CH4: Risk Management


COSO defines ERM as

A process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Inherent Risk

The combination of internal and external risk factors in their pure, uncontrolled state, or the gross risk that exists, assuming there are no internal controls in place.

Residual Risk

The portion of inherent risk that remains after management executes its risk responses (sometimes referred to as net risk).

How does COSO define risk? How does ISO define risk?

COSO: the possibility that an event will occur and adversely affect the achievement of objectives. ISO: the effect of uncertainty on objectives.

In exhibit 4-3, why are some of the balls representing risks clustered together while some are not?

This reflects the fact that some risks will have greater impact than others. Additionally, some risks are clustered together, representing the fact that while the risks individually may not be serious, when related risks are aggregated, they can become more serious.

What are some examples of commonly implemented control activities?

• Top-level reviews (budget reviews, updated forecasts, monitoring of competitor actions, cost containment initiatives). • Direct functional or activity management (reconciliations, review of performance reports). • Information processing controls (general infrastructure controls, such as physical and logical security; controls over systems implementation, upgrades, or modifications; disaster recovery; and systems operations controls). • Physical controls (cash counts and physical access restrictions). • Performance indicators (analyzing and following up on deviations from expected or targeted performance norms). • Segregation of duties.

What are typical ERM responsibilities of: a. The board of directors?

a. The board provides oversight and direction to an organization's management. The board can play a role in strategy setting, formulating high-level objectives, broad-based resource allocation, and shaping the ethical environment (including the risk appetite and how management responds to risk).

What are typical ERM responsibilities of: b. Management?

b. Management is responsible for all activities of an organization, including ERM, and is ultimately responsible for the effectiveness and success of ERM, including ensuring that a positive internal environment exists (tone at the top).

What are typical ERM responsibilities of: c. The chief risk officer?

c. Monitoring risk management progress and assisting other managers in reporting relevant risk information up, down, and across the organization (establish, frame, promote, guide, and report to the CEO).

What are typical ERM responsibilities of: d. Financial executives?

d. Activities that cut across the organization (for example, fraud and internal control over financial reporting).

What are typical ERM responsibilities of: e. The internal audit function?

e. Evaluating the effectiveness of, and recommending improvements to, ERM and, more broadly, the organization's governance, risk management, and control systems.

What are typical ERM responsibilities of: f. The independent outside auditors?

f. ERM is the responsibility of everyone in an organization and therefore should be an integral part of everyone's job description, both explicitly and implicitly.

According to IIA Practice Advisory 2010-1: Linking the Audit Plan to Risk and Exposures, how should the internal audit function's audit plan be determined?

In linking the audit plan to risk and exposures: 1. In developing the internal audit activity's audit plan, many CAEs find it useful to first develop or update the audit universe ... The CAE may obtain input on the audit universe from senior management and the board. 2. The audit universe can include components from the organization's strategic plan. By incorporating components of the organization's strategic plan, the audit universe will consider and reflect the overall business objectives. Strategic plans also likely reflect the organization's attitude toward risk and the degree of difficulty in achieving planned objectives. The audit universe will normally be influenced by the results of the risk management process. The organization's strategic plan considers the environment in which the organization operates. These same environmental factors would likely impact the audit universe and the assessment of relative risk. 3. The CAE prepares the internal audit activity's audit plan based on the audit universe, input from senior management and the board, and an assessment of risk and exposures ... and information to help them accomplish the organization's objectives, including an assessment of the effectiveness of management's risk management activities. 4. The audit universe and related audit plan are updated to reflect changes ... 5. Audit work schedules are based on, among other factors, an assessment of risk and exposures ... A variety of risk models exist to assist the CAE. Most risk models use risk factors such as impact, likelihood, materiality, asset liquidity, management competence, quality of and adherence to internal controls, degree of change or stability, timing and results of the last audit engagement, complexity, and employee and government relations.

According to COSO, what are the fundamental concepts encompassed in its definition of enterprise risk management (ERM)?

• A process that is ongoing and flows throughout an organization. • Effected by people (that is, employees) at every level of an organization. • Applied when setting an organization's strategy. • Applied across the organization, at every level and unit. • Focused on taking an entity-level portfolio view of risk. • Designed to identify potential events that, if they occur, will affect the organization. • A means to enable the management of risks within an organization's risk appetite. • Able to provide reasonable assurance to an organization's management and board of directors. • Geared toward achievement of objectives in one or more separate but overlapping categories.

What are the 11 risk management principles identified in ISO 31000?

• Creates and protects value. • Is an integral part of all organizational processes. • Is part of decision-making. • Explicitly addresses uncertainty. • Is systematic, structured, and timely. • Is based on the best available information. • Is tailored. • Takes human and cultural factors into account. • Is transparent and inclusive. • Is dynamic, iterative, and responsive to change. • Facilitates continual improvement of the organization.

What five activities are included in the ISO 31000 risk management process?

• Establish the context, which focuses on understanding and agreeing on both the external and internal factors that will influence risk management. This activity also encompasses the definition of risk criteria, which are defined as "the terms of reference against which the significance of a risk is evaluated." Such terms may include the organization's risk appetite, risk tolerance levels, and criteria against which risk may be assessed (such as impact and likelihood). • Assess the risks, which involves identifying the risks, analyzing the risks by considering the causes, sources, and types of outcomes, and evaluating the risks to help prioritize which ones should be treated first. • Treat the risks, which involves making decisions similar to those described in the risk response discussion of COSO earlier in this chapter. • Monitor risks to identify the onset of a risk event and evaluate whether the risk treatments are having the desired effect. It is therefore also important to make sure risk management activities are properly recorded to assist in this monitoring. • Establish a communication and consultation process to ensure information flows up, down, and across the organization to enable the risk management process.

Legitimate internal audit roles with safeguards (ERM consulting activities):

• Facilitating identification and evaluation of risks. • Coaching management in responding to risks. • Coordinating ERM activities. • Consolidating the reporting on risks. • Maintaining and developing the ERM framework. • Championing establishment of ERM. • Developing ERM strategy for board approval.

Core internal audit roles (ERM assurance activities):

• Giving assurance on the risk management processes. • Giving assurance that risks are correctly evaluated. • Evaluating risk management processes. • Evaluating the reporting of key risks. • Reviewing the management of key risks.

What are the eight COSO ERM components?

• Internal environment. "Management sets a philosophy regarding risk and establishes a risk appetite. The internal environment encompasses the tone of an organization, and sets the basis for how risk and control are viewed and addressed by an entity's people. The core of any business is its people—their individual attributes, including integrity, ethical values, and competence—and the environment in which they operate." • Objective setting. "Objectives are set at the strategic level, establishing a basis for operations, reporting, and compliance objectives. Every entity faces a variety of risks from external and internal sources, and a precondition to effective event identification, risk assessment, and risk response is establishment of objectives." • Event identification. "Management identifies potential events that, if they occur, will affect the entity, and determines whether these events represent opportunities or whether they might adversely affect the entity's ability to successfully implement strategy and achieve objectives. Events with negative impact represent risks, which require management's assessment and response. Events with positive impact represent opportunities, which management channels back into the strategy and objective-setting processes. When identifying events, management considers a variety of internal and external factors that may give rise to risks and opportunities, in the context of the full risk scope of the organization." • Risk assessment. "Risk assessment allows an entity to consider the extent to which potential events have an impact on achievement of objectives. Management assesses events from two perspectives—likelihood and impact—and normally uses a combination of qualitative and quantitative methods. The positive and negative impacts of potential events should be examined, individually or by category, across the entity. Risks are assessed on both an inherent and residual basis." • Risk response. "Having assessed relevant risks, management determines how it will respond. Responses include risk avoidance, reduction, sharing, and acceptance. In considering its response, management assesses the effect on risk likelihood and impact, as well as costs and benefits, selecting a response that brings residual risk within desired risk tolerances. Management identifies any opportunities that might be available, and takes an entity wide, or portfolio, view of risk, determining whether overall residual risk is within the entity's risk appetite." • Control activities. "Control activities are the policies and procedures that help ensure that management's risk responses are carried out. Control activities occur throughout the organization, at all levels and in all functions." • Information and communication. Relevant information is identified, captured, and communicated so that people can carry out their responsibilities; that information must be: ■ Appropriate and at the right level of detail. ■ Timely and available when needed. ■ Current, reflecting the most recent financial or operational information. ■ Accurate and reliable. ■ Accessible to those who need it. • Monitoring. The entirety of ERM is monitored, through ongoing management activities, separate evaluations, or both, and modified as necessary.

What are the five components of the ISO 31000 risk management framework?

• Mandate and commitment from the board and senior management to ensure alignment with organizational objectives and commitment of sufficient resources to enable success. • Design of the framework for managing risk, which ensures the foundation is set for effective risk management processes. This involves: ■ Understanding the organization and its context. ■ Establishing a risk management policy. ■ Delegating accountability and authority. ■ Integrating risk management into organizational processes. ■ Allocating the necessary resources. ■ Establishing internal and external communication and reporting mechanisms. • Implementing the risk management framework and process to help the organization achieve its objectives. • Monitoring the framework to determine its ongoing effectiveness. • Continually improving the framework to ensure its sustainability.

What are the four fundamental points embedded in the COSO and ISO definitions of risk?

• Risk begins with strategy formulation and objective setting. An organization is in business to achieve particular strategies and objectives, and risks represent the barriers to successfully achieving those objectives. Therefore, because each organization has somewhat different strategies and objectives, they also will face different types of risks. • Risk does not represent a single point estimate (for example, the most likely outcome). Rather, it represents a range of possible outcomes. Because many different outcomes are possible, the concept of a range is what creates uncertainty when understanding and evaluating risks. • Risks may relate to preventing bad things from happening (risk mitigation), or failing to ensure good things happen (that is, exploiting or pursuing opportunities). Most people focus on preventing bad outcomes—for example, a hazard that needs to be mitigated or eliminated. While many risks do, in fact, present a threat to an organization, failure to achieve positive outcomes also may create a barrier to the achievement of an objective and is also a risk. • Risks are inherent in all aspects of life—that is, wherever uncertainty exists, one or more risks exist. The examples provided in the previous section on the history of risk illustrate how the understanding of risk has evolved. Those risks specifically associated with organizations conducting a form of business are commonly referred to as business risks. This can be thought of in quite simple terms: uncertainties regarding threats to the achievement of business objectives are considered business risks.
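A worked example, added here and not part of the textbook or of the COSO/ISO material: a small quantitative risk register in Python. It treats each risk as a likelihood plus a loss range (low / most likely / high) rather than a single point estimate, applies one of the four COSO responses (avoid, reduce, share, accept) to derive residual risk from inherent risk, aggregates related risks by category for the portfolio view, and compares expected and 95th-percentile annual loss against a stated risk appetite and tolerance. All risk names, probabilities, loss ranges, control effects and appetite figures are constructed assumptions, not figures from any source.

```python
"""Quantitative risk register: inherent vs residual risk as a range, not a point.

Added illustration, not material from the textbook or from COSO/ISO. The risk
names, likelihoods, loss ranges, control effects and appetite figures below are
constructed for the example.
"""
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    category: str                       # related risks share a category (portfolio view)
    likelihood: float                   # probability the event occurs within a year
    impact: tuple                       # (low, most likely, high) loss if it occurs
    response: str = "accept"            # COSO responses: avoid | reduce | share | accept
    likelihood_reduction: float = 0.0   # fraction of likelihood removed by controls
    impact_reduction: float = 0.0       # fraction of loss removed or transferred


def expected_loss(risk):
    """Annual expected loss: likelihood x mean of the triangular loss range."""
    low, mode, high = risk.impact
    return risk.likelihood * (low + mode + high) / 3.0


def residual(risk):
    """Apply the chosen risk response to obtain the residual (net) risk."""
    if risk.response == "avoid":        # exit the activity: the event cannot occur
        return replace(risk, likelihood=0.0)
    if risk.response == "reduce":       # controls cut likelihood and/or impact
        scale = 1.0 - risk.impact_reduction
        return replace(risk,
                       likelihood=risk.likelihood * (1.0 - risk.likelihood_reduction),
                       impact=tuple(x * scale for x in risk.impact))
    if risk.response == "share":        # insurance/outsourcing moves part of the loss
        scale = 1.0 - risk.impact_reduction
        return replace(risk, impact=tuple(x * scale for x in risk.impact))
    return risk                         # accept: unchanged


def simulate_annual_loss(risks, trials=20000, seed=7):
    """Monte Carlo: total loss per simulated year, giving a range of outcomes."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        total = 0.0
        for r in risks:
            if rng.random() < r.likelihood:
                low, mode, high = r.impact
                total += rng.triangular(low, high, mode)
        losses.append(total)
    return sorted(losses)


def percentile(sorted_values, p):
    idx = min(len(sorted_values) - 1, int(p * len(sorted_values)))
    return sorted_values[idx]


def assess(register, appetite_expected_loss, tolerance_p95, trials=20000, seed=7):
    """Portfolio view: per-category and total expected loss, inherent vs residual,
    plus a 1-in-20 bad-year figure checked against appetite and tolerance."""
    net = [residual(r) for r in register]

    def by_category(risks):
        out = {}
        for r in risks:
            out[r.category] = out.get(r.category, 0.0) + expected_loss(r)
        return out

    report = {}
    for label, risks in (("inherent", list(register)), ("residual", net)):
        el = sum(expected_loss(r) for r in risks)
        p95 = percentile(simulate_annual_loss(risks, trials, seed), 0.95)
        report[label] = {
            "expected_loss": el,
            "by_category": by_category(risks),
            "p95_annual_loss": p95,
            "expected_within_appetite": el <= appetite_expected_loss,
            "tail_within_tolerance": p95 <= tolerance_p95,
        }
    return report


# Constructed register (hypothetical figures in currency units)
REGISTER = [
    Risk("Phishing credential theft", "identity", 0.60, (20_000, 80_000, 400_000),
         "reduce", likelihood_reduction=0.5, impact_reduction=0.3),
    Risk("Privileged account misuse", "identity", 0.20, (50_000, 200_000, 1_000_000),
         "reduce", likelihood_reduction=0.4),
    Risk("Cloud storage misconfiguration", "cloud", 0.30, (10_000, 100_000, 2_000_000),
         "reduce", likelihood_reduction=0.7),
    Risk("Critical vendor outage", "third_party", 0.15, (5_000, 50_000, 300_000),
         "share", impact_reduction=0.6),
    Risk("Legacy product line breach", "legacy", 0.40, (100_000, 300_000, 900_000),
         "avoid"),
]

APPETITE_EXPECTED_LOSS = 200_000   # hypothetical: expected annual loss the board accepts
TOLERANCE_P95 = 1_500_000          # hypothetical: acceptable loss in a 1-in-20 bad year

if __name__ == "__main__":
    rep = assess(REGISTER, APPETITE_EXPECTED_LOSS, TOLERANCE_P95)
    for label in ("inherent", "residual"):
        r = rep[label]
        print(f"{label:9s} expected {r['expected_loss']:>12,.0f}  "
              f"p95 {r['p95_annual_loss']:>12,.0f}  "
              f"within appetite: {r['expected_within_appetite']}")
```

Two points the register makes concrete: the two identity risks are individually tolerable but together exceed the appetite on an inherent basis, which is the clustering effect described for exhibit 4-3; and the expected-loss figure alone hides the tail, which is why the 95th-percentile check is reported separately against a tolerance rather than folded into the appetite comparison.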

Roles internal audit should not undertake.

• Setting the risk appetite. • Imposing risk management processes. • Management assurance on risks [that is, being the sole source for management's assurance that risks are effectively managed—this would be considered performing a management function]. • Taking [making] decisions on risk responses. • Implementing risk responses on management's behalf. • Accountability for risk management.

What are the four categories of objectives described in COSO's ERM framework? Define each category.

• Strategic objectives. High-level goals that are aligned with and support the organization's mission. • Operations objectives. Broad goals promoting the effective and efficient use of resources. • Reporting objectives. Goals focusing on the reliability of reporting (both external and internal). • Compliance objectives. Goals enforcing compliance with applicable laws and regulations.

What are COSO's four categories of risk response?

■ Avoidance. Exiting or divesting of the activities giving rise to the risk. Risk avoidance may involve exiting a product line, declining expansion to a new geographical market, or selling a division. ■ Reduction. Action is taken to reduce risk likelihood or impact, or both. This typically involves any of a myriad of everyday business decisions [such as implementing controls]. ■ Sharing. Reducing risk likelihood or impact by transferring or otherwise sharing a portion of the risk. Common techniques include purchasing insurance products, engaging in hedging transactions, or outsourcing an activity. ■ Acceptance. No action is taken to affect risk likelihood or impact. [In effect, the organization is willing to accept the risk at the current level rather than spend valuable resources deploying one of the other risk response options.]
