, operations, systems and controls that change the risk structure of the Group.

The oversight of subsidiaries has also been refined, with focused scope and additional emphasis on the governance, risk management and internal control structures and frameworks as part of the oversight and assessment process. This enables the Division to align the governance structure and arrangements in the subsidiaries with those of the Group, thereby promoting the achievement of the Group’s vision and strategy.


Audit Programs and Techniques

GIAD conforms to the best professional practices for delivery of audit services across the Group. In its audit implementation practices, GIAD also places emphasis on the following for providing enhanced value:

  • Introducing data analytics and extrapolation techniques.
  • Focus on identifying systemic issues.
  • Conduct root cause analysis and recommend appropriate remedial action.
  • Provide awareness across all levels.
  • On-going updates to audit methodologies and techniques with focus on Risk Based Audit approach.
  • GIAD developed fully detailed audit programs incorporating the latest business strategies and developments and associated risks, with focus on emerging risks.

Promoting transparency

Audit reports, incorporating issues, management’s action plans and target dates for implementation, are regularly issued to the management, GCEO and GBACC. In addition, a quarterly report summarizing activities and outcomes is also issued to, and discussed with, the GBACC and the BOD.

GIAD ensures timely and appropriate follow-up and validation of all pending audit issues, including issues reported by the QCB and the external auditors. These are facilitated by the Audit Management System. The periodical status report (Dashboard) on the follow-up activities is issued to the GBACC, GCEO and the GMRC. The report also serves as an escalation to apprise the Executive Management, GBACC and the BOD of the implementation status to remediate pending audit issues, which are also used as part of the performance indicators for the control environment.


  • Group Compliance Division

Compliance with laws, regulations and standards will remain the prime responsibility of the GBACC, Executive Management and ultimately the BOD. QNB Group Compliance is an independent function with a formal status within QNB Group that identifies, assesses, advises on, monitors and reports on the bank’s compliance risk, that is, the risk of legal or regulatory sanctions, financial loss, or loss to reputation that the Group may suffer as a result of failure to comply with applicable laws, regulations, codes of ethics and conduct, and standards of good practice, which are principally relevant to corporate governance and the business activities of the Group.

These regulations include, but are not limited to, Qatar Central Bank law and regulations along with any regulations and instructions of the tutorial authorities to which the Group is subject, as well as regulations of every country in which QNB Group operates. They also include those dealing with the prevention of money laundering, terrorist financing and international sanctions programs.

In order for the Group Compliance to carry out its role and responsibilities in the most effective and efficient manner, it is empowered to cover compliance issues of all of QNB Group’s activities and will be given unrestricted access at any time to all information, records, staff, property and operations in Qatar and overseas. In addition, it will have the right to conduct investigations of possible breaches. The responsibilities of the Group Compliance will be carried out under a compliance program, which sets out its planned activities. This plan will be approved by the Group Board Audit & Compliance Committee and executed according to the compliance charter, policies, procedures and processes, which cover the following:

  • On a pro-active basis, identify and assess compliance risks associated with the business activities
  • Monitor the level of compliance by performing regular and comprehensive compliance risk assessment and testing
  • Report on a regular basis to the Group Board Audit & Compliance Committee and Executive Management on compliance matters, identified breaches and corrective actions taken
  • Ensure compliance with any specific regulatory requirements, and liaise with the regulators whenever needed
  • Carry out the roles and responsibilities of the Anti-Money Laundering and Combating Terrorist Financing activities and fulfil the reporting requirements to the Financial Information Unit under the National Anti-Money Laundering Committee
  • Promote staff awareness with respect to compliance and combating money laundering
  • Implement a compliance culture that emphasises high standards of ethical behavior at all levels of the Group
  • Ensure the control of the adoption and implementation of the corporate governance principles
  • Ensure the whistle-blowing and insider-trading policies and processes are appropriately monitored and applied
  • Provide appropriate advice to Executive Management on compliance laws, rules and standards, including keeping them informed on developments in the area 
  • Conduct investigations on the possible breaches of the laws and regulations

Group Compliance will be provided with sufficient resources, according to the approved compliance organisational chart, to be able to carry out its responsibilities effectively.
