ACCA P1 Governance, Risk and Ethics - 2011 - Study text - Emile Woolf Publishing
Подождите немного. Документ загружается.
Paper P1: Governance, risk and ethics
244 © Emile Woolf Publishing Limited
© Emile Woolf Publishing Limited
245
Paper P1
Governance,riskandethics
CHAPTER
11
Controlling risk
Contents
1 Monitoring risk
2 Embedding risk
3 Methods of controlling risk
4 Enterprise risk management
Paper P1: Governance, risk and ethics
246 © Emile Woolf Publishing Limited
Monitoring risk
Role of the risk manager
The role of risk committees
The role of risk auditing
Performing a risk audit
1 Monitoring risk
There is no widely-accepted approach to the management of risk. Each business and
non-business entity develops its own risk management structure according to its
own needs and perceptions. This chapter looks at some of the approaches that
might be used.
1.1 Role of the risk manager
Companies and other entities might appoint one or more risk managers. A risk
manager might be given responsibility for all aspects of risk. Alternatively, risk
managers might be appointed to help with the management of specific risks, such
as:
Insurance
Health and safety
Information systems and information technology
Human resources
Financial risk or treasury risk
Compliance (with specific aspects of the law or industry regulations).
A risk manager is not a ‘line’ manager and is not directly responsible for risk
management. His role is to provide information, assistance and advice, and to
improve risk awareness within the entity and encourage the adoption of sound risk
management practice.
The role of a risk manager might therefore include:
Helping with the identification of risks
Establishing ‘tools’ to help with the identification of risks
Establishing modelling methods for the assessment and measurement of risks
Collecting risk incident reports (for example, health and safety incident reports)
Assisting heads of departments and other line managers in the review of reports
by the internal auditors
Preparing regular risk management reports for senior managers or risk
committees
Monitoring ‘best practice’ in risk management and encouraging the adoption of
best practice within the entity.
Chapter 11: Controlling risk
© Emile Woolf Publishing Limited 247
How effective are risk managers?
The effectiveness of risk managers depends partly on the role of the risk manager
and partly on the support that the risk manager receives from the board and senior
management.
The specific role of the risk manager might give him authority to instruct line
managers what to do. For example, a health and safety manager can insist on
compliance with health and safety regulations. Some risk managers have the
authority to make decisions for the entity: the manager responsible for
insurance, for example, might have the authority to buy insurance cover against
certain risks.
The status of the risk manager depends on the amount of support he receives
from the board and senior management. A culture of risk awareness should be
promoted by the board of directors.
1.2 The role of risk committees
Some entities establish one or more risk committees.
A risk committee might be a committee of the board of directors. This committee
should be responsible for fulfilling the corporate governance obligations of the
board to review the effectiveness of the system of risk management.
A risk committee might be an inter-departmental committee responsible for
identifying and monitoring specific aspects of risk, such as:
- strategic risks/business risks (or particular aspects of these risks)
- operational risk (and internal controls)
- financial risk
- compliance risk
- environmental risk.
Risk committees do not have management authority to make decisions about the
control of risk. Their function is to identify risks, monitor risks and report on the
effectiveness of risk management to the board or senior management.
Internal auditors might be included in the membership of risk committees.
Alternatively, the internal auditors should report to the risk committees.
Similarly, risk managers might be included in the membership of risk committees,
or might report to the committees.
The boards of directors should receive regular reports from these risk committees,
as part of their governance function to monitor the effectiveness of risk management
systems.
Paper P1: Governance, risk and ethics
248 © Emile Woolf Publishing Limited
1.3 The role of risk auditing
Risks should be monitored. The purpose of risk monitoring is to ensure that:
there are processes and procedures for identifying risk, and that these are
effective
there are internal controls and other risk management processes in place for
managing the risks
risk management systems appear to be effective
the level of risk faced by the entity is consistent with the policies on risk that are
set by the board of directors
failures in the control of risk are identified and investigated
weaknesses in risk management processes are identified and corrected.
Risks can be monitored through auditing. Risk auditing involves the investigation
by an independent person (the auditor) of an area of risk management. A risk audit
and assessment can be defined as ‘a systematic way of understanding the risks that
an organisation faces. Because the range and types of risk are many and varied, risk
assessment and audit can be a complicated and involved process’ (David Campbell
in Student Accountant, March 2009).
It is important to recognise however that unlike an external audit, a risk audit is not
a mandatory requirement for companies (although regulators do require companies
in certain industries such as financial services to carry out regular audits or stress
tests).
External auditors should monitor internal controls for financial risks as a part of
their annual audit process. Internal auditors might also carry out checks on
internal financial controls.
However, risk auditing can be extended to other aspects of risk, such as
operational risks, compliance risks and environmental risks. The auditors might
be a part of the internal audit function or risk management function within the
entity. Alternatively, they might be external investigators and auditors from
either an accountancy/consultancy firm or a firm that specialises in the audit of
particular types of risk.
1.4 Performing a risk audit
The advantage of having risk audits performed by internal auditors or risk
managers is that the individuals who carry out the audit should be very familiar
with the company and its systems, procedures and culture. As a result:
The auditor begins with an understanding of relevant technical issues, how the
business operates, the legal and regulatory framework and control systems. He
should therefore be capable of performing highly context-specific risk audits, at a
level of detail that an external auditor may not be able to achieve.
The audit report is likely to be written in a language and using terms that the
company’s management understand, and so may be easier to comprehend than a
report written by an external auditor.
Chapter 11: Controlling risk
© Emile Woolf Publishing Limited 249
The disadvantage of using internal auditors or risk managers for risk audits is the
‘familiarity threat’. Because he is so familiar with the way that systems and
procedures operate, and because he knows the management well, a risk manager
may fail to identify weaknesses in the system. If an external auditor or specialist
consultant carries out a risk assessment, the auditor should be more clearly
independent of management and a familiarity threat should not exist.
(Firms of management consultants may be up-to-date with current approaches to
risk assessments and audits and so may be highly ‘professional’. A potential
problem however is that consultancy firms may have a ready-made solution to a
risk management problem, which they try to impose on all their clients even when
the proposed solution may not be entirely appropriate.)
There are four stages in a risk audit.
Stage 1: Identification. The first step in a risk audit should be to identify what
the risks are in a particular situation, strategy, procedure or system. Risks
change continually in nature. Existing risks may disappear, and new risks may
emerge. It is therefore essential to identify what the current risks are, especially
for companies that operate in a volatile business environment.
Stage 2: Assessment. When the risks have been identified, the next step should
be to assess them. The probability of an adverse event or outcome, and the
impact of an adverse event should be measured. A risk can be assessed by its
expected loss. The expected loss = Probability × Impact.
Stage 3: Review. The auditor should look at the controls that are in place to
manage the risk in the event that an adverse outcome happens. Management
may have taken measures to transfer the risk (for example, to insure certain
risks) or to reduce the risks by introducing control systems and monitoring
systems. The controls for each material identified risk should be audited.
Stage 4: Report. The risk audit should lead to a report to the board of directors
or to management, depending on who commissioned the audit.
Paper P1: Governance, risk and ethics
250 © Emile Woolf Publishing Limited
Embedding risk
The importance of risk awareness throughout an organisation
Embedding risk awareness in the culture of an organisation
Embedding risk awareness in systems and procedures
The role of risk professionals and the need for embedded risk management
2 Embedding risk
2.1 The importance of risk awareness throughout an organisation
Risk managers, risk committees and risk audits can contribute to a culture of risk
awareness, and can help to provide a sound system of risk management. It is
important, however, that throughout the organisation managers and employees are
aware of risk and the need for appropriate risk control.
Managers take decisions that expose the entity to risk. They need to understand the
possible consequences of their decision-making, and should be satisfied that the
risks they have ‘created’ are justified by the expected benefits.
Senior managers are responsible for the management of business risks/strategic
risks. Every employee needs to be aware of the need to contain operational risks.
For example:
All employees must be aware of health and safety regulations, and should
comply with them. A failure to comply with fire safety regulations could result
in serious fire damage. For a manufacturer of food products, a failure in food
hygiene regulations could have serious consequences for both public health and
the company’s reputation.
All employees and managers should understand the need to report incidents
where there have been excessive exposures to risk, and control measures have
failed or have not worked properly.
In some entities, there could be serious consequences of failure to comply with
regulations and procedures. For example in banking, there must be a
widespread understanding of anti money laundering regulations and the rules
against mis-selling of banking products. The consequences for a bank of failures
in compliance could be fines by the regulator and damage to the bank’s
reputation.
2.2 Embedding risk awareness in the culture of an organisation
It was stated in the earlier chapter on internal control that an essential aspect of risk
management and control is the culture within the organisation. The culture within
the organisation is set by the board of directors and senior management (the ‘tone at
the top’), but it should be shared by every manager and employee.
Chapter 11: Controlling risk
© Emile Woolf Publishing Limited 251
Risk awareness is ‘embedded’ in the culture of the organisation when thinking
about risk and the control of risk is a natural and regular part of employee
behaviour.
Creating a culture of risk awareness should be a responsibility of the board of
directors and senior management, who should show their own commitment to the
management of risk in the things that they say and do.
There should be reporting systems in place for disclosing issues relating to risk.
There should be a sharing of risk-related information.
Managers and other employees should recognise the need to disclose
information about risks and about failures in risk control.
There should be a general recognition that problems should not be kept hidden.
‘Bad news’ should be reported as soon as it is identified. The sooner problems
are identified, the sooner control measures can be taken (and the less the damage
and loss).
To create a culture in which problems are disclosed, there must be openness and
transparency. Employees should be willing to admit to mistakes.
Openness and transparency will not exist if there is a ‘blame’ culture.
Individuals should not be criticised for making mistakes, provided that they
own up to them promptly.
The attitude should be that problems with risks will always occur. When they do
happen, the objective should be to take measures to deal with the problem.
Mistake should be analysed in order to find solutions and prevent a repetition of
the problem. Risk management should be a constructive process.
2.3 Embedding risk awareness in systems and procedures
In addition to creating a culture of risk awareness within an entity, it is also
important to establish systems and procedures in which the management of risk is
‘embedded’.
‘Embedding’ risk in systems and procedures means that risk management should be
an integral part of management practice. Risk management must be a core function
which managers and other employees consider every day in the normal course of
their activities. The concept of embedding risk can be compared with a situation
where risk management is treated as an ‘add-on’ process, outside the normal
procedures and systems of management.
There are no standard rules about how risk awareness and risk control can be
embedded within systems and procedures. Each organisation needs to consider the
most appropriate methods for its own purposes.
Paper P1: Governance, risk and ethics
252 © Emile Woolf Publishing Limited
Example
One system for embedding risk awareness in the planning process is a two-stage
process, as follows.
Stage 1. Managers responsible for preparing plans are required to identify the key
risks that could prevent the achievement of their planning targets. This requirement
makes managers consider risks and the measures that are required to control them,
to ensure the achievement of planning targets.
Stage 2. Before plans are finally approved, managers must carry out sensitivity
analysis or scenario analysis, to measure the effects of adverse events or
circumstances. For example, a sales manager preparing a sales plan would be
required to consider the consequences of weak sales demand, or a lack of success in
a new product launch. Similarly a research and development director might be
required to consider the consequences of a failure in a research project or a delay in
the completion of a development project. They must then report the results of their
testing.
Sensitivity analysis or scenario tests make managers consider risks and their
consequences. In addition, they are made aware of the need to control risks, so that
if future events are unfavourable, the risks are contained and the consequences are
not worse than those predicted by their scenario testing.
2.4 The role of risk professionals and the need for embedded risk
management
Risk managers and risk audits have a role in risk management, but they cannot be
effective unless risk is embedded in the culture of the entity and in its systems and
procedures.
The risk management team of an organisation can assist in the development of the
risk management framework and policies. They can teach the team about risk
management so as to ensure that strong reporting and examining structures exist.
However, there are two things that this risk management team cannot do. They
cannot put a corporate culture in place that establishes risk awareness and
transparency. The culture needs to be set and then passed on to all members of staff
by the board of directors or the senior management team. They also cannot be the
only risk managers. The people who created the risks originally – the business
managers – need to be responsible. The risk management team’s main aims should
be to ensure that the right people are managing the right risks and that risk
management is always considered.
Chapter 11: Controlling risk
© Emile Woolf Publishing Limited 253
Methods of controlling risk
Different approaches to controlling risk
Diversification
Risk transfer
Risk sharing
Hedging risks
Risk avoidance and risk retention
The TARA framework for risk management
3 Methods of controlling risk
3.1 Different approaches to controlling risk
There are several different approaches to controlling risks. In a previous chapter, it
was explained how internal controls can be used to control financial risks,
operational risks and compliance risks.
Risk management methods are much more sophisticated in some industries (and in
some countries) than in others. For example, the financial services and banking
industry has developed products (financial derivatives) that can be used to manage
financial risks.
Approaches to the management of business risks that are described in this section
are:
diversification of risks
risk transfer
risk sharing
hedging risks
3.2 Diversification
Risks can be reduced through diversification. Diversification is also called
‘spreading risks’.
The purpose of diversification in business is to invest in a range of different business
activities, and build up a portfolio of different business activities. Each individual
business activity is risky, but some businesses might perform better than expected
just as some might perform worse than expected. Taking the entire portfolio of
different businesses, the good performers will offset the bad performers, and the
portfolio as a whole might provide, on average, the expected returns.