Chapt 4 Risk Management 2


  • 8/3/2019 Chapt 4 Risk Management 2

    1/21


PROFESSIONAL STANDARDS AND POSITION PAPERS

2010 - Planning

2100 - Nature of Work

2120 - Risk Management

PRACTICE ADVISORIES RELEVANT TO CHAPTER 4

Practice Advisory 2010-1: Linking the Audit Plan to Risk and Exposures

Practice Advisory 2120-1: Assessing the Adequacy of Risk Management Processes

Practice Advisory 2210.A1-1: Risk Assessment in Engagement Planning

Position Paper: The Role of Internal Auditing in Enterprise-wide Risk Management

Practice Advisory 2010-2: Using the Risk Management Process in Internal Audit Planning

Before beginning the discussion about risk management, it is important to understand why this area is a frequent topic of discussion in the business world. Many organizations have found that implementing effective risk management programs is more difficult than first thought. However, there are an increasing number of reasons for organizations to establish strong capabilities in these areas. For example, ratings agencies in the United States are now focusing more heavily on risk management in their ratings evaluations. Moody's Investors Services incorporates governance into their ratings and considers risk management as well. Beginning in 2008, Standard & Poor's began evaluating risk management with the intention of formally incorporating it into their ratings in the future. These are examples of why it is so important for organizations to implement an appropriate risk management structure.

OVERVIEW OF RISK MANAGEMENT

A Brief History of Risk

The concept of risk is not a recent phenomenon or new way of approaching the management of a business. Peter L. Bernstein provides an extensive history of risk in Against the Gods: The Remarkable Story of Risk. His book outlines the evolving acceptance and understanding of risk over the centuries. For example:

Gambling has been documented back several centuries to early Greek and Egyptian civilizations as well as in the Bible (for example, Pontius Pilate's soldiers cast lots for Christ's robe as he suffered on the cross). While games of chance have been common throughout history, the theory of probability was not discovered until the Renaissance period in the mid-17th century. After that discovery, probability theory advanced from the mathematical exercise of explaining outcomes in games of chance to a key tool used in the business world to support decision-making.

Chinese and Babylonian traders displayed risk transfer and distribution practices as early as the third and second century, B.C., respectively. The Greeks and Romans introduced early forms of


health and life insurance around A.D. 600. Toward the end of the 17th century, the growing importance of London as a center for trade led to rising demand for marine insurance. In the late 1680s, Edward Lloyd opened a coffeehouse that became a popular haunt of ship owners, merchants, and ships' captains, and thereby a reliable source of the latest shipping news. It became the meeting place for parties wishing to insure cargoes and ships, and those willing to underwrite such ventures. Today, Lloyd's of London remains one of the world's leading specialty insurance companies.

Similar to insurance businesses, banks and other financial institutions have been dealing with risks in all aspects of their businesses throughout the years. The first banks were probably the religious temples of the ancient world. There are records of loans from the 18th century B.C. in Babylon that were made by temple priests to merchants. The Greek and Roman empires helped evolve banking practices surrounding loans, deposits, and currency exchange. Banks use concepts of risk to determine the rates they can charge for loans based on their own cost of funds and the probabilities of default. Financial institutions also have developed financial instruments, such as options, swaps, and derivative instruments, that create value based on the probabilities of uncertain future events.1

Definitions of Risk

The English language word risk comes from the Italian word "risi


Risks are inherent in all aspects of life; that is, wherever uncertainty exists, one or more risks exist. The examples provided in the previous section on the history of risk illustrate how the understanding of risk has evolved. Those risks specifically associated with organizations conducting a form of business are commonly referred to as business risks. This can be thought of in quite simple terms: uncertainties regarding threats to the achievement of business objectives are considered business risks.

Using this definition of risk, it becomes apparent that there are an extensive number of risks that organizations face as they try to execute their strategies and achieve their objectives. This extensiveness can be somewhat overwhelming, which brings greater appreciation for the need to have a process to effectively understand and manage risks across an organization. This need can be addressed through enterprise risk management


Figure: COSO Enterprise Risk Management Cube. Copyright 2004 by The Committee of Sponsoring Organizations of the Treadway Commission.


COSO states the following about achievement of objectives: "Because objectives relating to reliability of reporting and compliance with laws and regulations are within the entity's control, enterprise risk management can be expected to provide reasonable assurance of achieving those objectives. Achievement of strategic objectives and operations objectives, however, is subject to external events not always within the entity's control; accordingly, for these objectives, [ERM] can provide reasonable assurance that management, and the board in its oversight role, are made aware, in a timely manner, of the extent to which the entity is moving toward achievement of the objectives."5

Components of ERM

COSO ERM consists of eight interrelated components. These are derived from the way management runs an enterprise and are integrated with the management process. These components are:

Internal Environment. "Management sets a philosophy regarding risk and establishes a risk appetite. The internal environment encompasses the tone of an organization, and sets the basis for how risk and control are viewed and addressed by an entity's people. The core of any business is its people - their individual attributes, including integrity, ethical values, and competence - and the environment in which they operate."

COSO goes on to state that "The internal environment is the basis for all other components of ERM, providing discipline and structure. It influences how strategies and objectives are established, business activities are structured, and risks are identified, assessed, and acted upon. It also influences the design and functioning of control activities, information and communication systems, and monitoring activities."7

The internal environment is influenced by an organization's history and culture. It comprises many elements, including the following, which COSO discusses in greater detail:

Risk management philosophy, which represents a set of shared beliefs and attitudes characterizing how the organization considers risk in everything it does.

Risk appetite, which represents the amount of risk, on a broad level, an organization is willing to accept.

Board of directors, which provides the structure, experience, independence, and oversight role played by the organization's primary governing body.

Integrity and ethical values, which reflect the preferences, standards of behavior, and style.

Commitment to competence, including the knowledge and skills needed to perform assigned tasks.

Organizational structure, as characterized by the framework to plan, execute, control, and monitor activities.

Assignment of authority and responsibility, reflecting the degree to which individuals and teams are authorized and encouraged to use initiative to address issues and solve problems, as well as limits to their authority.


Human resource standards, composed of the practices pertaining to hiring, orienting, training, evaluating, counseling, promoting, compensating, and taking remedial actions.

Objective Setting. "Objectives are set at the strategic level, establishing a basis for operations, reporting, and compliance objectives. Every entity faces a variety of risks from external and internal sources, and a precondition to effective event identification, risk assessment, and risk response is establishment of objectives."8

Objectives must be aligned with the organization's risk appetite, which drives risk tolerance levels for the organization. Risk tolerances are the acceptable levels of size and variation relative to the achievement of objectives, and must align with the organization's risk appetite.

Event Identification. "Management identifies potential events that, if they occur, will affect the entity, and determines whether these events represent opportunities or whether they might adversely affect the entity's ability to successfully implement strategy and achieve objectives. Events with negative impact represent risks, which require management's assessment and response. Events with positive impact represent opportunities, which management channels back into the strategy and objective-setting process.


Risk Assessment. "Risk assessment allows an entity to consider the extent to which potential events have an impact on achievement of objectives. Management assesses events from two perspectives - likelihood and impact - and normally uses a combination of qualitative and quantitative methods. The positive and negative impacts of potential events should be examined, individually or by category, across the entity. Risks are assessed on both an inherent and residual basis."12

In simplest terms, inherent risk represents the "gross" risk while residual risk is the "net" risk. Inherent risk is the risk to an organization in the absence of any actions management might take to alter either the risk's likelihood or impact. These risks may be inherent in the organization's business model or relate to decisions management has made regarding how to operate and execute that business model. Residual risk is the risk that remains after management's response to the risk (for example, to reduce or transfer the risk). Risk assessment should be applied first to inherent risks. Once the risk responses have been developed, management then considers residual risk.

There are many different ways to assess the impact and likelihood of risks, ranging from obtaining the overall judgments and perspectives of individuals, to benchmarking against other companies, to running sophisticated probabilistic models. Regardless of which option, or combination of options, is used, it is important that the assessment consider the relationships between risks. That is, the realistic worst-case impact and likelihood of risk events may be dependent on how combinations of risks interrelate. Assessing each risk on its own may overlook realistic worst-case scenarios that the organization needs to consider.

Risk Response. "Having assessed relevant risks, management determines how it will respond. Responses include risk avoidance, reduction, sharing, and acceptance. In considering its response, management assesses the effect on risk likelihood and impact, as well as costs and benefits, selecting a response that brings residual risk within desired risk tolerances. Management identifies any opportunities that might be available, and takes an entity-wide, or portfolio, view of risk, determining whether overall residual risk is within the entity's risk appetite."13

As indicated, risk responses fall within four categories, which COSO defines as:

Avoidance. Exiting or divesting of the activities giving rise to the risk. Risk avoidance may involve exiting a product line, declining expansion to a new geographical market, or selling a division.

Reduction. Action is taken to reduce risk likelihood or impact, or both. This typically involves any of a myriad of everyday business decisions [such as implementing controls].

Sharing. Reducing risk likelihood or impact by transferring or otherwise sharing a portion of the risk. Common techniques include purchasing insurance products, engaging in hedging transactions, or outsourcing an activity.


Acceptance. No action is taken to affect risk likelihood or impact. (In effect, the organization is willing to accept the risk at the current level rather than spend valuable resources deploying one of the other risk response options.)

It is important to consider the portfolio, or aggregated, effect of risk responses. In some cases, a certain risk response may not appear to be the best or most cost-effective response for a given risk. However, if that risk response helps manage other risks, the benefit to the organization may justify the selection of that particular option. By looking at risks from a portfolio perspective, management can best ensure that risks are optimally managed within the organization's established risk appetite.

Control Activities. "Control activities are the policies and procedures that help ensure that management's risk responses are carried out. Control activities occur throughout the organization, at all levels and in all functions."15

While control activities are most commonly associated with risk reduction strategies, certain control activities also may be necessary when executing one of the other risk responses. They are classified in a variety of ways and include a range of activities that may be preventive or detective, manual or automated, and at the process level or the management level. Refer to Chapter 6, "Internal Control," for a further discussion of the different types of controls. Examples of commonly used control activities provided by COSO include:

Top-level reviews are controls that are typically executed at the entity level, such as performance against budget reviews, updated forecasts, monitoring of competitor actions, or cost containment initiatives.

Direct functional or activity management are controls executed by managers running specific functions or activities, such as reviewing performance reports for the area or overseeing the execution of detailed level controls (for example, reconciliations).

Information processing controls are designed to check the accuracy, completeness, and authorization of transactions. Additionally, this area includes general infrastructure


that enable people to carry out their responsibilities."17 Information must be in sufficient depth consistent with an organization's need to identify, assess, and respond to risk, and remain within its various risk tolerance levels. Information systems process internally and externally generated data into information that is useful for managing risks. Finally, information must be of sufficient quality to support decision-making. COSO notes that information must be:

Appropriate and at the right level of detail.

Timely and available when needed.

Current, reflecting the most recent financial or operational information.

Accurate and reliable.

    Accessible to those who need it.

COSO goes on to state "Effective communication also occurs, flowing down, across, and up the organization. All personnel receive a clear message from top management that [ERM] responsibilities must be taken seriously. They understand their own role in [ERM], as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There is also effective communication with external parties, such as customers, suppliers, regulators, and shareholders."18

There are many different forms of communication, such as policy manuals, memoranda, e-mails, Internet and intranet sites, bulletin board notices, and video messages. When messages are transmitted orally, tone of voice and body language may influence how messages are interpreted.

Monitoring. "Enterprise risk management is monitored - assessing the presence and functioning of its components over time."19 This type of downstream control can be accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring will generally occur in the normal course of day-to-day management activities. The nature, scope, and frequency of separate evaluations will depend primarily on management's assessment of the underlying risks and the effectiveness of existing ongoing monitoring procedures. Deficiencies that are noted from these monitoring activities are reported upstream, with the most serious matters reported to senior management and the board.

In addition to management's ongoing monitoring activities, other individuals may be involved in the monitoring process. For example, individuals responsible for the performance of key activities may perform self-assessments to evaluate the effectiveness of their risk management activities. Internal auditors typically are part of the overall monitoring system, whereby the results of individual audits help assess the effectiveness of the related risk management activities. In certain circumstances, the work performed by the independent outside auditors may also influence management's assessment of ongoing risk management effectiveness.

In essence, the components of ERM provide a context for answering some common, everyday questions that summarize risk management thinking (as linked to the ERM framework):

1. What are we trying to accomplish (what are our objectives)?


2. What could stop us from accomplishing them (what are the risks, how bad could they be, and how likely are they to occur)?

3. What options do we have to make sure those things do not happen (what are the risk management strategies, that is, responses)?

4. Do we have the ability to execute those options (have we designed and executed control activities to carry out the risk management strategies)?

5. How will we know that we have accomplished what we wanted to accomplish (does the information exist to evidence success, and can we monitor performance to verify that success)?

These five questions apply to more than just risk management in the business world. They can apply to almost any objective or decision in life. Answering these questions instills a risk management-based type of thinking and discipline that aligns with COSO ERM and other risk management frameworks.

Roles and Responsibilities in ERM

The board of directors, management, risk officers, financial officers, internal auditors, and indeed, every individual within an organization contribute to effective ERM. The roles and responsibilities of each of these groups align with those discussed in Chapter 3, "Governance."

Board of Directors. The board provides oversight and direction to an organization's management. The board can play a role in strategy setting, formulating high-level objectives, broad-based resource allocation, and shaping the ethical environment. COSO points out that the board provides oversight with regard to ERM by:

Knowing the extent to which management has established effective ERM in an organization.

Being aware of and concurring with the organization's risk appetite.

Reviewing the organization's portfolio view of risk and considering it against the organization's risk appetite.

Being apprised of the most significant risks and whether management is responding appropriately.20

The board is also part of the internal environment component of ERM and must have the requisite composition and focus for ERM to be effective. Typically, the board will exercise its responsibilities through its various committees, such as an audit committee and a nominating and governance committee.

Management. Management is responsible for all activities of an organization, including ERM. However, these responsibilities will vary, depending on the level in the organization and the organization's characteristics.

The CEO is ultimately responsible for the effectiveness and success of ERM. One of the most important aspects of this responsibility is ensuring that a positive internal environment exists. The CEO sets the tone at the top, influences the composition and conduct of the board, provides leadership and direction to senior managers, and monitors the organization's overall risk activities in relation


to its risk appetite. When evolving circumstances, emerging risks, strategy implementation, or anticipated actions indicate potential misalignment with risk appetite, the CEO will take the necessary actions to reestablish alignment.

Senior managers in charge of the various organizational units have responsibility for managing risks related to their specific units' objectives. They convert the organization's overall strategy into ongoing operations activities, identify potential risk events, assess the related risks, and implement responses to manage those risks. Managers guide the application of the organization's ERM components relative to and within their spheres of responsibility, ensuring the application of those components is consistent with the related risk tolerances. They assign responsibility for specific ERM procedures to managers of the functional processes. As a result, these managers usually play a more active role in devising and executing particular risk procedures that address the unit's objectives, such as techniques for event identification and risk assessment, and in determining specific risk responses (that is, risk management strategies), for example, developing policies and procedures for purchasing goods or accepting new customers.

Staff functions, such as accounting, human resources, compliance, or legal, also have important supporting roles in designing and executing effective ERM practices. These functions may design and implement programs that help manage certain key risks across the entire organization.

Risk Officer. Some organizations have established a separate senior management position to act as the centralized coordinating point to facilitate ERM. A risk officer - referred to in many organizations as a chief risk officer (CRO) - typically operates in a staff function, working with other managers in establishing ERM in their areas of responsibility. The risk officer has the resources to help effect ERM across subsidiaries, businesses, departments, functions, and activities. This individual may have responsibility for monitoring risk management progress and assisting other managers in reporting relevant risk information up, down, and across the organization.

COSO outlines the following specific responsibilities of a CRO:

Establishing [ERM] policies, including defining roles and responsibilities and participating in setting goals for implementation.

Framing authority and accountability for [ERM] in business units.

Promoting [ERM] competence throughout the entity, including facilitating development of technical [ERM] expertise and helping managers align risk responses with the entity's risk tolerances and developing appropriate controls.

Guiding integration of [ERM] with other business planning and management activities.

Establishing a common risk management language that includes measures around likelihood and impact, and common risk categories.


Facilitating managers' development of reporting protocols, including quantitative and qualitative thresholds, and monitoring the reporting process.

Reporting to the chief executive on progress and outliers and recommending action as needed.21

Financial Executives. Finance and accounting executives and their staffs are responsible for activities that cut across the organization. These executives often are involved in developing organization-wide budgets and plans, and tracking and analyzing performance from an operations, compliance, and reporting perspective. They play an important role in preventing and detecting fraudulent reporting, and influence the design, implementation, and monitoring of the organization's internal control over financial reporting and the supporting systems.

Internal Auditors. The internal audit function plays an important role in evaluating the effectiveness of - and recommending improvements to - ERM. The IIA's International Standards for the Professional Practice of Internal Auditing (Standards) specify that the scope of the internal audit function should encompass governance, risk management, and control systems. This includes evaluating the reliability of reporting, effectiveness and efficiency of operations, and compliance with laws and regulations. In carrying out these responsibilities, the internal audit function assists management and the board by examining, evaluating, reporting on, and recommending improvements to the adequacy and effectiveness of the organization's ERM.

Other Individuals in the Organization. In reality, ERM is the responsibility of everyone in an organization and therefore should be an integral part of everyone's job description, both explicitly and implicitly. This is important because:

While not every individual may be considered a risk owner per se, virtually all individuals play some role in effecting ERM, ranging from producing information used in identifying or assessing risks, to implementing the strategies and actions needed to manage those risks.

All individuals are responsible for supporting the information and communication flows that are an integral part of and inherent in ERM.

Independent Outside Auditors. An organization's independent outside auditors can provide both management and the board of directors an informed, independent, and objective risk management perspective that can contribute to an organization's achievement of its external financial reporting and other objectives. Findings from their audits may relate to risk management deficiencies, analytical information, and other recommendations for improvement that can provide management with valuable information to enhance its risk management program.

Legislators and Regulators. Legislators and regulators can affect the ERM approach of many organizations, either through requirements to establish risk management mechanisms or systems of internal controls (for example, the U.S. Sarbanes-Oxley Act of 2002) or


through examinations of particular entities (for example, by federal and state bank examiners). Legislators and regulators may establish rules that provide the impetus for management to ensure that risk management and control systems meet certain minimum statutory and regulatory requirements. Also, they may conduct regulatory examinations that provide information useful to the organization in applying ERM, and recommendations to management regarding needed improvements.

Other External Parties. Finally, other outside stakeholders may impact an organization's ERM activities:

Customers, vendors, business partners, and others who conduct business with an organization are an important source of information used in ERM.

Creditors can provide oversight or direction influencing how organizations achieve their objectives. For example, debt covenants may require organizations to monitor and report information differently than they otherwise might.

Financial analysts, rating agencies, news media, and other external parties can influence risk management activities. Their investigative and monitoring activities can provide insights on how others perceive the organization's performance, industry and economic risks, innovative operating or financing strategies, and industry trends. Management must consider the insights and observations of these parties and, if necessary, adjust the corresponding risk management activities.

Providers of outsourced services are becoming a more prevalent way for organizations to delegate their day-to-day management of certain noncore functions. The external parties discussed above may directly influence an organization's ERM activities; however, using outside service providers may result in a different set of risks and responses than if the organization did not outsource any functions. Although external parties may execute activities on behalf of the organization, management cannot abdicate its responsibility to manage the associated risks and should establish a program to monitor outsourced activities. Refer to Chapter 5, "Business Processes and Risks," where business process outsourcing is discussed in greater detail.

Formal ERM is not yet embedded in the business practices of most organizations, but there is a growing trend to either implement ERM or at least practice many of its key principles. COSO identifies the following potential ERM value drivers:

Aligning risk appetite and strategy.

Enhancing risk response decisions.

Reducing operational surprises and losses.

Identifying and managing cross-enterprise risks.

Providing integrated responses to multiple risks.

Seizing opportunities.

Improving deployment of capital.22


Figure: Top-Down View of Enterprise Risk Management. Figure label (truncated): "Residual Risk Should Be"


the fact that while the risks individually may not be serious, when related risks are aggregated they can become more serious. Initially, these risks are uncontrolled, or are in their inherent, or gross, risk state.

The system of internal controls is depicted as a funnel to illustrate the "filtering" of key risks that occurs at varying levels of that system. For example, the largest risks should be mitigated by the entity-level controls at the top of the funnel. Those that pass through the entity-level filters are next subjected to the process-level and transaction-level controls. As discussed in Chapter 6, "Internal Control," controls may be considered key or secondary, depending on whether they reduce the risk associated with critical objectives. Additionally, in some cases, management may deploy additional mitigating and compensating controls to further limit the impact of the risks.

If the system of internal controls is designed adequately and operates effectively, those risks that make it all the way through the funnel should be acceptable to the organization. Stated another way, the overall residual, or net, risk will not exceed the organization's risk appetite.

THE ROLE OF THE INTERNAL AUDIT FUNCTION IN ERM

IIA Standard 2120: Risk Management states "The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes." The skill sets and broad experience levels that internal auditors possess position them to play a valuable role in ERM. In fact, considering the broad purview of most internal audit functions, as well as their role in the overall monitoring process, failure to involve the internal audit function in some manner would likely result in the ERM initiative falling short of expectations. The following discussion focuses on the role that the internal audit function can play in ERM, depending on whether or not the organization is formally implementing ERM.

Organizations with ERM

The IIA's International Professional Practices Framework includes a position paper titled The Role of Internal Auditing in Enterprise-wide Risk Management, which outlines several opportunities for internal auditors to get involved. In its summary, the paper states, "Internal auditing's core role with regard to ERM is to provide objective assurance to the board on the effectiveness of an organization's ERM activities to help ensure key business risks are being managed appropriately and that the system of internal control[s] is operating effectively."23

The position paper depicts the various roles that the internal audit function should or should not undertake in a fan- or dial-shaped diagram, as shown in Exhibit 4-4. The following types of roles are discussed in the paper.

Core Internal Audit Roles. These roles, which are on the left of the dial in the green section in Exhibit 4-4, represent assurance activities. They are part of the wider objective of providing assurance on risk management activities. These activities include:


[Exhibit 4-4: Internal Auditing's Role in Enterprise Risk Management. Dial diagram not reproduced; surviving label: "Roles internal audit should not undertake".]

This diagram is taken from "Position Statement: The Role of Internal Auditing in Enterprise-wide Risk Management," reproduced with the permission of the Institute of Internal Auditors - United Kingdom and Ireland. For the full statement, visit www.iia.org.uk. © The Institute of Internal Auditors - UK and Ireland Ltd, July 2004.

Giving assurance on the risk management processes.

Giving assurance that risks are correctly evaluated.

Evaluating risk management processes.

Evaluating the reporting of key risks.

Reviewing the management of key risks.24

Legitimate Internal Audit Roles with Safeguards. These roles represent consulting services that may improve the organization's governance, risk management, and control processes. The extent of such services will depend on the other resources available to the board and on the risk maturity of the organization. The consulting roles are shown in the middle of the dial in the yellow section in Exhibit 4-4. In general, the further to the right of the dial that the internal audit function ventures, the greater the safeguards that are required to ensure that its independence and objectivity are maintained. These activities include:

Facilitating identification and evaluation of risks.

Coaching management in responding to risks.

Coordinating ERM activities.

Consolidating the reporting on risks.

Maintaining and developing the ERM framework.

Championing establishment of ERM.

Developing ERM strategy for board approval.25


Roles Internal Auditing Should Not Undertake. These roles, which are depicted on the right of the dial in the red section in Exhibit 4-4, should not be undertaken by the internal audit function as the roles represent management responsibilities that would impair the internal auditors' independence and objectivity. These activities include:

Setting the risk appetite.

Imposing risk management processes.

Management assurance on risks (that is, being the sole source for management's assurance that risks are effectively managed; this would be considered performing a management function).

Taking [making] decisions on risk responses.

Implementing risk responses on management's behalf.

Accountability for risk management.26

When determining the role the internal audit function plays in ERM, the chief audit executive (CAE) must evaluate whether each activity raises any threats to the internal audit function's independence or objectivity. It is important that the organization fully understands that management remains responsible for risk management. As the internal audit function extends its roles further to the right of the dial, the following safeguards should be put in place:

It should be clear that management remains responsible for risk management.

The nature of the internal audit function's responsibilities should be documented in the internal audit charter and approved by the audit committee.

The internal audit function cannot manage any of the risks on behalf of management.

The internal audit function should provide advice, challenge, and support to management's decision-making, as opposed to making risk management decisions itself.

The internal audit function cannot give objective assurance on any part of the ERM framework for which it is responsible. Such assurance should be provided by other suitably qualified parties, whether internal or external to the organization.

Any work beyond the assurance activities should be recognized as a consulting engagement, and the implementation standards related to such engagements should be followed.27

    Organizations with Internal Audit-driven ERM

Practice Advisory 2120-1: Assessing the Adequacy of Risk Management Processes states that "Management and the board are responsible for their organization's risk management and control processes. However, internal auditors acting in a consulting role can assist the organization in identifying, evaluating, and implementing risk management methodologies and controls to address those risks." When an organization has not established a risk management process, the practice advisory offers the following guidance:

In situations where the organization does not have formal risk management processes, the CAE formally discusses with management and the audit committee their obligations to understand, manage, and monitor risks within the organization and the need to satisfy themselves that there are processes operating within the organization, even if informal, that provide the appropriate level of visibility into the key risks and how they are being managed and monitored.

The CAE is to obtain an understanding of senior management's and the board's expectations of the internal audit activity in the organization's risk management process. This understanding is then codified in the charters of the internal audit activity and the [audit committee]. Internal auditing's responsibilities are to be coordinated between all groups and individuals within the organization's risk management process.

Ultimately, it is the role of senior management and the board to determine the role of internal auditing in the risk management process. Their view on internal auditing's role is likely to be determined by factors such as the culture of the organization, ability of the internal audit staff, and local conditions and customs of the country. However, taking on management's responsibility regarding the risk management process and the potential threat to the internal audit activity's independence requires a full discussion and board approval.

This guidance reinforces the importance of bringing the lack of a risk management process to management's attention along with suggestions for establishing such a process. If requested, internal auditors can play a proactive role in assisting with the initial establishment of a risk management process for the organization. A more proactive role supplements traditional assurance activities with a consultative approach to improving fundamental processes. If such assistance exceeds normal assurance and consulting activities conducted by internal auditors, independence could be impaired. In these situations, internal auditors should comply with the disclosure requirements of the Standards.

THE IMPACT OF ERM ON INTERNAL AUDIT ASSURANCE

IIA Standard 2010: Planning states, "The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals." Supporting this standard, Practice Advisory 2010-1: Linking the Audit Plan to Risk and Exposures provides guidance to CAEs when developing the annual internal audit plan. This practice advisory offers the following relative to linking the audit plan to risk and exposures:

1. In developing the internal audit activity's audit plan, many CAEs find it useful to first develop or update the audit universe . . . The CAE may


. . . risk management process. The organization's strategic plan considers the environment in which the organization operates. These same environmental factors would likely impact the audit universe and assessment of relative risk.

3. The CAE prepares the internal audit activity's audit plan based on the audit universe, input from senior management and the board, and an assessment of risk and exposures . . . and information to help them accomplish the organization's objectives, including an assessment of the effectiveness of management's risk management activities.

4. The audit universe and related audit plan are updated to reflect changes . . .

5. Audit work schedules are based on, among other factors, an assessment of risk and exposures . . . A variety of risk models exist to assist the CAE. Most risk models use risk factors such as impact, likelihood, materiality, asset liquidity, management competence, quality of and adherence to internal controls, degree of change or stability, timing and results of last audit engagement, complexity, and employee and government relations.

The points above, which apply at the level of establishing an annual internal audit plan, are also relevant at the engagement level. For example, the scope and approach to an individual project will be influenced by:

How risks at the process level relate to the strategic plans and objectives of the organization. Process-level risks are discussed in greater detail in Chapter 13, "Conducting the Assurance Engagement."

Changes in the process (for example, objectives, procedures, personnel, and performance measures) that have occurred over the last year or since the last audit of the process.

Relevant risk model factors (for example, financial impact and asset liquidity).

The impact and likelihood of the process-level risks.

In summary, management's approach to risk management, regardless of whether or not an organization has implemented ERM, will have a significant influence on both the internal audit charter and annual internal audit plan.


SUMMARY

As COSO defines it, "ERM is a process, effected by the board, management, and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect an organization's ability to achieve its objectives and manage risks to be within its risk appetite."28

An organization's objectives may be strategic, operational, reporting, or compliance oriented. ERM can be assessed across several components: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring.

The skill sets and broad experience levels that internal auditors possess position them to play a valuable role in ERM. The internal audit function may take on a variety of roles relative to ERM, some of which are consistent with the assurance activities as outlined in its charter, and some of which may be consulting services provided to assist the organization in improving its governance, risk management, and control processes. However, an internal audit function must establish appropriate safeguards to ensure that it does not take on roles that could be equivalent to management's responsibilities, thus impairing independence and objectivity of internal auditors.

An organization's strategic plan and inherent risks will have a direct and profound impact on both the charter of an internal audit function as well as its annual audit plan. Changes in management direction, objectives, emphasis, and focus also may impact the annual internal audit plan. The CAE must consider risks when prioritizing and scheduling the upcoming internal audit engagements.