

Managing Risk
Noelito M. Sales, MBA, CPA, LPT, CTT

Introduction
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

Introduction
– Understand risk and appreciate the importance of risk management to an organization.
– Understand the important aspects of the risk management system relating to risk policies and tools such as enterprise-wide risk management and control self-assessment.

What is Risk?
The word 'risk' derives from the early Italian word risicare, which means 'to dare'. Risk is a choice rather than a fate. The actions we dare to take, which depend on how free we are to make choices, are what the story of risk is all about. And that story helps define what it means to be a human being.

What is Risk?
The stewardship concept underpinning corporate governance forces management to seek out risks to the business and address them, where appropriate. Peter L. Bernstein goes on to suggest: 'The capacity to manage risk, and with it the appetite to take risk and make forward-looking choices, are the key elements of energy that drives the economic systems forward.' The point is that success in business and the public sector is intimately tied into the act of risk taking.

What is Risk?
Risk arises from uncertainty, and controls are based on reducing this uncertainty where both possible and necessary. Risk can be described as:
– The uncertainty of outcome within a range of exposures arising from a combination of the impact and probability of potential events.
– The uncertainty of an event occurring that could have an impact on the achievement of objectives.
Risk is measured in terms of consequences and likelihood.

The Risk Challenge
Risk represents a series of challenges that need to be met. The key feature of this challenge is that it appears when a major decision has to be made. Risk has no real form unless we relate it to our own direction, that is, what we are trying to achieve. It is the risks to achieving objectives that affect us, in that they detract from the focus on success and stop us getting to the intended result.

The Risk Challenge
Good systems of risk management keep the business objectives firmly in mind when thinking about risk. Poor systems hide the objectives outside the model, or treat them as something peripheral to the task of assessing the impact of the risks.

The Risk Challenge
The act of setting objectives is itself based on real and perceived risks, that is, some uncertainty about the future. We can adjust our risk model slightly to make the risk component interactive, in that the objectives are themselves set by reference to the uncertainty inherent in the organizational climate.

The Risk Challenge
Risk should not only be viewed from a negative perspective. The review process may identify areas of opportunity, such as where effective risk management can be turned to competitive advantage. There are two basic dimensions of measuring risk: (1) defining the impact of the risk, and (2) the extent to which the risk is likely to materialize.

The Risk Management and Residual Risk
Risk management is a dynamic process for taking all reasonable steps to find out and deal with risks that impact on our objectives. It is the response to risk, and the decisions made in respect of available choices (in conjunction with available resources), that is important. The embedding of risk management is in turn critical to its success; it should become an intrinsic part of the way the organization works, at the core of the management approach, not something separated from day-to-day activities.

The Risk Management and Residual Risk
Identification
– Identifying all risks that face an organization.
– Should involve all parties who have expertise, responsibility and influence over the area affected by the risks in question.
– All imaginable risks should be identified and recorded.
Assessment
– Assess the significance of the risks that have been identified.
– Should revolve around the two-dimensional impact and likelihood considerations.

The Risk Management and Residual Risk
Management
– Development of strategies for managing high impact, high likelihood risks.
– Ensures that all key risks are tackled and that resources are channelled into the areas of most concern, which have been identified through a structured methodology.
Review
– The entire RMP should be reviewed and revisited on a continual basis.
– Should involve updating the risk management strategy and reviewing the validity of the process that is being applied across the organization.

Mitigation through Controls
In terms of risk management, we need to add to our risk model to set out the types of response to risk that ensure we can remain in control.

Mitigation through Controls
Ten measures for addressing risks that have already been assessed for impact and likelihood:
1. Terminate – discontinue the operation.
2. Controls – where controls are in place and are enough.
3. Transfer – spreading risk, wherever possible.
4. Contingencies – in the event the risk materializes.
5. Take more – low/low on impact and likelihood.
6. Communicate – controls may not address the risk to an acceptable level.
7. Tolerate – risks that pose no threat can be tolerated.
8. Commission research – finding out more about the risk.
9. Tell someone – some high/high risks can only really be resolved by parties outside.
10. Check compliance – often overlooked; ensure that controls are actually working as intended.

Risk Registers and Appetites
Risk registers:
– Act as a vehicle for capturing all the assessment and decisions made in respect of identified risks.
– May form part of the assurance process, where they can be used as evidence of risk containment activity, which supports the statement of internal control.
– Can be attached to the risk management process to record the stages and end up with both a record and an action plan.

Risk Registers and Appetites
What goes in the register, and what we document as significant as opposed to immaterial risk, depends on the perception of risk (risk appetite or risk tolerance).

The Risk Policy
Board Sponsor
The board makes a statement on the systems of internal control in the annual report and reports that this system has been reviewed.
People Buy-In
The individual is really the foundation of risk management, since it is what people do and how they behave that determines whether an organization succeeds or fails. Start with the individual and work through how they fit into the risk management process, or better still, how risk management can be made part of the way they work in future.

The Risk Policy
Chief Risk Officer
Proactively directs the effort and sets up systems that embed the risk policy into everyday activities. Some of this role may include:
– Translating the board's vision on risk management.
– Helping to develop and implement the corporate risk policy.
– Providing training and awareness events where appropriate.
– Helping respond to requirements from regulators that impact on risk management systems.
– Ensuring that the business is responding properly to changes and challenges that create new risks on a continuous basis.
– Helping facilitate risk management exercises and programs.

The Risk Policy
The policy may be a brief document that gives an overview of the organization's position on risk management, with clear messages from the board.

Enterprise-Wide Risk Management
Simply the extension of risk management across the organization in an integrated fashion. The new model we are working towards is for risk management to be part of the strategic planning process and therefore integrated within the performance measurement system: a mission that is translated into a strategy, which when implemented relates to performance measures that are used to monitor the progress of the adopted strategy, with action taken to review and adjust.

Enterprise-Wide Risk Management
Control Self-assessment
The success of enterprise-wide risk management depends on an integrated process for ensuring that risks are assessed and managed across an organization in a dynamic and meaningful way. Techniques for control self-assessment:
– Use of questionnaires that are completed by key employees as a way of assessing whether there are operations that are at risk and whether controls are addressing these risk areas properly.
– Use of interviews with managers in particular business units to gauge whether the area is under control or not.
– Commissioning comprehensive reviews of risk in high-profile parts of the organization, normally by the use of external consultants, who would report back on any problems found.

Embedded Risk Management
ERM/CRSA
There should be a process that ensures risk is understood, identified and managed. There should be a further process for ensuring risk assessment is undertaken throughout key parts, if not all, of the organization. The chief risk officer (CRO) would help co-ordinate these efforts.
Statement of Internal Control (SIC)
The risk efforts and ensuing controls should feed into the SIC that each larger organization should formally publish.

Embedded Risk Management
Stakeholders
The organization should have a formal process for communicating to stakeholders the efforts of the risk management system and any information that gives value to the various interested parties.
Time
The risk model is based on doing more to research, analyze and address risks that impact the organization, and on ensuring there is transparency and competence in the way these risks are addressed. Effective risk management depends in part on the time that is made available.

Embedded Risk Management
Cost
It does cost money to implement new ideas, even when building these ideas into existing systems. Board-level support for risk management needs to be matched with a proper delegated budget, ideally located with the CRO.
Values
It is better to have as an objective the need to instill an acceptance that risk management is an important aspect of the business, and that it should be part of the values that people within the organization subscribe to.
Embed
Embedding risk management into and inside the organization.

The Internal Audit Role in Risk Management
The internal auditors should be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified. The internal audit activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.

Thank You!
