RISK MANAGEMENT 4-9

10 INTERNAL AUDITING: ASSURANCE & ADVISORY SERVICES

Risk, Strategy, and Objective-Setting

7. Considers risk and business context. The organization considers potential effects of business context on risk profile.

• An organization needs to understand its full business context, including the external environment, internal environment, and both external and internal stakeholder expectations.

• After understanding the business context, management can determine how that business context affects the organization's risk profile.

8. Defines risk appetite. The organization defines risk appetite in the context of creating, preserving, and realizing value.

• The exposure draft describes risk appetite as "the types and amount of risk, on a broad level, an organization is willing to accept in pursuit of value."

• The risk appetite should be endorsed by the board.

• Once defined, the risk appetite should be communicated throughout the organization.

• Risk appetite is incorporated into decision-making and can help align resource allocation with the mission, vision, and core values.

9. Evaluates alternative strategies. The organization evaluates alternative strategies and impact on risk profile.

• Strategy should align with the organization's mission, vision, and core values.

• Strategy should also align with the organization's risk appetite.

• As part of strategy setting, it is important to understand the implications of the chosen strategies in terms of the relevant risks that may arise from a given strategy.

10. Considers risk while establishing business objectives. The organization considers risk while establishing the business objectives at various levels that align and support strategy.

• Business objectives should be measurable, observable, attainable, and relevant.

• By aligning business objectives to strategy, such objectives will support the organization's achievement of its mission and vision.

• The organization should set performance measures and targets to monitor performance and support the achievement of business objectives.

11. Defines acceptable variation in performance. The organization defines acceptable variation in performance relating to strategy and business objectives.

• There are a range of possible outcomes, and it is important to define the variation in performance that is considered acceptable.

• Acceptable variation in performance is sometimes referred to as risk tolerance.

Risk Appetite: The types and amount of risk, on a broad level, an organization is willing to accept in pursuit of value.

Tolerance: The boundaries of acceptable outcomes related to achieving business objectives.

---

Risk in Execution

12. Identifies risk in execution. The organization identifies risk in execution that impacts the achievement of business objectives.

• The organization first identifies new, emerging, and changing risks to the achievement of its strategy and business objectives.

• This process includes identifying both opportunities that may help achieve business objectives and threats that can make it more difficult to achieve, or prevent achieving, such objectives.

• All such opportunities and threats are captured in a risk universe.

13. Assesses the severity of risk. The organization assesses the severity of risk.

• Risks in the organization's risk universe are assessed to determine the severity to the achievement of the strategy and business objectives. This assessment may be done at different levels of the organization.

• Severity measures are chosen based on the business context of the various risks.

• Inherent, targeted, and residual risk levels are determined.

- Inherent risk represents the level of risk before management's application of direct or focused actions to alter its severity.

- Targeted risk is the level management prefers to assume in the pursuit of strategy and business objectives.

- Residual risk represents the level of risk after management's application of actions to alter its severity.

• It is common to depict residual risk in a graphical way that supports discussion of risk among management and the board.

Severity: A measurement of considerations such as likelihood and impact of events or the time it takes to recover from events.

Inherent Risk: The risk to an entity in the absence of any explicit or targeted actions that management might take to alter the risk's severity.

Residual Risk: The risk remaining after management has taken explicit or targeted action to alter the risk's severity.

14. Prioritizes risks. The organization prioritizes risks as a basis for selecting responses to risks.

• Criteria should be established to provide consistency among the assessment of multiple risks.

• Risks may be assessed using quantitative and/or qualitative criteria.

• Risks are prioritized based on the application of such criteria and consideration of the organization's risk appetite.

15. Identifies and selects risk responses. The organization identifies and selects risk responses.

• Management evaluates appropriate risk responses, based on the nature and amount of the risk. Responses can be to:

- Accept the risk at its current level and take no action to affect its severity. Such a response indicates the severity is within the organization's risk appetite.

- Avoid the risk by divesting or otherwise removing it from the organization's risk profile. This response indicates the severity may be outside the organization's risk appetite and there is no cost-effective response to bring it within the risk appetite.

- Pursue or exploit the risk because taking on such a risk may be advantageous to the organization and may be necessary to achieve a particular business objective.

- Reduce the risk through application of controls or other risk mitigation activities. Such a response indicates the impact of the risk may go beyond the organization's risk appetite and actions are necessary to reduce the potential impact.

- Share or transfer the risk, which may include outsourcing, insuring, or hedging the risk. This option is best when others can manage the risk more effectively or efficiently than the organization can.

• After considering the risk response options, including the costs and benefits of each, a risk response is chosen and deployed.

Risk Responses: Accept, Avoid, Pursue, Reduce, Share.

16. Develops portfolio view. The organization develops and evaluates a portfolio view of risk.

• Since risks do not occur in isolation, management should understand, develop, and analyze a view on the entire portfolio of risk. This allows management and the board to consider the type, severity, and interdependencies of risks and how they may, individually or in aggregate, affect performance.

17. Assesses risk in execution. The organization assesses operating performance results and considers risk.

• The performance of the organization should be monitored to determine how risk has manifested and impacted strategy and business objectives compared to the risk appetite.

• As part of this monitoring, management and the board should assess whether the organization's current capabilities are sufficient to achieve the desired level of performance.

Risk Information, Communication, and Reporting

18. Uses relevant information. The organization uses information that supports ERM.

• Having relevant information by itself is not sufficient; it must also be put to use to enable informed decision-making.

• The quality of information must be maintained. Quality information is accessible, accurate, appropriate, current, reliable, and has integrity.

• Data requirements are established and data is then managed relative to those requirements.

19. Leverages information systems. The organization leverages the entity's information systems to support ERM.

• Effective information systems provide information to decision-makers when they need it, which will help sustain effective risk management.

• Information systems must be changed in an appropriately controlled manner to continue meeting the needs of the business.

20. Communicates risk information. The organization uses communication channels to support ERM.

• Periodic communications are necessary with both the board and key stakeholders.

21. Reports on risk, culture, and performance. The organization reports on risk, culture, and performance at multiple levels of and across the entity.

• For reporting purposes, management should identify the appropriate users of reports and their roles relative to risk management.

• Attributes for reporting to each type of user should be determined.

• Communications may be in the form of:

- Electronic messaging (for example, emails, social media, and text messages).

- External/third-party materials (for example, industry or trade journals and media reports).

- Informal/oral (for example, discussions and meetings), public events (for example, roadshows, town hall meetings, and professional conferences).

- Training and seminars (for example, live or online training, webcasts, and workshops).

- Written internal documents (for example, briefing documents, dashboards, and presentations).

• The types of reporting should be determined (for example, portfolio view, cultural assessment, root causes, sensitivity analyses, performance indicators, trend analyses).

• The reporting frequency should be established.

Monitoring ERM Performance

22. Monitoring substantial change. The organization identifies and assesses internal and external changes that may substantially impact strategy and business objectives.

• Monitoring should be integrated into business processes.

• Monitoring should include the internal environment, external environment, and culture.

23. Monitors ERM. The organization monitors ERM performance.

• The results of monitoring are used to pursue improvement in risk management.

ERM Roles and Responsibilities

The board of directors, management, risk officers, financial officers, internal auditors, and, indeed, every individual within an organization contribute to effective ERM. The roles and responsibilities of each of these groups align with those discussed in chapter 3. While many of the ERM responsibilities were mentioned in the previous discussion of the COSO ERM principles, an overall description of these responsibilities follows.

Board of directors. While the board has some role throughout all aspects of ERM, most of its responsibilities relate to the risk governance and culture component. The board's primary role relates to principle #1, its risk oversight responsibility. The board also helps management establish the governance and operating models, define culture and desired behaviors, demonstrate commitment to integrity and ethics, and assign accountability and authority for risk management.

Management. Management is responsible for carrying out all activities of an organization, including ERM. In fact, management is responsible for aspects of all five components of ERM. However, these responsibilities will vary, depending on the level in the organization and the organization's characteristics.

The CEO is ultimately responsible for the effectiveness and success of ERM. One of the most important aspects of this responsibility is ensuring that a positive and ethical tone is set. The CEO influences the composition and conduct of the board, provides leadership and direction to senior managers, and monitors the organization's overall risk activities in relation to its risk appetite. When evolving circumstances, emerging risks, strategy implementation, or anticipated actions indicate potential misalignment with risk criteria, the CEO takes the necessary actions to reestablish alignment.

Senior managers in charge of the various organizational units have responsibility for managing risks related to their specific units' objectives. They convert the organization's overall strategy into ongoing operations activities, identify potential risk events, assess the related risks, and implement actions to manage those risks. Managers guide the application of the organization's ERM components relative to and within their spheres of responsibility, ensuring the application of those components is consistent with the board's and management's levels of acceptable variation in performance. They assign responsibility for specific ERM procedures to managers of the functional processes. As a result, these managers usually play a more active role in devising and executing particular risk procedures that address the unit's objectives, such as techniques for risk identification and assessment, and in determining specific risk management strategies, for example, developing policies and procedures for purchasing goods or accepting new customers.

Financial executives. Finance and accounting executives and their staffs are responsible for activities that cut across the organization. These executives often are involved in developing organizationwide budgets and plans, and tracking and analyzing performance from operations, compliance, and reporting perspectives. They play an important role in preventing and detecting fraudulent reporting, and influence the design, implementation, and monitoring of the organization's internal control over financial reporting and the supporting systems.

Risk officer. Some organizations have established a separate senior management position to act as the centralized coordinating point to facilitate ERM. A risk officer, referred to in many organizations as a chief risk officer (CRO), typically operates in a staff function working with other managers in establishing ERM in their areas of responsibility. The CRO has the resources to help effect ERM across subsidiaries, businesses, departments, functions, and activities. This individual may have responsibility for monitoring risk management progress and assisting other managers in reporting relevant risk information up, down, and across the organization.

Chief Risk Officer: A senior management position established by many companies that acts as the centralized coordination point to facilitate risk management activities.

Staff functions, such as accounting, human resources, compliance, or legal, also have important supporting roles in designing and executing effective ERM practices. These functions may design and implement programs that help manage certain key risks across the entire organization.

Internal auditors. The internal audit function plays an important role in evaluating the effectiveness of, and recommending improvements to, ERM. The IIA's International Standards for the Professional Practice of Internal Auditing specify that the scope of the internal audit function should encompass governance, risk management, and control systems. This includes evaluating the reliability of reporting, effectiveness and efficiency of operations, and compliance with laws and regulations. In carrying out these responsibilities, the internal audit function assists management and the board by examining, evaluating, reporting on, and recommending improvements to the adequacy and effectiveness of the organization's ERM.

Other individuals in the organization. In reality, ERM is the responsibility of everyone in an organization and therefore should be an integral part of everyone's job description, both explicitly and implicitly. This is important because:

- While not every individual may be considered a risk owner per se, virtually all individuals play some role in effecting ERM, ranging from producing information used in identifying or assessing risks, to executing the strategies and actions needed to manage those risks.

- All individuals are responsible for supporting the information and communication flows that are an integral part of, and inherent in, ERM.

Other external parties. Finally, other outside stakeholders may impact an organization's ERM activities:

- Customers, vendors, business partners, and others who conduct business with an organization are an important source of information used in ERM.

- Creditors can provide oversight or direction influencing how organizations achieve their objectives. For example, debt covenants may require organizations to monitor and report information differently than they otherwise might.

- Financial analysts, rating agencies, news media, and other external parties can influence risk management activities. Their investigative and monitoring activities can provide insights on how others perceive the organization's performance, industry and economic risks, innovative operating or financing strategies, and industry trends. Management must consider the insights and observations of these parties and, if necessary, adjust the corresponding risk management activities.

- Legislators and regulators. Legislators and regulators can affect the ERM approach of many organizations, either through requirements to establish risk management mechanisms or systems of internal controls (for example, the U.S. Sarbanes-Oxley Act of 2002) or through examinations of particular entities (for example, by federal and state bank examiners). Legislators and regulators may establish rules that provide the impetus for management to ensure that risk management and control systems meet certain minimum statutory and regulatory requirements. Also, they may conduct regulatory examinations that provide information useful to the organization in applying ERM, and recommendations to management regarding needed improvements.

- Independent outside auditors. An organization's independent outside auditors can provide both management and the board of directors an informed, independent, and objective risk management perspective that can contribute to an organization's achievement of its external financial reporting and other objectives. Findings from their financial statement audits may relate to risk management deficiencies, analytical information, and other recommendations for improvement that can provide management with valuable information to enhance its risk management program related to financial reporting risks.

- Providers of outsourced services are becoming a more prevalent way for organizations to delegate their day-to-day management of certain noncore functions. The external parties discussed above may directly influence an organization's ERM activities; however, using outside service providers may result in a different set of risks and responses than if the organization did not outsource any functions. Although external parties may execute activities on behalf of the organization, management cannot abdicate its responsibility to

Design of framework for managing risk, which ensures the foundation is set for effective risk management processes. This involves:

- Understanding the organization and its context.

- Establishing a risk management policy.