The Institute of Chartered Accountants of India Conference on Hotel & Tourism Industry. Risk Management and Audit. Hotel and Tourism Industry

Transcription

1 The Institute of Chartered Accountants of India Conference on Hotel & Tourism Industry Risk Management and Audit in Hotel and Tourism Industry CA Dipak Ghose 10 th December, 2011

2 Agenda Module 1 : Risk Management an important element of Corporate Governance Module 2 : Risk Definition, Categories, Examples of Risks Module 3 : Enterprise Risk Management (ERM) Concept & Process Module 4 : Value Creation through ERM Module 5 : Risk Examples in Hotel & Tourism Industry Module 6 : Audit Objectives and Roles (a) Statutory Audit (b) Internal Audit 2

3 Risk Management An important concept in Corporate Governance 3

4 Risk Management An Element of Corporate Governance Corporate Governance..enhancement of shareholder value keeping in view the interests of all other stakeholders An important element of Corporate Governance includes that.. The Risk Management process enables continual improvements in decision making It is a well defined program that encompasses the culture, processes and structures dealing with effective management of both potential opportunities, as well as, adverse effects 4

5 Risk 5

6 What is Risk? What is risk? any threat or opportunity that can potentially prevent a corporate from meeting its objectives. In short, it is anything that prevents a company from protecting existing assets or increasing shareholder value. organisations should maintain a systematic methodology to identify risks and opportunities, and decide what (if anything) needs to be done. It is measured in terms of likelihood and consequences 6

7 Examples of Risks Environmental e.g. Noise, contamination, pollution. Financial e.g. Contractual risks, misappropriation of funds, fraud, fine. Economic e.g. Currency fluctuations, interest rates, share market. Human e.g. Riots, strikes, sabotage, error. Natural Hazards e.g. Climatic conditions, earthquakes, bushfires, vermin, volcanic activity. Professional Liability e.g. Wrong advice, negligence, design error Regulatory e.g. Statutory and legal compliance, code of conduct, intellectual property/ trademarks. Technological e.g. Innovation, obsolescence, dependability. Security e.g. Cash arrangements, vandalism, theft, misappropriation of information, illegal entry. 7

8 Risk Formula Risk(Objectives) - Control = Exposure Objectives are what your organization aims to accomplish. Risks are everything that get in the way of sustainable achievement of your objectives. Controls are any action or activity that increases the likelihood of achieving your business objectives. 8

9 Risk Management Objective Objective of risk management process is to bring the inherent level of risks to a desired level of acceptable risks Inherent risk Controls Controls Effective controls Residual Risk Treatment Plan(s) ACCEPTABLE Residual Risk Desired level of residual risk 9

10 Enterprise Risk Management (ERM) 10

11 What is Enterprise Risk Management? Enterprise Risk Management (ERM) is a process effected by an entity s board of directors, management and other personnel applied in strategy setting and across the enterprise designed to identify potential events that may affect the entity manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives 11

12 - Strategic Alignment Mission/ Vision Approved Strategy Business Objectives Business Objectives Business Objectives Risks Risks Risks Risks Risks Risks Controls Controls Controls Controls Controls Controls Established by Management and refined by Company Board Considered as part of Risk Management process Identified, discussed and enhanced through the risk management process 12

13 Why is Enterprise Risk Management important Identify obstacles to achieving business objectives Allow management to make/evaluate decisions on a well informed, risk adjusted basis Determine accountability/ownership of all key risks Enable definition of realistic tolerances and measures of risk to support reasonable budgeting for risk (expected loss) and allocation of capital ( unexpected loss) Increase risk and control awareness of all employees, at all levels Proactively identify potential difficulties 13

14 Potential Benefits of Effective Enterprise Risk Management Early mover into new business areas Greater likelihood of achieving business objectives Higher share prices over the longer term Reduction in management time spent in fire fighting Fewer sudden shocks and unwelcome surprises POTENTIAL BENEFITS Increased likelihood of change initiatives being achieved Achievement of competitive advantage Better basis for strategy setting and decisions Lower cost of capital More focus internally on doing the right things properly Source: Implementing Turnbull a Boardroom Briefing 14

15 Risk Management Process 15

16 Global ERM standard Risk Management Process Overview Establish the context Identify risks Analyse risks Evaluate risks Communicate and consult Monitor and review Assess risks Treat risks Risk management overview (AS/NZS 4360:1999) 16

17 Risk Identification Comprehensive risk identification using a well-structured systematic process is critical. Risks can be identified in a number of ways, like: Workshop Brainstorming Interviews Press and media searches Discussion with peers Seminars 17

18 Risk Assessment 3 Key Risk Assessment Components EVENT IMPACT PROBABILIT Y 18 Before any risk analysis can begin, these three risk components must be defined in some systematic and meaningful way - Event: An incident / activity which may happen leading to some loss Probability: A qualitative description of probability or frequency Impact: The outcome of an event expressed qualitatively or quantitatively, being a loss, injury, disadvantage or gain. There may be a range of possible outcomes associated with an event.

19 Example Driving to Work What are the risks in driving to work? 19

20 Example OBJECTIVE Driving to workplace RISK Not reaching the workplace on time CONSEQUENCE Work not accomplished / Boss is upset at you / You get fired / Lose face with clients or peers THREAT LIKELIHOOD IMPACT CONTROL Run out of petrol Low Low Always fill at ½ Mark Traffic Jam High High Leave Early/Alt Route Accident Low High Defensive driving Blown Tire Low Low Rotate tires / Spare Overheating Low High Maintenance Groupings: Internal and External Within my Control (Petrol), outside my Control (Others) 20

21 Risks Statement, Contributing Factors & Impact Risk Statement: The Risk Statement gives a brief description of the risk issue that the company is faced with Contributing Factors: The Contributing Factors are the factors that contribute to the risks mentioned in the Risk Statements Impact: The Impact indicates the outcome that the company might face if a particular risk event mentioned in the Risk Statement materializes 21

22 Relationship between Risks, Potential Impacts and Contributory Factors An issue can be either a risk, a contributory factor or a potential impact, depending on the level used. Eg. A house keeping department of a Hotel is worried about inadequate safety measures being adopted in the premises. They raise the following points: Electrical Shock Electrical Equipment Malfunctioning Lack of regular inspection of electrical safety features Possible liability issues Reputational Damage How risks are identified alongwith impact and Contributing factor 22

23 Some Possibilities Risk Impact Contributing Factor Electrical Shock Injury & Liability Electrical Equipment Malfunctioning Electrical Equipment Malfunctioning Electrical Shock Lack of regular inspection of electrical safety features Lack of regular inspection of electrical safety features Possible liability issues & Reputational Damage Electrical Equipment Malfunctioning 23

24 Risk Assessment - Methodologies A combination of two risk assessment methodologies is used across an enterprise: Quantitative assessment is possible when sufficient data are available. Quantitative- Qualitative- Used where potential likelihood and impact are low or where numerical data and expertise for quantitative assessments are not available. Also be used for high-impact events that require substantive expertise for assessment. 24

25 Risk Assessment In determining what constitutes a given level of risk the following scale may be used for likelihood and Impact assessment: Levels / Ratings Descriptors (Likelihood) 1 Very low likelihood 2 Low likelihood 3 Moderate likelihood 4 High likelihood 5 Very high likelihood Levels / Ratings Descriptors (Impact) 1 Very low impact 2 Low impact 3 Moderate impact 4 High impact 5 Very high impact 25

26 Risk Assessment Example for Calculation of Group Score: Rating of Risk X : Likelihood (A) Impact (B) Participant Participant Participant Total 9 15 Group Score for risk X i.e. Simple Average ( Total / No. of Participants) Combined Score for risk X (Group Score A*Group Score B)

27 Risk Evaluation Process Likelihood probability or frequency of an event occurring Consequences/ Impact the outcome of an event expressed qualitatively or quantitatively, being a loss, injury, disadvantage, or gain. Risk Evaluation the process to determine Risk Management priorities by comparing the level of risk, as assessed using the above two scales, against predetermined standards, benchmarks, target risk levels Overall Risk Rating Overall Risk Rating is defined as Likelihood Rating*Impact Rating 27

28 Risk Prioritization The output of risk evaluation leads to generation of a prioritized list of risks for further action The Risk Statement alongwith Contributing Factors and Overall Risk Rating are captured in the form of a Risk Register and are prioritized in three categories: High (Red zone or unacceptable Average score more than 11) Medium (Yellow zone or cautionary Average score between 6 to 11) Low (Green zone or acceptable Average score upto 6) The Risk Register is prepared in a specific format to document the results of risk identification and risk assessment exercise using the two parameters viz. Likelihood and Impact Rating 28

29 Risk Prioritization LIKELIHOOD IMPACT 29 Most Critical Need active monitoring High Impact/ Likelihood Need periodic monitoring Low likelihood & Impact Need Annual Review

30 Risk Treatment, Communication and Monitor & Review Treat Risks Select and implement appropriate options for dealing with risk i.e. Avoid exit that activity that entails the particular risk Accept choose to accept the risk as in the case of changing policies Share form a joint venture for a new business Transfer insure and transfer the risk to the insurance company Reduce hedging in case of foreign currency exposure Control install safety equipment for safety related risks Diversify spread to new markets or move into new businesses Implement action plans and validate mitigation of risks Communicate & Consult Communicate and consult with internal and external stakeholders as appropriate at each stage of the risk management process concerning the process as a whole Review & Monitor Review and monitor the action plans 30

31 Risk Flow Diagram Board Risk Diagnostic Steering Committee Board BU risk diagnostic to determine focus BU BU BU BU BU BU BU BU Department Department Department Department Department Group Group Group Group Group BU Risk Framework 31

32 Risk Management Organization Risk Management Organisation Audit Committee Board of Directors Risk Management Steering Committee Chief Risk Officer (CRO) Risk Owner Risk Owner Risk Owner Risk Owner Risk Champion Risk Champion Risk Champion Risk Champion 32

33 Value Creation through ERM 33

34 ERM - Value Creation Activities ERM Areas Expected Risk Management Practices Risk Management Culture and Governance Management understands and intends to manage all of their risks Stakeholders have trust in the risk management program Decision making reflects the impact of risk on the particular decision Managers understand risk tolerance The Board is involved in discussions on risk and risk management Long term planning and resource allocation incorporates risk/ reward and cost/ benefit trade-offs; and Management has allocated sufficient (in amount and quantity) resources to ensure risk management meets its objectives 34

35 ERM - Value Creation Activities ERM Areas Expected Risk Management Practices Strategic Risk Management Integration of risk management and return into strategic decision-making Understanding and addressing changes in risk profile Integration of risk management capability into budgeting, asset allocation, product and new venture decisions, M&As and divestitures, and incentive compensation 35

36 Risk : Examples in Hotel & Tourism Industry 36

37 Risks in Hotel Industry Hotel industry, which entirely depends on the services it offers, should be able to identify and manage its risks effectively It should be noted that, while control of physical risks is important, liability with respect to services provided should not be overlooked Recently evolved risk assessment techniques have been recognized as meaningful and important tools for integrating and internalizing the Safety, Health and Environment aspects in business operations 37

38 Specific Objectives of Risk Management Study in Hotel Industry Identify hazards in various operations and tasks performed at the facility Establish underlying causes for hazard initiations Assess the strengths and weaknesses in the existing SHE systems Estimate risk levels after analyzing the effects and consequences of hazard events and likelihood of its occurrence Evaluate risk levels and initiate risk control measures, if required 38

39 Examples of Risks Associated with Hotel Industry During the last several years, hospitality companies -- like many other industries -- have increased the utilization of outsourcing arrangements for items such as procurement services, network and other data host sites, and food and beverage. Hotel owners and managers need to measure and monitor the risk to their organizations should these business partners not be in a position to honor their contractual obligations It should be realized that there are many operations in hotels, which involve use of chemicals and hazardous material (Dry-cleaning, LPG and HSD storage, plating and polishing etc.,) and other related operations like in any other industry Food contamination and environmental releases are some of the other major hazards associated with hotel operations 39

40 Examples of Risks Faced by the Hotel Industry Property & Environment: Fire and Explosion Natural disaster like Hurricanes or rise in sea level and third party Security Environment Threats from terrorism People: Key personnel Health and Safety Reputation: Erosion of Brand Value Commercial: Corporate reputation Food Poisoning Services liability Air conditioning Kitchen Safety Microbiological risks Political risk Financial: Exchange rate risk Financial risk Operational: Business interruption Project risk IT and communications Product liability Catastrophe recovery Industry risks Legal: Regulatory compliance Tenant s legal liability Contractual Liability 40

41 Relevance of Risk Management in Tourism Industry Although adequate insurance coverage is a necessary response to many related risks, yet Relying exclusively on insurance to cover the risks associated with this industry is no longer viable. Business organizations worldwide have adopted "risk management" principles to address the increasing legal, ethical and financial obligations to manage the principal risks of the tourism industry Risk management is required in order to make optimum insurance purchasing decisions. Even insurers will offer their best terms and conditions to those businesses that are well managed and considered to be a good risk 41

42 Risks Pertaining to Tourists. With millions of people travelling daily, diseases, crime, acts of terrorism, questions of violence or natural disasters directly impact these industries ability to promote a safe and worry free experience Travellers should be encouraged to take adequate travel insurance some of which includes: Adequate medical insurance required to meet expenses incase of emergency hospitalization and/or medical expenses Accident benefits to be covered through adequate insurance policy coverage Adequate coverage incase of loss of personal belongings due to theft or burglary 42

43 Risks Associated with the Tourism Industry The specific risks associated with the Tourism Industry can originate broadly from four source areas viz : The human and institutional environment outside the tourism sector; Which includes common delinquency (theft, burglary, fraud, deception), terrorism, hijacking, wars, social conflicts and political and religious unrest The tourism sector and related commercial sectors; Through defective operation, tourism and sectors related to tourism such as transport, sports and retail trade, can endanger visitors' personal security, physical integrity and economic interests through poor safety standards in tourism establishments (fire, construction errors, lack of anti-seismic protection), poor waste management systems and disrespect for the environment s sustainability, non-compliance with contracts and strikes by staff. The individual traveller (personal risks) Travellers or visitors can endanger their own safety and security by practicing dangerous or risky sports and leisure activities, consuming unsafe food and drink, sudden illness or injuries Physical or environmental risks (natural, climatic, epidemic) 43

44 Examples of Risks Faced by the Tourism Industry Safety & Environment : Fire and Explosion Natural disaster and third party Security Financial : Exchange rate risk Financial risk Foreign exchange risk People : Key personnel Sudden illness/injury Health and Safety Political & Geographical : Riots Strikes Wars 44

45 Audit 45

46 Statutory Audit 46

47 Objectives of Statutory Audit Major objectives of statutory audits are: To convey professional opinion on the financial statements of the companies For comprehensive review of the accounting and internal control system of the client For continuous dialogue with the management, concerning any material weakness in the internal control system 47

48 Role of Statutory Auditor The primary role of external auditors is to : express an opinion on whether an entity's financial statements are free of material misstatements and issue a certificate of compliance under Clause 49 of Corporate Governance Normally, external auditors review the entity's information technology control procedures when assessing its overall internal controls They must also investigate any material issues raised by inquiries from professional or regulatory authorities, such as the local taxing authority 48

49 Compliance Requirements Under Clause 49 Basis of Related Party Transactions Related party transactions to be disclosed as transactions in ordinary course & others that are not in normal course Additionally transactions not at arms length to be disclosed separately & placed before Audit Committee with Management Justification Disclosure of Accounting Treatment Disclosure of differential treatment of financial statements from that prescribed in an Accounting Standard, together with the management s explanation for such alternative treatment All listed companies are required to prepare consolidated financial statements as per Accounting Standards, namely, AS21, AS23 and AS27 issued by the ICAI in relation to the Consolidation of Financial Statements In addition, all listed companies are required to publish segment wise profit and loss as per Accounting Standard 17 Segment Reporting issued by ICAI. 49

50 Migration to International Financial Reporting Standards International Financial Reporting Standards (IFRS) are Standards, Interpretations and the Framework adopted by the International Accounting Standards Board (IASB). The IFRS is an international effort to harmonize financial reporting globally. In India, the Institute of Chartered Accountants of India (ICAI) has said that all companies and banks should draw up their accounts in conformity with IFRS from

51 Internal Audit 51

52 Objectives of Internal Audit Aim of internal auditing is to assist the organization to achieve its objectives Evaluating emerging technologies Assessing risks, controls, ethics, quality, economy, and efficiency Assuring that controls in place are adequate to mitigate the risks Communicating information and opinions with clarity and accuracy 52

53 Role of Internal Auditor The primary role internal auditors is : To provide independent, objective assurance and consulting activity designed to add value and improve an organization's operations To help an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of : risk management, control, and governance processes. 53

54 Changing Paradigm of Internal Audit-Evolution Traditional Internal Auditing Find & Fix: Reactive Reengineering of Internal Auditors Integrated Internal Auditing Anticipate & Prevent: Proactive Risk Assessment: An Ad-hoc Activity Risk Assessment : Continuous Activity Focus only on Financial and Accounting Controls Minimum use of technology Multifunctional Knowledge Techno Savvy New Tools Benchmarking Use Industry/External data Focus on Risk Management Have Persuasive Skills Audit Business Processes; not just Controls Tech./Knowledge Leveraged Perceived as Policing Perceived as Partner in Business Compliance Focus Profit Optimization 54

55 Internal Auditor s Role in ERM Core Internal Audit Roles in ERM Giving assurance on the risk management process Giving assurance that risks are correctly evaluated Evaluating risk management processes Evaluating the reporting of key risks Reviewing the management of key risks 55

56 Internal Auditor s Role in ERM Roles Internal Audit should Not Undertake Setting the risk appetite Imposing risk management process Management assurance on risks Taking decisions on risk responses Implementing risk responses on management s behalf Accountability for risk management 56

57 Internal Auditor s Role in ERM Play an important role in monitoring ERM, but do NOT have primary responsibility for its implementation or maintenance. Assist management and the board or audit committee in the process by : Monitoring - Evaluating Examining - Reporting Recommending improvements 57

58 Role : Internal Audit vis-à-vis Risk Management Role Enterprise Risk Management Group Internal Audit Purpose Coordinate an integrated enterprise wide view of significant risks and responses Support risk assessment planning and monitoring, as applicable Activities Provide support and facilitate overall risk management process Provide assurance on risk assessment process, mitigation activities, test results, monitor action plans Deliverables Escalate key risk exposures, risk policies and metrics Independent testing of risk assessment results & action plan; reports to management and audit committee 58

59 Internal Auditor s Responsibility Risk Based Audit Plan Identify the risks Prioritize the risk Identify the controls Evaluate the effectiveness of the Control This risk assessment is to serve as the basis from which audit plans are devised and against which internal controls are tested. 59

60 Risk Based Internal Audit (RBIA) 60

61 Definition of Risk Based Internal Audit (RBIA) RBIA provides an independent and objective opinion to an organisation s management as to whether its risks are being managed to acceptable levels 61

62 Risk Based Internal Audit Methodology An Overview 62

63 ERM and Risk Based Internal Audit Methodology An Overview ERM process supports Risk Identification, Assessment and Prioritization The Prioritized list of risks is the input for development of risk based internal audit strategy / plan 63

64 Risk Related Controls Risk assessment Exercising controls based on risk evaluation Appropriate and effective Internal control system - COSO framework 64

65 COSO Framework of Internal Control Control Environment It deals with soft issues of control Management Philosophy Commitment to Competence Risk Assessment Identify and analyze risk Prioritize the risk according to impact and probability Control Activities Ensure controls are exercised to address risk to achieve entities objective Information & Communication Relevant information should be identified and communicated - enabling informed decision making Monitoring Measuring the control effectiveness. Assess the quality of the system s performance Prepare report identifying deficiency 65

66 Questions? 66

67 Thank You 67