3 - Risk Management and Internal Control System Revised
3 - Risk Management and Internal Control System Revised
3 - Risk Management and Internal Control System Revised
Fundamental Concepts of
Risk Management and Internal Control System
a) Explain different definitions of Risk and Risk Management
b) Discuss globally accepted frameworks on risk management internal control (i.e.,
COSO, ISO 31000, CoCo, COBIT)
c) Discuss the Risk Management Process according to COSO
d) Explain the definition of Controls and Internal Control
e) Differentiate roles and responsibilities to Risk Management and Internal Control
System
Learning Objectives
Risk defined
Risk is the possibility of something bad happening.
Risk involves uncertainty about the
effects/implications of an activity with respect to
something that humans value, often focusing on
negative, undesirable consequences.
Risk implies future uncertainty about deviation from
expected earnings or expected outcome. Risk
measures the uncertainty that an investor is willing
to take to realize a gain from an investment.
9 types of investment risk
1. Market risk
• The risk of investments declining in value because of economic developments or
other events that affect the entire market. The main types of market risk are equity
risk, interest rate risk and currency risk.
1. Equity risk – applies to an investment in shares.
• The market price of shares varies all the time depending on demand and supply. Equity risk is
the risk of loss because of a drop in the market price of shares.
2. Interest rate risk – applies to debt investments such as bonds.
• It is the risk of losing money because of a change in the interest rate. For example, if the
interest rate goes up, the market value of bonds will drop.
3. Currency risk – applies when you own foreign investments.
• It is the risk of losing money because of a movement in the exchange rate.
2. Liquidity risk
• The risk of being unable to sell your investment at a fair price and get your money
out when you want to. To sell the investment, you may need to accept a lower
price. In some cases, such as exempt market investments, it may not be possible to
sell the investment at all.
3. Concentration risk
• The risk of loss because your money is concentrated in 1 investment or type of
investment. When you diversify your investments, you spread the risk over
different types of investments, industries and geographic locations.
9 types of investment risk
4.Credit risk
• The risk that the government entity or company that issued the bond will run into financial difficulties and won’t
be able to pay the interest or repay the principal at maturity. Credit risk applies to debt investments such as bonds.
You can evaluate credit risk by looking at the credit rating of the bond. For example, long-term Canadian
government bonds have a credit rating of AAA, which indicates the lowest possible credit risk.
5.Reinvestment risk
• The risk of loss from reinvesting principal or income at a lower interest rate. Suppose you buy a bond paying
5%. Reinvestment risk will affect you if interest rates drop and you have to reinvest the regular interest payments
at 4%. Reinvestment risk will also apply if the bond matures and you have to reinvest the principal at less than 5%.
Reinvestment risk will not apply if you intend to spend the regular interest payments or the principal at maturity.
6.Inflation risk
• The risk of a loss in your purchasing power because the value of your investments does not keep up with inflation.
Inflation erodes the purchasing power of money over time – the same amount of money will buy fewer goods and
services. Inflation risk is particularly relevant if you own cash or debt investments like bonds. Shares offer some
protection against inflation because most companies can increase the prices they charge to their
customers. Share prices should therefore rise in line with inflation. Real estate also offers some protection because
landlords can increase rents over time.
7.Horizon risk
• The risk that your investment horizon may be shortened because of an unforeseen event, for example, the loss of
your job. This may force you to sell investments that you were expecting to hold for the long term. If you must sell
at a time when the markets are down, you may lose money.
8.Longevity risk
• The risk of outliving your savings. This risk is particularly relevant for people who are retired, or are nearing
retirement.
9.Foreign investment risk
• The risk of loss when investing in foreign countries. When you buy foreign investments, for example, the shares of
companies in emerging markets, you face risks that do not exist in Canada, for example, the risk of nationalization.
The 5 Components
There are at least five crucial components that must
be considered when creating a risk management
framework. They include:
1. Risk identification
2. Risk measurement and assessment
3. Risk mitigation
4. Risk reporting and monitoring
5. Risk governance
Risk Identification
• The first step in identifying the risks a company
faces is to define the risk universe. The risk
universe is simply a list of all possible risks.
Examples include IT risk, operational risk,
regulatory risk, legal risk, political risk, strategic risk,
and credit risk.
• After listing all possible risks, the company can then
select the risks to which it is exposed and
categorize them into core and non-core risks.
• Core risks are those that the company must take in
order to drive performance and long-term growth.
• Non-core risks are often not essential and can be
minimized or eliminated completely.
Risk Measurement
• Risk measurement provides information on the quantum
of either a specific risk exposure or an aggregate risk
exposure, and the probability of a loss occurring due to
those exposures. When measuring specific risk exposure
it is important to consider the effect of that risk on the
overall risk profile of the organization.
• Some risks may provide diversification benefits while
others may not. Another important consideration is the
ability to measure an exposure. Some risks may be easier
to measure than others. For example, market risk can be
measured using observed market prices, but measuring
operational risk is considered both an art and a science.
Risk Mitigation
• Having categorized and measured its risks, a
company can then decide on which risks to
eliminate or minimize, and how much of its core
risks to retain.
• Risk mitigation can be achieved through an outright
sale of assets or liabilities, buying insurance,
hedging with derivatives, or diversification.
Risk Reporting and Monitoring
• It is important to report regularly on specific and
aggregate risk measures in order to ensure that risk
levels remain at an optimal level.
• Financial institutions that trade daily will produce daily
risk reports.
• Other institutions may require less frequent reporting.
• Risk reports must be sent to risk personnel who
have that authority to adjust (or instruct others to
adjust) risk exposures.
Risk Governance
• Risk governance is the process that ensures all
company employees perform their duties in
accordance with the risk management framework.
• Risk governance involves defining the roles of all
employees, segregating duties and assigning
authority to individuals, committees and the board
for approval of core risks, risk limits, exceptions to
limits and risk reports, and also for general
oversight.
OBJECTIVES CONTROLS
Defined, intended Increase the likelihood of
outcomes achieving objectives
RISKS
Possibility of an event occurring that will have an impact on the
achievement of objectives
GOVERNANCE
Ensure entity effectively and efficiently directs toward meeting the
objectives
Overview
Illustration
Objective
Wake up at 4:30am to go to school as early as possible
Risk
Oversleeping
Insomnia
Controls
Set up alarm clock
Drink milk or take herbal sleeping medicine
Inform other people
Governance
Parents advise you before you sleep
Sermon
Illustration
What is risk?
Risk
The possibility of an event occurring that will have an impact on the
achievement of objectives. Risk is measured in terms of impact and likelihood.
Definition of Terms
Risk
after a risk response
Opportunity
event will occur and positively affect the achievement of objectives
Risk Appetite
amount of risk is willing to accept in pursuit of value
Risk Tolerance
specific maximum risk that an organization is willing to take regarding each
relevant risk
Definition of Terms
Risk should read as if something went wrong and what the impact of this
would be
Example:
Unauthorized changes are made to the payroll master data resulting in
payments to fictitious employees
Recognition
Risk Management
A process to identify, assess, manage, and
control potential events or situations to provide
reasonable assurance regarding the achievement
of the organization's objectives
Definition of Terms
COSO ER
The Committee of Sponsoring Organizations of the
Treadway Commission (COSO) ERM framework is
one of two widely accepted risk management
standards organizations use to help manage
risks in an increasingly turbulent,
unpredictable business landscape
COSO ERM - Integrated
Framework
- Enterprise Risk Management
(ERM) - Integrated Framework
- Published by the Committee of
Sponsoring Organizations of the
Treadway Commission (COSO)
- Defines essential components,
suggests a common language, and
provides clear direction and
guidance for enterprise risk
management.
Risk Management
Framework
ISO 31000:2018 Risk Management –
Guidelines
- Published by the International
Organization for Standardization (ISO)
- Provides principles and guidelines for
effective risk management.
- Provides foundations for discussing risk
management and undertaking a critical
review of an organization’s risk
management process
Risk Management
Framework
1. Risk Identification
- Performed for the entire entity
- Audit/ Risk Universe
- Brainstorming, SWOT, scenario analysis
Accounting
Capital
and and Market Tax
structure
reporting credit
Major Supply
initiatives Financial Chain
reporting
Mergers,
Acquisitions, Information
and Technology
divestiture
Planning
People/
and
Human
Resource
Resources
Allocation
Compliance
Governance Hazards
Communication Physical
and investor Assets
Relations Code of
Regulatory Legal
Conduct
Involves
- Estimate significance/impact
- Assess likelihood
- Consider means to manage
Risk Modeling
- Qualitative methods – listing, ranking and mapping
- Quantitative methods – probabilistic models, weighted
►High ► M ► H ► H
Impact
►Moderate ► L ► M ► H
►Low ► L ► L ► M
► Low ► Moderate ► High
Likelihood
1. Identify risks
2. Monitor risk responses
3. Formulate risk responses
4. Assess and prioritize risks
5. Identify context
A. 5, 1, 4, 3, 2.
B. 1, 4, 3, 2, 5.
C. 1, 3, 5, 4, 2.
D. 1, 5, 4, 3, 2.
THE CORRECT
Practice Question ANSWER IS..
A chief audit executive is reviewing the following enterprise-wide
risk map:
THE CORRECT
Practice Question ANSWER IS..
Which risk response reflects a change from acceptance to sharing?
A. An insurance policy on a manufacturing plant was not renewed.
B. Management purchased insurance on previously uninsured
property.
C. Management sold a manufacturing plant.
D. After employees stole numerous inventory items, management
implemented mandatory background checks on all employees.
THE CORRECT
Practice Question ANSWER IS..
Many organizations use electronic funds transfer to pay their
supplier instead of issuing checks. Regarding the risk associated
with issuing checks, which of the following risk management
techniques does this represent?
A. Avoiding
B. Transferring
C. Controlling
D. Accepting
THE CORRECT
Practice Question ANSWER IS..
Inherent risk
A. The risk when management has not taken action to reduce the
impact or likelihood of an adverse event
B. The risk after management takes action to reduce the impact or
likelihood of an adverse event
C. A potential event that will adversely affect the organization
D. Risk response
THE CORRECT
Practice Question ANSWER IS..
What is control?
Control
Any action taken by management, the board and other parties to manage risk
and increase the likelihood that established objectives and goals will be achieved.
Direct responsible
Guidance, direction and
oversight
Frontline Personnel – minimum of
what is expected
Auditor– evaluate and monitor
Definition of Terms
Internal Control
A process effected by an entity’s board of directors, management and other
personnel designed to provide reasonable assurance of the achievement of
objectives.
Definition of Terms
CoCo Internal Control
Framework
- Guidance on Control (commonly
referred to as CoCo based on its original
title Criteria of Control)
- Published by the Canadian Institute of
Chartered Accountants (CICA)
Internal Control
Framework
Turnbull Report
- Guidance on Risk Management, Internal Control and
Related Financial and Business Reporting
- Published by the Financial Reporting Council (FRC)
of the UK
- The committee which wrote the report was
chaired by Nigel Turnbull of The Rank Group plc.
- The report informed directors of their
obligations under the Combined Code with
regard to keeping good "internal controls" in
their companies, or having good audits and
checks to ensure the quality of financial
reporting and catch any fraud before it becomes
a problem. Revised guidance was issued in
2005. The report was superseded by a further
FRC guidance issued in September 2014.
Internal Control
Framework
COBIT 2019 Framework
COBIT is a framework for the governance and
management of enterprise information and
technology, aimed at the whole enterprise.
Enterprise I&T means all the technology and
information processing the enterprise puts in place
to achieve its goals, regardless of where this happens
in the enterprise. In other words, enterprise I&T is
not limited to the IT department of an organization,
but certainly includes it.
COBIT 2019 Framework
- Control Objectives for Information and Related
Technology (COBIT)
- Created by ISACA for optimizing enterprise IT
governance
Internal Control
Framework
COSO Internal Control – Integrated
Framework 2013
Objectives of Internal Control
A. Operations
- To achieve entity’s mission
- Safeguard of assets
B. Reporting
- Reliable, timely, and transparent financial and nonfinancial
information
- Prepared for use by the organization and stakeholders
C. Compliance
- Laws, rules, and regulations that set minimum standards of
conduct
Internal Control
Framework
Components and Principles
Internal Control
Framework
Roles and Responsibilities
Practice Question
The policies and procedures helping to ensure that management
directives are executed and actions are taken to address risks to
achievement of objectives describes
A. Risk assessments
B. Control environments
C. Monitoring
D. Control activities
THE CORRECT
Practice Question ANSWER IS..
Which of the following control models is fully incorporated into the
broader integrated framework of enterprise risk management
(ERM)?
A. CoCo.
B. COSO.
C. Electronic Systems Assurance and Control.
D. COBIT.
THE CORRECT
Practice Question ANSWER IS..
Which of the following is the common name for Internal Control:
Guidance for Directors on the Combined Code?
A. CoSO
B. Turnbull Report
C. CoCo
D. COBIT
THE CORRECT
Practice Question ANSWER IS..
Which of the following are elements of the control environment?
A. Integrity and ethical values
B. Organizational structure
C. Assignment of authority and responsibility
D. All of the answers are correct
THE CORRECT
Practice Question ANSWER IS..
The COSO framework treats internal control as a process designed
to provide reasonable assurance regarding the achievement of
objectives related to
A. Effectiveness and efficiency of operations
B. Reliability of financial reporting
C. Compliance with applicable laws and regulations
D. All of the answers are correct
THE CORRECT
Practice Question ANSWER IS..
Questions