Outcomes
The COSO framework for internal control
Risks in a business
• Definition of business risk per ISA 315.12(b): “risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect the entity’s ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies”
• Basically circumstances (external or internally “created”) that could knock the entity’s profitability if not properly addressed
• And possibly even make it fail
• Note how risks are worded in the textbook – see p. 129, for example
• Just about all of them end with “resulting in financial losses for the entity”
Risk management
Types of risk
• Strategic risk – risks relating to:
  • What is sold
  • Where it is sold
  • How it is sold
  • The structure
• Compliance risk – risks relating to compliance with laws and other regulations
• Operational risk – risks relating to the ability to execute plans
• Information risk – risks relating to:
  • The information needed to do business
  • The safeguarding of such information
• Financial risk – risks relating to:
  • The granting of credit
  • The capital
• Reputational risk – note the impact of social media!
Risk management
• Evaluating risk
• Response will be determined by:
• Probability – the likelihood of the bad thing happening
• Consequences – the impact if it does happen
• Risk appetite and risk tolerance
• See p. 117
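The evaluation step above (probability, consequences, and the entity's appetite and tolerance deciding the response) can be made concrete as a small risk-register scoring routine. The following is an added illustration written for these notes, not code from the course or the textbook; the five likelihood wordings are the ones the Woolworths slide uses, while the 1..5 numeric mappings, the consequence wordings, the three response bands and the sample ratings are all assumptions made for the example.

```python
"""Toy risk-register scoring: likelihood x consequence against appetite and tolerance.

Added illustration for the risk-evaluation slide. The numeric scales and the
response bands are assumptions, not from the course material or any standard.
"""
from dataclasses import dataclass

# Likelihood scale: wording as on the Woolworths integrated-report slide;
# the 1..5 numbers are an assumed mapping.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
# Consequence scale: both wording and 1..5 mapping are assumed.
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str
    consequence: str


def score(risk: Risk) -> int:
    """Inherent risk score = likelihood x consequence, range 1..25."""
    return LIKELIHOOD[risk.likelihood.lower()] * CONSEQUENCE[risk.consequence.lower()]


def response(risk: Risk, tolerance: int, appetite: int) -> str:
    """Map a score to a response band.

    appetite:  the score the board is willing to carry without further treatment.
    tolerance: the highest score the entity can bear at all; anything above it
               is escalated (avoid the activity or transfer the risk), not merely
               mitigated. Appetite therefore never exceeds tolerance.
    """
    if appetite > tolerance:
        raise ValueError("risk appetite cannot exceed risk tolerance")
    s = score(risk)
    if s > tolerance:
        return "escalate"
    if s > appetite:
        return "mitigate"
    return "accept"


def prioritise(register, tolerance=15, appetite=6):
    """Return (name, score, response) rows, highest score first."""
    rows = [(r.name, score(r), response(r, tolerance, appetite)) for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register: the names echo risks listed on the Woolworths
# slides, but the likelihood and consequence ratings are invented.
SAMPLE_REGISTER = [
    Risk("Cyber risk", "likely", "major"),
    Risk("Brand reputation", "possible", "severe"),
    Risk("Cost of doing business", "almost certain", "moderate"),
    Risk("Real estate optimisation", "unlikely", "minor"),
]

if __name__ == "__main__":
    for name, s, resp in prioritise(SAMPLE_REGISTER):
        print(f"{name:28} score={s:2}  response={resp}")
```

With the defaults, "Cyber risk" scores 16 and lands above the assumed tolerance of 15, so it is escalated rather than treated as an ordinary mitigation item; the two risks at 15 fall in the mitigation band, and the low-rated one is simply accepted. The point the slide makes is visible in the code: the same probability-times-consequence number leads to different responses depending on where the entity has set its appetite and tolerance.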
King IV
Disclosures
Risk info from Woolworths’s integrated report
Risk oversight
Disclosures
Risk info from Woolworths’s integrated report
• Reporting on risks
  • External reporting on meta risks – see slide 17 (top strategic risks)
  • Internal reporting on group risk profile
  • Internal reporting on entity risk profiles
  • Internal reporting on business unit risk registers
Disclosures
Risk info from Woolworths’s integrated report
Combined assurance
Disclosures
Risk info from Woolworths’s integrated report
• Top strategic risks (at group level), each with a likelihood rating (almost certain, likely, possible, unlikely, or rare):
  1. David Jones performance
  2. Fashion, beauty and home performance
  3. Treasury and balance sheet
  4. Cost of doing business
  5. Real estate optimisation
  6. Cyber risk
  7. South African socio-political environment
  8. Digital disruption
  9. Organisational change and talent management
  10. Brand reputation
Disclosures
Risk info from Woolworths’s integrated report
• For each of the 10 risks, the following is then provided:
  • Influenced by
  • Mitigations
Business risk and the auditor
Business risks are like the gunk; controls work like a filter.
The Chief Risk Officer, per Wikipedia
“The chief risk officer (CRO) or chief risk management officer (CRMO) of a firm or corporation is the executive accountable for enabling the efficient and effective governance of significant risks, and related opportunities, to a business and its various segments… CROs are accountable to the Executive Committee and The Board for enabling the business to balance risk and reward. In more complex organizations, they are generally responsible for coordinating the organization's Enterprise Risk Management (ERM) approach. The CRO is responsible for assessing and mitigating significant competitive, regulatory, and technological threats to a firm's capital and earnings. The CRO roles and responsibilities vary depending on the size of the organization and industry. The CRO works to ensure that the firm is compliant with government regulations…and reviews factors that could negatively affect investments. Typically, the CRO is responsible for the firm's risk management operations, including managing, identifying, evaluating, reporting and overseeing the firm's risks externally and internally to the organization and works diligently with senior management such as Chief Executive officer and Chief Financial Officer. The role of the Chief Risk Officer (CRO) is becoming increasingly important in financial, investment, and insurance sectors… James Lam, a noted risk professional, is credited as the first person to coin the term. Lam is the first person to hold that position at GE Capital in 1993. The position became more common after the Basel Accord, the Sarbanes-Oxley Act, the Turnbull Report.”
Executive perspectives on top risks for 2023 (and 2032), per Protiviti’s Annual Risk Survey
For 2023:
1. Organization's succession challenges and ability to attract and retain top talent in a
2. Economic conditions in markets we currently serve may significantly restrict growth opportunities
For 2032:
1. Organization's succession challenges and ability to attract and retain top talent in a tightening talent
2. Adoption of digital technologies may require new skills in short supply
3. Rapid speed of disruptive innovations enabled by new and emerging technologies and/or other