RISK MANAGEMENT - All organizations should be aware of the wide range of
compliance requirements that they have to fulfil, and
DEFINITIONS OF RISK
- The uncertainty of an event occurring that could have
an impact on the achievement of the objectives. Risk is
measured in terms of Consequences and likelihood. -
Institute of Internal Auditors (IIA)
- Risk is the effect (positive or negative) of Uncertainty
on an organization’s objectives. – Association of
Certified Fraud Examiners (ACFE)
- Risk is the combination of the probability of an event
and its consequence. Consequences can Range from
positive to negative. - Institute of Risk Management
(IRM)
- Effect of uncertainty on objectives. Note that an effect
may be positive, negative, or a deviation from the
expected. Also, risk is often described by an event, a
change in circumstances or a consequence. ISO Guide
73, ISO 31000
- The Oxford English Dictionary definition of risk is as
follows: ‘a chance or possibility of Danger, loss, injury
or other adverse consequences
TYPES OF RISK
- Risk may have positive or negative outcomes or may
simply result in uncertainty; therefore, risks may be
considered related to an opportunity or a loss or the
presence of uncertainty for an organization.
- Every risk has its own characteristics that require
particular management or analysis.
1. Compliance risk (mandatory risk)
2. Hazard risk (pure risk)
3. Control risk (uncertainty risk)
4. Opportunity risk (speculative risk)
COMPLIANCE RISK (MANDATORY RISK)
The risk of legal or regulatory sanctions, material financial
loss, or loss to reputation an organization may suffer
because of its failure to comply with laws, regulations,
rules, related self-regulatory organization standards, and
codes of conduct applicable to its activities.
Organization seeks to minimize compliance risk
these compliance requirements vary considerably
between business sectors, and many sectors are highly
regulated with their own dedicated regulator for the
industry or sector.
- Failure to comply with regulatory requirements may
result in the ‘license to operate’ being withdrawn by the
regulator
- It is important for organizations to recognize their
compliance risks and include consideration of these
risks in their risk management activities
- Organizations will work towards ensuring full
compliance with all applicable rules and regulations
and, thereby, minimize the compliance risks
HAZARD RISK (PURE RISK)
Risk that can only result in negative outcomes.
Associated with a source of potential harm or a situation
with the potential to undermine objectives in a negative
way.
Organization seeks to mitigate hazard risk:
- Organizations should minimize safety risks to the
lowest level that is cost-effective and in compliance
with the law.
- As an example, most organizations will suffer a low
level of petty theft, and this may be tolerable. The cost
of eliminating this petty theft may be very large and so
it becomes cost-effective for the organization to accept
that these losses will occur
- The range of hazard risks that can affect an
organization needs to be identified because Hazard
risks can result in unplanned disruption for the
organization
- The desired state in relation to hazard risk
management is that there should be no unplanned
disruption or inefficiency from any reasons.
CONTROL RISK (UNCERTAINTY RISK)
Risks that give rise to uncertainty about the outcome of a
situation. Associated with unknown and unexpected
events
Organization seeks to manage control risk
- When looking to develop appropriate responses to
control risks, the organization must make the necessary
resources available to identify the controls, implement
 the controls and respond to the consequences of any
control risk materializing
- The nature of control risks and the appropriate
responses depend on the level of uncertainty and the
nature of the risk.
- Uncertainty represents a deviation from the
required or expected outcome.
- Deviation from the anticipated benefits of a
project represents uncertainties that can
only be accepted within a certain range.
- Control risk management is concerned with reducing
the uncertainty associated with significant risks and
reducing the variability of outcomes.
- The purpose of control risk management is to reduce
the variance between anticipated outcomes and actual
results.
OPPORTUNITY RISK (SPECULATIVE RISK)
Risk deliberately taken by organizations to achieve a
positive return or result
Two main aspects associated with opportunity risks
1. there are risks/ dangers associated with taking an
opportunity, and
2. the risks associated with not taking the opportunity.
OR relate to the relationship between Risk and Return
- the purpose is to take action that involves risk to
achieve positive gains
OR may not be visible or physically apparent, and they are
often financial in nature
Organization seeks to embrace opportunity risk
- Opportunity risks are the type of risk with potential to
enhance (although they can also inhibit) the
achievement of the mission of the organization.
- All organizations have some appetite for seizing
opportunities and are willing to invest to those
opportunities
- Every organization will need to decide
what appetite it has for seizing new
opportunities, and the level of investment
that is appropriate
- The board of the company should be aware
of the fact that, although they may have an
appetite for seizing the opportunity, the
organization might not have the risk
capacity to support that course of action.
- Opportunity management is the approach that seeks
to maximize the benefits of taking entrepreneurial risks
- The desire is to maximize the likelihood of a
significant positive outcome from investments in
business opportunities.
INHERENT LEVEL OF RISK
- This is the level of the risk before any actions have
been taken to change the likelihood or magnitude of the
risk
- It is an assessed level of raw or untreated risk; that is,
the natural level of risk inherent in a process or activity
without doing anything to reduce the likelihood or
mitigate the severity of a mishap, or the amount of risk
before the application of the risk reduction effects of
controls
- Identifying the inherent level of the risk makes it
possible to identify the importance of the control
measures in place
The guidance from the IIA has previously stated that: ‘in
the risk assessment, we look at the inherent risks before
considering any controls.
DEFINITION OF RISK MANAGEMENT
- The process of determining the maximum acceptable
level of overall risk to and from a proposed activity,
- using RISK ASSESSMENT TECHNIQUES to
determine the initial level of risk and,
- if this is EXCESSIVE, developing a strategy to
ameliorate appropriate individual risks until the overall
level of risk is reduced to an acceptable level.
- Process which aims to help organizations understand,
evaluate and take action on all their risks with a view to
increasing the probability of success and reducing the
likelihood of failure. - Institute of Risk Management
(IRM)
- Risk management is the process of evaluating the
chance of loss or harm and then taking steps to combat
the potential risk.
- Coordinated activities to direct and control an
organization with regard to risk - ISO Guide 73 BS
33100
- A systematic and logical process, during
which organizations manage risk by
identifying it, analyzing and then
evaluating whether the risk should be
modified by risk treatment in order to
satisfy their risk criteria)
OBJECTIVES OF RISK MANAGEMENT
a. Mandatory obligations placed on the
organization: The basic objective for any risk
management initiative is to ensure conformity with
applicable rules, regulations and mandatory
obligations
b. Assurance regarding the management of
significant risks: The board and audit committee
of an organization will require assurance that risk
management and internal control activities are
complied.
c. Decisions that pay full regard to risk
considerations: Risk management activities should
ensure that appropriate risk-based information is
available to support decision making.
d. Effective and efficient core processes: Risk
management considerations will assist with
achieving effective and efficient strategy, tactics,
operations and compliance to ensure the best
outcome with reduced volatility of results.
PRINCIPLES OF RISK MANAGEMENT (ISO 31000)
1. RM creates and protects value.
2. RM is an integral part of all organizational
processes;
3. RM is part of decision making;
4. RM explicitly addresses uncertainty;
5. RM is systematic, structured and timely;
6. RM is based on the best available information;
7. RM is tailored;
8. RM takes human and cultural factors into account;
9. RM is transparent and inclusive;
10. RM is dynamic, iterative and responsive to change;
11. RM facilitates continual improvement of the
organization.
IMPORTANCE OF RISK MANAGEMENT
- RM can also contribute to the provision of greater
assurance to stakeholders, as well as assisting with
better decision making and improved efficiency
- The directors of any organization need to
be confident that risks have been identified
- Appropriate steps have been taken by the
management to manage risk to an
appropriate level
- RM has become more important because of increasing
stakeholder Expectations and the ever-increasing ease
of communication.
- RM has taken on an increasingly high profile in recent
times, because of the global financial crisis and the
number of high-profile corporate failures across the
world that preceded it.
- RM is also important for accurate reporting of
information by organizations, including risk
information, as stakeholders require detailed
information on company performance, including risk
awareness
- The Sarbanes–Oxley Act of 2002 (SOX) in
the United States has accuracy of financial
reporting as its main requirement
- It brings the issue of the accurate reporting
of results to a higher priority (section 404),
whilst also requiring full and accurate
disclosure of all information about the
organization (section 302)