You have a risk management process, even if you don’t think about it. Maybe it’s an informal and verbal process, but the type of business you accept and how you deliver products and services is closely tied to your business strategy and the risk management process it requires.
The formal risk management process, which is organized and systematic, considers the following components:
- Risk response: management’s selection of a response to risk may be risk avoidance, risk acceptance, risk reduction, or risk sharing (including insurance)
- Control activities: policies and procedures established and executed to ensure that the responses to risk as specified by management are carried out
- Information and communication: information captured and disseminated so employees can carry out their responsibilities
- Monitoring: tracking the development of events as well as tracking the progress of the process itself
Risk response refers to the measures taken to deal with risk. These measures fall into four categories:
- Accept: No action is taken to affect the likelihood or impact of the risk. For example, market price fluctuations affecting the company’s core business activities (real estate prices, commodity prices, etc.) may be accepted as an integral part of the company’s business model. That is, shareholders wish to be exposed to the risk and rewards of price fluctuations; that is why they invest in the company.
- Transfer: Through insurance, financial instruments or a similar contract, the company can transfer the exposure to risk or share it with another party. For example, a foreign exchange option or forward may be contracted to eliminate the risk to accounts receivable collections from foreign exchange fluctuations.
- Reduce: The company takes some action to reduce the likelihood or impact of the risk. For example, a new safety program may be entered into to reduce the likelihood of industrial accidents.
- Avoid: The company eliminates the risk by exiting a business activity. For example, a company may sell an overseas subsidiary to eliminate various risks that distract it from its core business.
For major risks, the company would consider a range of possible responses. Note that the traditional response to risk management—insurance—is just one of many possible responses. An organization must consider the costs and benefits of the various alternatives. Opportunities might be identified in the course of this analysis; events that have a positive potential impact may need to be passed back to the objective-setting process that precedes this risk response phase.
In reviewing and analyzing possible responses to risk, an organization must consider the effects of both the likelihood and the impact of the risk. For example, a business continuation plan for a data centre may reduce the impact of the risk of a terrorist attack, but will not alter the likelihood. Relocating the data centre to a rural area may, however, affect the likelihood of an attack.
In many cases, an organization’s responses to risk may alter other risks, making this analysis an iterative process.
Risk response is analyzed within a particular business. For large entities with multiple businesses, senior management must consider the aggregate risk profile of the entire organization. For example, management of three businesses within a larger entity may each conclude that a one percent risk of a $1 million loss is acceptable. Management of the entire organization may determine that the risks are correlated, so that if one business loses $1 million, the others are likely to do so. Therefore, the enterprise as a whole is accepting a roughly one percent risk of losing $3 million, which might or might not be acceptable. The converse situation is also possible, whereby individual businesses accept too little risk from the perspective of the overall entity.
Control activities are the policies and procedures established and executed to ensure that the responses to risk as specified by management are carried out. Control activities apply to all types of objectives: strategic, operational, reporting and compliance. However, many controls will satisfy requirements for more than one type of objective. Operations controls may also ensure reliable reporting and compliance, for example.
COSO’s Enterprise Risk Management – Integrated Framework provides an example of the link between objectives, risk responses and controls:
For the objective, “Meet or exceed sales targets,” risks include having insufficient knowledge of external factors such as current and potential customers’ needs. To reduce the likelihood of occurrence and impact of the risk, management establishes buying histories of existing customers and undertakes new market research initiatives. These actions serve as focal points for the establishment of control activities. Control activities might include tracking the progress of the development of customer buying histories against established timetables, and taking steps to ensure the accuracy of reported data. In this sense, control activities are built directly into the management process.
In selecting control activities, management considers how they interrelate. A company might rely on a single control activity to address multiple risk responses. For example, a performance indicator that measures staff turnover may provide evidence of the effectiveness of management’s response to such risks as competitor recruiting, and lack of effectiveness of staff incentive and training and development programs.
Control activities have two elements: a policy that specifies what should be done and a procedure that describes how it should be done. Policies and procedures may be oral or written. Controls can be preventive (prevent problems or errors) or detective (identify problems or errors). The management process including supervision and review, as well as the organization structure itself, will constitute important controls.
I’ll discuss the latter aspects of a formal risk management process, information, communication and monitoring, in a future post.
To get an idea of the process, ask yourself these questions:
- How is risk management integrated with our planning and strategic planning process?
- Have we identified our primary risks?
- Are our primary risks appropriate given our strategy?
- What processes do we have in place for identifying new risks and deciding what to do about them?
- How have we improved our risk assessment in the past 12 months?
- Do executives and senior financial managers understand risk assessment? (Is it covered in training, discussion at conferences, meetings, part of goal-setting and evaluation, etc.?)
- How should we improve our risk assessment process?
For more detailed information and sample policies, take a trial of Finance and Accounting PolicyPro, published by First Reference.
In April 2012, COSO announced that it expects to release an updated version of its Internal Control – Integrated Framework during early 2013. The updated ICIF will likely more closely integrate internal control with risk management. According to COSO, the new framework:
…is intended to help organizations improve performance with greater agility, confidence and clarity. The final framework is expected to enable organizations to adapt to increasing complexity and pace of change, to mitigate risks to the achievement of objectives and to provide reliable information to support sound decision making.
Thus we can see internal control principles converging with those of risk management.
Jeffrey D. Sherman, BComm, MBA, CIM, FCA