on control systems places great emphasis on how control systems deal with risk.

• Risk is a condition in which there exists a quantifiable dispersion in the possible results of any activity.
• Hazard is the impact if the risk materialises.
• Uncertainty means that you do not know the possible outcomes and the chances of each outcome occurring.
• In other words, risk is the probability, and hazard is the consequences, of results deviating from expectations. However, risk is often used as a generic term to cover hazard as well.

Types of risk

1. Fundamental risks are those that affect society in general, or broad groups of people, and are beyond the control of any one individual. For example, there is the risk of atmospheric pollution, which can affect the health of a whole community but which may be quite beyond the power of any individual within it to control.
2. Particular risks are risks over which an individual may have some measure of control. For example, there is a risk attached to smoking, and we can mitigate that risk by refraining from smoking.
3. Speculative risks are those from which either good or harm may result. A business venture, for example, presents a speculative risk because either a profit or a loss can result.
4. Pure risks are those whose only possible outcome is harmful. The risk of loss of data in computer systems caused by fire is a pure risk because no gain can result from it.

Risk and business

• A key point to emphasise is that risk is bound up with doing business.
• The basic principle is that 'you have to speculate to accumulate'.
• It may not be possible to eliminate risks without undermining the whole basis on which the business operates, or without incurring excessive costs and insurance premiums.
• Therefore in many situations there is likely to be a level of residual risk which it is simply not worth eliminating.
There are some benefits to be derived from the management of risk, possibly at the expense of profits, such as:

• Predictability of cash flows
• Limitation of the impact of potentially bankrupting events
• Increased confidence of shareholders and other investors.
*However, boards should not just focus on managing negative risks; they should also seek to limit uncertainty and to manage speculative risks and opportunities in order to maximise positive outcomes and hence shareholder value.

Risk and corporate governance

• One obvious link between risk and corporate governance is the need to address shareholders' concerns about the relationship between the level of risks taken and the returns achieved.
• A further issue is the link (or lack of it) between directors' remuneration and the risks taken.
• If remuneration does not link directly with risk levels, but does link with turnover and profits achieved, directors could decide that the company should bear risk levels that are higher than shareholders deem desirable.
• It has therefore been necessary to find other ways of ensuring that directors pay sufficient attention to risk management and do not take excessive risks.
• Corporate governance guidelines therefore require directors to:
  - Establish appropriate control mechanisms for dealing with the risks the organisation faces
  - Monitor risks themselves by regular review and a wider annual review
  - Disclose their risk management processes in the accounts

Nature of enterprise risk management

COSO framework

• There are various frameworks for risk management, but we shall be looking in particular at the framework established by the Committee of Sponsoring Organisations of the Treadway Commission (COSO).
• COSO published guidance on internal control, Internal Control – Integrated Framework, in 1992. It published wider guidance on Enterprise Risk Management in 2004. In 2006 COSO issued Internal Control over Financial Reporting – Guidance for Smaller Companies.
• This guidance was designed to supplement the guidance in Internal Control – Integrated Framework, in the light of the requirement in section 404 of the Sarbanes-Oxley legislation for the management of public companies to assess and report on the effectiveness of internal control over financial reporting.
• Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

COSO states that enterprise risk management has the following characteristics.

a) It is a process, a means to an end, which should ideally be intertwined with existing operations and exist for fundamental business reasons.
b) It is operated by people at every level of the organisation and is not just paperwork. It provides a mechanism for helping people to understand risk, their responsibilities and their levels of authority.
c) It is applied in strategy setting, with management considering the risks in alternative strategies.
d) It is applied across the enterprise. This means it takes into account activities at all levels of the organisation, from enterprise-level activities such as strategic planning and resource allocation to business unit activities and business processes. It includes taking an entity-level portfolio view of risk. Each unit manager assesses the risk for his unit.
e) It is designed to identify events potentially affecting the entity and to manage risk within its risk appetite, the amount of risk it is prepared to accept in pursuit of value. The risk appetite should be aligned with the desired return from a strategy.
f) It provides reasonable assurance to an entity's management and board. Assurance can at best be reasonable, since risk relates to the uncertain future.

• Senior management ultimately consider these unit risks and also the interrelated risks. Ultimately they will assess whether the overall risk portfolio is consistent with the organisation's risk appetite.
• Risk appetite is the amount of risk an organisation is willing to accept in pursuit of its strategic objectives.
• It is geared to the achievement of objectives in a number of categories, including supporting the organisation's mission, making effective and efficient use of the organisation's resources, ensuring that reporting is reliable, and complying with applicable laws and regulations.

*An approach based on objectives contrasts with a procedural approach based on rules, codes or procedures. A procedural approach aims to eliminate or control risk by requiring conformity with the rules. However, a procedural approach cannot eliminate the possibility of risks arising from poor management decisions, human error, fraud or unforeseen circumstances.