Finals Module GBR


Introduction to Risk Management

• Risk means “the possibility that something unpleasant or unwelcome will happen”.
• A risk is an uncertain event which may occur in the future.
• The word ‘risk’ derives from the early Italian “risicare”, which means ‘to dare’.
• In this sense, risk is a choice rather than a fate. The actions we dare to take, which depend on how
free we are to make choices, are what the story of risk is all about.
• Note that not all risk is bad, some level of risk must be taken in order to progress / prevent
stagnation.
• Risk is defined in financial terms as the chance that an outcome or investment's actual gains will
differ from an expected outcome or return.
• Risk includes the possibility of losing some or all of an original investment.
• A risk may prevent or delay the achievement of an organization’s or unit’s objectives or goals.
• ‘Risk’ is dynamic and subject to constant change.
• A risk is not certain – Its likelihood can only be estimated.

Classification of Risks
Internal Risks
– Human Risks
– Equipment and Information Technology Risks
– Other Internal Risks
External Risks
– Competition and Market Risks
– Business Environment Risks

Human Risks
• Death
– Owner
– Employee
• Illness
– Short term
– Long term
– Indefinite
• Theft and fraud
– Product and inventory theft
– Time sheet fraud
– Accounting and cash fraud
• Low morale, dissatisfaction
– Failure to perform
– Sabotage of systems, equipment or customers

Equipment and Information Technology Risks
• Equipment breakdowns
– New equipment integration
– Worn older equipment
– Damage to vehicles
• Information technology downtime
– Lack of backup or recovery system
– Updates and repairs
– Power and connectivity (physical damage and outdated systems)
– Lack of administrative controls

Other Internal Risks
• Physical plant repairs
– Breaks in lines or utilities
– Routine maintenance
• Incidents
– Work related injuries
– Damage to others’ property by employees
– Damage to your property by others
• Cash flow changes
– Unexpected costs
– Loss of credit lines
– Expenses to establish lines of credit

External Risks
• Competition and Market Risks
– Loss of clients or customers
– Loss of employees
– Decrease in sales prices/fluctuating markets
– Increases in vendor costs
– Oil or gasoline price increases
– Fixed cost changes (e.g., rent)
• Business Environment Risks
– Laws
– Weather
– Natural Disaster
– Community

Risk Appetite
• Risk appetite is the amount of risk an individual or organization is willing to take on.
• This tends to be situational. For example, an individual may be comfortable taking health risks but extremely averse to financial risk.
• Likewise, an organization may take on one type of risk and be averse to another type of risk.
Types of Risk Appetite
Risk-seeker
• This refers to an attraction to risk.
• This includes individuals who are comfortable with high risk but are only willing to take calculated risks that are rational.
• For example, an investor who buys stocks that are equally likely to go up 2x or fall 49% within a month.
Risk-neutral
• Comfort with risk that is taken for a good reason, such as risks that are taken rationally based on an analysis of risk-reward.
• For example, an individual who makes a risky career choice, knowing it may be a difficult path, and is willing to face this risk to reach a goal they feel is important.
Risk-averse
• A tendency to prefer the safest choices in every list of options.
• In some cases, efforts to avoid risk can create larger secondary risks.
• The classic example of this is an investor who avoids all risk and so fails to preserve the value of their wealth due to inflation.
What is Risk Management?
• Risk Management is the name given to a logical and systematic method of identifying,
analysing, treating and monitoring the risks involved in any activity or process.
• Risk Management is a methodology that helps managers make best use of their available resources.
• Risk Management practices are widely used in public and the private sectors, covering a wide
range of activities or operations. These include: Finance and Investment, Insurance, Health Care,
Public Institutions and Governments
Risk Management
• It is a process to:
– Identify all relevant risks
– Assess / rank those risks
– Address the risks in order of priority
– Monitor risks & report on their management
Risk Management – why do we need it?
• Identifying areas of threat to the business
• Assessing the potential impacts and managing these
• Growth and continued existence of the business
• Promotes good management
• May be a legal requirement depending upon industry or sector
• Resources available are limited – therefore a focused response to Risk Management is needed
How is Risk Management used?
• The Risk Management process steps are a generic guide for any organisation, regardless of the
type of business, activity or function.
• There are 7 steps in the RM process. The basic process steps are:
1. Establish the context
2. Identify the risks
3. Analyse the risks
4. Evaluate the risks
5. Treat the risks
6. Monitor and review
7. Communication & consultation

Risk Management Process


1. Establish the context
– The strategic and organisational context in which risk management will take place.
– For example, the nature of your business, the risks inherent in your business and your priorities.
2. Identify the risks
– Defining types of risk, for instance, ‘Strategic’ risks to the goals and objectives of the organisation.
– Identifying the stakeholders (i.e., who is involved or affected).
– Past events, future developments.
– Risk Identification – what are the threats and uncertainties associated with my organization’s or unit’s objectives?
– Separate out the risk into its cause & possible effect.
– Be concise & clear.
– Do not concentrate on symptoms only.
3. Analyse the risks
– How likely is the risk event to happen? (Probability and frequency?)
– What would be the impact, cost or consequences of that event occurring? (Economic, political, social?)
4. Evaluate the risks
– Rank the risks according to management priorities, by risk category and rated by likelihood and possible cost or consequence.
– Determine inherent levels of risk.
5. Treat the risks
– Develop and implement a plan with specific counter-measures to address the identified risks.
– Consider:
• Priorities (strategic and operational)
• Resources (human, financial and technical)
• Risk acceptance (i.e., low risks)
– Document your risk management plan and describe the reasons behind selecting the risk and for the treatment chosen.
– Record allocated responsibilities, monitoring or evaluation processes, and assumptions on residual risk.
6. Monitor and review
– In identifying, prioritising and treating risks, organisations make assumptions and decisions based on situations that are subject to change (e.g., the business environment, trading patterns, or government policies).
– Risk Management policies and decisions must be regularly reviewed.
– Risk Managers must monitor activities and processes to determine the accuracy of planning assumptions and the effectiveness of the measures taken to treat the risk.
– Methods can include data evaluation, audit and compliance measurement.
Strategic Risk Management
Risk Management
• A company must inevitably assume some level of risk to generate returns on investments that will
be satisfactory to its stockholders.
• The key to successful risk management is maintaining a good balance between risk and reward,
which involves carefully weighing potential profits against potential problems or threats to
operational stability.
• Business risk cannot be totally eliminated, but steps can be taken to mitigate the negative impact.
• A large part of risk management is an understanding of potential risks and having contingency
plans in place to deal with problems that may arise.
Definition of Strategic Risk Management
• “… a process, effected by an entity's board of directors, management and other personnel, applied
in a strategic setting and across the enterprise, designed to identify potential events that may
affect the entity, and manage those events within its risk appetite, to provide reasonable assurance
regarding the achievement of entity objectives.”
Source: COSO Enterprise Risk Management – Integrated Framework.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO)

Company Issues
Risks that the company needs to address properly:
1. Financial and Cash Flow Risk
2. Operational Risk
3. Governance & Compliance Risk
4. Reputational Risk
5. Strategic Risk
6. Marketplace-related Risks
7. International Risk
Financial and Cash Flow Risk
• Numerous business risks are associated with financing and cash flow. A company may be unable
to obtain the necessary financing for an expansion project.
– Reduction in funding
– Failure to safeguard assets
– Poor cash flow management
– Lack of value for money
– Fraud / theft
– Poor budgeting
Operational Risk
• These risks result from failed or inappropriate policies, procedures, systems or activities e.g.
– Failure of an IT system
– Poor quality of services delivered
– Lack of succession planning
– Health & Safety risks
– Staff skill levels
– No process to track contractual commitments
Governance & Compliance Risk
• Lack of oversight by Board
• Segregation of duties not defined formally
• Ensuring compliance with funders’ terms and conditions
• Compliance with applicable legislation
– Safeguarding of vulnerable individuals
– Taxation Law
– Data Protection
– Health & Safety Law
Reputational Risk
• The organization engages in activities that could threaten its good name
– Through association with other bodies
– Staff / members acting in a criminal or unethical way
• Poor stakeholder relations
Strategic Risk
• The organization engages in activity at variance with its stated objectives
• It fails to engage in an activity that would support its stated objectives
Marketplace-related Risks
• The marketplace in which the company operates is a primary source of risk.
• Many marketplace-related risks cannot be directly controlled; they can only be managed and
dealt with as best as possible.
International Risk
• Lastly, if a company does business internationally, then there are several other potential risks:
political problems, changes in tariffs or import/export laws, and risks associated with fluctuating
currency exchange rates.
• While currency exchange rate risk can sometimes be managed through hedging activity in the
foreign exchange market, events of a legal or political nature are often unpredictable and not
amenable to risk management strategies.
5 Basic Methods for Risk Management
Avoidance
• Risk avoidance is not performing any activity that may carry risk.
• Avoidance is a method for mitigating risk by not participating in activities that could harm the company.
Retention
• Retention is the acknowledgment and acceptance of a risk as a given.
• Usually, this accepted risk is a cost to help offset larger risks down the road, such as opting to select a lower insurance plan that carries a higher deductible rate.
Sharing
• Sharing risk is often implemented through employer-based benefits that allow the company to pay a portion of insurance premiums with the employee.
• In essence, this shares the risk with the company and all employees participating in the insurance benefits.
Transferring
• The use of health insurance is an example of transferring risk because the financial risks associated with health care are transferred from the individual to the insurer.
Loss Prevention and Reduction
• This method of risk management attempts to minimize the loss, rather than completely eliminate it.
• While accepting the risk, it stays focused on keeping the loss contained and preventing it from spreading.

Tools for Risk Management


• Two tools are used: first, the risk matrix and secondly, the risk register.
• Using these tools:
– enables all participants to focus more closely on the same issues;
– enables subjectivity to be exercised methodically;
– simplifies and makes attractive what would otherwise be a difficult task; and
– ensures a record is kept of the judgements made, which can be refined over time.
Risk Matrix
• Risk is usually defined as the possibility that an event will occur and adversely affect the
achievement of objectives.
• It is measured in terms of the degree of likelihood that the event might occur, coupled with the
probable impact should the event occur.
• So an individual risk may be plotted on a graph, sometimes known as a risk map or matrix.
Quadrant A
• A risk judged to be within quadrant A of the graph is very likely to occur and to have a large impact on the organisation.
– Overlaid upon a judicious application of control approaches appropriate to the mitigation of risks plotted as being within the other quadrants of the graph, there must be constant attention to the mitigation of this threat by top management, with review by the board.
Quadrant B
• A risk within quadrant B is not very likely to occur but will have a large impact on the
organisation were it to occur.
• There are alternative control approaches here.
– The organisation may seek to terminate this risk, for instance by having duplicate data
centres in different geographic regions, so that a physical disaster or a withdrawal of staff
at one location will enable essential data processing to continue at the other location.
– Alternatively, or additionally, the organisation may develop and test a contingency plan,
thereby putting in place the exceptional measures that will be followed contingent upon
the threat materialising.
Quadrant C
• A risk plotted as being within quadrant C is one that is very likely to occur, perhaps repeatedly,
in the absence of measures to mitigate the risk, but is unlikely to have a large impact on the
business.
– An example might be invoicing with incorrect unit prices. Clearly it is necessary to get
these things right first time, and so organisations largely depend on control procedures
(what COSO calls “control activities”) to achieve this.
Quadrant D
• A risk in quadrant D has been judged not very likely to occur and of no great likely
significance if it does.
– It is likely to be enough to develop and apply monitoring measures which are largely
intended to check that the threat remains within this quadrant and so does not require
other mitigation approaches to contain the threat.
– Monitoring may be a matter of management reviewing exception reports, of software
monitoring exceptions and trends over time, of the compliance function reviewing
processes and outturns, and so on.
Sophisticated Illustration of a Risk Matrix
• Threats plotted on the graph are given a score by multiplying their horizontal and vertical
positions together.
• The score determines the seriousness of the risk and colour coding is applied to give a visual
representation of the degree of criticality.
• When colour coding is used it is conventional to apply a traffic light approach of “red”, “amber”
and “green”; but this depends mainly on the organisation.
Risk Register
• The risk register approach is less visual in its representation, but is widely used to create and
maintain a record of threats and their management at all levels and in all parts of the organisation.
• The risk register allows a more detailed description of the approaches being taken to manage
risks.
Parts of a Risk Register
• Risk Description – Clear description of risk, its cause & consequence
• Controls / Actions already in place – List what is actually happening now which reduces the
impact of a risk or its likelihood
• Impact – scale of 1 to 5 (1 = minor, 5 = catastrophic)
• Likelihood – scale of 1 to 5 (1 = remote, 5 = unavoidable)
• Weighting – its risk ranking: a calculated figure, i.e., impact × likelihood
• Risk Owner – The administrative unit, management position or group who are in the best
position to manage the risk on an on-going basis
• Further Actions Required – The controls / solutions which have yet to be acted upon which
could reduce the impact or likelihood of a risk
• Date – The expected date as to when the actions shown under further actions required will be in
place & effectively addressing the risk

Identification of Risk
• Financial Risk – unplanned losses or expenses
• Service Delivery/Operational Risk – lapses in continuity of operations
• HR Risk – employment practices; retention
• Strategic Risk – untapped opportunities
• Reputational Risk – damage to relationship with community at large (loss of revenue)
• Legal/Compliance Risk – noncompliance with statutory or regulatory obligations
• Technology/Privacy Risk – threats to and breaches in IT security
• Governance Risk – wide-spread non-compliance with policies and standards
• Physical Security/Hazard Risk – harm or damage to people, property or environment
Risk Assessment – Consider Impact and Likelihood to Prioritize Risks
Impact – level of damage sustained when a risk event occurs
– 5 Critical: Threatens the success of the project
– 4 Serious: Substantial impact on time, cost or quality
– 3 Moderate: Notable impact on time, cost or quality
– 2 Minor: Minor impact on time, cost or quality
– 1 Insignificant: Negligible impact
Likelihood of a risk event occurring
– 5 Expected: Is almost certain to occur
– 4 Highly Likely: Is likely to occur
– 3 Likely: Is as likely as not to occur
– 2 Not Likely: May occur occasionally
– 1 None/Slight: Unlikely to occur
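A worked version of the register weighting, matrix quadrant placement and traffic-light colouring described in the module, added here as an example and not part of the module itself: impact and likelihood use the 1 to 5 scales above, weighting is impact × likelihood, and each risk is placed in quadrant A to D with the module's treatment guidance attached. The split point for "likely" / "large impact" (a score of 3 or more) and the red/amber/green thresholds are assumptions, since the module says the colour bands depend on the organisation; the register rows are constructed sample data.

```python
"""Risk register scoring: impact x likelihood, matrix quadrant, traffic light."""
from dataclasses import dataclass

# Scales exactly as the module defines them (1..5).
IMPACT = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Serious", 5: "Critical"}
LIKELIHOOD = {1: "None/Slight", 2: "Not Likely", 3: "Likely", 4: "Highly Likely", 5: "Expected"}

# Assumptions, not from the module: a score >= 3 counts as "likely" / "large impact"
# for quadrant placement; red starts at weighting 15 and amber at 6.
HIGH = 3
RED_MIN = 15
AMBER_MIN = 6

# Treatment guidance per quadrant, paraphrased from the module's quadrant notes.
TREATMENT = {
    "A": "constant top-management attention, reviewed by the board",
    "B": "terminate (e.g. duplicate data centres) and/or tested contingency plan",
    "C": "control activities so it is right first time",
    "D": "monitoring only (exception reports, trends over time)",
}


@dataclass
class Risk:
    """One row of the risk register (a subset of the module's columns)."""
    description: str
    impact: int
    likelihood: int
    owner: str
    controls_in_place: str = ""
    further_actions: str = ""

    def __post_init__(self) -> None:
        # Reject scores outside the module's 1..5 scales instead of silently scoring them.
        for name, value in (("impact", self.impact), ("likelihood", self.likelihood)):
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{name} must be an integer 1..5, got {value!r}")

    @property
    def weighting(self) -> int:
        """Register column 'Weighting': impact x likelihood (range 1..25)."""
        return self.impact * self.likelihood

    @property
    def quadrant(self) -> str:
        """A: likely + large, B: unlikely + large, C: likely + small, D: unlikely + small."""
        likely = self.likelihood >= HIGH
        large = self.impact >= HIGH
        if likely and large:
            return "A"
        if large:
            return "B"
        return "C" if likely else "D"

    @property
    def colour(self) -> str:
        """Traffic-light band derived from the weighting (assumed thresholds above)."""
        if self.weighting >= RED_MIN:
            return "red"
        return "amber" if self.weighting >= AMBER_MIN else "green"


def prioritise(register: list) -> list:
    """Rank the register: highest weighting first, larger impact breaks ties."""
    return sorted(register, key=lambda r: (r.weighting, r.impact), reverse=True)


def sample_register() -> list:
    """Constructed sample rows (not from the module) covering all four quadrants."""
    return [
        Risk("Regional data centre outage", 5, 2, "Head of IT", "Off-site backups"),
        Risk("Invoices issued with wrong unit prices", 2, 5, "Finance manager"),
        Risk("Credential theft via phishing", 4, 4, "IT security lead", "MFA, mail filtering"),
        Risk("Office supplies run out", 1, 2, "Office manager"),
    ]


if __name__ == "__main__":
    for risk in prioritise(sample_register()):
        print(f"{risk.weighting:2d} {risk.colour:5s} Q{risk.quadrant} "
              f"{IMPACT[risk.impact]}/{LIKELIHOOD[risk.likelihood]}  "
              f"{risk.description} [{risk.owner}] -> {TREATMENT[risk.quadrant]}")
```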

Why Risk Management May Fail


• Limitations of scope
• Lack of top management support
• Failure to engage all stakeholders
• Failure to share information
• RM not embedded within planning & management system
Tips for Success
• Involve all levels of staff & management in the process
• Check controls are relevant & effective
• Ensure risk owner takes responsibility for management of risks under their control
• Focus on risk cause, not its symptoms
Internal Control
• Internal control is broadly defined as a process, effected by the entity’s board of directors,
management and other personnel, designed to provide reasonable assurance regarding the
achievement of objectives in the following categories:
– Effectiveness and efficiency of operations.
– Reliability of financial reporting.
– Compliance with applicable laws and regulations.
• Internal control is the integration of the activities, plans, attitudes, policies and efforts of the
people of an organization working together to provide reasonable assurance that the organization
will achieve its mission.
• In simple terms, internal control is what we do to see that the things we want to happen will
happen and the things we don’t want to happen won’t happen.
Internal Controls Are Common Sense
• What do you worry about going wrong?
• What steps have been taken to assure it doesn’t?
• How do you know things are under control?
You exercise internal control principles in your personal life when you:
• Lock up valuable belongings
• Balance your checkbook
• Keep your ATM/debit card PIN separate from your card
• Make travel plans

Internal Control and Everyday Tasks


Telephone Calls
• What can go wrong:
– Unauthorized calls
– No one to answer telephones
– Wrong information given
• Internal Controls:
– Utilize voice mail
– Provide staff with training, reference materials and updated information
– Policy on telephone use
Data Entry
• What can go wrong:
– Erroneous Entries
– Unauthorized entries and overrides
– Data not up-to-date
• Internal Controls:
– Provide staff with data entry training and reference manuals; proof data reports against
actual records
– Use passwords, change passwords periodically, test access privileges periodically
– Ensure all transactions are authorized
Supplies and Equipment
• What can go wrong:
– Theft or misuse
– Running out of supplies
– Equipment breakdown
• Internal Controls:
– Secure storage area; perform periodic inventories for equipment; follow procedures for
surplus equipment
– Provide training on use of equipment
– Follow manufacturers’ recommended maintenance schedules
– Periodically check supply levels
What is the Purpose of Internal Controls?
• Compliance with applicable laws and regulations.
• Accomplishment of the entity’s mission.
• Relevant and reliable financial reporting.
• Effective and efficient operations.
• Safeguarding of assets.

Who is Responsible for Internal Control?


– Everyone in an organization has responsibility for internal control.
– Senior management sets the “tone at the top” that affects integrity, ethics and other
factors of a positive control environment.
– Senior management is responsible for establishing the control environment and
communication systems within the organization.
– These two components provide executive management with the greatest opportunity to positively impact internal control.
Your role as an employee is accomplished by:
– Fulfilling the duties and responsibilities established in your job description
– Meeting applicable performance standards
– Attending education and training programs to increase awareness and understanding
– Taking all reasonable steps to safeguard assets against waste, loss, and unauthorized use
– Reporting breakdowns in internal control systems to your supervisor

Five Components of Internal Control System

• Monitoring
– Assess internal control performance
• Control Activities
– Tools that help prevent or reduce risk
• Risk Assessment
– Identification and analysis of relevant risks to achievement of objectives
• Control Environment
– Sets the tone for the organization
– The foundation for all other components of internal control
Internal Control System
1. Control Environment
– Foundation for all other standards of internal control.
– Pervasive influence on all the decisions and activities of an organization.
– Effective organizations set a positive “tone at the top”.
– Factors include the integrity, ethical values and competence of employees, and management’s philosophy & operating style.
2. Risk Assessment
– Risks are internal & external events (economic conditions, staffing changes, new systems, regulatory changes, natural disasters, etc.) that threaten the accomplishment of objectives.
– Risk assessment is the process of identifying, evaluating, and deciding how to manage these events:
• What is the likelihood of the event occurring?
• What would be the impact if it were to occur?
• What can we do to prevent or reduce the risk?
3. Control Activities
– Control Activities are the tools, both manual and automated, that help prevent or reduce the risks that can impede accomplishment of the organization’s mission.
– Tools – policies, procedures, processes designed and implemented to help ensure that management directives are carried out.
– Help prevent or reduce the risks that can impede the accomplishment of objectives.
– Occur throughout the organization, at all levels, and in all functions.
– Commonly used control activities include documentation, approvals and authorizations, supervision, verifications, reconciliations, reporting, security of assets, reviews of operating performance, and segregation of duties.
4. Communication & Information
– Pertinent information must be captured, identified and communicated on a timely basis.
– Effective information and communication systems enable the organization’s people to exchange the information needed to conduct, manage, and control its operations.
5. Monitoring
– Internal control systems must be monitored to assess their effectiveness:
• Are they operating as intended?
– Ongoing monitoring is necessary to react dynamically to changing conditions:
• Have controls become outdated, redundant, or obsolete?
– Monitoring occurs in the course of everyday operations; it includes regular management & supervisory activities and other actions personnel take in performing their duties.

Five Key Internal Control Activities


1. Separation of Duties
2. Documentation
3. Authorization & Approvals
4. Security of Assets
5. Reconciliation & Review
1. Separation of Duties
• Divide responsibilities between different employees so one individual doesn’t control all aspects
of a transaction.
• Reduce the opportunity for an employee to commit and conceal errors (intentional or
unintentional) or perpetrate fraud.
2. Documentation
• Document & preserve evidence to substantiate:
– Critical decisions and significant events...typically involving the use, commitment, or
transfer of resources.
– Transactions…enables a transaction to be traced from its inception to completion.
– Policies & Procedures…documents which set forth the fundamental principles and
methods that employees rely on to do their jobs.
3. Authorization & Approvals
• Management documents and communicates which activities require approval, and by whom,
based on the level of risk to the organization.
• Ensure that transactions are approved and executed only by employees acting within the scope of
their authority granted by management.
4. Security of Assets
• Secure and restrict access to equipment, cash, inventory, confidential information, etc. to reduce
the risk of loss or unauthorized use.
• Perform periodic physical inventories to verify existence, quantities, location, condition, and
utilization.
• Base the level of security on the vulnerability of items being secured, the likelihood of loss, and
the potential impact should a loss occur.
5. Reconciliation & Review
• Examine transactions, information, and events to verify accuracy, completeness, appropriateness,
and compliance.
• Base level of review on materiality, risk, and overall importance to organization’s objectives.
• Ensure frequency is adequate enough to detect and act upon questionable activities in a timely
manner.

Types of Control Activities


Controls fall into two categories:
1. Preventive Controls – designed to prevent an error or exception from occurring.
2. Detective Controls – designed to identify an error or exception after it has occurred.
By a show of hands, which type of control is more effective? Preventive or Detective?
• Answer: an ounce of prevention is better than a pound of cure.
1. Preventive controls
– Written policies and procedures
• Employees know what is expected of them
• Reference material
• Training material
• Consistency & continuity
– Segregation of duties
– Physical control of assets
– Transactions are authorized and approved
– Supporting documentation

2. Detective controls
– Inventory counts
– Reconciliations
• Correct
• Routine
• Timely
• Reviewed by a person outside of the process
– Monitoring that policies are being followed

Examples:
• Preventive controls:
– Approval for purchase greater than P50,000
– Passwords for access to important files
– Petty cash held in lockbox
– Security and surveillance systems
– Pre-numbered checks

• Detective controls:
– Supervisor review & approval
– Report run showing user activity
– Reconcile petty cash
– Physical inventory count
– Review missing/voided checks
