
CHAPTER 1: INTRODUCTION TO RISK

DEFINITION
Risk is a condition in which there exists a quantifiable diversion in the possible outcomes from any activity (CIMA). Risk can be defined as the combination of the probability of an event and its consequences. Risk in business is the chance that future events or results may not be as expected.

RISK AND UNCERTAINTY
The term 'risk' is often associated with the chance that something bad will happen, and that a future outcome will be adverse. This type of risk is called 'downside risk' or 'pure risk', which is a risk involving the possibility of loss, with no chance of gain. Risk is inherent in a situation whenever an outcome is not inevitable.

(1) Pure risk
When there is a chance that the results may not be better than expected. Involves the probability of loss with no possibility of gain.
Example: unexpected situations (power cut, pandemic), risk of losses from theft and fraud, damage to assets from fire.

(2) Two-way risk (speculative risk)
The actual outcome may be either worse or better than expected.
Example: failure of a new product or project, budget outcomes differing from what was planned, savings not reaching the target.

UNCERTAINTY
Arises from ignorance and lack of information, whereby the future cannot be predicted because of insufficient information about future outcomes or their probability of occurrence. Reduced by obtaining as much information as possible before making a decision.

RISK | UNCERTAINTY
The probability of winning or losing something of worth is known | Future events are unknown
Measurable | Not measurable
Chances of outcomes are known | The outcome is unknown
Controllable | Uncontrollable
Yes | No
Can be assigned to a set of circumstances | Cannot be assigned

RISK MANAGEMENT OBJECTIVES
(1) To generate high return
(2) To make the business dynamic
(3) To be the trendsetter/market leader
(4) To gain competitive advantage over other organizations
(5) To gain financial and non-financial benefits

THE IMPORTANCE OF RISK MANAGEMENT
1. Empowers a business with the necessary tools to adequately identify and deal with potential risks. Once a risk has been identified, it is then easy to mitigate it. Provides a business with a basis upon which it can undertake sound decision-making.
2. Prepares for eventualities that may come in the way of progress and growth. When a business evaluates its plan for handling potential threats and develops structures to address them, it improves its odds of becoming a successful entity.
3. Ensures risks of a high priority are dealt with as aggressively as possible. Moreover, management will have the necessary information that they can use to make informed decisions and ensure that the business remains profitable.

ASSESSING RISK IN CORPORATE ORGANIZATIONS
1. To assess and measure the risks that an organization faces, a business must be able to identify the principal sources of risk.
2. Risks that can affect the achievement of the organization's overall objectives must be reflected in its strategic objectives/goals.
3. Risks should be managed, and the strategies to deal with risks must be prioritised by the organization.

RISK MAPS
Provide a useful framework to determine an appropriate risk management strategy.
(1) Low activity – High competitive advantage: identification of process and development should be done to reap maximum benefit.
(2) Low activity – Low competitive advantage: focusing on low-risk activities can easily result in a low ability to obtain competitive advantage.
(3) High activity – High competitive advantage: should be examined carefully, since the development process is risky but might yield favorable results.
(4) High activity – Low competitive advantage: should be avoided by the business as it might not result in favorable outcomes.

TARA/SARA
(1) Transfer/share
Risk can be transferred wholly or in part to a third party, so that if an adverse event occurs, the third party suffers all or most of the loss (insurance): businesses arrange a wide range of insurance policies for protection against possible losses. Risk sharing: an organization might transfer its exposure to strategic risk by sharing the risk with a joint venture partner or franchisees.
(2) Avoidance
An organization might choose to avoid a risk altogether. However, since risks are unavoidable in business ventures, they can be avoided only by not investing (or by withdrawing from the business area completely). The same applies to not-for-profit organizations: risk is unavoidable in the activities they undertake.
(3) Reduction
By limiting exposure in a particular area or attempting to decrease the adverse effects should that risk crystallize. Risk minimization, risk pooling, reducing risk.
(4) Acceptance
Accept that the risk may occur and decide to deal with the consequences in that particular situation. The strategy is normally appropriate where the adverse effect is minimal. For example, there is nearly always a risk of rain; unless the activity cannot take place when it rains, the risk of rain occurring is not normally insured.

RISK MANAGEMENT STRATEGY – RISK MANAGEMENT PROCESS
RISK IDENTIFICATION (list of potential risks)
Risks are identified by key stakeholders. Risks must obviously be identified before they can be managed.
RISK ASSESSMENT (prioritized risk list)
Risks are evaluated according to the likelihood of occurrence and impact on the organization. This assessment provides a prioritized risk list identifying those risks that need the most urgent attention.
RISK PLANNING (risk avoidance and contingency plans)
Planning involves establishing appropriate risk management policies. Policies range from ceasing risky activities through to obtaining insurance against unfavorable events. Contingency planning involves establishing procedures to recover from adverse events, should they occur.
RISK MONITORING (risk audit)
Risks are monitored on an ongoing basis. Where risks change or new risks are identified, those risks are added to the risk assessment for appropriate categorization and action.
CHAPTER 2: TYPES AND SOURCES OF RISKS

RISK IDENTIFICATION
The aim of risk identification is to identify possible risks that may affect, either negatively or positively, the objectives of the business and the activity under analysis. Risk identification can be done by evaluating the following questions.

WAYS TO IDENTIFY RISK
(1) RETROSPECTIVE RISK
Retrospective risks are those that have previously occurred (incidents or accidents). Retrospective risk identification is often the most common way to identify risk, and the easiest. It is also easier to quantify its impact and to see the damage it has caused. Example sources:
a. Hazard or incident logs or registers
b. Audit reports
c. Accreditation documents and reports
d. Customer complaints
e. Newspapers or professional media
f. Past staff or client surveys
(2) PROSPECTIVE RISK
Often harder to identify. These are things that have not yet happened but might happen sometime in the future. Methods:
a. Brainstorming with staff/external stakeholders
b. Researching the economic, political
c. Conducting interviews with relevant people
d. Undertaking surveys of staff or clients to identify issues
e. Flowcharting a process
f. Reviewing system design or preparing techniques

TYPES OF RISK ANALYSIS
• Qualitative (most common)
• Semi-quantitative
• Quantitative

TYPES OF RISKS
SYSTEMATIC RISKS (unavoidable) | UNSYSTEMATIC RISKS (avoidable/can be reduced)
Undiversifiable risk | Diversifiable risk
Cannot be eliminated by diversification | Can be eliminated by diversification
Uncontrollable, external risks due to external factors | Controllable, internal risks due to internal factors
Affect all securities | Risks are unique to the firm, not all securities
Example: recession, political events, war, fluctuation of interest rates | Example: mismanagement, change in consumer preference, labour strike

RISK CATEGORISATION (CORS)
(1) STRATEGIC RISK
Arises from long-term effects such as those relating to the nature and type of business, changes in competitive and legal environments, and poor long-term decisions being made. For example, a supermarket which did not respond to the growing popularity of on-line shopping would have opened itself to a long-term decline in profits.
(2) OPERATIONAL RISKS
Short-term, day-to-day problems. For example, a machine breaking down, a key employee leaving, a fire breaking out in the warehouse or a fraud occurring.
(3) REPORTING RISKS
Risks arising because internal and external reporting are not reliable. For example, management accounts containing errors can lead to incorrect analysis and decisions.
(4) COMPLIANCE RISKS
The risks arising from not complying with rules and regulations. Penalties, loss of reputation and removal of operating licences can all result.

3E2FBITCP
(1) POLITICAL, LEGAL AND REGULATORY
Risks that businesses face because of the regulatory regime that they operate in.
a. POLITICAL RISK: risk due to political instability. Generally considered an external risk to the business.
b. LEGAL RISK: risk that legal action will be brought against the business.
c. REGULATORY: risk of changes in regulation affecting the business.
d. COMPLIANCE: risk of non-compliance with the law resulting in fines and penalties.
(2) BUSINESS RISK
Due to the nature of the business's operations and products.
a. STRATEGIC RISK: risk that business strategies will fail.
b. PRODUCT RISK: risk of failure of new product launches or loss of interest in existing products.
c. COMMODITY PRICE: risk of a rise in commodity prices.
d. PRODUCT REPUTATION: change in a product's reputation or image.
e. OPERATIONAL: business operations may be inefficient or business processes may fail.
f. CONTRACTUAL: terms of a contract do not fully cover a business against all potential outcomes.
(3) ECONOMIC RISK
a. Risk that results from changes in overall business conditions.
b. Changes in the economic landscape might result from inflation, unemployment rates, international trade relations or any changes in fiscal policy decisions by the government.
c. Uncontrollable.
d. Government might impose controls on the price mechanism, such as a price ceiling and price floor, which might impact business profitability in the long run.
e. High inflation rate due to economic instability (purchasing power parity; whether customers can afford to buy the product sold in the market).
(4) FINANCIAL RISK
Change in a financial condition such as exchange rate, interest rate, credit rating of a customer or change in the price of goods; related to the possibility of change in financial conditions and circumstances.
a. CREDIT RISK: non-payment by customers.
b. CURRENCY RISK: fluctuation in the exchange rate.
c. GEARING RISK: business funding (how the business is being financed), debt or equity.
d. INTEREST RATE RISK: changes in interest rates.
(5) TECHNOLOGY RISK
The risk that technology changes will occur that either present new opportunities to business or, on the downside, make their existing processes obsolete or inefficient; risks in failing to respond to new technology as well as in adopting new technology. A two-way risk like other types of risk, therefore it creates both threats and opportunities for organisations. Example: over-investing in new technology was the so-called 'dot.com boom' in the late 1990s and early 2000s, speculation that Internet-based companies would take over the markets of established 'bricks and mortar' companies.
(6) ENVIRONMENTAL RISK
Changes in the environment such as climate change or natural disasters. Some businesses may perceive this risk to be low, but for others, for example insurance companies, it can be more significant.

(7) FRAUD RISK
The vulnerability of an organisation to fraud. Fraud risk is a risk that is considered controllable by most businesses. The size of the fraud risk for an organisation is a factor of:
● the probability of fraud occurring
● the size of the losses if fraud occurs
Fraud risk should be managed by:
● fraud prevention: ensuring that the opportunities to commit fraud are minimised
● fraud detection and deterrence: detection measures are designed to identify fraud after it has occurred. If employees fear that the risk of detection is high, they will be deterred from trying to commit fraud.

(8) EMPLOYEE MALFEASANCE RISK
Malfeasance means doing wrong or committing an offence. Organisations might be exposed to risks of actions by employees that result in an offence or crime (other than fraud). This, like fraud risk, is a type of operational business risk.
Risks from illegal activities by employees should be controlled by suitable internal controls, to ensure that employees comply with established policies and procedures. Examples of such activities:
○ deliberately making false representations about a product or service in order to win a customer order, exposing the organisation to the risk of compensation claims for mis-selling
○ committing a criminal offence by failing to comply with statutory requirements, such as taking proper measures for the safety and protection of employees or customers.

(9) CORPORATE REPUTATION RISK
I. Reputation risk is for many organisations a downside risk, as the better the reputation of the business, the more risk there is of losing that reputation.
II. A good reputation can be very quickly eroded if companies suffer adverse media comments or are perceived to be untrustworthy.
III. Organisations succeed in being perceived as 'environment-friendly' and use public relations and advertising to promote this image.
IV. This could arise from:
● environmental performance
● social performance
● health & safety performance.
V. Reputation risk is a downside risk. The risk can be particularly significant for companies that sell products or services to consumer markets.
There have been cases where a company's reputation has been significantly affected by:
a. public suspicions about the damage to health from using the company's products
b. causing environmental damage and pollution
c. employing child labour in under-developed countries or operating 'sweat shops' in which employees work long hours in poor conditions for low pay
d. investing heavily in countries with an unpopular or tyrannical government
e. involvement in business 'scandals' such as mis-selling products
f. management announcements about the quality of the product a company produces.

(10) INTERNATIONAL RISK
1. CULTURE: cultural differences between various countries. Relativism based. Must understand the differences between countries.
2. LITIGATION: lack of understanding of local litigation.
3. CREDIT: difficulty in controlling credit risk on overseas sales. Chasing debts is more difficult and expensive.
4. ITEMS IN TRANSIT: risk of losses or damage in transit if companies are transporting goods great distances.
5. FINANCIAL RISK

CHAPTER 3A: ENTERPRISE RISK MANAGEMENT

RISK MANAGEMENT
"The process of understanding and managing the risks that the organization is inevitably subject to in attempting to achieve its corporate objectives" (CIMA)

CONFORMANCE | PERFORMANCE
Controlling threats or hazards | Maximizing return or opportunity
"Bad things do happen" | "Good things might not happen"
The traditional view: protecting the organization from loss through conformance procedures and hedging techniques; this is about avoiding the downside risk.
The new approach to RM: taking advantage of the opportunities to increase overall returns within a business; benefiting from the upside risk.

ENTERPRISE RISK MANAGEMENT (ERM)
A process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

KEY PRINCIPLES IN ERM
• Consideration of risk management in the context of business strategy
• Consideration of a broad range of risks (strategic, financial, operational and compliance)
• A focused risk management strategy, led by the board (embedding risk within an organization's culture)
• RM is everyone's responsibility, with the tone set from the top
• The creation of a risk-aware culture
• A comprehensive and holistic approach to risk management

COSO ERM FRAMEWORK
Represented as a three-dimensional matrix in the form of a cube which reflects the relationships between objectives, components and different organisational levels.

OBJECTIVES
Within the context of an entity's established mission or vision, management establishes strategic objectives, selects strategy, and sets aligned objectives cascading through the enterprise. This ERM framework is geared to achieving an entity's objectives, set forth in 4 categories:
1. STRATEGIC – high-level goals, aligned with and supporting its mission
2. OPERATIONS – effective and efficient use of its resources
3. REPORTING – reliability of reporting
4. COMPLIANCE – compliance with applicable laws and regulations
COMPONENTS OF ERM
Internal environment: encompasses the tone of an organization and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
Objective setting: objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.
Event identification: internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channelled back to management's strategy or objective-setting processes.
Risk assessment: risks are analysed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
Risk response: management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity's risk tolerances and risk appetite.
Control activities: policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
Information and communication: relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
Monitoring: the entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

RISK MANAGEMENT AND SHAREHOLDER VALUE
By aligning risk management activity to what the shareholders consider vital to the success of the business, the shareholders are assured that what they value is protected.
Establish what shareholders value about the company: through talking with the investment community and linking value creation processes to key performance indicators.
Identify the risks around the key shareholder value drivers: the investment community can identify those factors that will influence their valuation of the company.
Determine the preferred treatment for the risks: the investment community can give their views on what actions they would like management to take in relation to the risks.
Communication: communicate risk treatments to shareholders.

ERM – INTEGRATING STRATEGY WITH PERFORMANCE
1. Governance and culture: relates to the internal environment. Emphasis on the importance of the tone at the top. Includes ethical behaviour and understanding of the risk appetite of the organization.
2. Strategy and objective setting: the main focus. Emphasises the importance of making sure ERM and objectives are aligned to risk appetite in the strategic planning stage, to make sure the strategies can be implemented successfully, i.e. to minimize the risk of having the wrong strategy.
3. Performance: combines risk identification and risk assessment with risk response. Maintains focus on identifying internal and external events (both positive and negative) which could impact the performance of the organization.
4. Review and revision: policies and procedures help ensure the risk responses are effectively carried out, ensuring the entire ERM process is monitored and modifications made as necessary.
5. Information, communication and reporting: enables people to carry out their responsibilities. The information is reported to the right person and level of authority.

BENEFITS OF EFFECTIVE ERM
A. Enhanced decision making by integrating risks
B. Improvement in investor confidence and hence shareholder value
C. Focus of management attention on the most significant risks
D. A common language of risk management which is understood throughout the organization

LIMITATIONS OF EFFECTIVE ERM
A. The reality that human judgement in decision making can be faulty
B. Decisions on responding to risk and establishing controls still need to consider the relative costs and benefits
C. Management has the ability to override enterprise risk management decisions.

CHAPTER 3B – FORMULATION OF A RISK STRATEGY

RISK MANAGEMENT STRATEGY
PAST | PRESENT
A formal strategy for managing risks would purposely be given to risk managers to make assessments of the risks the business faced and exercise judgement on what was a reasonable level of risk | Failure to properly identify and control risks has been identified as a major cause of business failure (take Barings Bank as an example)

FORMULATING A RISK MANAGEMENT STRATEGY
1. Review the internal control system and its adequacy at least annually
2. Ensure that controls are properly implemented
3. Monitor the implementation and effectiveness of controls
ALTERNATIVE RISK MANAGEMENT PROCESS
1. Risk assessment
2. Risk reporting
3. Risk treatment/risk response (TARA/SARA)

OTHER METHODS:
a. Simulation analysis
b. Scenario planning
c. Computer simulations
d. Decision trees
e. Sensitivity analysis

RISK MANAGEMENT CYCLE
1. The way that the organization documents and determines the specific parts of its risk strategy will have to link to the business strategy and objectives.
2. Risk management strategy is concerned with trying to achieve the required business objectives with the lowest possible chance of failure. The tougher the business objectives, however, the ___ risks will have to be taken to achieve them.
3. Risk appetite can be defined as the amount of risk an organization is willing to accept in pursuit of value. It is determined by:
a. risk capacity: the amount of risk that the organization can bear, and
b. risk attitude: the overall approach to risk, in terms of the board being risk averse or risk seeking.
4. Residual risk is the risk a business faces after its controls have been considered.

RISK MANAGEMENT STRATEGY FEATURES
A. Statement of the organisation's attitude to risk
B. The risk appetite of the organisation
C. The objectives of the risk management strategy
D. Culture of the organisation in relation to risk
E. Responsibilities of managers for the application of the risk management strategy
F. Reference should be made to the risk management systems the company uses (ICS)
G. Performance criteria should be defined so that the effectiveness of risk management can be evaluated

RISK RESPONSE STRATEGY – THE MANAGEMENT OF RISKS INVOLVES TRYING TO ENSURE THAT
1. Exposure to severe risks is minimized
2. Unnecessary risks are avoided
3. Appropriate measures of control are taken
4. The balance between risk and return is appropriate
The estimate of the potential loss for each risk should be compared with the acceptable risk limit for the company. If the risk is greater than the acceptable limit, the next stage in risk management is to consider how the risk should be managed or controlled, to bring it down in size.

RISK TREATMENT (MANAGEMENT) METHODS
1. AVOID RISK
Some activities are so risky that they should be avoided. Impossible to apply to all risks in a commercial organisation, as risks have to be taken to make profits.
2. TRANSFER RISK
In some circumstances, risk can be transferred wholly or in part to a third party. Example: insurance. It does reduce/eliminate risks, but premiums have to be paid.
3. POOL RISK
Risks from many different transactions can be pooled together: each individual transaction/item has its potential upside and its downside. The risks tend to cancel each other out, and are lower for the pool as a whole than for each item individually.
4. DIVERSIFICATION
Diversification is a similar concept to pooling but usually relates to different industries or countries. Risk in one area can be reduced by investing in another area where the risks are different or, ideally, opposite.
5. RISK REDUCTION
Internal controls (ICS) reduce either the likelihood of an adverse outcome occurring or the size of a potential loss. The costs of the control measures should be justified by the benefits from the reduced risk.
6. HEDGING RISK
The concept of hedging is reducing risks by entering into transactions with opposite risk profiles to deliberately reduce the overall risks in a business operation or transaction.
7. RISK SHARING
A company could reduce risk in a new business operation by sharing the risk with another party.

IDENTIFYING, MEASURING AND ASSESSING RISKS
1. RISK IDENTIFICATION
Done by a risk committee or risk management specialists. Risks identified should be recorded in a risk register: a list of all the risks identified, and the measures/actions taken (if any) to control each of them. The diagram shows the variety of methods that can be used by businesses to identify risk.
2. QUANTIFICATION OF RISK EXPOSURES
Quantification of risk is important in understanding the extent and significance of the exposure. Risks identified should be measured and assessed. The extent to which this can be done depends on the information available to the risk manager. In some companies, particularly in the banking and insurance industries, many risks can be measured statistically, on the basis of historical information. In many other situations, the measurement and assessment of risk depends on management judgement.
3. RISK MAPPING
A common qualitative way of assessing the significance of risk is to produce a 'risk map'. The map identifies whether a risk will have a significant impact on the organization and links that to the likelihood of the risk occurring. The approach can provide a framework for prioritizing risks in the business. Risks with a significant impact and a high likelihood of occurrence need more urgent attention than risks with a low impact and low likelihood of occurrence.

*Risk maps can provide a useful framework to determine an appropriate risk response*
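The risk assessment step in Chapter 1 (likelihood x impact giving a prioritised list) and the risk mapping passage above describe the same scoring exercise. The script below is an added example, not part of the notes: it scores a constructed risk register on 1 to 5 scales, applies the controls already in place to get residual (net) scores alongside gross (inherent) scores, places each risk in a map quadrant, suggests a TARA-style response for that quadrant, and flags anything above an assumed risk appetite. The scale, the quadrant threshold, the response table and every risk and control name are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SCALE_MAX = 5   # likelihood and impact are each scored 1 (low) .. 5 (high); assumed scale
HIGH_FROM = 4   # a score of 4 or 5 counts as "high" on the map; assumed threshold


@dataclass
class Control:
    """A measure already in place; the cuts say how many points it removes from each axis."""
    name: str
    likelihood_cut: int = 0
    impact_cut: int = 0


@dataclass
class Risk:
    name: str
    likelihood: int                 # gross (inherent) likelihood, before controls
    impact: int                     # gross (inherent) impact, before controls
    controls: List[Control] = field(default_factory=list)


def clamp(score: int) -> int:
    """Keep a score on the 1..SCALE_MAX scale; controls never push it below 1."""
    return max(1, min(SCALE_MAX, score))


def gross_score(risk: Risk) -> int:
    """Inherent risk: likelihood x impact before any control is applied."""
    return risk.likelihood * risk.impact


def residual_axes(risk: Risk) -> Tuple[int, int]:
    """Likelihood and impact after the controls' reductions, each clamped to the scale."""
    likelihood = risk.likelihood - sum(c.likelihood_cut for c in risk.controls)
    impact = risk.impact - sum(c.impact_cut for c in risk.controls)
    return clamp(likelihood), clamp(impact)


def residual_score(risk: Risk) -> int:
    """Net (residual) risk: likelihood x impact after controls."""
    likelihood, impact = residual_axes(risk)
    return likelihood * impact


def quadrant(likelihood: int, impact: int) -> str:
    """Place a (likelihood, impact) pair in one of the four map quadrants."""
    lk = "high" if likelihood >= HIGH_FROM else "low"
    im = "high" if impact >= HIGH_FROM else "low"
    return f"{lk} likelihood / {im} impact"


# TARA-style response suggested per quadrant (an assumption of this example, not from the notes)
RESPONSE_FOR_QUADRANT: Dict[str, str] = {
    "high likelihood / high impact": "reduce or avoid (most urgent)",
    "low likelihood / high impact": "transfer (e.g. insure) and keep a contingency plan",
    "high likelihood / low impact": "reduce through routine controls",
    "low likelihood / low impact": "accept and monitor",
}


def prioritised_register(register: List[Risk], appetite: int) -> List[dict]:
    """Return the register as rows sorted with the highest residual risk first."""
    rows = []
    for risk in register:
        likelihood, impact = residual_axes(risk)
        q = quadrant(likelihood, impact)
        rows.append({
            "name": risk.name,
            "gross": gross_score(risk),
            "residual": likelihood * impact,
            "quadrant": q,
            "response": RESPONSE_FOR_QUADRANT[q],
            "within_appetite": likelihood * impact <= appetite,
        })
    # ties on residual fall back to gross score, then name, so the order is stable
    rows.sort(key=lambda r: (-r["residual"], -r["gross"], r["name"]))
    return rows


# Constructed sample register: names, scores and controls are invented for this example
SAMPLE_REGISTER = [
    Risk("Ransomware on file servers", 4, 5, [Control("Offline backups", impact_cut=2)]),
    Risk("Customer data breach", 3, 5, [Control("Encryption at rest", impact_cut=2),
                                        Control("MFA on admin access", likelihood_cut=1)]),
    Risk("Phishing clicks", 5, 2, [Control("Awareness training", likelihood_cut=1)]),
    Risk("Office flood", 1, 4),
    Risk("Vendor outage", 2, 2),
]
RISK_APPETITE = 9   # assumed: residual scores above this need board attention

if __name__ == "__main__":
    for row in prioritised_register(SAMPLE_REGISTER, RISK_APPETITE):
        flag = "" if row["within_appetite"] else "  <-- exceeds appetite"
        print(f'{row["name"]:<28} gross={row["gross"]:>2} residual={row["residual"]:>2}  '
              f'{row["quadrant"]}: {row["response"]}{flag}')
```

Keeping gross and residual scores side by side is what lets a risk report show both the inherent exposure and what the existing controls actually buy; a control that cuts impact but not likelihood (offline backups against ransomware) moves a risk down the map without making it rarer, which is exactly the distinction the reporting section later asks for.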
Examples of quantitative techniques include: RISK REPORTING Any risk strategy would only be successful it meets its objectives.
I. Expected values “Risk reports” now form a part of company’s annual reports. It is an Risk management strategy objective should be:
Expected value = Σ prob X, where prob = probability, X = outcome important disclosure requirement. Managers of a business, and external • Balance between risk and return is appropriate
stakeholders, will require information regarding the risks facing the • To take appropriate measures of control
II. Volatility business. • To avoid unnecessary risks
EX, a company might calculate an expected value based on a range of • To minimize severe risks exposure
probabilities but also assess the potential variation from that expected A risk reporting system would include:
outcome (range or standard deviation). 1. A systematic review of the risk forecast (at least annually). 2. A review INTERACTION BETWEEN RISKS
of the risk strategy and responses to significant risks. Risk identification is very important because risks are often interrelated.
III. Value at Risk (VaR) 3. A monitoring and feedback loop on action taken and assessments of This means that if one risk is more likely or will have a more significant
VaR allows investors to assess the scale of the likely loss in their portfolio significant risks. impact for an organisation, then it may be more likely to be exposed to
at a defined level of probability. Statistical methods are used to calculate 4. A system indicating material change to business circumstances, to other risks or more susceptible to other risks.
a standard deviation for the possible variations in the value of the total provide an ‘early warning’.
portfolio of assets over a specific period of time. VaR may be calculated 5. The incorporation of audit work as part of the monitoring and A cafe in a busy seaside resort would have compliance risk, it will be
as standard deviation × ZScore (where the ZScore can be found from the information gathering process assessed on its food hygiene and if it did not meet the standards that have
normal distribution tables) been set it may receive fines and it will be published on government
In order to facilitate a review of risk responses effectiveness, risk reports websites and also on review websites that the food hygiene is poor. This
should show: leads to other risks: Financial risk -pay any fines Reputation risk - customer
CHAPTER 3C – REPORTING & EVALUATING
• the gross risk = an assessment of risk before the application of any are likely to check these things and avoid cafes that do not perform well
controls, transfer or management responses, and on these criteria and also warn friends, family and colleagues. Litigation
RISK CUBE
• the net risk (or residual risk) = an assessment of risk, taking into account risk - someone may become ill after eating at the cafe due to the poor
Another way of considering risk and its management is to use the risk
the controls, transfer and management response food hygiene and may take legal action against the café
cube. Risk equals the volume of the cube.

If the residual risk is considered to be too great, then the company will HAS THE STRATEGY BEEN
Risk is seen as some combination of a threat, exploiting some
vulnerability, that could cause harm to an asset. Residual risk is the combined function of:
● a threat less the effect of threat-reducing safeguards;
● a vulnerability less the effect of vulnerability-reducing safeguards; and
● an asset less the effect of asset value-reducing safeguards.
Managing the risk can be undertaken by reducing the threat, reducing the vulnerability and/or reducing the asset value.

For example, imagine a company sells machine parts on credit to industrial customers.
1. The threat might be that the customer doesn't pay for their machine parts.
2. The vulnerability might be that the selling company has a low cash balance and therefore needs the funds to pay its own suppliers.
3. The asset is the receivable due.
• The threat-reducing safeguards might include performing a credit check on all customers.
• The vulnerability-reducing safeguards might include holding a minimum cash balance at all times to ensure sufficient cash is available to pay suppliers.
• The asset-reducing safeguards might include setting a limit on each receivable balance, so that once it is reached no further goods would be supplied to a customer until payment was made.

need to:
• not expose itself to the risk situation; or
• put in place better controls over the risk.
The amount of residual risk a company can bear is a management decision. It is possible to measure that residual risk, possibly as a proportion of profit/capital turnover, in order to help management make that judgement.

ABILITY TO BEAR RISK
One approach to assessing the ability to bear a risk is to consider its financial consequences in relation to:
1. the organisation's profits
2. return on capital employed
3. the organisation's expenditure budget (not-for-profit organisations)

EVALUATING RISK MANAGEMENT STRATEGY
1. Has the strategy achieved its objectives?
2. Do the benefits outweigh the costs?
Once the company has established its risk strategy and decided in what areas it will reduce its risks and the methods it will use to achieve the desired reductions, the strategy should be evaluated. The purpose of the evaluation is twofold, as shown in the diagram.

SUCCESSFUL?
For example, a company might set a target for the risk of faulty products at a set percentage level and then formulate a risk strategy to achieve that level. In order to assess this, a control mechanism will need to be set up. The basic control idea is that the company compares the actual results with the required target and assesses whether the target has been achieved. If not, the reasons must be investigated and action taken, including possibly a re-assessment of the strategy.

DO BENEFITS OUTWEIGH COSTS?
The costs and benefits of risk measures such as internal controls can be evaluated, and a cost-benefit comparison carried out. The benefits from risk controls should preferably be measured and quantified, although some benefits (such as protecting the company's reputation) might have to be assessed qualitatively. The evaluation process should be based on the principle that the costs from a control measure should not exceed the benefits that it provides.
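The residual-risk relationship above (threat, vulnerability and asset, each less its safeguards) worked through for the machine-parts credit example, together with the ability-to-bear and cost-versus-benefit tests. This is an added Python model, not part of the notes. It assumes the three factors combine by multiplication, with the threat as a probability of non-payment, the vulnerability as the share of the receivable the company cannot do without, and the asset as the receivable balance; the figures, control costs and the risk-appetite share of profit are constructed for illustration.

```python
"""Residual-risk model for the machine-parts credit example.

Assumptions (not from the notes): the three factors combine
multiplicatively; threat is a probability of non-payment (0..1);
vulnerability is the share of the receivable the company needs to
pay its own suppliers (0..1); asset is the receivable balance in
currency units. All figures below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Safeguard:
    name: str
    factor: str          # "threat", "vulnerability" or "asset"
    reduction: float     # absolute reduction applied to that factor
    annual_cost: float   # cost of operating the control each year


@dataclass
class RiskExposure:
    threat: float         # probability the customer does not pay
    vulnerability: float  # share of the receivable the firm cannot do without
    asset: float          # receivable balance exposed
    safeguards: list = field(default_factory=list)

    def _net(self, factor: str) -> float:
        """Factor less the effect of the safeguards aimed at it."""
        base = getattr(self, factor)
        cut = sum(s.reduction for s in self.safeguards if s.factor == factor)
        return max(0.0, base - cut)  # a safeguard cannot drive a factor below zero

    def inherent_risk(self) -> float:
        """Expected loss before any safeguard is applied."""
        return self.threat * self.vulnerability * self.asset

    def residual_risk(self) -> float:
        """Expected loss that remains after the safeguards."""
        return self._net("threat") * self._net("vulnerability") * self._net("asset")

    def control_cost(self) -> float:
        return sum(s.annual_cost for s in self.safeguards)


def benefit_exceeds_cost(exposure: RiskExposure) -> bool:
    """DO BENEFITS OUTWEIGH COSTS: the risk reduction bought must exceed the spend."""
    reduction = exposure.inherent_risk() - exposure.residual_risk()
    return reduction > exposure.control_cost()


def within_risk_appetite(exposure: RiskExposure, annual_profit: float, max_share: float) -> bool:
    """ABILITY TO BEAR RISK: residual risk expressed as a proportion of profit."""
    return exposure.residual_risk() <= annual_profit * max_share


def machine_parts_example() -> RiskExposure:
    """Constructed figures: 20% chance of non-payment, 80% of the cash is needed
    for suppliers, a 50,000 receivable, and the three safeguards from the notes."""
    exposure = RiskExposure(threat=0.20, vulnerability=0.80, asset=50_000.0)
    exposure.safeguards = [
        # credit check on all customers: threat-reducing
        Safeguard("credit check on all customers", "threat", 0.12, 1_500.0),
        # minimum cash balance held at all times: vulnerability-reducing
        Safeguard("hold a minimum cash balance", "vulnerability", 0.50, 800.0),
        # cap on each receivable balance: asset-reducing
        Safeguard("credit limit per receivable", "asset", 20_000.0, 200.0),
    ]
    return exposure


if __name__ == "__main__":
    ex = machine_parts_example()
    print(f"inherent risk {ex.inherent_risk():,.0f}, residual risk {ex.residual_risk():,.0f}")
    print("benefits exceed costs:", benefit_exceeds_cost(ex))
    print("within 1% of 100,000 profit:", within_risk_appetite(ex, 100_000.0, 0.01))
```

The same exposure can be re-run with one safeguard removed to see which control buys the most reduction per unit of cost, which is the comparison the cost-benefit evaluation calls for.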
CHAPTER 4A – RISK MANAGEMENT & INTERNAL CONTROL

INTERNAL CONTROL
Internal control is considered as part of the risk reduction method of responding to risk. The need for a robust system of internal control and risk management is seen as a major element of good corporate governance.

The whole system of controls, financial and otherwise, established by the management in order to carry out the business of the enterprise in an orderly and efficient manner, ensure adherence to management policies, safeguard the assets, prevent and detect fraud and error, and secure as far as possible the completeness and accuracy of the records.

OBJECTIVES OF INTERNAL CONTROL
▪ The orderly and efficient conduct of its business - including adherence to internal policies
▪ Assets' safeguarding
▪ Prevention and detection of fraud and error
▪ Timely preparation of financial information
▪ Accuracy and completeness of the accounting records

IMPORTANCE OF INTERNAL CONTROL & RISK MANAGEMENT
1. The risks it faces are continually changing
A sound internal control system requires a thorough and regular evaluation of the nature and extent of the risks to which the company is exposed.
2. Effective financial controls, maintenance of proper accounting records
Ensure that the company is not unnecessarily exposed to avoidable financial risks and that financial information is reliable.
3. A key role in the management of risks in fulfilling business objectives
Contributes to safeguarding the shareholders' investment and the company's assets.
4. Facilitates the effectiveness and efficiency of operations
Ensures the reliability of internal and external reporting and assists compliance with laws and regulations.

FEATURES OF A SOUND SYSTEM OF INTERNAL CONTROL
1. An ICS encompasses the policies, processes, tasks, behaviors and other aspects of a company which:
⊹ facilitate its effective and efficient operation.
⊹ ensure the quality of internal and external reporting.
⊹ ensure compliance with applicable laws and regulations, and also internal policies.
2. A company's ICS will reflect its control environment which encompasses its organizational structure. The system will include:
⊹ control activities.
⊹ information and communications processes.
⊹ processes for monitoring the continuing effectiveness of the system of internal control.
3. The system of internal control should:
⊹ be embedded in the operations of the company.
⊹ be capable of responding quickly to evolving risks to the business.
⊹ include procedures for reporting immediately to appropriate levels of management any significant control failings or weaknesses.
4. A sound system of internal control reduces, but cannot eliminate, the possibility of poor judgement in decision making; human error; control processes being deliberately circumvented by employees and others; management overriding controls; and the occurrence of unforeseeable circumstances.
5. A sound system of internal control therefore provides reasonable, but not absolute, assurance that a company will not be hindered in achieving its business objectives, or in the orderly and legitimate conduct of its business, by circumstances which may reasonably be foreseen.

EFFECTIVE ICS CONSIST OF 5 INTEGRATED ELEMENTS:
1. CONTROL ENVIRONMENT
The control environment can be thought of as management's attitude, actions and awareness of the need for internal controls.
2. RISK ASSESSMENT
Controllable risks – for these risks internal control procedures can be established.
Uncontrollable risks – Uncontrollable risks could be risks that are caused by the external environment that the company operates in. The company may be able to minimize the risk in other ways outside the internal control environment.
3. CONTROL ACTIVITIES
Once controllable risks have been identified, actual specific control activities can be undertaken to reduce those risks. There is a huge variety of control activities that companies can adopt at all levels of management and in all parts of the organization. The typical processes that could be used are:
● organisation structure.
● contracts of employment
● policies
● discipline and reward system.
● performance appraisal and feedback
4. INFORMATION AND COMMUNICATION
In order to operate the internal controls, a good information system must be set up. The information provided must be:
• Timely.
• Accurate (and therefore reliable).
• Understandable.
• Relevant to the actions being taken.
5. MONITORING
A very good internal control system must be monitored. If the system is not monitored, it will be very difficult to assess whether it is out of control and needs amendment.

FRAMEWORK 2013
1. In 2013, COSO updated the framework by adding 17 principles. These principles sit within 5 components to help explain the fundamentals behind them and to help make the framework more principle-based.
2. COSO have emphasized that the additional detail is not meant to make it a tick list but more to make the components clearer and therefore easier to apply.
3. It is intended to apply to all types of organisations, from profit seeking, to governmental and not for profit.

COMPONENTS OF AN ICS + 17 PRINCIPLES
1. CONTROL ENVIRONMENT
The principles that underpin the control environment component are:
A. The organisation shows a commitment to ethical values.
B. The board has appropriate expertise and oversees the five competencies.
C. Management must establish an appropriate organisational structure to help achievement of the objectives.
D. Human resource policies and practices to help attract, develop and retain suitable talent.
E. Accountability of employees for their areas of responsibility.
2. RISK ASSESSMENT
A. Clear objectives to allow risk identification and assessment.
B. That risk identification and analysis does take place across the entity.
C. The potential for fraud arising in pursuit of the stated objectives must be considered.
D. The internal controls system must be reviewed for changes in the external environment.
3. CONTROL ACTIVITIES
A. Select appropriate controls to mitigate the risks to the achievement of objectives.
B. Specific controls over technology are included.
C. Policies and procedures establish how the controls are implemented.
4. INFORMATION & COMMUNICATION
A. Appropriate information is generated and used to assess controls.
B. The information is communicated appropriately internally to support the internal control process.
C. The information is communicated to appropriate external parties.
5. MONITORING
A. Appropriate evaluations of the controls are carried out.
B. Any issues with controls are communicated to appropriate people (including the board where necessary).
OPERATIONAL FEATURES – 3 FEATURES OF A SOUND ICS
1. Embedded within operations and not treated as a separate exercise
2. Able to respond to changing risks within and outside the company
3. Includes procedures for reporting control failings or weaknesses

THE DETAILS OF CONTROLS – MOSSPAPA

MANAGEMENT CONTROL
Top level reviews. BOD or senior mgt might call for a performance report on the progress of the org towards its goals. Activity controls. At dept or divisional level, mgt should receive reports that review performance or highlight exceptions. Functional reviews should be more frequent than top level reviews, on a daily, weekly or monthly basis.

ORGANIZATION
1. The separation of an org's activities and operations into dept or responsibility centres, with a clear division of responsibilities.
2. Delegation of power
3. Establishing reporting lines
4. Coordinating the activities of different dept

SUPERVISION
Oversight of the work of other individuals, by someone in a position of responsibility, to help ensure that individuals do the tasks they are required to and perform them properly.

SEGREGATION OF DUTIES
Most accounting transactions can be broken down into three separate duties: authorisation or initiation of the transaction, the handling of the asset that is the subject of the transaction, and the recording of the transaction.

PHYSICAL CONTROL
Measures and procedures to protect physical assets against theft or unauthorised access and use.

AUTHORISATION & APPROVAL
Established to ensure that a transaction must not proceed unless an authorised individual has given his approval, possibly in writing.

PERSONNEL
Applied to the selection and training of employees, to make sure that suitable individuals are appointed to positions within the org; individuals should have the appropriate qualities, experience and qualifications; individuals are given induction and training.

ARITHMETIC & ACCOUNTING
Recording transactions properly in the accounting system. Being able to trace each transaction through the accounting records. Checking arithmetical calculations, such as double-checking the figures in an invoice before sending it to a customer or approving it for payment, to make sure that they are correct.

CHAPTER 4B – ICS & RM (2)

CATEGORIES OF CONTROL
1. FINANCIAL CONTROLS
Express financial targets and spending limits.
Example: budgetary control, inventory cycles, payroll
2. NON-FINANCIAL QUALITATIVE CONTROLS
The day-to-day controls over most employees in organisations.
Example: employee training, management control
3. NON-FINANCIAL QUANTITATIVE CONTROLS
Focus on targets against which performance can be measured and monitored.
Example: balanced scorecard, TQM quality measures

SALES CYCLE OBJECTIVES OF CONTROLS
1. Sales are made to valid customers
2. Sales are recorded accurately
3. All sales are recorded
4. Cash is collected within a reasonable period

SALES CYCLE (PROCESS / RISKS / CONTROL PROCEDURES)

PROCESS: Receive an order
RISKS: Orders may not be recorded accurately. Orders may be taken from cust that are unable to pay.
CONTROL PROCEDURES: Confirm order back to the cust. All new cust subject to credit check. Perform regular credit checks.

PROCESS: Goods are dispatched to customer
RISKS: Goods may not be dispatched for orders made. Incorrect goods may be sent to customers, leading to loss of goodwill.
CONTROL PROCEDURES: Check inventory system before issuing order. Automatic re-ordering system linked to a customer order system. Use sequentially numbered cust order pads. Get the customer to sign a copy GDN and return it to the co.

PROCESS: Invoice is raised
RISKS: Invoices may be missed, or incorrectly sent to the wrong cust. Credit notes may be raised incorrectly, missed, or used to cover cash being misappropriated.
CONTROL PROCEDURES: Check that all goods delivered notes match an invoice. The copy of the invoice is signed as it is matched to the original order, GDN and customer price list. Authorized by manager and sequence check done on a regular basis.

PROCESS: Sales is recorded
RISKS: Invoiced sales may be inaccurately recorded.
CONTROL PROCEDURES: Review receivables ledger for credit balances. Perform receivables ledger reconciliation. Computer controls.

PROCESS: Cash received
RISKS: Incorrect amounts may be received. Customer may not pay for goods.
CONTROL PROCEDURES: Agree cash receipt back to the invoice. Review aged debt listing and investigate. Review aged debt listing regularly: phone when overdue by 30 days, another letter at 45 days, final letter threatening legal action at 60 days.

PROCESS: Cash recorded
RISKS: Cash may be incorrectly recorded or recorded against the wrong customer account. Cash received may be stolen.
CONTROL PROCEDURES: Customer statements. Regular banking. Reconciliation of banking to cash receipts records. Segregation of duties.

CONTROL IN OTHER DEPARTMENTS

CONTROLS OVER HR
Recruitment policies (application form, checking the qualification)
References being taken up prior to appointment
Continuous training
Eligibility to work in a country
Contract of employment

CONTROLS OVER THE DISTRIBUTION DEPT
Signed goods received and goods despatched notes
Regular inventory counts
Monitored CCTV cameras around the distribution depot
Security guards at exits

EVALUATION OF AN INTERNAL CONTROL SYSTEM
1. Developing an adequate control system
2. Limitations of internal control systems
3. Cost v. benefits
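The control procedures in the sales-cycle table, turned into checks that can be run over accounting records: an added Python example, not from the notes. It covers the invoice sequence check, matching goods despatched notes to invoices, agreeing cash receipts back to invoices, the 30/45/60-day aged-debt escalation and segregation of duties between the person who authorises a sale and the person who records it, so it spans several rows of the table rather than one. The record layouts, names and figures are constructed; age is counted from the invoice date because the constructed records carry no due date.

```python
"""Sales-cycle control checks over constructed sample records.

Added example, not from the notes. Record layouts are assumptions:
an invoice carries its sequence number, customer, amount, date, and
who authorised and who recorded it; a GDN carries the invoice it was
matched to (None if no invoice was raised); a receipt carries the
invoice it settles. All names and amounts are constructed.
"""
from datetime import date

# Date on which the exception review is run (constructed).
REVIEW_DATE = date(2024, 4, 1)

# Invoice 1003 is missing from the sequence; 1004 was authorised and
# recorded by the same person.
INVOICES = [
    {"no": 1001, "cust": "ACME", "amount": 500.0, "date": date(2024, 1, 5),
     "authorised_by": "jill", "recorded_by": "raj"},
    {"no": 1002, "cust": "BETA", "amount": 250.0, "date": date(2024, 1, 20),
     "authorised_by": "jill", "recorded_by": "raj"},
    {"no": 1004, "cust": "ACME", "amount": 120.0, "date": date(2024, 2, 10),
     "authorised_by": "raj", "recorded_by": "raj"},
    {"no": 1005, "cust": "GAMMA", "amount": 900.0, "date": date(2024, 2, 25),
     "authorised_by": "jill", "recorded_by": "sam"},
]
# Goods despatched notes; G-3 left the depot with no invoice raised.
GDNS = [
    {"gdn": "G-1", "invoice_no": 1001},
    {"gdn": "G-2", "invoice_no": 1002},
    {"gdn": "G-3", "invoice_no": None},
]
# Cash receipts; the second is short of the invoice amount.
RECEIPTS = [
    {"invoice_no": 1001, "amount": 500.0, "date": date(2024, 1, 30)},
    {"invoice_no": 1002, "amount": 200.0, "date": date(2024, 2, 15)},
]


def invoice_sequence_gaps(invoices):
    """Sequence check: a number missing from the run may be a lost or suppressed invoice."""
    nos = sorted(i["no"] for i in invoices)
    present = set(nos)
    return [n for n in range(nos[0], nos[-1] + 1) if n not in present]


def unmatched_gdns(gdns, invoices):
    """Every GDN must match an invoice; an unmatched one means goods went out unbilled."""
    known = {i["no"] for i in invoices}
    return [g["gdn"] for g in gdns if g["invoice_no"] not in known]


def receipts_not_agreeing(receipts, invoices):
    """Agree each receipt back to its invoice; report unknown invoices and amount differences."""
    by_no = {i["no"]: i for i in invoices}
    exceptions = []
    for r in receipts:
        inv = by_no.get(r["invoice_no"])
        if inv is None or abs(inv["amount"] - r["amount"]) > 0.005:
            exceptions.append((r["invoice_no"], r["amount"]))
    return exceptions


def aged_debt_actions(invoices, receipts, today):
    """Aged debt listing with the 30/45/60-day escalation; age runs from the invoice date."""
    paid = {}
    for r in receipts:
        paid[r["invoice_no"]] = paid.get(r["invoice_no"], 0.0) + r["amount"]
    actions = {}
    for inv in invoices:
        if paid.get(inv["no"], 0.0) + 0.005 >= inv["amount"]:
            continue  # settled in full, nothing to chase
        age = (today - inv["date"]).days
        if age >= 60:
            actions[inv["no"]] = "final letter threatening legal action"
        elif age >= 45:
            actions[inv["no"]] = "send another letter"
        elif age >= 30:
            actions[inv["no"]] = "phone the customer"
    return actions


def segregation_breaches(invoices):
    """Segregation of duties: the person who authorised a sale must not also record it."""
    return [i["no"] for i in invoices if i["authorised_by"] == i["recorded_by"]]


def exception_report(today=REVIEW_DATE):
    """Run every check over the sample records, as a periodic exception review would."""
    return {
        "sequence_gaps": invoice_sequence_gaps(INVOICES),
        "unbilled_gdns": unmatched_gdns(GDNS, INVOICES),
        "receipts_not_agreeing": receipts_not_agreeing(RECEIPTS, INVOICES),
        "aged_debt": aged_debt_actions(INVOICES, RECEIPTS, today),
        "sod_breaches": segregation_breaches(INVOICES),
    }


if __name__ == "__main__":
    for check, result in exception_report().items():
        print(f"{check}: {result}")
```

Each function returns the exceptions rather than printing them, so the same checks can feed the management reports and exception highlighting described under MANAGEMENT CONTROL.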
EVALUATION OF AN INTERNAL CONTROL SYSTEM
1. Developing an adequate control system
• Need to ascertain the objectives of the system in question. EX: the system may be human resources and its objectives are many, which include sourcing, recruiting, training, and retaining quality staff.
• Research should be conducted regarding the current systems in place (if any), and communication with employees (questionnaires and interviews, for example) would help to collect useful information.
• Inputs to the process should be identified to check whether they meet the intended objective (or create the desired output). EX: the objective of retaining quality staff will not be met if a review process is not carried out when well-trained but unhappy staff repeatedly leave the company. In order to work out whether the system currently works, the company should use a benchmark, EX: HR may set a target labour turnover figure. If this is met or surpassed, then action should be taken since it demonstrates that the current system is not effective at retaining a certain level of staff.
2. COST V. BENEFITS
The benefits of maintaining the system must outweigh the costs of operating it. However, it can be difficult to quantify the costs and benefits as they are often not direct cash costs.
● Costs of an internal control system will include:
❖ time of management involved in the design of the system
❖ Implementation:
- costs of IT consultants to implement new software
- training all staff in new procedures
❖ Maintenance of the system:
- software upgrades
- monitoring and review
● Benefits are to be found in the reduction of the risks and achievement of business objectives.
3. LIMITATIONS OF ICS
A. A good internal control system cannot turn a powerful manager into a good one.
B. The system can only provide reasonable assurance regarding the achievement of objectives - all ICS are at risk from mistakes or errors.
C. Internal control systems can be bypassed by collusion and management override.
D. Controls are only designed to cope with routine transactions and events.
E. There are resource constraints in the provision of internal control systems, limiting their effectiveness.
