1. Organizations should be aware of compliance requirements and regulatory risks in their industry to avoid penalties.
2. It is important for organizations to identify compliance, hazard, control, and opportunity risks and include them in risk management.
3. Organizations seek to minimize compliance and hazard risks, manage control risks, and embrace opportunities to enhance their objectives.
RISK MANAGEMENT

DEFINITIONS OF RISK
- The uncertainty of an event occurring that could have an impact on the achievement of the objectives. Risk is measured in terms of consequences and likelihood. - Institute of Internal Auditors (IIA)
- Risk is the effect (positive or negative) of uncertainty on an organization's objectives. - Association of Certified Fraud Examiners (ACFE)
- Risk is the combination of the probability of an event and its consequence. Consequences can range from positive to negative. - Institute of Risk Management (IRM)
- Effect of uncertainty on objectives. Note that an effect may be positive, negative, or a deviation from the expected. Also, risk is often described by an event, a change in circumstances or a consequence. - ISO Guide 73, ISO 31000
- The Oxford English Dictionary definition of risk is as follows: 'a chance or possibility of danger, loss, injury or other adverse consequences'.

TYPES OF RISK
- Risk may have positive or negative outcomes or may simply result in uncertainty; therefore, risks may be considered related to an opportunity, a loss, or the presence of uncertainty for an organization.
- Every risk has its own characteristics that require particular management or analysis.
1. Compliance risk (mandatory risk)
2. Hazard risk (pure risk)
3. Control risk (uncertainty risk)
4. Opportunity risk (speculative risk)

COMPLIANCE RISK (MANDATORY RISK)
The risk of legal or regulatory sanctions, material financial loss, or loss to reputation an organization may suffer because of its failure to comply with laws, regulations, rules, related self-regulatory organization standards, and codes of conduct applicable to its activities.

Organization seeks to minimize compliance risk
- All organizations should be aware of the wide range of compliance requirements that they have to fulfil. These compliance requirements vary considerably between business sectors, and many sectors are highly regulated with their own dedicated regulator for the industry or sector.
- Failure to comply with regulatory requirements may result in the 'license to operate' being withdrawn by the regulator.
- It is important for organizations to recognize their compliance risks and include consideration of these risks in their risk management activities.
- Organizations will work towards ensuring full compliance with all applicable rules and regulations and, thereby, minimize the compliance risks.

HAZARD RISK (PURE RISK)
Risk that can only result in negative outcomes. Associated with a source of potential harm or a situation with the potential to undermine objectives in a negative way.

Organization seeks to mitigate hazard risk
- Organizations should minimize safety risks to the lowest level that is cost-effective and in compliance with the law.
- As an example, most organizations will suffer a low level of petty theft, and this may be tolerable. The cost of eliminating this petty theft may be very large, and so it becomes cost-effective for the organization to accept that these losses will occur.
- The range of hazard risks that can affect an organization needs to be identified, because hazard risks can result in unplanned disruption for the organization.
- The desired state in relation to hazard risk management is that there should be no unplanned disruption or inefficiency for any reason.

CONTROL RISK (UNCERTAINTY RISK)
Risks that give rise to uncertainty about the outcome of a situation. Associated with unknown and unexpected events.

Organization seeks to manage control risk
- When looking to develop appropriate responses to control risks, the organization must make the necessary resources available to identify the controls, implement the controls and respond to the consequences of any control risk materializing.
- The nature of control risks and the appropriate responses depend on the level of uncertainty and the nature of the risk.
- Uncertainty represents a deviation from the required or expected outcome.
- Deviation from the anticipated benefits of a project represents uncertainties that can only be accepted within a certain range.
- Control risk management is concerned with reducing the uncertainty associated with significant risks and reducing the variability of outcomes.
- The purpose of control risk management is to reduce the variance between anticipated outcomes and actual results.

OPPORTUNITY RISK (SPECULATIVE RISK)
Risk deliberately taken by organizations to achieve a positive return or result.
Two main aspects associated with opportunity risks:
1. there are risks/dangers associated with taking an opportunity, and
2. the risks associated with not taking the opportunity.
- Opportunity risks (OR) relate to the relationship between risk and return; the purpose is to take action that involves risk to achieve positive gains.
- OR may not be visible or physically apparent, and they are often financial in nature.

Organization seeks to embrace opportunity risk
- Opportunity risks are the type of risk with potential to enhance (although they can also inhibit) the achievement of the mission of the organization.
- All organizations have some appetite for seizing opportunities and are willing to invest in those opportunities.
- Every organization will need to decide what appetite it has for seizing new opportunities, and the level of investment that is appropriate.
- The board of the company should be aware of the fact that, although they may have an appetite for seizing the opportunity, the organization might not have the risk capacity to support that course of action.
- Opportunity management is the approach that seeks to maximize the benefits of taking entrepreneurial risks.
- The desire is to maximize the likelihood of a significant positive outcome from investments in business opportunities.

INHERENT LEVEL OF RISK
- This is the level of the risk before any actions have been taken to change the likelihood or magnitude of the risk.
- It is an assessed level of raw or untreated risk; that is, the natural level of risk inherent in a process or activity without doing anything to reduce the likelihood or mitigate the severity of a mishap, or the amount of risk before the application of the risk reduction effects of controls.
- Identifying the inherent level of the risk makes it possible to identify the importance of the control measures in place.
- The guidance from the IIA has previously stated that: 'in the risk assessment, we look at the inherent risks before considering any controls'.

DEFINITION OF RISK MANAGEMENT
- The process of determining the maximum acceptable level of overall risk to and from a proposed activity,
  - using RISK ASSESSMENT TECHNIQUES to determine the initial level of risk and,
  - if this is EXCESSIVE, developing a strategy to ameliorate appropriate individual risks until the overall level of risk is reduced to an acceptable level.
- Process which aims to help organizations understand, evaluate and take action on all their risks with a view to increasing the probability of success and reducing the likelihood of failure. - Institute of Risk Management (IRM)
- Risk management is the process of evaluating the chance of loss or harm and then taking steps to combat the potential risk.
- Coordinated activities to direct and control an organization with regard to risk. - ISO Guide 73 BS 33100
- A systematic and logical process, during which organizations manage risk by identifying it, analyzing it and then evaluating whether the risk should be modified by risk treatment in order to satisfy their risk criteria.

OBJECTIVES OF RISK MANAGEMENT
a. Mandatory obligations placed on the organization: The basic objective for any risk management initiative is to ensure conformity with applicable rules, regulations and mandatory obligations.
b. Assurance regarding the management of significant risks: The board and audit committee of an organization will require assurance that risk management and internal control activities are complied with.
c. Decisions that pay full regard to risk considerations: Risk management activities should ensure that appropriate risk-based information is available to support decision making.
d. Effective and efficient core processes: Risk management considerations will assist with achieving effective and efficient strategy, tactics, operations and compliance to ensure the best outcome with reduced volatility of results.

PRINCIPLES OF RISK MANAGEMENT (ISO 31000)
1. RM creates and protects value.
2. RM is an integral part of all organizational processes.
3. RM is part of decision making.
4. RM explicitly addresses uncertainty.
5. RM is systematic, structured and timely.
6. RM is based on the best available information.
7. RM is tailored.
8. RM takes human and cultural factors into account.
9. RM is transparent and inclusive.
10. RM is dynamic, iterative and responsive to change.
11. RM facilitates continual improvement of the organization.

IMPORTANCE OF RISK MANAGEMENT
- RM can also contribute to the provision of greater assurance to stakeholders, as well as assisting with better decision making and improved efficiency.
- The directors of any organization need to be confident that risks have been identified and that appropriate steps have been taken by the management to manage risk to an appropriate level.
- RM has become more important because of increasing stakeholder expectations and the ever-increasing ease of communication.
- RM has taken on an increasingly high profile in recent times, because of the global financial crisis and the number of high-profile corporate failures across the world that preceded it.
- RM is also important for accurate reporting of information by organizations, including risk information, as stakeholders require detailed information on company performance, including risk awareness.
- The Sarbanes–Oxley Act of 2002 (SOX) in the United States has accuracy of financial reporting as its main requirement. It brings the issue of the accurate reporting of results to a higher priority (section 404), whilst also requiring full and accurate disclosure of all information about the organization (section 302).