Showing posts with label Risk Management. Show all posts

Tuesday, September 20, 2011

Internal Control

Explanation of Internal Control

‘The process designed and effected by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of the entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations.


Internal control consists of the following components:
(a) The control environment;
(b) The entity’s risk assessment process;
(c) The information system, including the related business processes, relevant to financial reporting, and communication;
(d) Control activities; and
(e) Monitoring of controls.’

Examples of internal controls:

• Division of duties
• Accounting
• Management
• Physical
• Supervision
• Organisation
• Authorisation, and
• Personnel



************

Sunday, August 21, 2011

Qualitative characteristics of information on Risk and Internal Controls needed by the Board


The information on risks and internal controls should be high quality information. This means that it enables the full information content to be conveyed to the board in a manner that is clear and has nothing in it that would make any part of it difficult to understand. Communications should be reliable, relevant and understandable. They should also be complete.


By reliable is meant the trustworthiness of the information: that it is ‘hard’ information, that it is correct, impartial, unbiased and accurate, even when it conveys bad news.

By relevant is meant not only that due reports should be complete and delivered promptly, but also that anything that should be brought to the board’s attention is brought to it while there is still time for the board to do something about it.

Not all directors possess the technical and specialist knowledge of the company’s senior operating personnel. It is therefore particularly important that the information conveyed is understandable. This means that it should contain a minimum of technical terms that have an obvious meaning to operating managers but may not be understood by a non-specialist. All communication should therefore be as plain as possible within the constraints of reliability and completeness.

By complete is meant that all information that the directors need to know, and which the operating managers have access to, should be included, regardless of any inconvenience that it may cause to one or more colleagues.



**********

The importance for the board of directors to have all the information relating to key operational internal controls and risks

1. In the first instance, the information provided enables the board to monitor the performance of the company on the crucial issues. This includes compliance, performance against targets and the effectiveness of existing controls. By being made aware of the key risks and internal control issues at the operational level, the board can work to address them in the most appropriate way.


2. The board also needs to be aware of the business impact of operational controls and risks to enable the board to make informed business decisions at the strategic level. If the board is receiving incomplete, defective or partial information then they will not be in full possession of the necessary facts to allocate resources in the most effective and efficient way possible.


3. The board has the responsibility to provide information about risks and internal controls to external audiences. Best practice reporting means that directors have to provide information to shareholders and others about the company’s systems, controls, targets, levels of compliance and improvement measures, and hence quality information is needed to achieve this.




***********

Advantages and Disadvantages of Risk Committee made up of NEDs

The UK Combined Code, for example, allows for risk committees to be made up of either executive or non-executive members.

Advantages of non-executive membership

1. Separation and detachment from the content being discussed is more likely to bring independent scrutiny. Sensitive issues relating to one or more areas of executive oversight can be aired without vested interests being present.

2. Non-executive directors often bring specific expertise that will be more relevant to a risk problem than more operationally-minded executive directors will have. The NEDs, being from different backgrounds, are likely to bring a range of perspectives and suggested strategies which may enrich the options open to the committee when considering specific risks.


Disadvantages of non-executive membership (advantages of executive membership)

1. Direct input and relevant information would be available from executives working directly with the products, systems and procedures being discussed if they were on the committee. Non-executives are less likely to have specialist knowledge of products, systems and procedures being discussed and will therefore be less likely to be able to comment intelligently during meetings.

2. Non-executive directors will need to report their findings to the executive board. This reporting stage slows down the process, thus requiring more time before actions can be implemented, and introducing the possibility of some misunderstanding.



***********

Importance of independence of Auditor


The auditor must be materially independent of the client for the following reasons:


1. To increase credibility and to underpin confidence in the process. In an external audit, this will primarily be for the benefit of the shareholders and in an internal audit, it will often be for the audit committee that is, in turn, the recipient of the internal audit report.


2. To ensure the reliability of the audit report. Any evidence of lack of independence (or ‘capture’) has the potential to undermine all or part of the audit report thus rendering the exercise flawed.


3. To ensure the effectiveness of the investigation of the process being audited. An audit, by definition, is only effective as a means of interrogation if the parties are independent of each other.



***********

Framework for assessing risk

Risk is assessed by considering each identified risk in terms of two variables:

– its hazard (or consequences or impact) and,
– its probability of happening (or being realised or ‘crystallising’).

The most material risks are those identified as having high impact/hazard and the highest probability of happening. Risks with low hazard and low probability will have low priority whilst between these two extremes are situations where judgement is required on how to manage the risk.


In practice, it is difficult to measure both variables with any degree of certainty and so it is often sufficient to consider each in terms of relative crude metrics such as ‘high/medium/low’ or even ‘high/low’. The framework can be represented as a ‘map’ of two intersecting continuums with each variable being plotted along a continuum.
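The map described above, as an added worked example that is not part of the original post: each identified risk is scored on the two variables (probability of crystallising and hazard/impact) using the crude high/medium/low scale, placed in a priority zone where only the two extremes are decided mechanically and everything in between is flagged for judgement, and a small register is ranked and drawn as a text heat map. The register entries, the zone labels and the tie-breaking rule are constructed assumptions for illustration, not anything the page prescribes.

```python
"""Likelihood/impact risk map.

Added example, not from the original page. Scores each risk on two ordinal
variables (probability of being realised, impact/hazard), assigns the
priority zone described in the text and ranks a constructed risk register.
"""
from dataclasses import dataclass

# Ordinal scale. The cruder 'high/low' scale mentioned in the text is simply
# this scale with the middle band unused.
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str   # probability of the risk crystallising
    impact: str       # hazard / consequence if it does


def level(value: str) -> int:
    """Map a scale label to its ordinal value, rejecting anything off the scale."""
    try:
        return SCALE[value.lower()]
    except KeyError:
        raise ValueError(f"{value!r} is not one of {sorted(SCALE)}") from None


def score(risk: Risk) -> int:
    """Product of the two ordinal values (1..9); used only for ranking."""
    return level(risk.likelihood) * level(risk.impact)


def zone(risk: Risk) -> str:
    """Priority zone: high/high and low/low are decided mechanically, the
    region between them is left for judgement, as the text describes."""
    lik, imp = level(risk.likelihood), level(risk.impact)
    if lik == SCALE["high"] and imp == SCALE["high"]:
        return "priority: treat now"
    if lik == SCALE["low"] and imp == SCALE["low"]:
        return "low priority: accept and monitor"
    return "judgement required"


def rank(register: list[Risk]) -> list[Risk]:
    """Most material first. Ties on the product are broken by impact
    (assumption): a high-impact/low-likelihood risk is usually looked at
    before a low-impact/high-likelihood one with the same score."""
    return sorted(register, key=lambda r: (score(r), level(r.impact)), reverse=True)


def render(register: list[Risk]) -> str:
    """Text heat map: rows are impact (high at the top), columns likelihood."""
    labels = sorted(SCALE, key=SCALE.get)            # low, medium, high
    lines = ["impact \\ likelihood | " + " | ".join(f"{c:^12}" for c in labels)]
    for imp in reversed(labels):
        cells = []
        for lik in labels:
            names = [r.name for r in register
                     if r.likelihood == lik and r.impact == imp]
            cells.append(f"{', '.join(names) or '-':^12}")
        lines.append(f"{imp:>19} | " + " | ".join(cells))
    return "\n".join(lines)


# Constructed register for illustration only.
REGISTER = [
    Risk("unpatched internet-facing server", "high", "high"),
    Risk("loss of a single laptop", "high", "low"),
    Risk("data-centre fire", "low", "high"),
    Risk("expired TLS certificate", "medium", "medium"),
    Risk("printer outage", "low", "low"),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{score(r)}  {r.name:<36} {zone(r)}")
    print()
    print(render(REGISTER))
```

The product score is deliberately used only to order the register; the decision about what to do with a risk comes from the zone, so two risks with the same score can still land in different zones and the middle band is never silently promoted or demoted by arithmetic.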




***********

Contribution of Risk Committee

Evaluate the contribution that a risk committee made up of non-executive directors could make to shareholders’ confidence in the management of an organisation


Risk committees are considered best practice by most corporate governance regimes around the world for a number of reasons. A risk committee made up of non-executive directors could provide an independent viewpoint on the company’s overall response to risk, and to challenge the CEO’s attitude. A risk committee can help increase the confidence in a number of ways:


Determining overall exposure to risk
The committee can press the board to determine what constitutes an acceptable level of risk, bearing in mind the likelihood of the risks materialising and the company’s ability to reduce their incidence and impact on the business.

Monitoring the overall exposure to risk
Once the board has defined acceptable risk levels, the committee should monitor whether the company is remaining within these levels and whether earnings are sufficient given the levels of risk that are being borne.

Reviewing reports on key risks
There should be a regular system of reports to the risk management committee covering areas known to be of high risk, also one-off reports covering conditions and events likely to arise in the near future. This should facilitate monitoring of risk.

Monitoring the effectiveness of the risk management systems
The committee should monitor the effectiveness of the risk management systems, focusing particularly on effective management attitudes towards risks and the overall control environment and culture. A risk committee can judge whether there is an emphasis on effective management or whether insufficient attention is being given to risk management due to the pursuit of higher returns.



************

Saturday, August 20, 2011

Appointment of Internal Auditors from Inside or Outside

In practice, a decision such as this one will depend on a number of factors including the supply of required skills in the internal and external job markets. In constructing the case for an external appointment, however, the following points can be made.

Primarily, an external appointment would bring detachment and independence that would be less likely with an internal one.

Firstly, then, an external appointment would help with independence and objectivity (avoiding the possibility of auditor capture). He or she would owe no personal loyalties nor ‘favours’ from previous positions. Similarly, he or she would have no personal grievances nor conflicts with other people from past disputes or arguments.


Some benefit would be expected from the ‘new broom’ effect, in that the appointee would see the company through fresh eyes. He or she would not be tied to existing vested interests, and would be likely to come in with new ideas and expertise gained from other situations.


Finally, as with any external appointment, the possibility exists for the transfer of best practice in from outside – a net gain in knowledge for the company.




***********

Objectivity and Internal/External Auditors

Objectivity is a state or quality that implies detachment, lack of bias, not influenced by personal feelings, prejudices or emotions. It is a very important quality in corporate governance generally and especially important in all audit situations where, regardless of personal feeling, the auditor must carry out his or her task objectively and with the purpose of the audit uppermost in mind. The IFAC Code of Ethics explains objectivity in the following terms (Introduction, clause 16): “… fair and should not allow prejudice or bias, conflict of interest or influence of others to override objectivity.”


It thus follows that the characteristics that might demonstrate an internal auditor’s professional objectivity will include fairness and even-handedness, freedom from bias or prejudice, and the avoidance of conflicts of interest and of other threats to independence (for example, the acceptance of gifts).


The internal auditor should remember at all times that the purpose is to deliver a report on the systems being audited to his or her principal. In an external audit situation, the principal is ultimately the shareholder; in an internal audit situation, it is the audit committee (and then, ultimately, the shareholders).



************

Friday, August 12, 2011

Risk awareness

Explanation

Risk awareness is a capability of an organisation to be able to recognise risks when they arise, from whatever source they may come. A culture of risk awareness suggests that this capability (or competence) is present throughout the organisation and is woven into the normal routines, rituals, ways of thinking and is taken-for-granted in all parts of the company and in all employees.

***********


Why is it necessary for an organisation to cultivate a culture of risk awareness, and why should this permeate all levels of the company?


Risks can arise in any part of the organisation and at any level. Not all risks arise at the strategic level, and not all can be captured by a periodic risk assessment. A culture of risk awareness will help ensure that all employees are capable of identifying risks as and when they arise.

Risks are dynamic and rise and fall with changes in the business environment and with changes in the company’s activities. With changes to the company’s risk profile occurring all the time, it cannot be assumed that the risks present at the most recent risk assessment will remain the same. Being prepared to adapt to changes is a key advantage of a culture of risk awareness.


A lack of risk awareness is often evidence of a lack of risk management strategy in the organisation. This, in turn, can be dangerous as the company could be more exposed to risk than it need be because of the lack of attentiveness by staff. A lack of effectiveness of risk management strategy leaves the company vulnerable to unrecognised or wrongly assessed risks.



**********

Why risk assessment is dynamic

Risk assessment is a dynamic management activity because of changes in the organisational environment and because of changes in the activities and operations of the organisation which interact with that environment.


A risk may arise from a change in the activity of the company: a new product launch. The new product may introduce a new risk that was not present prior to the new product. It may be a potential liability from the use of the product or a potential loss from the materials used in its production, for example.



Changes in the environment might include changes in any of the PEST (political, economic, social, technological) or any industry level change such as a change in the competitive behaviour of suppliers, buyers or competitors. In either case, new risks can be introduced, existing ones can become more likely or have a higher impact, or the opposite (they may disappear or become less important). Risk may arise from a change in legislation which is a change in the external environment.




************

Monday, August 8, 2011

Systematic approach to Control and Risk Management

How using a systematic approach to control and risk management can enable companies to fulfil the core aims of corporate governance


Core Aims of Corporate Governance are:
1. Ensuring integrity
2. Promotion of strategic objectives
3. Control over companies
4. Enhancing risk management
5. Involvement of shareholders
6. Protection of shareholders and stakeholders
7. Establishment of accountability
8. Maintenance of effective scrutiny
9. Provision of accurate and timely information


Ensuring Integrity

The problems that an organisation may face as a result of a lack of integrity in its staff should be part of the risk assessment process. Risks such as probity risks are significant risks which should be assessed and managed. An important aspect of this has been stressing the role of directors in influencing the culture, tone and core values of the company.


Promotion of strategic objectives

Guidance in risk management models stresses the need for risk management to be aligned with the strategic objectives. Most risk management models have objective setting as a key stage.


Control over companies

Risk management models emphasize the importance of companies building into their systems the need to follow governance guidance. Two of the four types of objectives in the COSO framework are reliability of reporting and compliance with applicable laws and regulations.


Enhancing risk management

A key feature of risk management models is that they demonstrate how risk management is a continual process. Models show the need to assess organisation-wide risks as well as specific process or unit risks, and they are also used to assess the interaction between risks. Models show that risk management is a logical process, taking the organisation through initial risk identification, then identification of the events that may cause risks to crystallise, assessment of how great the losses might be and, in the light of these, how best to respond to the risks. This will help to identify who should be responsible for which aspects of risk management.


Involvement of shareholders

All risk management models have information provision as a key stage, and this includes the provision of information to shareholders. The Australian/New Zealand risk management standard (AS/NZS 4360) has ‘communicate and consult’ as an underlying stage of its model, reflecting the requirement in governance reports for communication with major stakeholders.


Protection of shareholders and stakeholders

Risk management models aim to reinforce the protection given to shareholders and other stakeholders. Adopting a systematic approach to risk management should make sure that the risks for investors are at appropriate levels, given the strategic objectives of the company. Effective risk management should mean that the directors are not reckless in their decisions, and consider the risk of solvency problems very seriously.


Establishment of accountability

Risk management models reinforce the idea that clear organisational structures strengthen governance. Responsibility for decision-making is a key part of the internal environment of organisations. Some risk management models emphasise the responsibilities of specific individuals; for example, CIMA’s model stresses the need to establish a risk management group. Other models build decision-making in as a key stage.


Maintenance of effective scrutiny

Models emphasize the importance of monitoring risk management procedures and controls once they are in place. The feedback from this monitoring will impact upon future risk assessments and also lead to continuous improvements in processes. Some models, for example the CIMA model, emphasize this by showing risk management as a circular process.


Provision of accurate and timely information

As indicated, information provision is a key stage of risk management models. The CIMA model puts information for decision-making at the centre of the model, with all the risk management stages feeding into it.




**********

Saturday, August 6, 2011

Why the flow of information upwards to the board on matters of internal control and risk is so important

In the first instance, the information provided enables the board to monitor the performance of the company on the crucial issues in question. This includes compliance, performance against targets and the effectiveness of existing controls. By being made aware of the key risks and internal control issues at the operational level, the board can work to address them in the most appropriate way.


The board also needs to be aware of the business impact of operational controls and risks to enable it to make informed business decisions at the strategic level. If the board is receiving incomplete, defective or partial information, then it will not be in full possession of the facts necessary to allocate resources in the most effective and efficient way possible.


The board has the responsibility to provide information about risks and internal controls to external audiences. Best practice reporting means that directors have to provide information to shareholders and others about the systems, controls, targets, levels of compliance and improvement measures, and they need quality information to enable them to do this.



***************

Roles and Responsibilities of the Chief Executive in Internal Control

1. It is the chief executive of any organisation who must assume final responsibility for all internal controls. A CEO must assume ‘ownership’ of the systems and this ownership must be a part of the manner in which the CEO leads the company.


2. The CEO is to facilitate the setting of the tone from the top in both establishing and enforcing the control environment. The control environment is enforced by having internal control compliance embedded within the culture of the company. This setting of the tone should express itself in the way that managers are treated and in the way that the tone is cascaded down through the company.


3. The CEO is to pay particular attention to those areas most vulnerable or open to damaging breaches.


4. The CEO is to ensure that an effective internal audit function is operating in the company. The internal audit function is an imperative part of the governance structure and must be given the priority it clearly deserves.



**********

Factors affecting the need for internal audit and controls

(Based partly on Turnbull guidance)

1. The nature of operations within the organisation arising from its sector, strategic positioning and main activities.

2. The scale and size of operations including factors such as the number of employees. It is generally assumed that larger and more complex organisations have a greater need for internal controls and audit than smaller ones owing to the number of activities occurring that give rise to potential problems.

3. Cost/benefit considerations. Management must weigh the benefits of instituting internal control and audit systems against the costs of doing so. This is likely to be an issue for medium-sized companies or companies experiencing growth.

4. Internal or external changes affecting activities, structures or risks. Changes arising from new products or internal activities can change the need for internal audit and so can external changes such as PESTEL factors.

5. Problems with existing systems, products and/or procedures including any increase in unexplained events. Repeated or persistent problems can signify the need for internal control and audit.

6. The need to comply with external requirements from relevant stock market regulations or laws.



*********

Friday, August 5, 2011

External Risk Audit vs Internal Risk Audit

What is External Risk Audit

External risk auditing is an independent review and assessment of the risks, controls and safeguards in an organisation by someone from outside the company. It involves an identification of the risks within given frames of reference (the whole company, a given area of activity, a given department or location) and advice on managing those risks in terms of a risk assessment.


Arguments in favour of an external risk audit

1. The ‘fresh pair of eyes’ effect that applies to the use of any external consultant. It is likely that existing management is unaware of some of the risks faced by the company, and a new person coming in might identify them.


2. Where there is tension or discord among board members, an external person takes responsibility away from directors who are unlikely to work together on it. Such discord threatens any audit in which collaboration would be needed to provide information and to implement any recommendations.


3. An external risk auditor would provide an unbiased view of the causes of poor risk management and hence be able to give advice on where things can be improved. This will be important when recommending changes to systems to account for risks as it may impact some departments more than others.


4. In some countries (for example, in the USA under Sarbanes-Oxley), an element of independent assessment is necessary for compliance. In any event, encouraging independent scrutiny is good practice and reassures external stakeholders (such as shareholders) in the same way that an external financial audit does. At a time when the effectiveness of internal risk controls has been questioned, investor confidence is especially important.



*************

COSO Framework

Framework for enterprise risk management


The COSO enterprise risk management framework consists of eight interrelated components:

1. Internal environment (control environment)

This covers the tone of an organization, and sets the basis for how risk is viewed and addressed by an organization’s people, including risk management philosophy and risk appetite, integrity and ethical values and the environment in which they operate.
The board’s attitude, participation and operating style will be a key factor in determining the strength of the control environment.


2. Objective Setting
Objectives for the entity should be in place and the chosen objectives should support and align with the entity’s mission and be consistent with the risk appetite.



3. Event Identification
Both internal and external events which affect the achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities.



4. Risk Assessment
Risks are analysed, considering likelihood and impact, as a basis for determining how they should be managed. The analysis process should clearly determine which risks are controllable and which are not.



5. Risk Response
Management selects risk responses such as avoidance, reduction, transfer, or acceptance which are used to develop a set of actions to align risks with the entity’s risk tolerances and risk appetite.



6. Control Activities or Procedures
Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.



7. Information and Communication
Relevant information is identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication should be broad – flowing up, down and across the entity. There should also be effective communication with third parties such as shareholders and regulators.



8. Monitoring
Risk control processes are monitored and modifications are made if necessary. Effective monitoring requires active participation by the board and senior management, and strong information systems, so the data senior managers need is fed to them.




***********

Friday, July 29, 2011

Methods of Embedding Risk Awareness in Organisation

Risk embeddedness

Risk embeddedness refers to the way in which risk awareness and management are interwoven into the normal systems and culture of an organisation. These twin aspects (systems and culture) are both important, because systems describe the way in which work is organised and undertaken, and culture describes the ‘taken-for-grantedness’ of risk awareness and risk management within the organisation.

The methods by which risk awareness and management can be embedded in organisations are as follows:

1. Aligning individual goals with those of the organisation and building these in as part of the culture. The need for alignment is important because risk awareness needs to be a part of the norms and unquestioned assumptions of the organisation.

2. Training of staff at all levels is essential to ensure risk is embedded throughout the organisation.

3. Including risk responsibilities with job descriptions. This means that employees at all levels have their risk responsibilities clearly and unambiguously defined.

4. Establishing reward systems that recognise that risks have to be taken (thus avoiding a ‘blame culture’). Those employees that are expected to take risks (such as those planning investments) should have the success of the projects included in their rewards.

5. Establishing metrics and performance indicators that monitor and feedback information on risks to management. This would ensure that accurate information is always available to the risk committee and/or board, and that there is no incentive to hide relevant information or fail to disclose risky behaviour or poor practice. A ‘suggestion box’ is one way of providing feedback to management.

6. Communicating risk awareness and risk management messages to staff and publishing success stories. As part of disseminating, and creating an incentive for, good practice, internal communication is important in developing culture and in continually reminding staff of risk messages.




*************

Saturday, July 23, 2011

Related and Correlated Risks

Related risks are risks that vary because of the presence of another risk. This means they do not exist independently and they are likely to rise and fall in importance along with the related one. Risk correlation is a particular example of related risk.

Risks are positively correlated if the two risks are positively related in that one will fall with the reduction of the other and increase with the rise of the other. They would be negatively correlated if one rose as the other fell.

In the case of environmental risks and reputation risk, they may be positively correlated for the following reasons:


***Environmental risks involve exposure to losses arising from an organisation’s consumption of resources or impacts through its emissions. Where an environmental risk affects a sensitive situation, (be it human, flora, fauna or other), this can cause negative publicity which can result in reputation damage.

***These two risks can have a shared cause, i.e. they can arise together and fall together because they depend upon the same activity. They are considered separate risks because losses can be incurred from either or both of the impacts (environmental or reputational).

***Positively correlated risk - Activities designed to reduce environmental risk, such as acquiring resources from less environmentally-sensitive sources or through the fitting of emission controls, will reduce the likelihood of the environmental risk being realised. This, in turn, will reduce the likelihood of the reputation risk being incurred. The opposite will also hold true: a reduction of attention to environmental risk will increase the likelihood of reputation loss.


***Negatively correlated risks are also present in some situations. If, for example, a company borrows money to reduce its environmental emissions, then it might be that its environmental risks are reduced but, with its increased gearing, its financial risks are increased at the same time. This is because the higher gearing will increase the vulnerability to rising interest rates and put pressure on cash flow. In this case, then, there is an inverse relationship: the environmental risk falls as the financial risk rises.



************

Why Manufacturing has a greater challenge with the management of Liquidity Risk

Manufacturing has historically had a greater challenge with the management of liquidity risk compared to some other sectors (especially low-inventory businesses such as those in service industries).

There are two main reasons:

Firstly, manufacturing usually requires higher working capital levels because it buys in and sells physical inventory, both on credit. This means that both payables and receivables are relatively high. It also, by definition, requires inventory in the form of raw materials, work-in-progress and finished goods, and therefore the management of inventory turnover is one of the most important management tasks in manufacturing management. In addition, wages are paid throughout the manufacturing process, although it will take some time before finished goods are ready for sale.

Secondly, manufacturing has complex management systems resulting from a more complex business model. Whilst other business models create their own liquidity problems, the variability and availability of inventory at different stages and the need to manage inventories at different levels of completion raises liquidity issues not present in many other types of business (such as service based business).



*************