Sunday 1 January 2012

Topic 1: Risk Management

Risk management is a core competency for most internal audit departments. Internal auditors contribute to risk management through numerous assurance and consulting activities. Risk management is best practiced from an enterprise-wide perspective.

Best practice has shown that using a framework can improve the efficiency and effectiveness of enterprise risk management.

The COSO ERM model is an example of a comprehensive framework that applies ERM in a strategic setting. Starting at the top and supporting an organization's mission is what differentiates COSO from most other risk models.

COSO's Enterprise Risk Management - Integrated Framework includes four categories of organizational objectives:

  • Strategic - Strategic objectives are tied to high-level organizational goals. They are aligned to and support an organization's mission. 
  • Operations - These objectives relate to the effective and efficient use of organizational resources.
  • Reporting - Objectives in this category are related to the reliability of reporting.
  • Compliance - Compliance objectives are related to organizational compliance with applicable laws and regulations. 
COSO ERM Components:
  • Internal environment: The internal environment encompasses the tone of an organization and sets the basis for how risk is viewed and addressed by the entity's people.
  • Objective setting: Ensures that management has a process in place to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite. 
  • Event identification: Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. 
  • Risk assessment: Risks are analyzed, considering likelihood and impact.
  • Risk response: Management selects risk responses - avoiding, accepting, reducing or sharing risk.
  • Control activities: Policies and procedures are established and implemented to help ensure that the risk responses are effectively carried out. 
  • Information and communication: Relevant information is identified, captured and communicated in a form and time frame that enables people to carry out their responsibilities. 
  • Monitoring: The entirety of enterprise risk management is monitored and modifications are made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations or both.
Roles and responsibilities of parties in ERM:
  • The board: The board helps to set strategy and formulate high-level objectives. Often the board delegates the monitoring and assurance responsibilities to management, reserving authority for key decisions. (Internal Environment Component)
  • Management: Assumes primary responsibility for identifying and managing risk and for implementing enterprise risk management in a structured, consistent and coordinated approach. The CEO has ultimate ownership of the enterprise risk management process. Management authority and accountability are imperative in enterprise risk management. Each manager should be accountable to the next higher level, with the CEO being accountable to the board.
  • Risk officer: Provides central coordination for enterprise risk management across the organization. Empowered by the CEO, a risk officer has the resources to work with other managers in establishing effective risk management practices, monitoring progress and assisting those managers in reporting. The risk officer needs to establish a common risk management language and common measures. The CFO is sometimes assigned this role.
  • Financial executives: Finance and controllership activities cut across all operating and business units. Budgeting and planning, as well as tracking and analyzing performance and reporting, are all part of their responsibilities in ERM.
  • External auditors: Provide an independent and objective view that can contribute to an organization's achievement of ERM.
  • Legislators and regulators: Establish rules that require an entity's risk management and control systems to meet minimum statutory and regulatory requirements.
  • Business associates: Channel useful information for risk management activities.
AS/NZS 4360:2004 is another risk management framework. It points out that risk management:
  • Involves balancing opportunities for gains while minimizing losses.
  • Represents an integral part of good management practice and an essential element of good corporate governance. 
  • Facilitates continuous improvement in decision making and performance. 
  • Involves establishing an appropriate infrastructure and culture.
  • Applies a logical and systematic method to managing both potential gains and potential losses.
The framework promotes embedding risk management in an organization's culture - its philosophy, practices and business processes - rather than practicing it as a separate entity.

Turnbull Guidance - Internal Control Guidance for Directors on the Combined Code discusses the adoption of a risk-based approach to internal control and the assessment of its effectiveness. 

Turnbull calls for companies listed on the London Stock Exchange to implement risk management and to manage risk actively. Non-compliance must be disclosed in the annual report. The principle behind Turnbull is for risk to be managed effectively and for internal control to be embedded in business processes so that it makes sound business sense for any entity. Key tenets of this guidance:
  • Focus on significant risk
  • Emphasis on risk management, promoting a proactive approach to managing risk exposures
  • Ongoing, continuous monitoring of risk and control
  • Engaging all employees
  • Streamlining risk management databases - embedding in the organizational processes.
COSO's External and Internal Factors that Drive Events:
  • Economic
  • Natural environment (disasters)
  • Political
  • Social
  • Technological
  • Infrastructure
  • Personnel
  • Process
  • Technology
COSO's common event identification techniques:
  • Event inventories: Detailed listings of potential events common to companies within a particular industry or to a particular process or activity common across industries.
  • Internal analysis: Detailed analysis of information which may be part of routine operations or information from other stakeholders.
  • Escalation or threshold triggers: Triggers alerting management to areas of concern that may require further assessment or immediate response.
  • Facilitated workshops and interviews
  • Process flow analysis
  • Leading event indicators: Monitoring of data correlated to events to identify conditions that could give rise to an event.
  • Loss event data methodologies: Examination of data on past individual loss events to identify trends and root causes of events.

Risk assessment is a process of identifying, measuring and prioritizing risk. Risk assessments may be micro or macro in their overall scope. 

If an organization lacks dedicated resources for enterprise risk management, the internal audit activity can help facilitate the initial establishment of a generic framework at management's request. Although internal auditors can facilitate or enable risk management processes, they should not own or be responsible for the management of risks identified.

Risk assessment techniques include:
  • Qualitative assessment (interviews and workshops). Used when sufficient credible data required for quantitative assessment is not readily available.
  • Quantitative assessment. Used when a comparison with qualitative measures is required.
COSO Risk Management Responses

Avoidance
Action is taken to exit the activities giving rise to risk. E.g. closing a plant in a third-world country because of political instability and the potential for operational interruptions.

Reduction
Action is taken to reduce risk likelihood or impact, or both. E.g. diversifying product offerings and methods, or investing in technology upgrades that reduce the likelihood of system failures.

Sharing
Action is taken to reduce risk likelihood or impact by transferring or otherwise sharing a portion of the risk. E.g. entering into joint ventures or partnerships, or purchasing insurance to protect against significant unexpected loss.

Acceptance
No action is taken to affect likelihood or impact. E.g. accepting risk that conforms to risk tolerance, or deciding not to self-insure against loss because insurance costs and deductibles exceed the cost of replacement.

Control risk refers to the tendency of the internal control system to lose effectiveness and expose the assets under control.

Ongoing risk monitoring activities are:
  • Typically performed by line-operating or functional support managers based on the information they receive.
  • Focused on relationships, inconsistencies or other relevant implications.
  • Differentiated from activities performed in response to policy.
The internal audit activity's role in the risk management process may change over time and may include:
  • No role
  • Auditing the risk management process as part of the internal audit plan
  • Active, continuous support and involvement in the risk management process such as participation on oversight committees, monitoring activities and status reporting
  • Managing and coordinating the risk management process
The internal auditor's assurance role in risk management includes assurance on:
  • Risk management processes, including their design and how well they are working
  • Management of key risks, including the effectiveness of the controls and other activities
  • Reliable and appropriate assessment of risks and reporting of risk and control status.
The internal auditor's consulting role in risk management includes:
  • Educating management about the risk and control tools and techniques used by the internal audit activity and sharing those tools
  • Being a champion for introducing ERM into the organization
  • Providing advice, facilitating workshops and coaching the organization on risk and control
  • Acting as the central point for coordinating, monitoring and reporting on risks
  • Supporting managers as they work to identify the best way to mitigate a risk
The internal audit function should not undertake the following roles:
  • Setting the risk appetite
  • Imposing risk management processes
  • Management assurance on risks
  • Taking decisions on risk responses
  • Implementing risk responses on management's behalf
  • Accountability for risk management
When the CAE believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the CAE must discuss the matter with senior management. If the decision regarding residual risk is not resolved, the CAE must report the matter to the board for resolution.

Internal audit's role before a disaster includes evaluating the organization's readiness to deal with business interruptions and providing assurance that the disaster recovery plan is not outdated.

Internal audit's role after a disaster is to monitor the effectiveness of the recovery and the control of operations. The internal audit activity should identify areas where internal controls and mitigating actions should be improved and recommend improvements to the entity's business continuity plan.
