
Risk quantification
This process can be highly subjective.
Risk quantification may still involve judgement, but it is an attempt at making a more objective assessment by using statistical techniques to ascertain certain key figures, such as:
- Expected loss
- Frequency of loss
- Chances of losses
- Largest predictable loss
It may also use the following methods:
- Risk rating
- Sensitivity analysis
- Accounting ratios
- Risk profiling

Having identified specific risks, risk assessment involves calculating or estimating their potential impact and likelihood.
The risk profile allows the company to prioritise its treatment of different risks. It may choose to spend less on managing one risk in order to release funds to manage another more effectively.
A problem with the above matrix is measurability:
- Subjective risk is what an individual perceives to be a possible unwanted event.
- Objective risk is the actual number of losses in a given time span for a given sample.

Risk consolidation
Risk that has been analysed and quantified at the divisional or subsidiary level needs to be aggregated to the corporate level and grouped into categories.
Related and correlated risk factors
Groups of risks sometimes go together in that they are often present at the same time in the same organization. A common reason for this is that the risks are in some way related, in that they have a common cause or that one type of risk can give rise to another.
A particular type of relatedness is risk correlation (sometimes called risk covariance). While two risks can be related in that they are often present together, in order to be correlated they must vary together (this being the meaning of correlated). Correlated risks can be positively correlated (both go up or down together) or negatively correlated (one goes up as the other goes down).
E.g. smoking causes the risk of heart disease and the risk of a stroke (a common cause).
E.g. environmental risk and reputation risk (positively correlated).
E.g. environmental risk and financial risk (negatively correlated).

Risk response
Model to use: TARA

                 Consequences
Likelihood   Low        High
Low          Accept     Transfer
High         Reduce     Avoid

Risk transfer
Risks can be transferred or shared by techniques such as hedging and insurance. This is economically viable for risks which would have a devastating impact on the business but which are relatively rare, for example car accident insurance.

Risk acceptance
Risk acceptance is where the organisation bears the risk itself, and if an unfavourable outcome occurs it will suffer the full loss. Risks will be accepted if they are low impact and low likelihood, or if they are a fundamental part of the business, for example the risk of grain price fluctuations for a wheat farmer. Some risks might only be accepted, for example where:
- the risk was unexpected;
- the cost of avoiding the risk is too high;
- there is no one to transfer the risk to.
Methods include self-insurance and captive insurance.

Risk reduction
Some risks cannot be avoided altogether and should be reduced. Companies reduce the likelihood of low impact but relatively common risks by implementing controls. Residual risk is the risk remaining after actions have been taken to manage risks.

Risk avoidance
Risks that have high impact and high likelihood, and which cannot be reduced or transferred sufficiently within the firm's resources and its risk appetite, have to be avoided. This is often by refusing to participate in, or withdrawing from, a market.
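The following is an added worked example, not part of the study notes, that ties the risk quantification figures (expected loss, frequency, chance of loss, largest predictable loss), the consolidation of divisional risks to corporate level, the correlation test ("do the risks vary together?") and the TARA matrix into one runnable script. The loss register, the division and category names, the five-year window, the 0.5 likelihood threshold and the 200,000 impact threshold are all constructed; the Poisson assumption for the chance of at least one loss per year and the use of the largest observed loss as the "largest predictable loss" are modelling choices made here, not something the notes prescribe.

```python
"""Risk quantification, consolidation and TARA classification over a constructed loss register.

Added example (not from the study notes). All figures are constructed for illustration.
"""
import math
import statistics
from collections import defaultdict
from dataclasses import dataclass

YEARS = 5  # length of the constructed loss history, in years

# Constructed divisional loss history: (division, category, risk) -> [(year, loss amount), ...].
# Each tuple is one observed loss event within the five-year window.
LOSS_HISTORY = {
    ("retail", "operational", "card fraud"): [
        (1, 12_000), (1, 8_500), (2, 15_000), (3, 9_000),
        (3, 11_000), (4, 7_500), (5, 13_000), (5, 10_000),
    ],
    ("wholesale", "operational", "card fraud"): [
        (1, 20_000), (2, 18_000), (4, 22_000), (5, 19_000),
    ],
    ("retail", "environmental", "spill clean-up"): [(3, 250_000)],
    ("wholesale", "reputation", "press incident"): [(3, 400_000), (5, 350_000)],
}


@dataclass
class RiskFigures:
    expected_loss: float        # expected annual loss = frequency x mean severity
    frequency: float            # loss events per year
    chance_of_loss: float       # probability of at least one loss in a year (Poisson assumption)
    largest_predictable: float  # largest single loss observed in the window


def quantify(events, years=YEARS):
    """Turn a list of (year, amount) loss events into the key figures the notes list."""
    amounts = [amount for _year, amount in events]
    frequency = len(amounts) / years
    mean_severity = statistics.fmean(amounts) if amounts else 0.0
    return RiskFigures(
        expected_loss=frequency * mean_severity,
        frequency=frequency,
        chance_of_loss=1 - math.exp(-frequency),  # P(at least one event) for a Poisson process
        largest_predictable=max(amounts, default=0.0),
    )


def consolidate(history, years=YEARS):
    """Aggregate divisional loss events to corporate level, grouped by risk category."""
    by_category = defaultdict(list)
    for (_division, category, _risk), events in history.items():
        by_category[category].extend(events)
    return {category: quantify(events, years) for category, events in by_category.items()}


def tara(figures, likelihood_threshold, impact_threshold):
    """Map a quantified risk onto the TARA matrix.

    Likelihood is 'high' when the annual chance of loss reaches the threshold; consequence is
    'high' when the largest predictable loss reaches the impact threshold (e.g. risk appetite).
    """
    high_likelihood = figures.chance_of_loss >= likelihood_threshold
    high_impact = figures.largest_predictable >= impact_threshold
    if high_likelihood and high_impact:
        return "avoid"
    if high_likelihood:
        return "reduce"
    if high_impact:
        return "transfer"
    return "accept"


def respond(history, likelihood_threshold, impact_threshold, years=YEARS):
    """Corporate-level TARA response for every risk category in the register."""
    return {cat: tara(fig, likelihood_threshold, impact_threshold)
            for cat, fig in consolidate(history, years).items()}


def annual_losses(history, category, years=YEARS):
    """Total loss per year for one category (zero in years with no events)."""
    totals = [0.0] * years
    for (_division, cat, _risk), events in history.items():
        if cat == category:
            for year, amount in events:
                totals[year - 1] += amount
    return totals


def correlation(history, category_a, category_b, years=YEARS):
    """Pearson correlation of two categories' annual loss series: do they vary together?"""
    xs, ys = annual_losses(history, category_a, years), annual_losses(history, category_b, years)
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var_x = sum((x - mx) ** 2 for x in xs)
    var_y = sum((y - my) ** 2 for y in ys)
    if var_x == 0 or var_y == 0:
        return 0.0  # a series that never varies cannot be correlated with anything
    return cov / math.sqrt(var_x * var_y)


if __name__ == "__main__":
    for category, figures in consolidate(LOSS_HISTORY).items():
        print(category, figures, tara(figures, 0.5, 200_000))
    print("environmental vs reputation:", round(correlation(LOSS_HISTORY, "environmental", "reputation"), 2))
```

With the constructed register, operational risk is frequent but small (reduce), while the environmental and reputation risks are rare but large (transfer); the two rare risks also show a positive correlation because the spill year is also a press-incident year, which is the "vary together" test the notes describe, as opposed to merely being present in the same organization.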

How to reduce risks?
Contingency planning
Contingency planning involves identifying the post-loss needs of the business, drawing up plans in advance and reviewing them regularly to take account of changes in the business.
Loss control
- Physical aspect: many physical devices are installed to minimise losses.
- Psychological aspect: awareness and commitment.
Diversification
Diversification is designed to spread risk and return by creating a portfolio of different risks.
- Diversification and CAPM
- International diversification
Principles: Stop and Go
Inadequate management will involve two types of error:
- Stop error: stopping activities which are of high risk but which would generate more revenue than cost.
- Go error: carrying on activities and pursuing risks where the costs will be more than the revenue.
Principles: Risk appetite
Decisions on risk management will not only depend on the assessment of possible returns, but also on managers' appetite for taking risks.
Principles: ALARP
ALARP represents the relationship between the level of a risk and its acceptability. As a rule of thumb, a higher risk is less acceptable than a lower risk. Reducing the risk to an acceptable level will involve incurring the costs of risk mitigation.
The ALARP principle arises from the fact that infinite time, effort and money could be spent on the attempt to reduce a risk to zero. For a risk to be ALARP it must be possible to demonstrate that the cost involved in reducing the risk further would be grossly disproportionate to the benefit gained.
It should not be understood as simply a quantitative measure of benefit against detriment. It is more a best common practice of judgement of the balance of risk and societal benefit.

Control activities
= COSO =
Internal control is not merely about policy manuals, systems and forms; it is people at every level of an organisation that impact internal control. The focus needs to be on financial reporting objectives.
Control procedures
Corporate, management, business process and transaction controls
- Corporate controls include general policy statements, the established core culture and values, and overall monitoring procedures.
- Management controls encompass planning and performance monitoring, the system of accountabilities to superiors, and risk evaluation.
- Business process controls include authorisation limits, validation of input, and reconciliation of different sources of information.
- Transaction controls include complying with prescribed procedures and accuracy and completeness checks.
Administrative controls and accounting controls
- Administrative controls are concerned with achieving the objectives of the organisation and with implementing policies. These controls relate to the following aspects: establishing a suitable organisation structure; the division of managerial authority; reporting responsibilities; channels of communication.
- Accounting controls aim to provide accurate records and to achieve accountability:
  1) the recording of transactions;
  2) establishing responsibilities for records, transactions and assets.
Prevent, detect and correct controls
- Prevent controls are designed to prevent errors from happening in the first place.
- Detect controls are designed to detect errors once they have happened.
- Correct controls are designed to minimise or negate the effect of errors.
Discretionary and non-discretionary controls
- Discretionary controls are subject to human discretion.
- Non-discretionary controls are provided automatically by the system and cannot be bypassed, ignored or overridden.
Voluntary and mandated controls
- Voluntary controls are chosen by the organisation to support the management of the business.
- Mandated controls are required by law and imposed by external authorities.
General and application controls
- General controls relate to the environment in which the application system is operated.
- Application controls prevent, detect and correct errors and irregularities as transactions flow through the business system.
Financial and non-financial controls
- Financial controls focus on the key transaction areas, with the emphasis on the safeguarding of assets and the maintenance of proper accounting records and reliable financial information.
- Non-financial controls tend to concentrate on wider performance issues.

The detailed controls in place: SPAMSOAP
- Segregation of duties: no one person should have total control of an area, e.g. the chairman/CEO roles should be split (Cadbury).
- Physical measures: physical measures to secure the custody of assets, e.g. access control to buildings.
- Authorisation and approval: authorisation and approval of all business activities by appropriate persons, e.g. non-executive directors to decide directors' pay and sit on a remuneration committee.
- Management: management should provide control through analysis and review of accounts, e.g. tasking internal audit.
- Supervision: supervision of the recording and operations of day-to-day transactions, e.g. budget monitoring through exception or variance reports.
- Organisation: identify reporting lines, levels of authority and responsibility. This ensures everyone is aware of their control (and other) responsibilities, especially in ensuring adherence to management policies, e.g. enabling named staff to act independently within areas of delegated power.
- Arithmetical and accounting: checks on the correct and accurate recording and processing of transactions, e.g. bank account reconciliation.
- Personnel: attention should be given to the selection, training and qualifications of personnel, as well as personal qualities, e.g. checking references during a recruitment process.
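As an added example that is not part of the study notes, three of the SPAMSOAP controls above can be written as detect-type checks run over transaction records: segregation of duties (nobody raises and approves the same order), authorisation and approval against delegated limits (the organisation control's "levels of authority"), and an arithmetical and accounting control in the form of a bank reconciliation. The purchase orders, user names, approval limits, cash book and bank statement lines are all constructed for illustration.

```python
"""Three SPAMSOAP controls expressed as detect-type checks over constructed records.

Added example (not from the study notes): segregation of duties, authorisation limits and
a bank reconciliation. All records and limits below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    raised_by: str
    approved_by: str
    amount: float


# Constructed purchase-order log.
PURCHASE_ORDERS = [
    PurchaseOrder("PO-1001", "alice", "bob", 4_200.0),
    PurchaseOrder("PO-1002", "carol", "carol", 9_800.0),   # raised and approved by the same person
    PurchaseOrder("PO-1003", "dave", "bob", 31_000.0),     # exceeds bob's delegated limit
    PurchaseOrder("PO-1004", "alice", "erin", 120.0),
]

# Constructed delegated approval limits (organisation control: levels of authority).
APPROVAL_LIMITS = {"bob": 25_000.0, "carol": 10_000.0, "erin": 5_000.0}


def segregation_breaches(orders):
    """Segregation of duties: nobody should both raise and approve the same order."""
    return [po.po_id for po in orders if po.raised_by == po.approved_by]


def authorisation_breaches(orders, limits):
    """Authorisation and approval: the approver must hold a limit that covers the amount.
    An approver with no recorded limit is treated as having a limit of zero, so is always flagged."""
    return [po.po_id for po in orders if po.amount > limits.get(po.approved_by, 0.0)]


# Constructed cash book and bank statement lines: (reference, signed amount).
CASH_BOOK = [("CHQ-201", -1_500.0), ("CHQ-202", -800.0), ("RCT-55", 3_000.0), ("CHQ-203", -250.0)]
BANK_STATEMENT = [("CHQ-201", -1_500.0), ("RCT-55", 3_000.0), ("BCHG-07", -25.0), ("CHQ-202", -800.0)]


def reconcile(cash_book, statement):
    """Arithmetical and accounting control: reconcile the cash book to the bank statement.

    Items in the cash book but not yet on the statement (e.g. unpresented cheques) and items
    on the statement but not in the cash book (e.g. bank charges) are reported separately;
    the two balances must agree once each side is adjusted for the other's timing items.
    """
    book = dict(cash_book)
    bank = dict(statement)
    unpresented = {ref: amt for ref, amt in book.items() if ref not in bank}
    not_in_book = {ref: amt for ref, amt in bank.items() if ref not in book}
    mismatched = {ref: (book[ref], bank[ref]) for ref in book if ref in bank and book[ref] != bank[ref]}
    adjusted_bank = sum(bank.values()) + sum(unpresented.values())
    adjusted_book = sum(book.values()) + sum(not_in_book.values())
    return {
        "unpresented": unpresented,
        "not_in_book": not_in_book,
        "mismatched": mismatched,
        # Any amount mismatch on a matched reference means the books do not reconcile
        "reconciles": not mismatched and abs(adjusted_bank - adjusted_book) < 0.005,
    }


if __name__ == "__main__":
    print("segregation breaches:", segregation_breaches(PURCHASE_ORDERS))
    print("authorisation breaches:", authorisation_breaches(PURCHASE_ORDERS, APPROVAL_LIMITS))
    print("bank reconciliation:", reconcile(CASH_BOOK, BANK_STATEMENT))
```

These are detect controls in the prevent/detect/correct classification: they flag the breach after the fact, and the corresponding prevent control would be the system refusing the approval in the first place (a non-discretionary control in the notes' terms). The reconciliation returns the unpresented and bank-only items rather than just a yes/no, because those lists are what the supervisory review of the reconciliation actually looks at.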

Information and Communication
Why do we need information?
- To monitor the performance of the company and know the key risks and internal control issues
- To make strategic decisions
- To provide information to external stakeholders
- To comply with corporate governance best practice
Types of information
- Strategic information is used to plan the objectives of the organisation, and to assess whether the objectives are being met in practice.
- Tactical information is used to decide how the resources of the business should be employed, and to monitor how they are being and have been employed.
- Operational information is used to ensure that specific operational tasks are planned and carried out as intended.
Qualities of good information
- Accurate
- Complete
- Cost beneficial
- User targeted
- Relevant to task
- Authoritative
- Timely
- Easy to use
Needs of directors
Directors will need:
- Financial information
- Non-financial information such as quality reports, customer complaints and human resource data
- External information about competitors, suppliers, and the impact of future economic and social trends
Where to get information?
- The directors' own efforts
- Reports from subordinates
- Lines of communication
- Reports from control functions
- Reports on activities
- Reports on resolution of weaknesses
- Results of checks
- Exception reporting
- Feedback from customers
How to make best use of information?
- Compare different sources of information
- Feed back to others
- Review procedures

Communication with employees
Procedures improving staff abilities and attitudes should be built into the control framework.
Important HR issues:
- Improving staff awareness and attitudes
- Training staff
Areas of communication (Turnbull suggests):
- Customer relations
- Service levels for both internal and outsourced activities
- Health, safety and environmental protection
- Security of assets and business continuity
- Expenditure
- Accounting, financial and other reporting
Steps of communication (Turnbull suggests):
- Initial guidance from the Chief Executive
- Dissemination of the risk management policy and codes of conduct, as well as key business objectives and internal control
- Workshops on risk management and internal control
- A greater proportion of the training budget being spent on internal control
- Involvement of staff in identifying and responding to change and in operating warning mechanisms
- Clear channels of communication for reporting breaches and other improprieties
Any problems with communication?

Monitoring
= COSO =
Monitoring means that the entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations or both.
Aims of monitoring
Monitoring aims to ensure that controls operate effectively, weaknesses are reported and root causes corrected.
Control procedures seek ONLY to CORRECT ERRORS:
- Ongoing monitoring and separate evaluation enable management to determine whether internal controls continue to function over time.
- Internal control weaknesses should be identified and communicated to those responsible for taking corrective action, management and the board.
Three elements influence the effectiveness and efficiency of monitoring:
- Establishing a foundation for monitoring that includes a proper tone at the top, an effective organization structure, and a starting point or baseline of non-effective internal control.
- Designing and executing monitoring procedures based on prioritising risks and identifying persuasive information about the operation of key controls that mitigate the significant risks.
- Assessing and reporting results, which includes evaluating the severity of any identified deficiencies, prioritising findings, reporting to the correct level and following up on corrective action.
Monitoring procedures
- Periodic evaluation and testing of controls by internal audit
- Continuous monitoring programs built into information systems
- Analysis of, and appropriate follow-up on, operating reports or metrics that might identify anomalies
- Supervisory reviews of controls, such as reconciliation reviews as a normal part of processing
- Self-assessment by the board and management regarding the tone they set in the organization and the effectiveness of their oversight functions
- Audit committee enquiries of internal and external auditors
- Quality assurance reviews of the internal audit department
Role of management in monitoring
There is a distinction between the role of management and the role of the board:
- Role of management: monitoring forms part of management's role to implement board policies on risk and control.
- Role of the board: it should regularly receive and review reports on internal control to ensure that management has implemented an effective monitoring system.
Quality of management
- Competence: managers' knowledge of how controls operate and what constitutes a weakness. Managers must be able to identify the root causes, and to do this they must have knowledge of the underlying control and the risks the control is designed to mitigate.
- Objectivity: self-review (review of one's own work) is obviously the least objective; review by peers or superiors is more objective; review by impartial evaluators is the most objective.

Internal Audit
Internal audit is an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization.
The need for internal audit [Turnbull]
- Scale, diversity and complexity of the company's operations
- Number of employees
- Cost-benefit considerations
- Changes in organizational structure
- Changes in risks
- Problems with internal control systems
- Increased number of unexplained or unacceptable events
Threats to independence:
- Involvement in system design
- Over-familiarity
- Reporting relationships
- Scope of work
Independence of internal auditors can be achieved by the following:
- Management should ensure that staff recruited to internal audit internally do not conduct audits on departments in which they have worked.
- Where internal audit staff have also been involved in designing or implementing new systems, they should not conduct post-implementation audits.
- Internal auditors should have appropriate scope in carrying out their responsibilities, and unrestricted access to records, assets and personnel.
- Rotation of staff over specific department audits should be implemented.
Risk Audit
The main stages of the risk audit are:
- Identification of risks
- Assessment of risks
- Review of management and controls
- Reporting
Why do we need a risk audit?
- Clear assessment of weaknesses: independent
- External expertise
- Objectivity: an unbiased view, not affected by internal policies
- Assurance to stakeholders
- Compliance with laws and regulations

Audit committee
The board should establish an audit committee of at least three (two in the case of smaller companies) members, who should all be independent non-executive directors.
The audit committee should have written terms of reference. Under SOX this is referred to as the Audit Committee Charter.
The board should satisfy itself that at least one member of the audit committee has recent and relevant financial experience. (Under SOX, having fulfilled the role of CEO is not sufficient experience to qualify as the financial expert on the audit committee.)
Role of the audit committee
- Monitoring and reviewing: financial statements; price-sensitive information; internal financial controls; independence of external auditors.
- Overseeing: the work of internal audit (effective internal audit).
- Policy setting: appointment of external auditors; remuneration of external auditors; non-audit services provided by external auditors (NB most are barred under SOX).
Benefits of an audit committee
- Quality: improve the quality of reporting
- Discipline: create a climate of discipline
- NED: NEDs' independent judgement
- Forum: provide a forum in which the finance director can raise issues of concern
- External: strengthen the position of the external auditor
- Internal: strengthen the position of the internal auditor
- Confidence: increase public confidence
- Compliance: comply with laws and regulations


Board monitoring and reporting
Turnbull suggests that review of internal controls should be an integral part of the company's operations.
The board should regularly receive and review reports and information on internal control, concentrating on:
- What the risks are and the strategies for identifying, evaluating and managing them
- The effectiveness of the management and internal control systems in the management of risk
- Whether actions are being taken to reduce the risks found
- Whether the results indicate that internal control should be monitored more extensively
Internal control disclosure
SEC requirement: the board should include the following in the annual report:
- A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company.
- A statement identifying the framework used by management to evaluate the effectiveness of this internal control.
- Management's assessment of the effectiveness of this internal control as at the end of the company's most recent fiscal year.
- A statement that its auditor has issued an attestation report on management's assessment.
