Having identified specific risks, risk assessment involves calculating or estimating their potential
impact and likelihood.
The risk profile allows the company to prioritise its treatment of different risks.
It may choose to spend less on managing one risk in order to release funds to manage another
more effectively.
Problem with above matrix:
Measurability:
Subjective risk is what an individual perceives to be a possible unwanted event.
Objective risk is the actual number of losses in a given time span for a given sample.
Risk consolidation
Related and correlated risk factors
Risk that has been analysed and quantified at the divisional or subsidiary level needs to be
aggregated to the corporate level and grouped into categories.
Groups of risks sometimes go together, in that they are often present at the same time in the same
organisation.
A common reason for this is that the risks are in some way related: they have a common
cause, or one type of risk can give rise to another.
A particular type of relatedness is risk correlation (sometimes called risk covariance). While two
risks can be related in that they are often present together, in order to be correlated they must
vary together (this being the meaning of correlated).
Correlated risks can be positively correlated (both go up or down together) or negatively correlated (one goes up as the other goes down).
E.g. smoking raises both the risk of heart disease and the risk of a stroke.
E.g. environmental risk and reputation risk (positively correlated).
E.g. environmental risk and financial risk (negatively correlated).
Risk response
Model to use: TARA

                     Consequences
Likelihood           Low            High
Low                  Accept         Transfer
High                 Reduce         Avoid

Risk transfer, risk acceptance, risk reduction, risk avoidance.
It is more a matter of best common practice: a judgement of the balance between risk and societal benefit.
Control activities
= COSO =
It is not merely about policy manuals, systems and forms but people at every level of an
organisation that impact internal control. Need to focus on financial reporting objectives.
Control procedures
Corporate, management, business process and transaction controls
Corporate controls include general policy statement, the established core culture and values and overall monitoring
procedures
Management controls encompass planning and performance monitoring, the system of accountabilities to
superiors and risk evaluation.
Business process controls include authorisation limits, validation of input, and reconciliation of different sources
of information.
Transaction controls include complying with prescribed procedures and accuracy and completeness checks.
Administrative controls and accounting controls
Administrative controls are concerned with achieving the objectives of the organisation and with implementing policies.
The controls relate to the following aspects
Establishing a suitable organisation structure
The division of managerial authority
Reporting responsibilities
Channels of communication
Accounting controls aim to provide accurate records and to achieve accountability
1) The recording of transaction
2) Establishing responsibilities for records, transaction and assets
Prevent, detect and correct controls
Prevent controls are controls that are designed to prevent errors from happening in the first place
Detect controls are controls that are designed to detect errors once they have happened
Correct controls are controls that are designed to minimise or negate the effect of errors
Discretionary and non-discretionary controls
Discretionary controls are controls that are subject to human discretion
Non-discretionary controls are provided automatically by the system and cannot be bypassed, ignored or overridden
Voluntary and mandated controls
Voluntary controls are chosen by the organisation to support the management of the business
Mandated controls are required by law and imposed by external authorities
General and application controls
General controls are controls that relate to the environment in which the application system is operated
Application controls are controls that prevent, detect and correct errors and irregularities as transactions flow through
the business system.
Financial and non-financial controls
Financial controls focus on the key transaction areas, with the emphasis being on the safeguarding of assets and the
maintenance of proper accounting records and reliable financial information.
Non-financial controls tend to concentrate on wider performance issues
Types of control procedure:
Segregation of duties
Physical measures
Authorisation and approval
Management
Supervision
Organisation: identify reporting lines, levels of authority and responsibility
Arithmetical and accounting: check the correct and accurate recording and processing of transactions,
e.g. bank account reconciliation
Personnel: attention should be given to the selection, training and qualifications of personnel, as
well as personal qualities, e.g. checking references during a recruitment process.
Needs of directors
Directors will need:
Financial information
Non-financial information such as quality report, customer complaints, human resource data
External information about competitors, suppliers, impact of future economics and social trends
Where to get information?
The directors' own efforts
Reports from subordinates
Lines of communication
Reports from control functions
Reports on activities
Reports on resolution of weaknesses
Results of checks
Exception reporting
Feedback from customers
Steps of communication:
Turnbull suggests
Initial guidance from Chief Executive
Dissemination of the risk management policy and codes of
conduct, also key business objectives and internal control.
Workshops on risk management and internal control
A greater proportion of the training budget being spent on IC.
Involvement of staff in identifying and responding to change and in
operating warning mechanisms
Clear channels of communication for reporting breaches and other
improprieties.
Monitoring
= COSO =
Monitoring means that the entirety of enterprise risk management is monitored and
modifications made as necessary. Monitoring is accomplished through ongoing
management activities, separate evaluations or both.
Aims of monitoring
Aims to ensure controls operate effectively, weaknesses reported and root causes corrected.
Objectivity
Self review (review of one's own work) is obviously the least objective.
Review by peers or superiors is more objective.
Review by impartial evaluators is the most objective.
Internal Audit
Internal audit is an independent appraisal function established within an organization to examine and evaluate its
activities as a service to the organization.
Audit committee
The board should establish an audit committee of at least three (two in the case of smaller companies) members, who
should all be independent non-executive directors.
The audit committee should have written terms of reference.
Under SOX this is referred to as the Audit Committee Charter.
The board should satisfy itself that at least one member of the audit committee has recent and relevant financial
experience. (Under SOX, having fulfilled the role of CEO is not sufficient experience to qualify as the financial expert on
the audit committee.)
Role of audit committee
Monitoring and reviewing
Overseeing the work of internal audit
Policy setting
NED forum: provide a forum in which the finance director can raise issues of concern
Confidence (external and internal)