Risk management and Internal control Flashcards

1
Q

Risk management process: step 1

identify risk areas

A

a. This includes identifying all the areas that may prevent the organisation from achieving its goals, that is, cause a loss or disruption to the business
b. This can be done by determining retrospective risks, that is those risks which have previously occurred (such as incidents or accidents), and/or prospective risks, that is those risks which have not yet happened but might happen in the future
c. Answering questions such as what can happen, how it can happen and why it could happen helps with risk identification
d. This is the difficult part: risks are not always easy to recognise, and it is here that companies most often make mistakes
e. It is essential therefore for every organisation to have a system that will monitor risk on a continuous basis
f. This forms part of the control environment that should be an integral part of the business and should be included in every manager’s responsibilities
g. Risk identification is ultimately the job of top management and the board but they must rely on people more directly engaged in the daily business for information

2
Q

Risk management process: step 2

analyse and prioritize risks

A

a. This process includes analysing and evaluating all the areas identified in step one as risks to the business
b. This risk analysis step distinguishes low from high risks by measuring each risk's probability and impact, that is, by determining which risks have a greater consequence than others
c. Those risks which have been identified to have a high probability and a high impact will have to be attended to first
d. Risk assessment is the identification and analysis of relevant risks to the achievement of the objectives, forming a basis for determining how the risks should be managed
e. It is essential that managers at all levels should take full responsibility in their areas for identifying, assessing and managing risks and that a culture of risk management be embedded in the organisation

3
Q

Risk management process: step 3

treat and manage risks

A

a. This stage includes developing strategies to manage identified risks
b. What needs to be considered is which steps must be taken either to reduce the risk to a level within the company's acceptable risk tolerance or to eliminate the risk potential entirely
c. There are five types of risk treatment:
i. Avoidance: choosing not to take on the risk by avoiding the actions that would cause it. Where possible, one may decide not to proceed with an activity that is likely to generate the risk. Alternatively, one may find another way to reach the same outcome that does not involve the same risks; this could involve changing processes, equipment or materials. This treatment is appropriate for high-impact, high-probability negative risks
ii. Reduction: taking mitigating action to reduce the risk, i.e. reducing the likelihood of the risk occurring (e.g. through quality control processes, staff training, changes in procedures) or reducing the impact if it does occur (e.g. through emergency procedures, offsite data backup, public relations). This is typically used for risks that are likely to occur but likely to have a low impact
iii. Transfer: transferring all or part of the risk to a third party. Risk transfer takes place because not all risks can be avoided or eliminated, and the effect of mitigation cannot be guaranteed. Types of transfer include insurance, outsourcing, joint ventures and partnerships. This response is common for risks that have a high negative impact but a low probability of occurring
iv. Acceptance (also known as risk retention): choosing to face the risk. This is an option when there is no other solution or when the cost of treatment far exceeds the benefit; it would normally only be used for risks with both low impact and low probability
v. Sharing: the distribution of the risk across multiple organisations or individuals

4
Q

Risk management process: step 4

Establish internal controls to mitigate the risks

A

a. COSO defines internal control as a process, effected by a company’s board of directors, management and other personnel, designed to provide reasonable assurance on the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, compliance with relevant laws and regulations
b. Effective internal control depends primarily on the commitment of the board and executive management
c. Internal audit and, to a lesser extent, external audit, also play a role in monitoring and reinforcing its quality
d. The control activities that make up the essence of internal control are the policies and procedures designed to ensure that management's plans are implemented. They anticipate and counteract, at all levels, the risks that may prevent the organisation from achieving its strategic objectives
e. Examples of control activities include procedures requiring approval of transactions, delegated authorisation powers, reconciliation or verification of records, review of operating performance, safeguarding of assets and segregation of duties
f. According to COSO, internal controls are put in place to keep the company on course towards its profitability goals and the achievement of its mission, and to minimise surprises along the way. They enable management to deal with a rapidly changing economic and competitive environment, shifting customer demands and priorities, and restructuring for future growth

5
Q

Risk management process: step 5

Monitor, review and report

A

a. This includes monitoring the risks and the performance of internal controls, and reviewing the effectiveness of the treatment plan, strategies and management systems that have been set up to effectively manage risks
b. Regular reports (to those with the responsibility to act) which focus on operations, financial measures and compliance should enable management to manage the business effectively

6
Q

Risk management process: step 6

Record

A

Keeping a written record of all policies and procedures, including documentation of the assessment process, major risks identified and the measures designed to reduce the impact of those risks
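The six steps above, carried through as an added worked example in Python (this is not code from the original flashcards, and the 1-5 scoring scale, the "high" threshold of 4, the tolerance score of 6, and the sample risks and controls are all assumptions chosen for illustration). It identifies a constructed register, scores and ranks the risks by probability x impact, applies the four-quadrant treatment rule from step 3, records the controls and their residual scores, flags anything still outside tolerance for the step 5 report, and writes the step 6 record as JSON:

```python
"""Toy risk register implementing the six-step process.

Added example; scales, thresholds and sample data are assumptions.
"""
from dataclasses import dataclass, asdict
from enum import Enum
import json
from typing import List, Optional

HIGH = 4        # assumed: a probability or impact of 4 or 5 counts as "high"
TOLERANCE = 6   # assumed: the residual score (probability x impact) the board tolerates


class Treatment(str, Enum):
    AVOID = "avoid"
    REDUCE = "reduce"
    TRANSFER = "transfer"
    ACCEPT = "accept"


@dataclass
class Risk:
    name: str
    retrospective: bool                      # step 1: has this risk occurred before?
    probability: int                         # step 2: 1 (rare) .. 5 (almost certain)
    impact: int                              # step 2: 1 (negligible) .. 5 (severe)
    treatment: Optional[Treatment] = None    # step 3
    control: str = ""                        # step 4
    residual_probability: Optional[int] = None
    residual_impact: Optional[int] = None

    def __post_init__(self) -> None:
        for v in (self.probability, self.impact):
            if not 1 <= v <= 5:
                raise ValueError(f"{self.name}: scores must be 1..5, got {v}")

    @property
    def inherent_score(self) -> int:
        return self.probability * self.impact

    @property
    def residual_score(self) -> int:
        # Residual risk is what remains after treatment; an untreated risk keeps its inherent score.
        p = self.probability if self.residual_probability is None else self.residual_probability
        i = self.impact if self.residual_impact is None else self.residual_impact
        return p * i


def prioritise(register: List[Risk]) -> List[Risk]:
    """Step 2: rank by inherent score, ties broken by impact (consequence first)."""
    return sorted(register, key=lambda r: (r.inherent_score, r.impact), reverse=True)


def recommend_treatment(risk: Risk) -> Treatment:
    """Step 3: the four-quadrant rule (avoid / reduce / transfer / accept)."""
    high_p, high_i = risk.probability >= HIGH, risk.impact >= HIGH
    if high_p and high_i:
        return Treatment.AVOID
    if high_p:
        return Treatment.REDUCE
    if high_i:
        return Treatment.TRANSFER
    return Treatment.ACCEPT


def apply_control(risk: Risk, control: str, probability: int, impact: int) -> Risk:
    """Step 4: record the control and the residual scores it is expected to leave."""
    risk.treatment = risk.treatment or recommend_treatment(risk)
    risk.control = control
    risk.residual_probability, risk.residual_impact = probability, impact
    return risk


def monitor(register: List[Risk]) -> List[str]:
    """Step 5: report risks still outside tolerance, or treated without a control."""
    findings = []
    for r in register:
        if r.residual_score > TOLERANCE:
            findings.append(f"{r.name}: residual score {r.residual_score} exceeds tolerance {TOLERANCE}")
        if r.treatment not in (None, Treatment.ACCEPT) and not r.control:
            findings.append(f"{r.name}: treatment '{r.treatment.value}' has no control assigned")
    return findings


def record(register: List[Risk]) -> str:
    """Step 6: the written record of the assessment, treatments and controls."""
    return json.dumps([asdict(r) for r in register], indent=2, default=str)


def build_sample_register() -> List[Risk]:
    """Step 1 on constructed sample data; names, scores and controls are made up."""
    reg = [
        Risk("Launch customer portal on unsupported CMS", False, probability=4, impact=5),
        Risk("Phishing of finance staff", True, probability=5, impact=3),
        Risk("Data-centre fire", False, probability=1, impact=5),
        Risk("Stationery price increase", False, probability=2, impact=1),
    ]
    for r in reg:
        r.treatment = recommend_treatment(r)
    apply_control(reg[0], "Do not launch on the unsupported CMS; use the supported platform", 1, 2)
    apply_control(reg[1], "Payment call-back procedure and staff training", 3, 3)  # still 9 > tolerance
    apply_control(reg[2], "Insurance plus offsite backups", 1, 3)
    return reg  # the "accept" risk is deliberately left without a control


if __name__ == "__main__":
    register = build_sample_register()
    for r in prioritise(register):
        print(f"{r.inherent_score:>2} -> {r.residual_score:>2}  {r.treatment.value:<8} {r.name}")
    print("\n".join(monitor(register)) or "all risks within tolerance")
    print(record(register))
```

The monitoring step is where the phishing risk shows up: its control leaves a residual score of 9, above the assumed tolerance of 6, so the report still lists it even though it has been "treated". That is the residual-risk point from the cards below, made concrete.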

7
Q

Principle 11 of the King IV Code

A

The governing body should govern risk in a way that supports the organization in setting and achieving its strategic objectives

8
Q

What is residual risk?

A

It is the risk that remains after treatment of risk

9
Q

What is secondary risk?

A

It is the risk that arises from efforts to reduce risk

10
Q

What does COSO stand for?

A

Committee of Sponsoring Organizations of the Treadway Commission

11
Q

In addition, the following should be disclosed in relation to risk

A
  • an overview of the arrangements for governing and managing risk
  • key areas of focus during the reporting period, including objectives, key risks that the organization faces, as well as undue, unexpected or unusual risks and risks taken outside the organization’s risk tolerance levels
  • actions taken to monitor the effectiveness of risk management and how the outcomes were addressed
  • planned areas of future focus
12
Q

Risk and opportunity

A
  • Negative uncertainty is called risk, while positive uncertainty is called opportunity
  • Risk and opportunity can arise from the same set of facts (for example, the risk of global warming also presents opportunities to sell products that improve energy efficiency)
  • Effective risk management needs constant vigilance, in reacting to known risks and in watching out for new ones
  • Every company has a different appetite and tolerance for risk depending on the nature of its business, the extent of its financial and other resources and the abilities and attitudes of its people
  • A company’s risk tolerance and its approach to risk management are strategic issues that must be decided by the board of directors and become embedded in its strategies and culture rather than be left to the whims of individual managers
  • COSO defines risk management as ‘a process, effected by the entity’s board of directors, management and other personnel, applied in strategy setting and across the company, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of objectives’
  • Risk management can play an important role in helping companies avoid or reduce the many risks that businesses face, and provides a useful framework for ensuring sound and cost-effective systems of internal control
13
Q

Recommended practices: risk governance

A

• The governing body should assume responsibility for risk governance by setting the direction for how risk should be approached and addressed in the organisation. Risk governance should encompass both
a. the opportunities and associated risks to be considered when developing strategy, and
b. the potential positive and negative effects of the same risks on the achievement of organisational objectives
• The governing body should treat risk as integral to the way it makes decisions and executes its duties
• The governing body should approve a policy that articulates and gives effect to its set direction on risk
• The governing body should evaluate and agree the nature and extent of the risks that the organisation is willing to take in pursuit of its strategic objectives, in particular:
a. the organisation’s risk appetite, i.e. its propensity to take appropriate levels of risk
b. the limit to the potential loss that the organisation has the capacity to tolerate
• The governing body should delegate to management the responsibility to implement and execute effective risk management
• The governing body should exercise ongoing oversight of risk management and, in particular, oversee that it results in the following:
a. an assessment of the risks emanating from the triple context in which the organisation operates and the capitals that the organisation uses or affects
b. an assessment of the potential upside, or opportunity, presented by risks with potentially negative effects on achieving organisational objectives
c. an assessment of the organisation’s dependency on resources and relationships as represented by the various forms of capital
d. the design and implementation of appropriate risk responses
e. the establishment and implementation of business continuity arrangements that allow the organisation to operate under conditions of volatility and to withstand and recover from acute shocks
f. the integration and embedding of risk management in the business activities and culture of the organisation
• The governing body should consider the need to receive periodic independent assurance on the effectiveness of risk management
• The nature and extent of the risks and opportunities that the organisation is willing to take should be disclosed without compromising sensitive information
