MATTERS TO BE CONSIDERED IN RISK MANAGEMENT
Risk is a measure of uncertainty.
1. Identifying and measuring risk
2. The risks are related to attainment of objectives
3. Management should consider how much risk is acceptable
4. Actions taken to minimize the consequences and likelihood of risk
• Diversify or avoid risk
• Sharing the risk with other parties
5. Risk management is necessary because of uncertain events
6. Impact of risk depends upon
(a) The duration of consequences. The seriousness of the impact is
dependent upon the duration. For example, the impact of one day’s strike in the factory will be different from the impact of a week’s or a month’s strike.
(b) The assets which are exposed to risks.
The auditor considers what assets are exposed to risks, i.e., the maximum monetary risk without considering the probability, and the nature of the consequences (the auditor gives relatively more importance to valuable assets).
(c) The effectiveness of design and operation of controls. Management can reduce, but not eliminate, inherent risks by effective controls. For example, the inherent risk in cash can be reduced by an imprest system and by reducing cash transactions.
“Controls” are therefore used to mitigate the risks.
The controls will depend upon management’s decision as to what risks are to be reduced and at what cost.
7. The word “threat” includes both impact and likelihood
8. Threats are always present. The controls can reduce the threats
ROLE OF CONTROLS IN RISK MANAGEMENT
1. Controls are used to mitigate the risk
2. Risks are threats in achieving objectives; controls are established to assist in attaining objectives.
3. Controls prevent and detect and correct the impact of risk events from affecting operations.
4. An entity has to evaluate impact and likelihood of risk before establishing internal controls.
5. The Committee of Sponsoring Organizations (COSO) introduced a general model of internal controls which has been widely accepted by the profession.
6. The COSO report defines internal control as a “process effected by the entity’s board of directors, management and other personnel, which is designed to provide reasonable assurance regarding the achievement of objectives in one or more categories”:
• Effectiveness and efficiency of operations (Operations)
• Reliability of financial reporting (Financial)
• Compliance with applicable laws and regulations (Compliance)
The above three categories of controls represent all of the entity’s activities. Management reporting on internal controls also includes safeguarding of assets from loss or unauthorized use. The COSO report describes internal control as having five components:
• Control environment
• Risk assessment
• Accounting system
• Control activities
• Monitoring
The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation of all other components of internal control, providing discipline and structure.
Control environment factors include:
• Integrity, ethical values and competence of the entity’s people.
• Management philosophy and operating style.
• The way management assigns authority and responsibility and organizes and develops people.
• Attention and direction provided by the board of directors.
The basic sequence of management activities as described by COSO is:
1. Establish entity’s objectives --> 2. Assess risks --> 3. Determine required controls
1. Establish entity’s objectives
The purpose of internal control is to ensure that the entity’s objectives are achieved. The objectives therefore have to be clearly defined and agreed by all concerned managers.
2. Assess risk
Risk assessment (both risks and opportunities) involves three steps:
• Risk identification
• Risk measurement
• Risk prioritization
The first step is the identification of likely events (both risks and opportunities) that may have a material consequence for the organization. Not all risks are assessed; only those risks are assessed which are likely to be significant threats to attaining the entity’s objectives.
The risk is assessed at three levels.
(a) Strategic risk assessment
Strategic risk assessment is performed for a horizon of 5 to 10 years, usually by the board of directors. It involves:
(i) Examining the mission statement or vision statement for the entity’s goals and objectives
(ii) Classifying each of the objectives into short, medium and long term issues
(iii) Selecting the strategic risks that are likely to be more significant:
• Operational risk: the risk that operational goals will not be achieved
• Fiscal risk: the risk that lapses in expenditure and revenue controls will adversely affect attainment of objectives
• Compliance risk: the risk that non-compliance with laws and regulations will affect attainment of objectives
(b) Project or process risk assessment
Project or process risk assessment is carried out in order to manage the current period’s activity, and is usually performed by senior managers.
(c) Operational risk assessment
Operational risk assessment is used in everyday operations (for example, health and safety problems) and is performed at supervisory level.
Identification of risks involves assessment of threats and opportunities.
The two major types of risks are:
(a) Internal risks, i.e., assets exposed to risk
• Tangible assets
• Intangible assets
The above assets are exposed to the risk of loss through
• Misuse of assets
• Physical disaster
(b) External risks
• Interest rates
• General economic conditions
• Government policies
After the entity has identified the risks, the next step is to measure them. Risk measurement is quite subjective. Some people prefer to quantify the risk in percentages; others describe such risks as high, medium and low. Although it is difficult to measure risk precisely, risk measurement is essential because it forms the basis for decision making regarding the relative attention to be paid to various areas.
Total risk may be measured as follows:
Total risk = Maximum value at risk x Probability of threat occurring x Control risk
For example, the maximum monetary loss on an item of equipment is Rs. 2,000,000.
The probability of the threat occurring is 0.008 and the probability of control failure is 0.30. The annual loss expectancy is:
Rs. 2,000,000 x 0.008 x 0.30 = Rs. 4,800
The last step in risk assessment is to rank the risks.
The objective of prioritization is to make decisions about applying relative effort to various units.
One simple way of prioritization is to rank the total scores in order of magnitude.
The auditor will design an audit program that devotes more hours to reviewing controls for Product D than to reviewing controls for Product E.
3. Determine required controls
Once the risks have been assessed, a decision has to be made on how to deal with the risks assessed. Only key controls should be designed, since the operation of controls may be costly. Possible alternatives are:
(a) Avoid the risk, that is, design the process to eliminate the particular risk
(b) Control the risk, which involves measures taken to reduce the impact and likelihood of risks
(c) Share the risk through outsourcing
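The three-step sequence above (measure total risk, rank the results, then decide how to treat each risk) is small enough to work through in code. The following Python script is an added example written for this page; it is not taken from the notes or from the COSO report. It applies the page's formula (maximum value at risk x probability of threat x control risk) to a risk register, ranks the entries by annual loss expectancy, and shows the effect of the "control the risk" alternative by lowering the control risk factor. The register is constructed sample data: the first entry reuses the page's Rs. 2,000,000 / 0.008 / 0.30 figures, the other three are made up, and the proportional allocation of audit hours is an assumption of this example, not a rule stated on the page.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskItem:
    """One line of a risk register.

    Fields follow the page's formula: total risk = maximum value at risk
    x probability of the threat occurring x control risk (the probability
    that existing controls fail to prevent or detect the event).
    """
    name: str
    max_value_at_risk: float  # maximum monetary loss, ignoring probability (Rs.)
    p_threat: float           # probability of the threat occurring in a year
    control_risk: float       # probability that existing controls fail


def _check_probability(p: float, label: str) -> None:
    """Reject inputs that are not probabilities; a typo here silently skews the ranking."""
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"{label} must be between 0 and 1, got {p}")


def annual_loss_expectancy(item: RiskItem) -> float:
    """Total risk (annual loss expectancy) for one register entry, in Rs."""
    _check_probability(item.p_threat, "p_threat")
    _check_probability(item.control_risk, "control_risk")
    return item.max_value_at_risk * item.p_threat * item.control_risk


def rank_by_total_risk(register: list[RiskItem]) -> list[RiskItem]:
    """Prioritisation step: rank entries by total score, largest first."""
    return sorted(register, key=annual_loss_expectancy, reverse=True)


def allocate_audit_hours(register: list[RiskItem], total_hours: float) -> dict[str, float]:
    """Spread a fixed audit budget across entries in proportion to their ALE.

    Proportional allocation is an assumption of this example; the page only
    says that higher-ranked units receive more review hours.
    """
    scores = {item.name: annual_loss_expectancy(item) for item in register}
    total = sum(scores.values())
    if total == 0:
        # No measured risk anywhere: fall back to an equal split.
        return {name: round(total_hours / len(scores), 1) for name in scores}
    return {name: round(total_hours * score / total, 1) for name, score in scores.items()}


def with_improved_control(item: RiskItem, new_control_risk: float) -> RiskItem:
    """'Control the risk' alternative: a stronger control lowers the control risk
    factor, and therefore the residual ALE, without changing the threat itself."""
    _check_probability(new_control_risk, "new_control_risk")
    return replace(item, control_risk=new_control_risk)


# Constructed sample register. The first entry reuses the page's worked
# figures; the other three are invented for illustration.
SAMPLE_REGISTER = [
    RiskItem("Equipment", 2_000_000, 0.008, 0.30),
    RiskItem("Cash in hand", 500_000, 0.05, 0.20),
    RiskItem("Customer database", 3_000_000, 0.01, 0.10),
    RiskItem("Inventory", 800_000, 0.02, 0.50),
]


if __name__ == "__main__":
    for item in rank_by_total_risk(SAMPLE_REGISTER):
        print(f"{item.name:<18} ALE = Rs. {annual_loss_expectancy(item):>8,.0f}")
    print(allocate_audit_hours(SAMPLE_REGISTER, total_hours=200))
    cash = SAMPLE_REGISTER[1]
    improved = with_improved_control(cash, 0.05)  # e.g. an imprest system now in place
    print(f"Cash ALE Rs. {annual_loss_expectancy(cash):,.0f} -> Rs. {annual_loss_expectancy(improved):,.0f}")
```

Running the script ranks Inventory first despite its modest asset value, because the weak control (0.50) and higher threat probability outweigh the larger but better-protected Customer database; that is exactly the point of multiplying the three factors rather than ranking by value at risk alone.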