Risk Management Processes

Enterprise risk management is a process, effected by an entity’s board of directors, management and other
personnel, applied in strategy setting and across the enterprise, designed to identify potential events that
may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance
regarding the achievement of entity objectives.

OBJECTIVES OF RISK MANAGEMENT

2120—Risk Management
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk
management processes.

Determining whether risk management processes are effective is a judgment resulting from the internal
auditor’s’ assessment that:
• Organizational objectives support and align with the organization’s mission;
• Significant risks are identified and assessed;
• Appropriate risk responses are selected that align risks with the organization’s risk appetite; and
• Relevant risk information, is captured and communicated in a timely manner across the
organization,
 enabling staff, management, and the board to carry out their responsibilities .

2120.A1—The internal audit activity must evaluate risk exposures relating to the organization’s
governance, operations, and information systems regarding the:
• Reliability and integrity of financial and operational information.
• Effectiveness and efficiency of operations.
• Safeguarding of assets; and
• Compliance with laws, regulations, and contracts.

COSO states their objectives of risk management separately:

This enterprise risk management framework is geared to achieving an entity’s objectives, set forth in
four categories:
• Strategic—high-level goals, aligned with and supporting its mission
• Operations—effective and efficient use of its resources
• Reporting—reliability of reporting
• Compliance—compliance with applicable laws and regulations

ESSENTIAL COMPONENTS OF EFFECTIVE RISK MANAGEMENT

1. Internal Environment
2. Objective Setting
3. Event Identification
4. Risk Assessment
5. Risk Response
 6. Control Activities
7. Information and Communication
8. Monitoring

THE SCOPE OF INTERNAL AUDIT’S ROLE IN RISK MANAGEMENT

TOOLS FOR RISK MANAGEMENT

Risk Matrix
Risk is usually defined as the possibility that an event will occur (that is, a threat will materialise) and
adversely affect the achievement of objectives. It is measured in terms of the degree of likelihood that
the event might occur, coupled with the probable impact should the event occur.
The circle represents either the inherent risk (which is the level of risk that the organisation would be
exposed to if there were no mitigating measures in place) or the gross risk (which is the level that the
organisation is exposed to if it takes no further mitigating actions). The triangle is the level of risk
remaining after the chosen mitigating actions have been introduced and applied.

Appropriate Ways of Mitigating Risk

A. An inherent risk judged to be within quadrant A of the graph is very likely to occur and to
have a large impact on the organisation. Overlaid upon a judicious application of control
approaches appropriate to the mitigation of inherent risks plotted as being within the other
quadrants of the graph, there must be constant attention to the mitigation of this threat by
top management, with review by the board.
B. An inherent risk within quadrant B is not very likely to occur but will have a large impact on
the organisation were it to occur. There are alternative control approaches here. The
organisation may seek to terminate this risk, for instance by having duplicate data centres in
different geographic regions, so that a physical disaster or a withdrawal of staff at one
location will enable essential data processing to continue at the other location.
Alternatively, or additionally, the organisation may develop and test a contingency plan,
thereby putting in place the exceptional measures that will be followed contingent upon the
threat materialising.
C. An inherent risk plotted as being within quadrant C is one that is very likely to occur,
perhaps repeatedly, in the absence of measures to mitigate the risk, but is unlikely to have a
large impact on the business. An example might be invoicing with incorrect unit prices.
Clearly it is necessary to get these things right first time, and so organisations largely depend
on control procedures (what COSO calls “control activities”) to achieve this.
D. A risk in quadrant D has been judged not very likely to occur and of no great likely
significance if it does. It is likely to be enough to develop and apply monitoring measures
which are largely intended to check that the threat remains within this quadrant and so
does not require other mitigation approaches to contain the threat. Monitoring may be a
matter of management reviewing exception reports, of software monitoring exceptions and
trends over time, of the compliance function reviewing processes and outturns, and so on
A More Sophisticated Example of a Risk Matrix
RISK REGISTER
The risk register approach is less visual in its representation, but is widely used to create and maintain a
record of threats and their management at all levels and in all parts of the organisation. The risk register
allows a more detailed description of the approaches being taken to manage risks.