UNDERSTANDING YOUR ORGANIZATION

CHAP 1: INTRODUCTION TO RISK MANAGEMENT

RISK MANAGEMENT

A scenario: Life is full of uncertainty


You have made an appointment with your acquaintances to go out for dinner next week.

Question: What could happen so that you are not able to meet with your friends? What do you need to do to ensure that you are able to meet with them?

"What could go wrong" that would prevent a company from achieving its business objectives = Risk

Overview of Risk Management


What is risk? One of the first hurdles in thinking about risk is the plethora of definitions and meanings of the term risk. Risk is one of those terms seen a dozen times in the daily newspaper with a dozen different meanings and interpretations. Depending on whom you ask:

Those who know about risk (IT expert, environmentalist, banker, safety expert and so forth) will give different interpretations of the definition of risk.
Those who don't know about risk will assume those interpretations come from different worlds.

But these different worlds make up parts of the same universe: the risk management universe.

Definition of Risk
The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood. (ISPPIA)

Risk is the chance of something happening or not happening that will have an influence upon the achievement of business objectives. (Turnbull)

Risks are uncertainties about events and/or their outcomes which, if they occur, would have a material effect on the goals and objectives of the organization, either negatively (threats/downside) or positively (opportunities/upside).

Definition of Risk
Risks arise from uncertainties, are inherent, and arise at any time.

Inherent and Residual Risk

Inherent risk is the underlying risk before any controls are applied to mitigate the risk.
Residual risk is the risk remaining after management takes action to reduce the impact and likelihood of an adverse event, including control activities in responding to risk.

It is important that managers get out of an "only downside risk" mentality. Risk is not only bad things happening, but also good things not happening. Companies are now seeing opportunities from focusing on risk and control, rather than purely focusing on controls.

Risk Element
Risk arises out of uncertainty. If you are deciding on a course of action, your need to manage risk arises out of this uncertainty, and therefore the three elements of risk you need to consider are:

Likelihood: the likelihood indicates the chance of occurrence (the likelihood of something happening which you may or may not want to happen).
Severity/Impact: the severity of the consequence indicates the gravity of damage.
Scenario: a risk scenario is the sequence of events leading from the cause to the consequence.

Risk scenarios describe undesirable situations, causes describe single events or circumstances activating dormant problems, and consequences describe the +/-ve effects on the enterprise resources.

[Diagram: cause, event, consequence]

Definition of Risk Management


Risk is everywhere, anytime and derives directly from unpredictability.

Risk management is a proactive and an ongoing process involving the identification, assessment, control, monitoring and reporting of risk exposures.

Risk management consists of a systematic process of assessing and then dealing with risk.

Risk Management Framework/Model

Risk Management Framework/Process

Definition of Risk Management


Risk management is an iterative process consisting of steps, which when taken in sequence, enable continual improvement in decision-making. It is the logical and systematic method of identifying, analyzing, evaluating, treating, monitoring and communicating risks associated with any activity, function or process in a way that will enable organizations to minimize losses and maximize opportunities. (Australian/New Zealand Standard on Risk Management AS/NZS 4360)

Risk management provides us with a framework for dealing with and reacting to such uncertainty and structured systems for identifying and analyzing potential risks, and devising and implementing responses appropriate to their impact. The responses generally draw on strategies of risk prevention, risk transfer, impact mitigation or risk acceptance.

Definition of ERM
Enterprise risk management is a process, effected by an entity's board of directors, management, and other personnel, applied in a strategy setting across the enterprise. The process is designed to identify potential events that may affect the entity, manage risks to be within its risk appetite, and provide reasonable assurance regarding the achievement of entity objectives. (COSO ERM)

Risk Management Assumptions


All entities exist to add value to stakeholders
All entities face uncertainty
Value is created, preserved, or eroded by management decisions
ERM is an enabler of the management process
Interrelated to governance
Interrelated to performance management

ERM Framework

Benefits of Risk Management


Aligns risk appetite and strategy
Links growth, risk, and return
Enhances risk response decisions
Minimizes operational surprises and losses

Benefits of Risk Management


Effective risk management helps build an organization that exhibits the following key features:

key stakeholders, such as the board and senior management, are in a position to confidently make informed decisions relating to the trade-off of risk and reward;
daily business decisions at the departmental/divisional level are made within the context of the organization's tolerance towards risk;
the risks relating to the value of the organization's intangible assets, such as its customer base, suppliers, intellectual and knowledge capital, process and systems, are acknowledged and optimized as fully as its physical and financial assets;

Categories of Risk
Strategic
Operational
Financial
Compliance

Standards
Performance Standard 2110 - Risk Management

The internal audit activity should (must) assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems

Performance Standard 2110.A1 - Assurance

The internal audit activity should (must) monitor and evaluate the effectiveness of the organization's risk management system

Implication & Action Plan


Implications

Risk management is a critical business process and must be in the auditable universe.
Risk management is linked to strategy, vision, and values and interdependent on governance.
