An effective risk management process requires four steps: (1) risk identification, (2) quantitative or qualitative assessment of the documented risks, (3) risk prioritization and response planning, and (4) risk monitoring. Some in business today typically just assess an area as high-, medium-, or low-risk and then make quick insurance or risk protection decisions based on those options; others use more sophisticated qualitative or quantitative tools to help them understand and evaluate their risks.

Risk Identification
This risk identification process should occur at multiple levels, with an understanding that a risk that impacts an individual business unit or project may not have a great impact on the entire enterprise or beyond. A good way to start the risk identification process is to begin with a high-level enterprise chart that lists corporate-level as well as operating units. Each of those units may have facilities in multiple global locations and also may consist of multiple and different types of operations. Each separate facility will then have its own departments or functions. Some of these facilities may be closely connected to one another, while others represent little more than corporate investments.

Key Risk Assessments
A simple but often effective approach here is to take the list of identified risks discussed previously and circulate it to key managers with a questionnaire asking for each risk:
What is the likelihood of this risk occurring over the next one-year period? Using a scoring range of 1 to 9, assign a best-guess score as follows:
o Score 1 if you see almost no chance of that risk happening during the period.
o Score 9 if you feel the event will almost certainly happen during the period.
o Score 2 through 8 depending on where you feel the likelihood falls in this range.
What is the significance of the risk in terms of cost to the enterprise? Again using a 1-to-9 scale, scoring should depend on the financial significance of the risk. A risk whose costs could lower earnings per share by perhaps 1 cent might qualify for the maximum score of 9.

Probability and Uncertainty
When a large number of risks have been identified, management should think of the individual estimated risk likelihoods and occurrences in terms of two-digit probabilities ranging from 0.01 to 0.99. The joint probability of two independent events is the product of the two separate probabilities, using the formula:
Pr(Event 1) × Pr(Event 2) = Pr(Both Events)

Risk Interdependencies
Risk interdependencies must be considered and evaluated throughout the organizational structure. Any entity should be concerned about risks at all levels of the organization but only really has control over the risks within its own sphere.

Risk Ranking
The risk significance and probabilities of occurrence are often called the risk drivers or the primary risks for a set of identified risks. Management must review these unit-by-unit assessed risks to make certain that risk likelihood and significance estimates are appropriate throughout.
Quantitative Risk Analysis: Expected Values and Response Planning
There is little value in identifying significant risks unless an enterprise has at least some preliminary plans for the action steps necessary if it incurs one of them. Some hypothetical risks, labeled A, B, and C, illustrate this type of thinking:
Risk A: Loss of up to X% market share due to changing consumer tastes.
o Estimate the reduction in sales and loss of profits due to the X% drop.
o Estimate how much it will cost to begin to restore the lost market position.
Risk B: Temporary loss of a major manufacturing facility for X days due to a hurricane.
o Estimate the best- and worst-case costs to get the plant temporarily repaired and back in operation within X days.
o Estimate the extra labor and production costs incurred during the interim.
Risk C: Loss of information systems for X days due to a pernicious computer virus.
o Estimate the business and profitability loss during the down period.
o Estimate the cost to transfer operations to the business continuity site.

Quantitative Risk Analysis: Risk Monitoring
Accurate monitoring processes are an essential component of risk management. An enterprise may have gone through an elaborate process to identify its more significant risks. However, the current status of those risks needs to be monitored on a regular basis, with changes made to the identified risks as necessary.
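A worked example of the scoring, joint-probability and expected-value steps described above, added here as illustration code that is not part of the original chapter. The linear mapping from the 1-to-9 score onto the 0.01-to-0.99 probability range is an assumption (the chapter prescribes no mapping), and the cost figures for risks A, B and C are constructed sample values.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    likelihood: int    # questionnaire score: 1 (almost no chance) .. 9 (almost certain)
    significance: int  # questionnaire score: 1 .. 9, by financial significance
    est_cost: float    # estimated loss if the risk occurs (constructed sample values)


def score_to_probability(score: int) -> float:
    """Map a 1..9 likelihood score onto the 0.01..0.99 two-digit probability range.
    Assumption: a linear mapping; the chapter does not prescribe one."""
    if not 1 <= score <= 9:
        raise ValueError(f"score must be 1..9, got {score}")
    return round(0.01 + (score - 1) * (0.98 / 8), 2)


def risk_driver(risk: Risk) -> int:
    """Likelihood x significance: the simple questionnaire-based ranking score."""
    return risk.likelihood * risk.significance


def expected_loss(risk: Risk) -> float:
    """Expected value: probability of occurrence times the estimated cost."""
    return score_to_probability(risk.likelihood) * risk.est_cost


def joint_probability(p1: float, p2: float) -> float:
    """Pr(Both Events) = Pr(Event 1) x Pr(Event 2), valid for independent events."""
    return round(p1 * p2, 4)


def rank_by_expected_loss(risks: list[Risk]) -> list[str]:
    """Order risks for response planning, highest expected loss first."""
    return [r.name for r in sorted(risks, key=expected_loss, reverse=True)]


# Constructed sample inputs for the chapter's hypothetical risks A, B and C.
SAMPLE_RISKS = [
    Risk("A: market share loss", likelihood=5, significance=7, est_cost=4_000_000),
    Risk("B: hurricane plant outage", likelihood=2, significance=8, est_cost=6_000_000),
    Risk("C: virus takes down IT", likelihood=8, significance=5, est_cost=1_500_000),
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.name}: driver={risk_driver(r)}, p={score_to_probability(r.likelihood)}, "
              f"expected loss=${expected_loss(r):,.0f}")
    print("ranking by expected loss:", rank_by_expected_loss(SAMPLE_RISKS))
    p_b, p_c = (score_to_probability(r.likelihood) for r in SAMPLE_RISKS[1:])
    print("Pr(B and C) =", joint_probability(p_b, p_c))
```

Note that the questionnaire product (risk driver) ranks C above A, while the expected loss in currency ranks A above C; the two views should be reconciled before response plans are funded.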
7.2 COSO ERM: ENTERPRISE RISK MANAGEMENT
COSO Enterprise Risk Management is a framework to help enterprises have a consistent definition of their risks. Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. Professionals should consider these key points and concepts supporting the COSO ERM framework definition:
o ERM is a process.
o The ERM process is implemented by people in the enterprise.
o ERM is applied through the setting of strategies across the overall enterprise.
o An enterprise's risk appetite must be considered.
o ERM provides only reasonable, not positive, assurance on objective achievements.
o ERM is designed to help attain the achievement of objectives.
7.3 COSO ERM KEY ELEMENTS
The COSO ERM framework is a three-dimensional model with the components of:
o Four columns representing the strategic objectives of enterprise risk;
o Eight horizontal rows or risk components; and
o Multiple levels to describe any enterprise, from a headquarters entity level to individual subsidiaries. Depending on organization size, there can be many slices of the model here.

COSO ERM: The Internal Environment Component
The COSO ERM internal environment component consists of the following elements:
o Risk management philosophy
o Risk appetite
o Board of directors' attitudes
o Integrity and ethical values
o Commitment to competence
o Organizational structure
o Assignments of authority and responsibility
o Human resources standards

COSO ERM Objective Setting
Ranked right below the internal environment in the COSO ERM framework, objective setting outlines important conditions to help management create an effective ERM process. COSO ERM emphasizes that a mission statement is a crucial element for setting objectives; it is a general, formalized statement of purpose and a building block for the development of specific functional strategies. Objectives must exist before management can identify potential events affecting their achievement. ERM ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.
COSO ERM Event Identification
Many enterprises today have strong performance monitoring tools in place, covering costs, budgets, quality assurance, compliance, and the like. However, going beyond a meter on a production assembly line, event monitoring processes should include:
o External economic events
o Natural environmental events
o Political events
o Social factors
o Internal infrastructure events
o Internal process-related events
o External and internal technological events

COSO ERM Risk Assessment
A key part of this risk assessment process is the need to consider the very important concepts of inherent and residual risk:
o Inherent risk. This is the potential for waste, loss, unauthorized use, or misappropriation due to the nature of an activity itself. Inherent risk is outside the control of management and usually stems from external factors.
o Residual risk. This is the risk that remains after other management responses to risk threats and countermeasures have been applied.

COSO ERM Risk Response Elements
The COSO ERM risk response process calls for a careful review of estimated risk likelihoods and potential impacts, with consideration given to their associated costs and benefits, to develop appropriate risk response strategies, following any of four basic risk strategies:
o Avoidance. This is a strategy of walking away from a risk—such as selling a business unit that gives rise to a risk, exiting from a risky geographical area, or dropping a product line.
o Reduction. A wide range of business decisions may be able to reduce certain risks.
o Sharing. Virtually all enterprises regularly share some of their risks through the purchase of insurance, but other risk-sharing techniques are available as well.
o Acceptance. This is the strategy of no action, such as when an enterprise self-insures by taking no action to reduce a potential risk.

COSO ERM Control Activities
ERM's control activities are the policies and procedures necessary to ensure action on identified risk responses. Although some of these activities may only relate to an identified and approved risk response in one area of the enterprise, they often overlap across multiple functions and units. In addition to the risk event identification, assessment, and response processes, risk monitoring requires the following steps:
(1) Develop a strong understanding of the significant risks and establish control procedures to monitor or correct for them.
(2) Create fire drill-type testing procedures to determine if those risk-related control procedures are working effectively.
(3) Perform tests of risk-monitoring processes to determine if they are working effectively and as expected.
(4) Make adjustments or improvements as necessary to improve risk-monitoring processes.
7.4 OTHER DIMENSIONS OF COSO ERM: ENTERPRISE RISK OBJECTIVES
Each component of COSO ERM operates in this three-dimensional space, where each must be considered in terms of the other related categories. The top-facing components of strategic, operations, reporting, and compliance risk objectives are important for understanding and implementing COSO ERM.

Operations Risk Management Objective
There are many types of operations risks that can impact an enterprise. Following the three-dimensional ERM framework, the operations-level risk objective calls for the identification of risks for each enterprise unit or component.

Reporting Risk Management Objective
This ERM objective covers the reliability of an enterprise's reporting, including the internal and external reporting of financial and nonfinancial data. Accurate reporting is critical to an enterprise's success in many dimensions.

Legal and Regulatory Compliance Risk Objectives
COSO ERM recommends that compliance-related risks be considered for each of the risk framework components, whether in the context of the internal environment, objective setting, or risk monitoring, as well as across the enterprise. These are important elements of the risk management framework that need to be communicated and understood.
7.5 ENTITY‐LEVEL RISKS
Entity-level risks are environmental-type risks that can affect multiple cycles and financial statement areas; risks recorded in an engagement file using one or more of the entity-level categories will appear in all risk reports (e.g., RRPT, the risk report at the top of all Risk Response Programs, etc.). Since risks are identified through organization-wide objective setting, they should be considered on an entity-wide basis as well as by individual operating units. Those individual unit risks should first be reviewed and consolidated to identify any key risks that may impact the overall organization. In addition, any organization-wide risks should be identified.

7.6 PUTTING IT ALL TOGETHER: AUDITING RISK AND COSO ERM PROCESSES
Given an enterprise's appetite for risk, the need to look at an enterprise's overall portfolio of risks, and the need to apply risk management within the context of overall strategy setting, COSO ERM provides an excellent platform for considering an enterprise's overall risk environment. Internal audit techniques for reviewing these processes include:
o Process flowcharting: This can be useful in describing how risk management operates in an enterprise. It requires looking at documentation prepared for risk-related processes, determining if it is correct given current conditions, and describing the overall adequacy of all levels of enterprise risk processes.
o Reviews of risk and control materials: An ERM process often results in a large volume of guidance materials, documented procedures, report formats, and the like. There may often be value in an internal audit review of the risk and control materials from an effectiveness perspective.
o Benchmarking: The process of looking at functions in another environment to assess their operations and to develop improved approaches based on the best practices of others.
o Questionnaires: Questionnaires can be sent out to designated stakeholders with requests for specific information. This is often a valuable internal audit technique.