We know that decisions are taken on the basis of forecasts, which in turn depend on
future events whose occurrence cannot be anticipated or predicted with absolute
certainty because of various factors, e.g., economic, social, political, etc. That is why the
question of risk and uncertainty arises in the business world, although its degree varies
from one investment proposal to another.
Therefore, while evaluating investment proposals care should be taken about the
effect that their acceptance may have on the firm’s business risk as apprehended by
the creditors and/or investors. As such, the firm should always prefer a less risky
investment proposal than a more risky one.
In short, risk may be defined as the degree of uncertainty about an income. Risk is a
characteristic of the investment opportunity and has nothing to do with the attitude of
investors. Consider the following two investment opportunities, viz., X and Y, which
have the possible payoffs presented in Table 7.1 below depending on the state of the
economy.
(Assume that the three states of the economy are equally likely.)
From Table 7.1 presented above, it becomes clear that the average expected
return from both projects is Rs. 1,000 (Rs. 3,000 ÷ 3). But the return from
investment X will lie between Rs. 990 and Rs. 1,010, whereas the return from investment Y
lies between Rs. 0 and Rs. 2,000; in other words, there is more uncertainty about the
return from investment Y.
However, decision situations may be broken down into three types: Certainty, Risk
and Uncertainty.
(i) Certainty:
No risk.
(ii) Risk:
It involves situations in which the probabilities of particular events occurring are
known, i.e., the chance of a future loss can be foreseen.
(iii) Uncertainty:
The probabilities of particular events occurring are not known, i.e., the future loss
cannot be foreseen. The basic difference between risk and uncertainty is that
variability is less in the case of risk and more in the case of uncertainty, although
both terms are used here interchangeably.
Financial risk is a type of danger that can result in the loss of capital to interested
parties. For governments, this can mean they are unable to control monetary policy
and default on bonds or other debt issues. Corporations also face the possibility of
default on debt they undertake, but may also experience failure in an undertaking that
causes a financial burden on the business.
Financial risks are everywhere and come in many shapes and sizes, affecting nearly
everyone. You should be aware of the presence of financial risks. Knowing the
dangers and how to protect yourself will not eliminate the risk, but it can mitigate
the harm and reduce the chances of a negative outcome.
1. Market risk
Among the types of financial risks, one of the most important is market risk. This type
of risk has a very broad scope, as it appears due to the dynamics of supply and
demand.
The same applies to innovations and changes in the market. One example is the
commercial sector. Companies that have managed to adapt to the digital market to
sell their products online have experienced an increase in revenue. Meanwhile,
those that have resisted these transformations show lagging competitiveness.
2. Credit risk
In financial risk management, credit risk is of paramount importance. This risk refers
to the possibility that a creditor will not receive a loan payment or will receive it late.
Credit risk is therefore a way of determining a debtor’s capacity to fulfill its payment
obligations.
The first refers to the risk involved in financing individuals and small businesses.
Subprime mortgages were high-risk, high-interest loans granted to people who were
unemployed or did not have a stable income.
3. Liquidity risk
Real estate or bonds, for example, are assets that can take a long time to turn into
money. That is why each company must verify whether it has current assets to pay
off short-term commitments.
4. Operational risk
Finally, among the types of financial risks there is also operational risk. There are
different types of operational risk. These risks occur due to lack of internal controls
within the company, technological failures, mismanagement, human error or lack of
employee training.
Eventually, this risk almost always leads to a financial loss for the company.
Operational risk is one of the most difficult to measure objectively. In order to be able
to calculate it accurately, the company must have created a history log with the
failures of this type and recognized the possible connection between them.
These risks can be avoided if it is recognized that one specific risk may trigger further
risks. A broken-down machine, for example, not only implies the expense of repairing it.
It also causes losses from production downtime, which can lead to delays in product
deliveries and even affect the company’s reputation.
Operational Risk Management: Recruitment &
Training, Work flow Design
The term operational risk management (ORM) is defined as a continual cyclic
process which includes risk assessment, risk decision making, and implementation
of risk controls, resulting in the acceptance, mitigation, or avoidance of risk. ORM is
the oversight of operational risk, including the risk of loss resulting from inadequate
or failed internal processes and systems, human factors, or external events. Unlike
other types of risk (market risk, credit risk, etc.), operational risk has rarely been
considered strategically significant by senior management.
Levels: Deliberate, In Depth, Time Critical.
People
Regulations
Flow:
Step 1: Risk Identification
Risks must be identified so that they can be controlled. Risk identification starts with
understanding the organization’s objectives. Risks are anything that prevents the
organization from attaining its objectives.
Step 2: Risk Assessment
Risk assessment is a systematic process for rating risks on likelihood and impact.
The outcome of the risk assessment is a prioritized listing of known risks. The risk
assessment process may look similar to the risk assessment done by internal audit.
Step 3: Risk Mitigation
The risk mitigation step involves choosing a path for controlling the specific risks. In
the Operational Risk Management process, there are four options for risk mitigation:
transfer, avoid, accept, and control.
Transfer: Transferring shifts the risk to another organization. The two most
common means of transferring are outsourcing and insuring. When outsourcing,
management cannot completely transfer the responsibility for controlling risk.
Insuring against the risk ultimately transfers some of the financial impact of
the risk to the insurance company. A good example of transferring risk occurs
with cloud-based software companies. When a company purchases cloud-
based software, the contract usually includes a clause for data breach
insurance. The purchaser is ensuring that the vendor can pay for damages in the
event of a data breach. At the same time, the vendor will also have its data
center provide SOC reports that show there are sufficient controls in place to
minimize the likelihood of a data breach.
Control: Controls are processes the organization puts in place to decrease
the impact of the risk if it occurs or to increase the likelihood of meeting the
objective. For example, installing software behind a firewall reduces the
likelihood of hackers gaining access, while backing up the network decreases
the impact of a compromised network, since it can be restored to a safe point.
Step 4: Implementation
Once the risk mitigation decisions are made, the next step is implementation.
The controls are designed specifically to meet the risk in question. The control
rationale, objective, and activity should be clearly documented so the controls can be
clearly communicated and executed. The controls implemented should favour
preventive control activities over policies.
Step 5: Monitoring
Since the controls may be performed by people who make mistakes, or the
environment could change, the controls should be monitored. Control monitoring
involves testing the control for appropriateness of design, implementation, and
operating effectiveness. Any exceptions or issues should be raised to management
with action plans established.
Workflow Documentation
Workflow documentation is the process of storing, tracking, and editing business
documents that shape your workflow.
In other words, workflow documentation outlines your business processes and
workflows.
Process:
First things first, you need to outline the process of the workflow. It’ll be a top-level
overview of what you envisage the specific workflow to involve.
Now you need to identify what the output should be. Will you have made a sale?
Launched a new product? Hired a new employee? Whatever it is, make sure you’re
clear on what the outcome should be. This will give you the direction you need to
make sure your workflow delivers what you want.
Now that you know what the workflow involves and what the outputs are, you can
document the entire workflow step by step.
Review your data on where you need to start, where you need to finish, and what
your key milestones will be. You can then focus on filling in the gaps between each
key milestone to get you from start to finish.
Once you’ve outlined the entire workflow, it’s time to scrutinize it. Double-check
everything before you roll it out to your team. The last thing you want is to distribute
the business process documentation only to find an error somewhere down the line.
Benefits:
When you have a clear process, it’s easy for everyone to follow it. There’s less room
for error, and team members won’t be confused about what actions they need to
take.
Workflow documentation helps teams improve their business processes. Think about
it. If you’re tracking and documenting your workflow, it’s much easier to identify room
for improvement. Without workflow documentation, you simply won’t have this level
of clarity.
Using digital documentation allows you to speed up your day-to-day processes and
focus on tasks that matter.
Elements of Delegation
Authority always flows from top to bottom. It explains how a superior gets work done
by a subordinate by clearly explaining what is expected of him and how he
should go about it. Authority should be accompanied by an equal amount of
responsibility. Delegating authority to someone else does not imply escaping from
accountability. Accountability still rests with the person having the utmost authority.
To achieve delegation, a manager has to work within a system and has to perform the
following steps:
Authority is the legal right of a person or superior to command his subordinates, while
accountability is the obligation of an individual to carry out his duties as per standards of
performance. Authority flows from superiors to subordinates, in which orders and
instructions are given to subordinates to complete the task. It is only through
authority that a manager exercises control. In a way, through exercising control the
superior is demanding accountability from subordinates. If the marketing manager
directs the sales supervisor to achieve 50 units of sales in a month and the
above standard is not accomplished, it is the marketing manager who will be
accountable to the chief executive officer. Therefore, we can say that authority flows
from top to bottom and responsibility flows from bottom to top. Accountability is a
result of responsibility, and responsibility is a result of authority. Therefore, for every
authority an equal accountability is attached.
Under centralization, the important and key decisions are taken by top
management, and the other levels carry out implementation as per the directions of the
top level. For example, in a business concern where the father and son are the owners,
they decide all important matters, and the rest of the functions, such as production, finance,
marketing and personnel, are carried out by the department heads, who have to act
as per the instructions and orders of those two people. Therefore, in this case, decision-
making power remains in the hands of the father and son.
On the other hand, decentralization is a systematic delegation of authority at
all levels of management and throughout the organization. In a decentralized concern,
authority is retained by top management for taking major decisions and framing
policies concerning the whole concern. The rest of the authority may be delegated to the
middle and lower levels of management.
Implications of Decentralization
Control Environment: sets the tone for the organization, influencing the control
consciousness of its people. It is the foundation for all other components of
internal control.
Risk Assessment: the identification and analysis of relevant risks to the
achievement of objectives, forming a basis for how the risks should be
managed.
Monitoring: processes used to assess the quality of internal control
performance over time.
Multiple components comprise the framework. The first thing needed to ensure that a
company’s controls work properly is an appropriate control environment. This is
what sets the level of control consciousness, making everyone from top management to staff
members follow and keep a check on the policies, procedures, principles, and
technology deployed. In addition, it sets the values, commitment, policies,
responsibilities, operating style, participation, structure, and overall tone of the
company.
Control over Sale and Purchase: A proper and efficient control system for
transactions regarding the purchase and sale of material, and for the handling of material
and accounting for the same, is a must.
Cash: Here, internal control is applied over payments and receipts of an
organization. This is to safeguard from misappropriation of cash.
Financial Control: It deals with the efficient system of accounting, recording
and supervision.
Capital Expenditure: Internal control system ensures the proper sanction of
capital expenditure and also the use of it for the purpose intended.
Employee’s Remuneration: Internal control system is applied to preparation
and maintenance of records of employees and the payment methods also. It
is also necessary to safeguard against misappropriation of cash.
Inventory Control: It covers the proper handling of inventory, minimization of
slow-moving items or dead stock, proper valuation of stock, recording of it,
etc.
Control over Investments: Internal control system is applied to the proper
recording of transactions be it purchases, additions, sale or redemption,
income on investments, profit or loss on investment.
Limitations:
Internal Audit
Internal auditors are not responsible for the execution of company activities; they
advise management and the board of directors (or similar oversight body) regarding
how to better execute their responsibilities. As a result of their broad scope of
involvement, internal auditors may have a variety of higher educational and
professional backgrounds.
The Institute of Internal Auditors (IIA) is the recognized international standard setting
body for the internal audit profession and awards the Certified Internal Auditor
designation internationally through rigorous written examination. Other designations
are available in certain countries. In the United States the professional standards of
the Institute of Internal Auditors have been codified in several states’ statutes
pertaining to the practice of internal auditing in government (New York State, Texas,
and Florida being three examples). There are also a number of other international
standard setting bodies.
Internal auditing activity is primarily directed at evaluating internal control. Under the
COSO Internal Control Framework, internal control is broadly defined as a process,
effected by an entity’s board of directors, management, and other personnel,
designed to provide reasonable assurance regarding the achievement of the
following core objectives for which all businesses strive:
Objectives
Statutory Requirement
The Central Government may, by rules, prescribe the manner and intervals in
which the internal audit shall be conducted and reported to the Board.
Such class or classes of company as may be prescribed shall be required to
appoint an internal auditor, who shall be either a Chartered Accountant or a
Cost Accountant or such other professional as may be decided by the Board,
to conduct an internal audit of the functions and activities of the company.
Similarities between internal control and internal audit
People: Both internal control and internal audit need people to deliver on their
objectives.
Reporting format: Both internal audit and internal control do not have a generally
agreed reporting format.
Ensuring that the CCO and staff members of the compliance function do not perform
business responsibilities.
Allowing the compliance function unfiltered access to information needed to carry out
its oversight role.
Importance:
Without a compliance function, you cannot reliably build or maintain trust with others.
Trust is fostered through three elements: (1) repeated interactions with another
person; (2) honest communication with that person; and (3) following through on
commitments. Organizations cannot ensure that they are meeting element (2) or (3)
unless they have adopted rules about proper communications and proper follow
through. The head of the organization can’t be confident that others are being honest
in their interactions unless the organization has adopted rules about honesty and
trained people about the importance of honesty and candor. The leader cannot be
confident that people are following through on commitments unless there are rules
and norms that have been adopted and emphasized throughout the organization.
Compliance can serve as a driver of change and innovation. Some people also view
compliance as inherently conservative. They think the purpose of compliance is to
rein in conduct. Again, that’s not true. Compliance instead can serve as a powerful
tool of long-term change. If every day behavior stems from training and codes of
conduct, and codes of conduct stem from values, articulation and modification of
values over time can profoundly influence organizational behavior. In the words of
system theorists, values can be a leverage point, and compliance ultimately focuses
on the driving values of an organization.
Effective CROs are concerned with what the institution’s leaders may not know and,
therefore, must occasionally offer a contrarian point of view; otherwise, the decision-
making process may end up flawed with “group think.” In today’s environment,
decision-making processes should be driven by objective assessments of the
risk/reward balance, rather than by the emotional investment, management bias and
short-termism that underlie dangerous organizational blind spots.
Functions:
System Audit
The data and information generated in companies today are endless. The
information that is processed and handled within a company is incalculable.
Companies increasingly need technology to work, requiring complex software and
computerized equipment to carry out their activity in an optimized and efficient
manner.
The audit of systems involves the review and evaluation of controls and computer
systems, as well as their use, efficiency, and security in the company that
processes the information. Thanks to the audit of systems as a means of
control, follow-up, and review, the computer processes and technologies are used
more efficiently and safely, guaranteeing adequate decision-making.
(1) “Corporate governance means that a company manages its business in a manner
that is accountable and responsible to the shareholders. In a wider interpretation,
corporate governance includes the company’s accountability to shareholders and other
stakeholders such as employees, suppliers, customers and the local community.” –
Catherwood.
(2) “Corporate governance is the system by which companies are directed and
controlled.” – The Cadbury Committee (U.K.)
Today a company has a very large number of shareholders spread all over the
nation and even the world, and a majority of shareholders are unorganised and
have an indifferent attitude towards corporate affairs. The idea of shareholders’
democracy remains confined only to the law and the Articles of Association, which
requires practical implementation through a code of conduct for corporate
governance.
Corporate scams (or frauds) in recent years have shaken public
confidence in corporate management. The Harshad Mehta scandal, which is
perhaps one of the biggest scandals, remains in the hearts and minds of all who are
connected with corporate shareholding or are otherwise educated and socially conscious.
The need for corporate governance is, then, imperative for reviving investors’
confidence in the corporate sector towards the economic development of society.
It has been observed in both developing and developed economies that there has
been a great increase in the monetary payments (compensation) packages of top
level corporate executives. There is no justification for exorbitant payments to top
ranking managers, out of corporate funds, which are a property of shareholders and
society.
(vii) Globalisation:
The desire of more and more Indian companies to get listed on international stock
exchanges also highlights the need for corporate governance. In fact, corporate
governance has become a buzzword in the corporate sector. There is no doubt that
the international capital market recognises only companies that are well managed according to
standard codes of corporate governance.
(i) Transparency:
Transparency means the quality of something which enables one to understand the
truth easily. In the context of corporate governance, it implies an accurate, adequate
and timely disclosure of relevant information about the operating results etc. of the
corporate enterprise to the stakeholders.
(ii) Accountability:
The misconduct can be in the form of fraud, corruption, or violation of company rules
and policies, all of which pose a threat to the public interest. Whistle blowing is
done to safeguard the interest of the society and the general public for whom the
organization is functioning.
Companies should motivate their employees to raise an alarm in case they find
any violation of rules and procedures, and to report any possible harm to the
interest of the organization and society.
Most often, employees fear to raise their voice against illegal activity being
carried out in the organization because of the following reasons:
Threat to life
Lost jobs and careers
Lost friendships
Resentment among workers
Breach of trust and loyalty
Thus, in order to provide protection to whistle blowers, the Whistle Blower
Protection Bill was passed in 2011 by the Lok Sabha.
The question then arises as to which offences are considered valid grounds for
whistle blowing and for which protection is offered by the law. The following are the
acts for which a voice can be raised and which are protected by law:
1. Fraud
2. Health and safety in danger
3. Damage to the environment
4. Violation of company laws
5. Embezzlement of funds
6. Breach of law and justice
Social Responsibility
Ultimately, it’s management who is responsible for risk management and the board
is responsible for overseeing management’s process of identifying, monitoring and
mitigating risks. If there is no established risk management framework, the board
should charge management to develop a framework that includes the board’s
oversight duties. Boards can break down their responsibilities by establishing certain
directors with experience or knowledge in a particular area to oversee a certain risk
management process. For instance, the Public Policy Committee of ConocoPhillips
is responsible for overseeing risks related to health, safety and environmental
issues. However, these committees are still responsible for seeing the big picture
and should come together on a periodic basis to discuss the risks they are
overseeing as well as risks the company is seeing as a whole.
The thought paper offers recommendations for boards to develop and define their
oversight responsibilities. Boards should work with management to assign risk
oversight responsibilities to individual committees; committees should collaborate on
risk-related happenings, and have management brief the entire board on strategic
risks facing the company.
To promote an effective risk culture, boards can set a tone that allows employees
to voice their concerns without fear of losing their jobs. They can also help to
develop a process to measure risk intelligence that management continually
monitors, and they should support management with resources, training and data
from the company.
Risk appetite is the amount of risk a company is willing to take. This can be defined
in quantitative or qualitative ways. Management should be the one to develop the
risk appetite for the organization and the board should understand management’s
assumptions and approve or disapprove the company’s overall level of risk appetite.
Once an appetite has been defined, the board should help management monitor
emerging risks and opportunities, and evaluate whether the risk appetite should be
changed. The board should also evaluate management’s previous decisions to see
whether the risk appetite was bypassed. And finally, the board should align
management’s incentives with the company’s risk appetite. This will prevent
management from taking on too much risk.
The board is also responsible for helping management develop a strategy that is
aligned to the company’s mission. When the company is developing its strategy, the
board should at the same time discuss the risks to the strategy and the risks of the
strategy. This will help the entity identify risks that could ultimately disrupt its ability
to compete. In order to do this, the board should challenge management on their
assumptions by asking the right questions, establishing an open dialogue, and
identifying alternatives.
The board should consider whether to provide “active oversight” in these strategic
settings. That may include verifying that management has established key risk
indicators and a process for monitoring these indicators, scanning the horizon for
emerging risks, and fostering flexibility at the management level to avoid risks or
seize opportunities.
One common measurement boards use to evaluate risk maturity is the amount of
experience the company has with risk management. Boards should dive deeper
than this and consider more criteria, such as:
The SEC now requires public companies to disclose how the board oversees risk
and how it works with management to address risks to the company. These rules
were established to provide greater transparency to investors and stakeholders.
However, the thought paper states that meeting this minimum requirement is not
enough to make stakeholders comfortable with the company’s risk management
process. By explaining the company’s risk management process and oversight
clearly to stakeholders, companies attract more long-term investors. Over the past
three years, Deloitte has seen an increase in the quality of risk disclosures.
Companies can improve their risk disclosures by explaining the processes in plain
English, providing insight into the board’s oversight role and ensuring risk disclosures are
accurate, relevant and specific.
Enterprise risk management (ERM) has emerged as a best practice in gaining an
overview of strategic, financial and operational threats, and in determining how to
mitigate and manage those risks.
The following steps can help your company achieve the ERM objective.
1. Just Do It!
The process of creating an ERM program is valuable, revealing much about
your organization and the interrelatedness of elements within it. Document
your efforts in your board minutes and share them with any auditors. You will
generally find those parties willing to provide constructive feedback because
they have a vested interest in the success of your efforts.
2. Get a Champion
Your board of directors is accountable to shareholders and the SEC (if your
company is public)—and possibly to other entities by industry—for the
adequacy of risk management procedures, controls and ultimately for the
competence of management. A logical champion of your ERM efforts is the
chairperson of your board audit or ERM committee, followed by the chair of
the board and other board members. If these individuals understand that an
ERM program can help them discharge their duties and protect them from
personal financial risk, you will likely see top-level buy-in and a trickle-down
effect through senior management.
3. Merge the Silos
If existing risk committees and sub-committees are functioning as intended
and get consistently high marks from outside auditors, it’s unlikely that
fundamental changes are needed. Yet it is important they understand where
they fit in the bigger picture. A board-level champion can help provide this
perspective, and reinforce the role of the ERM committee in setting the
organization-wide level of acceptable risk.
4. Weight the Risks
Certain areas of risk have the potential to seriously harm your organization.
Others, however, are less critical. When your management team assembles
an ERM framework, create a logical mechanism for assigning relative weights
to each area of risk, and to selected components within those areas.
5. Create a Dashboard
A dashboard containing a high-level summary of major risk elements,
supported by “drill-down” detail, enables board members and senior managers
to connect all the pieces of the risk management puzzle. A dashboard need
not be complex. Some managers use Microsoft Excel to create multi-layered
risk workbooks, which summarize details provided by the risk sub-committees
into a single page of high-level information.
6. Understand Risk and Reward
Some risks are worth taking, because the reward is greater than the likelihood
and consequences of failure. In other cases the reward does not outweigh the
potential consequences. Then there are risks not worth considering, when the
risk is a “bet-the-farm” proposition, or is illegal or immoral. Each risk
committee and sub-committee should understand the risk-versus-reward
proposition.
7. Set Limits
One important function of the board ERM committee is to work with
management to establish limits to risk taking. Management should make
recommendations to the board, supported by reasonable data and arguments,
which establish the boundaries of the organization’s risk appetite.
Management’s role is to advise and inform, with the ultimate decision resting
with the board.
A Top-To-Bottom Effort
It is possible for ERM practices to become part of your organizational culture. Global
awareness of the process and a rank-and-file understanding of the board’s focus on
effective risk management are critical to obtaining the buy-in of the entire
organization. After all, risk management is everybody’s job—today more than ever.