Fundamental Concepts of Risk Management

Learning Objectives

a) Explain different definitions of Risk and Risk Management
b) Discuss globally accepted frameworks on risk management and internal control (i.e., COSO, ISO 31000, CoCo, COBIT)
c) Discuss the Risk Management Process according to COSO
Overview

Objectives: defined, intended outcomes
Controls: increase the likelihood of achieving objectives
Risks: the possibility of an event occurring that will have an impact on the achievement of objectives
Governance: ensures the entity effectively and efficiently directs itself toward meeting the objectives
Illustration

Objective: wake up at 4:30am to go to school as early as possible
Risks: oversleeping; insomnia
Controls: set up an alarm clock; drink milk or take herbal sleeping medicine; inform other people
Governance: parents advise you before you sleep; sermon
What is risk?

Risk: the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.
Definition of Terms

Residual Risk: the risk that remains after a risk response
Opportunity: the possibility that an event will occur and positively affect the achievement of objectives
Risk Appetite: the amount of risk an entity is willing to accept in pursuit of value
Risk Tolerance: the specific maximum risk that an organization is willing to take regarding each relevant risk

Recognition

A risk should read as if something went wrong and what the impact of this would be.

Example: Unauthorized changes are made to the payroll master data, resulting in payments to fictitious employees.
Risk Management: Definition of Terms

COSO ERM - Integrated Framework
- Enterprise Risk Management (ERM) - Integrated Framework
- Published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)
- A structure which defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.
[Figure: the Audit Universe at the centre, surrounded by the risk areas it covers: Major initiatives; Financial reporting; Supply Chain; Mergers, Acquisitions and divestiture; Information Technology; Strategic Planning; Operations; People/Human Resources; Resource Allocation; Compliance; Governance; Hazards; Communication and investor Relations; Physical Assets; Code of Conduct; Regulatory; Legal]
Assessing a risk involves:
- Estimating its significance/impact
- Assessing its likelihood
- Considering the means to manage it

Risk Modeling
- Qualitative methods – listing, ranking and mapping
- Quantitative methods – probabilistic models, weighted models, e.g. assessing how risks affect earnings
Risk map (qualitative): rating by Impact (rows) against Likelihood (columns)

                     Likelihood
Impact          Low    Moderate    High
High             M        H          H
Moderate         L        M          H
Low              L        L          M
Risk Avoidance: ends the activity from which the risk arises
Ex. The risk of having a pipeline sabotaged can be avoided by selling the pipeline.

Risk Retention: accepts the risk of an activity
Ex. Self-insurance; sinking funds (a fund formed by periodically setting aside money for the gradual repayment of a debt or replacement of a wasting asset).

Risk Reduction: lowers the level of risk associated with an activity
Ex. The risk of systems penetration (hacking) can be reduced by maintaining a robust information security function within the entity.

Risk Sharing: transfers some of the loss potential
Ex. The risk of a car crash can be shared through insurance, hedging, joint ventures, outsourcing.

Risk Exploitation: pursues a high return on investment
Ex. The risk of winning or losing a lottery.
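The risk map, the quantitative modelling bullet and the risk responses above can be tied together in a small risk register. The following Python is an added example written for this page, not material from the slides or from COSO: it encodes the slide's 3x3 impact/likelihood map, adds a simple frequency-times-magnitude model for expected annual loss, compares each risk against a per-risk tolerance, and derives the residual risk left by a reduction or sharing response. The register entries, monetary amounts, tolerances and the rule that a response moves the qualitative level down one step are all constructed assumptions for illustration; only the two risk statements come from the slides.

```python
from dataclasses import dataclass, replace

# Qualitative scale used on the slide. Index order matters for the matrix lookup.
LEVELS = ("Low", "Moderate", "High")

# Heat map from the slide: one row per impact level, one cell per likelihood
# level in LEVELS order (Low, Moderate, High likelihood).
HEAT_MAP = {
    "High":     ("M", "H", "H"),
    "Moderate": ("L", "M", "H"),
    "Low":      ("L", "L", "M"),
}
RATING_ORDER = {"H": 3, "M": 2, "L": 1}


def qualitative_rating(impact: str, likelihood: str) -> str:
    """Map (impact, likelihood) onto the L/M/H cell of the slide's heat map."""
    if impact not in LEVELS or likelihood not in LEVELS:
        raise ValueError(f"impact and likelihood must be one of {LEVELS}")
    return HEAT_MAP[impact][LEVELS.index(likelihood)]


def lower_level(level: str, steps: int = 1) -> str:
    """Move a qualitative level down by `steps`, never below Low (assumed rule)."""
    return LEVELS[max(0, LEVELS.index(level) - steps)]


@dataclass(frozen=True)
class Risk:
    statement: str          # worded as "something went wrong ... resulting in ..."
    impact: str             # qualitative impact level
    likelihood: str         # qualitative likelihood level
    events_per_year: float  # quantitative: expected occurrences per year (assumed estimate)
    loss_per_event: float   # quantitative: expected loss per occurrence (assumed estimate)
    tolerance: float        # risk tolerance: maximum expected annual loss accepted for this risk

    def rating(self) -> str:
        return qualitative_rating(self.impact, self.likelihood)

    def expected_annual_loss(self) -> float:
        # Simplest probabilistic model: frequency multiplied by magnitude.
        return self.events_per_year * self.loss_per_event

    def exceeds_tolerance(self) -> bool:
        return self.expected_annual_loss() > self.tolerance


def rank_register(risks: list) -> list:
    """Rank by qualitative rating first (H before M before L), then by expected annual loss."""
    return sorted(
        risks,
        key=lambda r: (RATING_ORDER[r.rating()], r.expected_annual_loss()),
        reverse=True,
    )


def reduce_risk(risk: Risk, frequency_factor: float, likelihood_steps: int = 1) -> Risk:
    """Risk reduction: a control lowers likelihood. The returned Risk is the residual risk."""
    return replace(
        risk,
        likelihood=lower_level(risk.likelihood, likelihood_steps),
        events_per_year=risk.events_per_year * frequency_factor,
    )


def share_risk(risk: Risk, retained_fraction: float, impact_steps: int = 1) -> Risk:
    """Risk sharing (e.g. insurance): part of each loss is transferred, lowering impact."""
    return replace(
        risk,
        impact=lower_level(risk.impact, impact_steps),
        loss_per_event=risk.loss_per_event * retained_fraction,
    )


# Constructed sample register: the first two statements are the slides' own examples;
# the levels, amounts and tolerances are made up for illustration.
REGISTER = [
    Risk("Unauthorized changes are made to the payroll master data, resulting in "
         "payments to fictitious employees",
         impact="High", likelihood="Moderate",
         events_per_year=0.5, loss_per_event=200_000, tolerance=50_000),
    Risk("Systems penetration (hacking) results in disclosure of customer records",
         impact="High", likelihood="High",
         events_per_year=1.0, loss_per_event=300_000, tolerance=100_000),
    Risk("Printer outage results in delayed internal reports",
         impact="Low", likelihood="High",
         events_per_year=6.0, loss_per_event=500, tolerance=10_000),
]


if __name__ == "__main__":
    for r in rank_register(REGISTER):
        flag = "EXCEEDS TOLERANCE" if r.exceeds_tolerance() else "within tolerance"
        print(f"[{r.rating()}] EAL={r.expected_annual_loss():>10,.0f}  {flag}  {r.statement}")
    residual = reduce_risk(REGISTER[1], frequency_factor=0.2)
    print(f"After reduction: [{residual.rating()}] EAL={residual.expected_annual_loss():,.0f}")
```

Running the script ranks the hacking risk above the payroll risk (both "H" on the map, but a larger expected annual loss) and flags both as exceeding their tolerance; the printer outage rates "M" and stays within tolerance. Applying a reduction that cuts the hacking frequency to a fifth leaves a residual risk that is still "H" on the map yet now within its tolerance, which is exactly why a register should carry both the qualitative rating and the quantitative figure rather than one or the other.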