P3: Risk Management

1 RISK AND RISK EXPOSURE

Risk is a condition: a quantifiable dispersion in the possible outcomes from any activity.
Fundamental risks – no one can control them
Particular risks – can be controlled
Speculative risk – the outcome can go in either of two directions
Pure risk – only a negative outcome
Downside risk
Upside risk

HAZARDS
A possible source of danger
Natural
Human caused, accidental or intentional

Contractual inadequacy risk – contractually obliged but unable to perform
Employee malfeasance risk – can be anything but fraud

DIVERSIFICATION OF RISKS
Managing risk by offsetting it with risks that might move in the opposite direction
Correlation risks – move in the same direction
Related risks – risks that are connected because they are caused by the same thing
Diversification – offsetting risks that are negatively correlated to balance their impact and likelihood

RISKS
• Strategic
• Operational
• Business
• Non-business
• Product
• Financial
• Information & IT
• Environmental
• Event
• Compliance (PESTEL)
• Stakeholder
• Wastage
• Investment
• Reputation & ethics
• Fraud
• Health and safety

RISK FACTORS
External events – economic changes, political developments, etc.
Internal events – human error, equipment failure, etc.
Leading event indicators – could give rise to an event
Escalation triggers – require immediate action

Strategic risks – volatility of performance over the longer term
Reputation and ethics is strategic
Information risks can create both kinds of risk
Financial risks – threat to going concern
Interest rate risk
Currency risk
Market risk – resources and the prices
Operational risks
Human error
Fraud
Loss of key personnel risk
Business interruptions
Non-compliance with regulations or internal procedures
Losses from the internal control system

The types of risk faced by an international business
Economic risk – foreign exchange movements
Market risk – value or availability fluctuates
Short vs long term positions – ST, LT
Translation risk – assets and liabilities
Transaction risk – income and expenditure
Political risk – government action, no access to a particular market
Product risk and cultural risk – the product might not be integrated as easily
Trading and credit risk – trading risk e.g. things going missing or damaged; credit risk, people not paying

Understand and assess the scale of the risk
Quantify
Regression – assigning a value is not simple
Simulation and scenario planning
Expected values – probability of loss x impact
Sensitivity analysis – NPV/PV
Risk mapping – qualitative techniques
Objective and subjective risk perception
Acceptability of risk – there will always be a trade off between acceptability and risk; ALARP (as low as reasonably practicable)
2 Managing risks

Severity / frequency matrix

                   Severity: Low        Severity: High
Frequency: Low     Accept               Transfer
Frequency: High    Control or reduce    Abandon or avoid

RISK AND RETURN
Commercial organisation
Higher risk should mean higher return.
Not possible to eliminate risk altogether.
Some organisations are not focused on profit.
Risk is always present

RISK TOLERANCE, APPETITE AND CAPACITY
Risk appetite – what you would aim for
Risk tolerance – risk that you can handle but don't aim for; you can still cope with it
Risk universe – risks beyond what you can handle; they exist
Risk capacity – the collection of assets and liabilities that help the organisation cope with the risks it faces

RISK APPROACH
Risk is always there and needs to be managed
The board of directors is responsible for determining how risk is managed.
Control environment
Internal control procedures

ATTITUDES TO RISK
Risk aversion – do not undertake the higher risk unless the higher level of return compensates for it
Risk seeking – only interested in the return; the higher the better

RISK COMMITTEE
• Ensure a system exists
• Set risk policy, assess risks
• Review internal audit work
• Review the risk register
• Advise the board

Executive directors and NEDs can lead the board

RISK MANAGER
• Leadership of enterprise risk management
• Establishing and promoting enterprise risk management
• Developing common risk management policies
• Establishing a common risk language
• Dealing with insurance companies
• Implementing risk indicators (such as designing early warning systems)
• Allocation of resources based on risk
• Reporting to the CEO / board / risk committee as appropriate
3 Strategy, reputation and risk

Strategic analysis
Strategic choice
Implementation
Review and control
Forecasting
Information, strategic intelligence, benchmarking

Forecasting methods
CONSENSUS FORECASTING
DELPHI METHOD
BRAINSTORMING
DERIVED DEMAND
RELATIONSHIP BETWEEN PARTIES
FORECAST
PROJECTION
EXTRAPOLATION

BOSTON CONSULTING GROUP (BCG) matrix

                            Relative market share: High   Relative market share: Low
Market growth rate: High    Star                          Question mark
Market growth rate: Low     Cash cow                      Dog

Other forms of disruption
Climate change
Brexit
Covid

Corporate objectives as a way to manage risk. Expressed in deliverable terms, these can determine if the strategies have been met.
Corporate mission statement: what the organisation wants to do and who the key stakeholders are.
Where you currently are: PESTEL, SWOT.
Data is important to help you understand where you are:
Product life cycle – shake-out phase when things start to change; maturity – do we have something that is going to keep customers engaged?
Competitive data
Economic data
Political data
Legal data
Social data
Technological data

Stakeholders
The risks that they might present. They can affect actions and policies.
Understanding stakeholders might not always be easy.
Level of interest and power.

Scenario planning
Track the changing influences and try to think about the impact they might have on the strategy.
An internally consistent view of what the future might turn out to be.
Macro scenarios – scenarios that model macroeconomic or political factors.

Understanding how people respond to the digital age
Digital natives – have always worked that way
Digital immigrants – people who knew the world before the digital age
How does technology disrupt strategy? Customers are more price conscious. All parts of businesses are affected by technology.

SCENARIO PLANNING AND DISRUPTION
Disruption – an interruption in the usual way that a system, process or event works. Something that gets in the way of the normal technology? Telephone calls on the internet. The use of cash.
Technology disrupts strategy: easier and cheaper ways to do things.
Disruptive innovation, new technology
Robotic process automation

PARTNERING
JOINT VENTURE
FRANCHISING
STRATEGIC ALLIANCE
INTERNAL PARTNERING
Partnering externally can bring risks such as reputation. Due diligence is carried out in an operational and financial way.

Competitive advantage and strategic choice
Porter generic strategies
Suitability
Acceptability – is it acceptable?
Feasibility – right skills? Financial, people
Global bazaar – less loyalty
Cautious capitalism – less trust

STRESS TESTING
LOAD TESTING – CAN COPE WITH ANTICIPATED LEVELS OF DEMAND
STRESS TESTING – CAN COPE WITH AS MUCH AS POSSIBLE
VALUE AT RISK – TRYING TO MEASURE THE MAXIMUM EXPECTED LOSSES THAT AN ORGANISATION CAN EXPECT BASED ON NORMAL PROBABILITY DISTRIBUTIONS
Stress testing the strategy itself
Bank of England – assess banks' profitability and capital ratios under a baseline macroeconomic scenario
The Dodd-Frank Act (US) – assess whether there is enough capital to withstand losses: BASELINE, ADVERSE AND SEVERELY ADVERSE scenarios
Banking: BASEL III – minimum amounts of capital required for banks to maintain their financial stability, better visibility of risks using systems of supervisory review, better levels of disclosure that encourage a market that is disciplined and not reckless
4 Governance risk

Corporate governance – relationship, structure, framework. The systems by which organisations are directed and controlled.
Best practice
Market factors
People

Organisation for Economic Cooperation and Development
How stakeholders are treated. Support governance. Disclosure, transparency and the way the board operates.
International Corporate Governance Network
Advises boards on what they should be doing.

Remuneration committee
Connected to performance

Role of non-executive directors
Strategy
Scrutiny
Risk
People
Advantages: Expertise; Assurance to third parties
Problems: Lack of independence and lack of effectiveness
In Japan there are three tiers of boards – policy (strategic), functional (operational) and monocratic (largely symbolic, for public relations purposes).

Board membership, roles and structure
Membership
Size
Inside/outside mix – the right balance of risk and internal oversight
Diversity – makes the business more effective

Company secretary
Admin of the business – board meeting organisation
This role is needed. Loyalty must be to the company and not to the individuals.

Shareholders – principals
Agents – directors
The issue comes from the fact that employees have their own interests, e.g. pay, and shareholders want to raise money. They could choose to hire fewer people to make more money, but this could have an impact.
The agency solution
Could remove directors from office
Consider forms of control
Employing consultants and appointing external auditors

Executive remuneration
Clarity
Simplicity
Risk
Predictability
Proportionality
Culture

Director's remuneration
Attract
Retain
Motivate
Fixed and variable elements
Cash and non-cash
Immediate and deferred elements
Long term and short term elements

Risks of poor corporate governance
Barings Bank
Enron
BHS
Sports Direct
Carillion

Corporate governance disclosures
G20/OECD
ICGN
SARBOX

Principles or rules
UK approach is the principles: comply or explain.
The US approach to corporate governance: SOX. Rules based; are people doing it for the right reasons or doing as little as they can?
5 Internal control systems

COSO Internal control – integrated components

Purpose of internal controls
Internal control is a process, something required from all people in the organisation.
Operational objectives
Reporting objectives
Compliance objectives

Components
Control environment – ethical values, the culture
Risk assessment
Control activities
Information and communication
Monitoring activities

Other senior roles to support
Risk management group
Language
Insurance
Indicators
Reporting

Who is involved
Internal and external audit
Line managers
Staff

Responsibility centres
Cost centres – only responsible for costs, managing the inputs or maximising outputs
Profit centres – income and expenditure
Investment centres – providing capital for investment; is the right system being used?

Ethical threats
Management responsibility – making and reviewing management decisions
Advocacy
Self-review
Self-interest
Intimidation
Familiarity

Assignment of authority and responsibility

Developments in management accounting
Just in time
Throughput accounting
Lean management accounting
Life cycle costing
Target costing
Kaizen
Economic value added (EVA) – calculates operating profit less an imputed charge for capital employed. Focuses on long term shareholder wealth.

Public sector and not for profit organisations
Economy
Efficiency
Effectiveness

What is management accounting?
Decision making, problem solving, forward planning, profit measurement, inventory valuation

Performance measures
Managerial – financial and non-financial performance measures
Operational – volume, timescales

Balanced scorecard
Financial
Customer
Innovation and learning
Internal business

The cost of quality
Total quality management
Budgeting
Costing systems
Performance measurement systems
Capital investment appraisal
Post completion audits
6 Risk management and internal control

COSO cube

Types of internal control
• Financial or non-financial
• Prevent, detect, correct, direct
• Input, process, output
• Outsourcing – ad hoc, project management, partial, total
• Service level agreements (SLAs) – timescale, service levels, change process, exit route

Control activities
Authorisation
Information processing
Performance review
Physical controls
Segregation of duties

Limitations of internal controls
• Costs – a pragmatic balance between cost and benefit
• Human error or fraud
• Non-routine events – the system can't cope
• Change – no longer fit to control

Information as a form of control
Critical success factors – these might change over time
Key performance indicators

Short term objectives
Quality
Customer service
Recruitment

Dysfunctional behaviour
People want to make themselves look as good as possible.
SMART objectives that suit are important
• Strategic management
• Tactical management
• Operational management

Most common forms of dysfunctional behaviour
• Tunnel vision – to the detriment of other areas
• Myopia – short-sightedness
• Measure fixation
• Misrepresentation – people lying that they have achieved certain targets
• Ossification – unwillingness to change

HOPWOOD, three management styles
Budget constrained – short term, manipulation
Profit conscious – hitting targets regardless
Non-accounting – doesn't fit within the financial framework you are dealing with

Types of information system
Office automation system – email or instant messaging system
Transaction processing systems – billing
Knowledge work systems – training
Management information systems – delivery reports
Enterprise resource planning system – supply, purchase, payroll and accounting functions
Strategic enterprise management system – process for value added activities
Decision support system – spreadsheet
Executive information system / executive support system – dashboard
Expert system – routing training

Systems development
Fit for purpose, make efficient use of resources
Feasibility – can it be done?
System investigation – what does it need?
Systems analysis – solutions
System design – detail so they know what they are doing
System implementation – tested in order for it to do what is intended

Implementation
It needs a sponsor and a steering committee.
Internal audit to get the understanding
Direct changeover
Parallel running
Pilot running
Phased changeover

What is the information required to do?
Big data
Volume
Veracity
Variety
Velocity
Variability
Validity
Vulnerability
Volatility
Visualisation
7 Internal audit

What is internal audit?
Degree of uncertainty whether this is effective
Individual processes and independence to ensure these are working effectively

Overall objectives of IA
SAFEGUARD ASSETS
COMPLIANCE
REDUCE OVERHEADS
EFFECTIVE CONTROLS
ACCOUNTING RECORDS
MANAGING RISK

Professionalism, authority, independence, resources
Ethical issues

Types of audits
Systems audit – tests and evaluates the internal controls within a system
Compliance audit – ensures performance conforms to a statutory, regulatory, policy or contractual requirement
Fraud investigations – investigate and detect; prevention and detection
Management audit
Social and environmental audit
Social audit – people are being used appropriately
Environmental – safeguarding the environment

CRESSEY TRIANGLE
Pressure
Opportunity
Rationalisation

Best value is achieved by attempting the four Cs
Challenge
Compare
Consult
Complete

External audit
Shareholders
Opinion on truth and fairness and compliance with laws and regulations
Laws and regulations, auditing standards, accounting standards

Internal audit needs to be planned
Testing via evidence gathering
Risk assessment
Inherent risk – susceptibility, e.g. cash
Control risk – control systems fail, are absent or inadequate
Detection risk – IA does not detect errors
Residual risk – what is acceptable according to the business's risk appetite

Value for money
Economy
Efficiency
Effectiveness
Best value – value for money, getting the most out of each pound?
Benchmarking

Testing
Walk through – what the system includes
Test of control – determine whether controls are operating
Substantive testing – verifying the amount, e.g. analytical review procedures
Enquiry, inspection, observation, recalculation or computation, confirmation, reperformance
Analytical review – ratios, qualitative. Analytical reviews analyse data to identify trends, errors or issues.

How to deliver internal audit
Do we need internal audit? Some cases might not need one on a regular basis.
Could outsource internal audit

Auditing in an information systems environment
Auditing computer systems
Understand the system
Identify how the system can be tested
Computer assisted audit techniques – application of auditing procedures using the computer as an auditing tool

Internal audit reports
The business objective that the manager is aiming to achieve
The operational standard
Observations of actual performance against the standard, including any control weaknesses
The causes of the weaknesses
The effect of the weaknesses
Recommendations to address the weaknesses
8 Cybersecurity threats

Information system risks
Cybersecurity – the practice of protecting systems, networks and programs from digital attacks

Nature and impact of cybersecurity risks
Sensitive information
Customer personal data
Supplier data
Employee data
Financial records
etc.

Cybersecurity objectives
AIC
AVAILABILITY
CONFIDENTIALITY
INTEGRITY OF DATA
INTEGRITY OF PROCESSING
ESTABLISHING, MAINTAINING AND APPROVING OBJECTIVES

ORGANISATIONAL CHARACTERISTICS
Technologies – online? Hardware?
Connection types and service providers, cloud based computing; could we outsource instead of a big investment in this?
Delivery channels

Cybersecurity risks
PESTEL

MALWARE THREATS AND DEFENCES
MALWARE – MALICIOUS SOFTWARE
VIRUS – ATTACHES ITSELF TO OTHER SOFTWARE
WORM – DOESN'T NEED TO BE ACTIVATED
TROJANS – INVADE, LOOK HARMLESS, OPERATE SOMETHING THAT IS NOT VISIBLE
BOT – ACTIVITY DATA RECORDED

DEFENCES AGAINST MALWARE
Firewall
Back up copies
Gatekeeping – limiting the access

Web application attacks
Phishing
Ransomware
Distributed denial of service attack – bombarding the system with more than it can cope with
Structured Query Language (SQL) injection – sensitive data accessed
XSS attacks – malware passed onto a site
Buffer overflow attacks – bombarding the system

Ethical hacker
Unethical hacker
Social engineering – exploiting someone's trust
Grey-hat hacker – could be a good or bad guy
Bug bounty
Dumpster diving

OPPORTUNITIES FROM ETHICAL, UNETHICAL AND GREY HAT HACKERS
Train people through simulations

ROBERT CIALDINI
RECIPROCATION – DESIRE TO REPAY A GOOD DEED
COMMITMENT AND CONSISTENCY – AVOIDING HYPOCRISY
SOCIAL PROOF – MIMICKING THE BEHAVIOUR OF OTHERS AROUND
LIKING – BEHAVING THE SAME WAY AS PEOPLE THEY LIKE
AUTHORITY – OBEYING SOMEONE WHO IS IN CHARGE
SCARCITY – SHORTAGE OF SOMETHING CAN MAKE IT SEEM IMPORTANT
9 Cybersecurity process

AICPA framework
PROTECTION
DETECTION
RESPONSE – proactive and reactive
Has to start at the top of the organisation. It has to be part of the culture.

Cybersecurity risk governance structure
Hiring and developing the right personnel
How the board is able to oversee the cybersecurity team
Monitoring and reporting
Connection – considering all parts of the business and everything that interacts with you digitally
Developing a cybersecurity policy
Communicating cybersecurity policies
Information security system
Zero day attack – spotted on day 1; cannot be found before
Starters, leavers and movers process
Centralised management of cybersecurity controls
Disaster planning
Hot back up sites
Warm back up sites
Cold back up sites
Mirror sites
Computer incident response team
Firewalls
Email – what can we do to make us as cyber safe as possible?
Passwords – policy
Back up controls

Protection against malware
Risks from vendors and business partners
Strategic
Operational – due diligence
Financial
Monitoring
Back ups
Contingency plans
Network configuration management
Monitoring
Back ups
Contingency planning
Reconnaissance – being aware of how you appear to those outside your organisation
Simulation – assume that you will be hacked at some point
Digital identity – find ways of identifying everyone
Patch management – a software update that addresses a known vulnerability
Certificates – authenticate messages or transactions. Man in the middle attacks are what this prevents.
Encryption – scrambling the data at one end of a communication channel, transmitting the scrambled data
Business continuity planning
Physical and environmental security
Blockchain
Cryptocurrencies – accessed through data mining
Crypto jacking – remotely and illegally obtaining cryptocurrency via an innocent third party's computer that has usually been infected by malware
Personnel cybersecurity planning
Supplier management
Asset management
Information governance
Training and awareness
Regulations
Identify members of staff if required

General controls
Application controls
Software controls
Network controls
Division of responsibilities in the data processing department
End user computing
Computer support department
Centralised monitoring of cybersecurity controls

ISO 27001
Methodology consistency
Assessment of all potential data risks
TARA
Report covering all results
Weaknesses
Consistent trends in CS events
Training
A root cause
10 Cybersecurity tools, techniques and reporting

Cybersecurity tools and techniques
Forensic analysis – the application of science and technologies to investigate crime: cause, culprits and consequences.
Forensic analysis of the storage, has it
International Association of Chiefs of Police
Connections with the internet.
Malware analysis – techniques might require something more scientific
Reverse engineering – allowing you to understand by taking it apart
Decompilation – simpler for humans to use
Disassembly – more difficult for humans to read

Responding to malware
Important for someone to be skilled at this.
Tier 1 software – stop
Tier 2 software – stop and alert
Tier 3 software – stop, alert, protect

Penetration testing = probing for vulnerabilities.
White box testing – access
Grey box testing – some access
Black box testing – no access
Someone from internal audit can look into this
Software security

Cyber-risk reporting frameworks
Risk reporting and governance
NCSN cybersecurity reporting needs
Cybersecurity risk management program (CRMP) – cost vs benefit approach, component driven, system driven

SOC for cybersecurity
Description
Control
Attestation – third-party independent certified public accountants

Contents of an SOC for cybersecurity report
Description of criteria
Controls
Opinion of CPAs

SOC 2 – used by service organisations that might provide outsourced services
• To assess their service organisation controls
• SOC 2 criteria
• Description criteria
• Written assertion
• Must be AICPA trust services criteria

Contents of a SOC 2 report
WRITTEN ASSERTIONS BY THE SERVICE ORGANISATION'S MANAGEMENT
OPINION FROM CPA – DESCRIPTION, CONTROLS
DETAILED DESCRIPTION OF TESTS CARRIED OUT BY CPA