Summary

This presentation covers the topic of managing risk. It details the nature of risk, the process of risk identification and assessment, strategies for risk management, and techniques for controlling and mitigating risk. The presentation is designed for an undergraduate business program.

Full Transcript

Managing Risk Noelito M. Sales, MBA, CPA, LPT, CTT Introduction Internal auditing… an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. helps an organization accomplish its objectives by brin...

Managing Risk Noelito M. Sales, MBA, CPA, LPT, CTT Introduction Internal auditing… an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. Introduction Understand risk and appreciate the importance of risk management to an organization. Important aspects of the risk management system relating to risk policies and tools such as enterprise-wide risk management and control self-assessment. What is Risk? The word ‘risk’ derives from the early Italian word risicare, which means ‘to dare’. Risk is a choice rather than a fate. The actions we dare to take, which depend on how free we are to make choices, are what the story of risk is all about. And that story helps define what it means to be a human being. What is Risk? The stewardship concept underpinning corporate governance forces management to seek out risks to the business and address them, where appropriate. Peter L. Bernstein goes on to suggest: ‘The capacity to manage risk, and with it the appetite to take risk and make forward-looking choices, are the key elements of energy that drives the economic systems forward.’ The point is that success in business and the public sector is intimately tied into the act of risk taking. What is Risk? Risk arises from uncertainty and controls are based on reducing this uncertainty where both possible and necessary. The uncertainty of outcome within a range of exposures arising from a combination of the impact and probability of potential events. The uncertainty of an event occurring that could have an impact on the achievement of objectives. Risk is measured in terms of consequences and likelihood. What is Risk? The Risk Challenge Risk represents a series of challenges that need to be met. The key feature of this challenge à it appears when a major decision has to be made. Risk has no real form unless we relate it to our own direction, that is what we are trying to achieve. It is the risks to achieving objectives that affect us in that they detract from the focus on success and stop us getting to the intended result. The Risk Challenge Good systems of risk management keep the business objectives firmly in mind when thinking about risk. Poor systems hide the objectives outside the model or as something that is considered peripheral to the task of assessing the impact of the risks. The Risk Challenge The act of setting objectives in itself is based on real and perceived risks, that is some uncertainty about the future. We can adjust slightly our risk model to make the risk component interactive—in that the objectives are themselves set by reference to the uncertainty inherent in organizational climate. The Risk Challenge Risk should not only be viewed from a negative perspective. The review process may identify areas of opportunity, such as where effective risk management can be turned to competitive advantage. Basic two dimensions of measuring risk. (1) defining the impact of the risk and (2) extent to which the risk is likely to materialize. The Risk Challenge The Risk Management and Residual Risk Risk management is a dynamic process for taking all reasonable steps to find out and deal with risks that impact on our objectives. It is the response to risk and decisions made in respect of available choices (in conjunction with available resources) that is important. The embedding of risk management is in turn critical to its success; it should become an intrinsic part of the way the organization works, at the core of the management approach; not something separated from the day to day activities. The Risk Management and Residual Risk The Risk Management and Residual Risk Identification Identifying all risks that face an organization Should involve all parties who have expertise, responsibility and influence over the area affected by the risks in question All imaginable risks should be identified and recorded. Assessment Assess the significance of the risks that have been identified Should revolve around the two-dimensional impact and likelihood considerations. The Risk Management and Residual Risk Management Development of strategies for managing high impact, high likelihood risks. Ensures that all key risks are tackled and that resources are channeled into areas of most concern, which have been identified through a structured methodology. Review Entire RMP should be reviewed and revisited on a continual basis. Should involve updating the risk management strategy and reviewing the validity of the process that is being applied across the organization. Mitigation through Controls In terms of risk management we need to add to our risk model to set out the types of response to risk that ensure we can remain in control Mitigation through Controls Ten measures for addressing risks that have already been assessed for impact and likelihood: 1. Terminate – discontinue the operation 2. Controls – if controls are in place and are enough 3. Transfer – spreading risk, wherever possible 4. Contingencies – in the event the risk materializes 5. Take more – low/low on impact, likelihood 6. Communicate – controls may not address the risk to an acceptable level Mitigation through Controls Ten measures for addressing risks that have already been assessed for impact and likelihood: 7. Tolerate – risk that pose no threat can be tolerated 8. Commission research – finding out more about the risk 9. Tell someone – some high/high risks can only really be resolved by parties outside 10.Check compliance – Often overlooked; ensure that controls are actually working as intended Risk Registers and Appetites Risk registers Act as a vehicle for capturing all the assessment and decisions made in respect of identified risks. May form part of the assurance process where they can be used as evidence of risk containment activity, which supports the statement of internal control. Can be attached to risk management process to record the stages and end up with both a record and action plan. Risk Registers and Appetites Risk Registers and Appetites What goes in the register and what we document as significant as opposed to immaterial risk depends on the perception of risk (risk appetite or risk tolerance). The Risk Policy Board Sponsor Board make a statement on the systems of internal control in the annual report and reports that this system has been reviewed. People Buy-In The individual is really the foundation of risk management, since it is what people do and how they behave that determines whether an organization succeeds or fails. Start with the individual and work through how they fit into the risk management process, or better still, how risk management can be made part of the way they work in future. The Risk Policy Chief Risk Officer Proactively directs the effort and sets up systems that embed the risk policy into everyday activities. Some of its role may include: – Translating the board’s vision on risk management. – Helping to develop and implement the corporate risk policy. – Providing training and awareness events where appropriate. – Helping respond to requirements from regulators that impact on risk management systems. – Ensuring that the business is responding properly to changes and challenges that create new risks on a continuous basis. – Helping facilitate risk management exercises and programs. The Risk Policy The policy may be a brief document that gives an overview of the organization’s position of risk management with clear messages from the board. Enterprise-Wide Risk Management Simply the extension of risk management across the organization in an integrated fashion. New model à working towards is for risk management to be part of the strategic planning process and therefore integrated within the performance measurement system. Mission that is translated into a strategy, which when implemented relates to performance measures that are used to monitor the progress of the adopted strategy and action taken to review and adjust. Enterprise-Wide Risk Management Control Self-assessment The success of enterprise-wide risk management depends on an integrated process for ensuring that risks are assessed and managed across an organization in a dynamic and meaningful way. Techniques for control self-assessment: – Use of questionnaires that are completed by key employees as a way of assessing whether there are operations that are at risk and whether controls are addressing these risk areas properly. – Use of interviews with managers in particular business units to gauge whether the area is under control or not. – Commission comprehensive reviews of risk in high profile parts of the organization normally by the use of external consultants, who would report back on any problems found. Embedded Risk Management Embedded Risk Management ERM/CRSA There should be a process that ensures risk is understood, identified and managed. There should be a further process for ensuring risk assessment is undertaken throughout key parts, if not all, of the organization. The chief risk officer (CRO) would help co-ordinate these efforts. Statement of Internal Control (SIC) The risk efforts and ensuring controls should feed into SIC that each larger organization should formally publish. Embedded Risk Management Stakeholders The organization should have a formal process for communicating with stakeholders the efforts of the risk management system and any information that gives value to various interested parties. Time The risk model is based on doing more to research, analyzing and addressing risks that impact the organization and ensuring there is transparency and competence in the way these risks are addressed. Effective risk management depends in part on the time that is made available. Embedded Risk Management Cost It does cost money to implement new ideas even when building these ideas into existing systems. The board level support for risk management needs to be matched with a proper delegated budget, ideally located with the CRO. Values It is better to have as an objective the need to instill an acceptance that risk management is an important aspect of the business and it should be part of the values that people within the organization subscribe to. Embed Embedding risk management into and inside the organization. The Internal Audit Role in Risk Management The internal auditors should be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified. The internal audit activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems. Thank You!

Use Quizgecko on...
Browser
Browser