Essential Guide to Internal Auditing 2nd Edition
Chapter Three
Managing Risk
Narrative: You will need a copy of the book as future reference material for this presentation.
Essentials Companion KHS Pickett 2011 Training Slides

YOUR CHOICE
Narrative: Would you choose one, two or three as the most appropriate response?
The word risk is taken from the early Italian risicare which means:
1. To dare.
2. To take care.
3. To beware.

YOUR CHOICE ANSWERED
Narrative: The best response is number 1, to dare, being related to choice rather than fate.
The word risk is taken from the early Italian risicare which means:
1. To dare.
2. To take care.
3. To beware.

The Turnbull report
Narrative: The UK's Turnbull report on corporate governance addressed this idea of risk management.
The reports from management to the board should, in relation to the areas covered by them, provide a balanced assessment of the significant risks and the effectiveness of the system of internal control in managing those risks. Any significant control failings or weaknesses identified should be discussed in the reports, including the impact that they have had, could have had, or may have, on the company and the actions being taken to rectify them. It is essential that there be openness of communication by management with the board on matters relating to risk and control.

RISKS

An Exercise
Narrative: We are simply asking for ways that risks can be used to generate opportunities.

USING OPPORTUNITIES
Narrative: How did you get on with this exercise?
In forming your response you should recall the words we used earlier in this presentation, where risk means "To dare", while the competition stands back.

RISKS

Structuring Risk
Narrative: There are many ways of categorizing risks across an organization and each executive team will have their own way of defining different types of risk. The British risk standard provides the following categories that are in general usage.
strategic risk;
programme risk;
project risk;
financial risk; and
operational risk.

Benefits of systematic risk management:
Narrative: Before we go further into our model let's look at the benefits related to effective risk management. In this case the benefits relate to business projects, as explained on pages 62 to 63.
More realistic business and project planning.
Actions implemented in time to be effective.
Greater certainty of achieving business goals and project objectives.
Appreciation of, and readiness to exploit, all beneficial opportunities.
Improved loss control.
Improved control of project and business costs.
Increased flexibility as a result of understanding all options and associated risks.
Fewer costly surprises through effective and transparent contingency planning.

RISKS

Assessment
Narrative: Then work out how big the risk is and how likely it is to materialise. Management need to be careful in the way they assess risk, and overly optimistic positions have been criticized by some.
The next stage is to assess the significance of the risks that have been identified. This should revolve around the two-dimensional Impact, Likelihood considerations that we have already described earlier.

Management
Narrative: The next two stages are to manage the big risks and review your efforts.
Armed with the knowledge of what risks are significant and which are less so, the process requires the development of strategies for managing significant risks. This ensures that all key risks are tackled and that resources are channeled into areas of most concern, which have been identified through a structured methodology.

An Exercise
Narrative: Have a go at listing as many measures as you can think of.

RISKS
1. Terminate
2. Controls
3. Transfer
4. Contingency
5. Take more
6. Communicate
7. Tolerate
8. Commission research
9. Tell someone
10. Check compliance

Narrative: Let's go for the simple answer in Figure 3.5. The risk appetite defines how inherent risk is perceived and whether there is an aggressive or more passive growth strategy in place. Risk tolerance is what is acceptable after appropriate controls have been put in place to mitigate risk, through an appropriate risk management strategy.
Figure 3.5: INHERENT RISK -> RISK MANAGEMENT STRATEGY AND CONTROLS -> RESIDUAL RISK -> MORE RISK / ACCEPT RISK / MORE CONTROLS

An Exercise
Narrative: Make a list and explain why you have included the item in your risk policy.
What would you include in your Risk Policy?

Narrative: Each risk policy will be different and one version appears here. Pages 74 to 79 cover this topic.
The organization's risk management policy may include:
governance, outlining how risk management is governed;
policy scope, describing the purpose of the policy and who it is aimed at; describing the high level principles and the benefits of implementing risk management; setting out the objectives, including legal and regulatory requirements, and what it intends to achieve; and providing an explanation of the relationship with other policies;
policy applicability, setting out to whom and to what the policy applies;
risk management process, providing a high level overview and description of the risk management process adopted by the organization;
risk appetite, outlining the organization's risk appetite, thresholds and escalation procedure;
reporting, describing the purpose, frequency and scope of reporting;
roles, accountabilities and responsibilities, describing the high level roles, accountabilities and responsibilities in respect of risk management; and
variations and dispensations, stating whether variations or dispensations from the policy are allowed and, if they are allowed, describing the process for requests for this.
S.I.C. ERM Process

COSO ERM
Narrative: ERM is fully defined by the Committee of Sponsoring Organizations (COSO) in their ERM framework that was published in September 2004, which can be viewed in full at www.coso.org.
A process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Linking risk management, governance and control
Narrative: We need to outline the link between corporate governance codes, risk management and internal control. Have a look at the next slide for our approach to this task.
Diagram: Risk Management; Internal Controls

Narrative: Corporate governance codes, corporate structures and disclosure arrangements will help promote good accountability. Within the context of the control framework, the organization should employ a process for identifying, assessing and managing risk. After having assessed key risks, they will need to be managed in line with a defined risk management strategy. Internal controls will seek to mitigate unacceptable levels of risk. The strategy for managing risk and ensuring controls do the job in hand should then be incorporated into an overall strategy that drives the organization towards the achievement of its objectives.
Diagram: Corporate Governance Codes; Internal Corporate Structures; Disclosure Arrangements; Control Framework; Risk Management; Internal Controls; Corporate Strategies & Review

Where does Internal Auditing fit into the risk management equation?
Narrative: To answer this question we need to return to the definition of internal auditing. The final part makes clear we are concerned with risk management, control and governance processes.
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

Where does Internal Auditing fit into the risk management equation?
Narrative: Before we go further let's issue a warning about some of the limitations of the internal audit review process per IIA Attribute Standard 1220.A3. Note that pages 82 to 85 deal with the audit role.
Internal auditors must be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.

Where does Internal Auditing fit into the risk management equation?
Narrative: IIA Performance Standard 2120 makes clear the audit role in risk management.
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.

Where does Internal Auditing fit into the risk management equation?
Narrative: IIA Practice Advisory 2120-1 on Assessing the Adequacy of Risk Management Processes gives an interpretation of Standard 2120.
Determining whether risk management processes are effective is a judgment resulting from internal auditors' assessment that:
Organizational objectives support and align with the organization's mission.
Significant risks are identified and assessed.
Appropriate risk responses are selected that align risks with the organization's risk appetite.
Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities.
Risk management processes are monitored through ongoing management activities, separate evaluations, or both.

Risk Management Practices
Narrative: To close, note that the 2009 Walker review of corporate governance in the UK made clear that risk management should assume a higher profile in the wake of the 2008 Credit Crunch, and internal audit's role will be crucial to this move.
The report should provide a brief description of how risk is managed in the business, ideally using examples of material risks that arose in the previous reporting period. In particular this should focus on the role of the Committee in the management of that risk. In addition the report should provide a brief statement on the number of meetings in the reporting period, an attendance record and whether any votes were taken. The report should cover the key responsibilities of the board risk committee and whether these have changed in the reporting period. Finally the report should briefly record the key areas that the committee has considered in the reporting period.