22. The SWF should have a framework that identifies, assesses, and manages the risks of its operations.
22.1. The risk management framework should include reliable information and timely reporting systems, which should enable the adequate monitoring and management of relevant risks within acceptable parameters and levels, control and incentive mechanisms, codes of conduct, business continuity planning, and an independent audit function.
22.2. The general approach to the SWF’s risk management framework should be publicly disclosed.
As a global investor aiming to meet the highest standards of governance, Mubadala is committed to understanding and managing risks in achieving its mandate and business objectives.
Mubadala’s risk management framework is enterprise-wide and enables risks to be understood and managed effectively through the application of the risk management process at various levels within Mubadala. It also ensures that risk information and insight provide a basis for decision-making, reporting and accountability within Mubadala.
The Mubadala Board Executive Committee and ARCC have ultimate responsibility for Mubadala’s risk management, with assistance and advice from several committees and departments, including Enterprise Risk Management, Portfolio Strategy, Treasury and Investor Relations, Ethics and Compliance, Legal and Governance, Tax and Internal Audit.
Risk management is embedded in Mubadala’s investment and asset management related activities including portfolio capital allocation, individual investment decisions and ongoing asset management.
The responsibility for the implementation of risk management activities resides with Mubadala Business Platforms, Corporate Divisions and Assets (Mubadala’s first line of defence).
The Enterprise Risk Management (ERM) unit is responsible for the continual development and coordination of the implementation of the ERM framework, providing specialist ERM guidance to Mubadala (Mubadala’s second line of defence).
The IAD, led by the Executive Director – Internal Audit, forms Mubadala’s third line of defence. The IAD delivers independent, objective assurance and consulting services designed to add value and improve Mubadala’s operations. It helps the organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
The independence of the IAD is secured by the Executive Director – Internal Audit reporting functionally to the ARCC, and administratively to the Group CEO.
The purpose, authority and responsibility of the IAD are formally defined in the Internal Audit Charter and are consistent with the mandatory elements of the Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF), the globally recognized professional framework for internal audit. The Internal Audit Charter is approved by the ARCC and is reviewed each year and updated as necessary.
The IAD’s activities are governed by policies and procedures that are consistent with the IPPF. These include preparing a risk-based internal audit plan and associated budget for approval by the ARCC. The Executive Director – Internal Audit attends each meeting of the ARCC to present the results of ongoing internal audit work. The ARCC is provided with assurance over the quality of internal audit work through the activities of the IAD’s Quality and Excellence function.
In line with the IPPF, the IAD is required to subject itself to external assessment at least once every five years to ensure its continued conformance to the IPPF. This assessment was last completed in 2019, when the IAD received a rating of ‘generally conforms’, the highest rating available.