There are many definitions of risk and risk management.

Transcription

1 Definition of risk There are many definitions of risk and risk management. The definition set out in ISO Guide 73 is that risk is the effect of uncertainty on objectives. In order to assist with the application of this definition, Guide 73 also states that an effect may be positive, negative or a deviation from the expected, and that risk is often described by an event, a change in circumstances or a consequence. This definition links risks to objectives. Therefore, this definition of risk can most easily be applied when the objectives of the organisation are comprehensive and fully stated. Even when fully stated, the objectives themselves need to be challenged and the assumptions on which they are based should be tested, as part of the risk management process. Enterprise Risk Management The COSO Framework:

2 Risks can impact an organisation in the short, medium and long term. These risks are related to operations, tactics and strategy, respectively. Strategy sets out the long-term aims of the organisation, and the strategic planning horizon for an organisation will typically be 3, 5 or more years. Tactics define how an organisation intends to achieve change. Therefore, tactical risks are typically associated with projects, mergers, acquisitions and product developments. Operations are the routine activities of the organisation. Enterprise Risk Management The COSO Framework:

3 Risk classification systems An important part of analysing a risk is to determine the nature, source or type of impact of the risk. Evaluation of risks in this way may be enhanced by the use of a risk classification system. Risk classification systems are important because 1. they enable an organisation to identify accumulations of similar risks. 2. enable an organisation to identify which strategies, tactics and operations are most vulnerable. Risk classification systems are usually based on the division of risks into those related to financial control, operational efficiency, reputational exposure and commercial activities. However, there is no risk classification system that is universally applicable to all types of organisations. Enterprise Risk Management The COSO Framework:

4

5

6 Recording risk assessments Risk assessment involves the identification of risks followed by their evaluation or ranking. It is important to have a template for recording appropriate information about each risk. The objective of a template is to enable the information to be recorded in a table, risk register, spreadsheet or a computer-based system. Although a simple description of a risk is sometimes sufficient, there are circumstances where a detailed risk description may be required in order to facilitate a comprehensive risk assessment process. Enterprise Risk Management The COSO Framework:

7 Enterprise Risk Management The COSO Framework:

8 The consequences of a risk materialising may be negative (hazard risks), positive (opportunity risks) or may result in greater uncertainty. Organisations need to establish appropriate definitions for the different levels of likelihood and consequences associated with these different risks. ** Risk ranking can be quantitative, semi-quantitative or qualitative in terms of the likelihood of occurrence and the possible consequences or impact. Organisations will need to define their own measures of likelihood of occurrence and consequences. ** assess likelihood and consequences as high, medium or low, with the results presented on a 3 x 3 risk matrix is adequate. Other organisations find that more options are necessary and a 4 x 4 or 5 x 5 risk matrix is required. By considering the likelihood and consequences of each risk, it will be possible to prioritise or rank the key risks for further analysis. Enterprise Risk Management The COSO Framework:

9

10 MAY 2005 P3: Question 1 (a and b) 10 Q

11 MAY 2005 P3: Question 1 (a and b)

12 Quantification of risk exposures (impact if an adverse event occurs) and their expected values, taking account of likelihood. Value at Risk (VaR) The value of an investment portfolio depends on the market prices of the components equities, bonds, commodities or financial instruments which vary with changes in interest and exchange rates. VaR is therefore commonly described as a measure of market risk because it is a monetary estimate of the likely fall in the portfolio value that would result from movements in the market prices of financial assets/liabilities. Its calculation expresses the likelihood of loss in terms of a specified level of probability assuming a given holding period or time horizon during which the portfolio is unchanged. VaR has three parameters: 1. The time horizon (period) to be analyzed may relate to the time period over which a financial institution is committed to holding its portfolio, or to the time required to liquidate assets. 2. The confidence level is the interval estimate in which the VaR would not be expected to exceed the maximum loss. Commonly used confidence levels are 99% and 95%. Confidence levels are not indications of probabilities. 3. Value at risk(var) is given in a unit of the currency.

13 MAY 2006 P3: Question 2 c

14 MAY 2006 P3: Question 2 c solution

15 Enterprise Risk Management (ERM) Enterprise Risk Management (ERM) is increasingly claimed as a tool for improving the capability of companies in predicting and managing risks, enhancing planning and the achievement of their goals. ERM may be considered the culmination of the risk management explosion (Power, 2007) which started during the 1990s. ERM is intended to be a holistic approach for assessing and evaluating the risks that an organisation faces (COSO, 2004). Interest in ERM has grown rapidly in the past 15 years and after recent financial scandals, there has been further pressure from various parties to adopt and embed ERM in business processes. In the UK, the publication and review of the Turnbull Report signalled a close coupling between internal control and risk management, making ERM a central focus of corporate governance. Enterprise Risk Management The COSO Framework:

16 Parallel to this centrality in corporate governance, ERM seeks to link risk management with business strategy and objective setting, management control, accountability and planning. Enterprise Risk Management The COSO Framework:

17 Enterprise Risk Management The COSO Framework:

18 Enterprise Risk Management The COSO Framework:

19 ISO describes a framework for implementing risk management, rather than a framework for supporting the risk management process. The risk architecture, strategy and protocols shown represent the internal arrangements for communicating on risk issues. 1. It also sets out the roles and responsibilities of the individuals and committees that support the risk management process. 2. The risk strategy should set out the objectives that risk management activities in the organisation are seeking to achieve. 3. Risk protocols describe the procedures by which the strategy will be implemented and risks managed. Enterprise Risk Management The COSO Framework:

20 Challenges in ERM 1. Positioning of ERM as a managerial tool. ERM is often linked to corporate governance needs and external requirements, which may undermine its implementation as a tool for enhancing managerial actions and decisions. The cases highlighted that the choices in terms of measurement qualitative versus quantitative owners or champions approach interactive versus diagnostic and hierarchical line or commitment management control, internal auditing, strategic committees do affect the perception of its managerial usefulness within the organisation. This perception of usefulness is essential for an effective implementation not only for convincing managers in using ERM, but in turn also for the essential need to have management collaboration for the implementation and continuous evolution of ERM. In the cases in which ERM has become a managerial instrument, there is a collaborative tension between ERM owners and managers, who are continuously challenged to think of the unexpected the so called Black Swan effect (Taleb, 2007). Enterprise Risk Management The COSO Framework:

21 2. Space for the ERM champions or owners within the corporate roles These roles include management accountants but also risk specialists. When other systems of risk management and control are perceived to be satisfactory by managers, ERM and its owners struggle to find a space. There is a new managerial sensitivity is achieved by showing them real examples of how current systems may fail to holistically manage risks or to manage those with a longer term perspective. This does not mean a contraposition with other corporate roles. On the contrary, the more effective cases evidenced a constant search from the ERM owner of alliances with other actors in charge of controlling risks and company performance. 3. ERM is both a challenge and a strategic choice. The issue with the integration of ERM and budgetary control. Process and output integration Output integration such as risks and performances Reciprocal consideration Voluntary separation posing ERM as a strategic tool and budget and its risks as a short/medium term device Unaware separation Enterprise Risk Management The COSO Framework:

22 Purposes and importance of internal control and risk management for an organisation. 22

23 The risk manager role (including as part of a set of roles) as distinct from that of internal auditor. 23

24 24

25 Issues to be addressed in defining management s risk policy. The board of directors is responsible for the company s system of internal control. It should set appropriate policies on internal control and seek regular assurance that will enable it to satisfy itself that the system is functioning effectively. The board must further ensure that the system of internal control is effective in managing risks in the manner which it has approved. In determining its policies with regard to internal control, and thereby assessing what constitutes a sound system of internal control in the particular circumstances of the company, the board s deliberations should include consideration of the following factors: 1. the nature and extent of the risks facing the company; 2. the extent and categories of risk which it regards as acceptable for the company to bear; 3. the likelihood of the risks concerned materialising; 4. the company s ability to reduce the incidence and impact on the business of risks that do materialise; and 5. the costs of operating particular controls relative to the benefit thereby obtained in managing the related risks. 25

26 Risk management Risk management is a structured approach to managing uncertainty related to a threat, a sequence of human activities including: risk assessment, strategies development to manage it, and mitigation of risk using managerial resources. The strategies include: transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular risk. T A R A Some traditional risk managements are focused on risks stemming from physical or legal causes (e.g. natural disasters or fires, accidents, death and lawsuits). Financial risk management, on the other hand, focuses on risks that can be managed using traded financial instruments. The objective of risk management is to reduce different risks related to a preselected domain to the level accepted by society. It may refer to numerous types of threats caused by environment, technology, humans, organizations and politics. On the other hand it involves all means available for humans, or in particular, for a risk management entity (person, staff, organization). 26

27 27

28 Enterprise Risk Management The COSO Framework:

29 Elements in internal control systems (e.g. control activities, information and communication processes, processes for ensuring continued effectiveness etc). An internal control system encompasses the policies, processes, tasks, behaviours and other aspects of a company that, taken together: 1. facilitate its effective and efficient operation by enabling it to respond appropriately to significant business, operational, financial, compliance and other risks to achieving the company s objectives. This includes the safeguarding of assets from inappropriate use or from loss and fraud, and ensuring that liabilities are identified and managed; 2. help ensure the quality of internal and external reporting. This requires the maintenance of proper records and processes that generate a flow of timely, relevant and reliable information from within and outside the organisation; 3. help ensure compliance with applicable laws and regulations, and also with internal policies with respect to the conduct of business. A company s system of internal control will reflect its control environment which encompasses its organisational structure. The system will include: 1. control activities; 2. information and communications processes; and 3. processes for monitoring the continuing effectiveness of the system of internal control. 29

30 Operational features of internal control systems (e.g. embedding in company s operations, responsiveness to evolving risks, timely reporting to management). The system of internal control should: 1. be embedded in the operations of the company and form part of its culture; 2. be capable of responding quickly to evolving risks to the business arising from factors within the company and to changes in the business environment; and 3. include procedures for reporting immediately to appropriate levels of management any significant control failings or weaknesses that are identified together with details of corrective action being undertaken. A sound system of internal control reduces, but cannot eliminate, the possibility of poor judgement in decision-making; human error; control processes being deliberately circumvented by employees and others; management overriding controls; and the occurrence of unforeseeable circumstances. A sound system of internal control therefore provides reasonable, but not absolute, assurance that a company will not be hindered in achieving its business objectives, or in the orderly and legitimate conduct of its business, by circumstances which may reasonably be foreseen. A system of internal control cannot, however, provide protection with certainty against a company failing to meet its business objectives or all material errors, losses, fraud, or breaches of laws or regulations. 30