Compiled Notes CH 11 15
RISK MANAGEMENT
RISK
Risk is not the harm itself. It is merely a possibility that harm will occur. What causes harm
is hazard.
Example: COVID-19 virus – hazard; probability that a certain person may be infected –
risk
The concept of risk does not always relate to harm. Risk can likewise create opportunities.
The concept of risk must be distinguished from uncertainty. Risk can be measured. You
may be able to tell possible outcomes and the chances that each outcome will occur. All
that is unknown is the actual outcome. Uncertainty means that you do not know all the
possible outcomes and/or the chances of each outcome occurring.
On Shareholders
When the company’s risk profile changes, shareholders may sell their shares, resulting in
a lower share price.
On Creditors
They are concerned with whether the company can fulfill its obligations and limit the risk of
default. Otherwise, they can deny credit, charge higher interest, file actions in court that could lead
the company into liquidation, or ask for collateral.
On Employees
They are concerned about the threats to their job: salary, promotion, benefits, satisfaction, and
the job itself. If the business fails, employees may lose their jobs.
INTRODUCTION
Effective corporate governance cannot be attained without the organization mastering the
art of risk management.
DEFINITION
RISK MANAGEMENT
1. Create value
2. Address uncertainty and assumptions
3. Be an integral part of the organizational processes and decision-making
4. Be dynamic, iterative, transparent, tailorable, and responsive to change
5. Create capability of continual improvement and enhancement considering the best
available information and human factors
6. Be systematic, structured, and continually or periodically reassessed
a. Objective-based risk
b. Scenario-based risk
c. Taxonomy-based risk
d. Common-risk checking
e. Risk charting
3. Risk assessment – assessment of the potential severity of risks and the probability of their
occurrence
a. risk identification
b. risk analysis
c. risk evaluation
Risks with high probability of occurrence but lower loss v. risks with high loss but lower
probability of occurrence
a. Business Risk – uncertainty about the rate of return caused by the nature of the business
- Causes: uncertainty about the firm’s sales and operating expenses
d. Interest Rate Risk – gives rise to uncertainty about the cost of the debt
f. Management Risk
a. Market Risk – risk of gain or loss due to movement in the market value of an asset – a
stock, bond, loan, foreign exchange, or commodity – or a derivative contract linked to these
assets
i. Product Risk
- Complexity
- Obsolescence
- Research and Development
- Packaging
- Delivery of Warranties
b. Operations Risk
i. Process Stoppage
ii. Health and Safety
iii. After Sales Service Failure
iv. Environmental
v. Technological Obsolescence
vi. Integrity
- Management Fraud
- Employee Fraud
- Illegal Acts
d. Business Risk
i. Regulatory Change
ii. Reputation
iii. Political
iv. Regulatory and Legal
v. Shareholder Relations
vi. Credit Rating
vii. Capital Availability
viii. Business Interruptions
i. Financial
ii. Non-Financial
Credit risk – occurs when a counterparty is unable or unwilling to fulfill its contractual obligation
Currency risk – the possibility of gain or loss due to future changes in exchange rates
Political risk – risk that political action will affect the position and value of an organization
Technological risk – failure of systems due to tampering with data, unauthorized access to critical information,
non-availability of data, and lack of controls
Probity risk – risk of unethical behavior by one or more participants in a particular process
1. Risk Avoidance – includes not performing an activity that could carry risk
2. Risk Reduction or Optimization – involves reducing the severity of the loss or the
likelihood of the loss from occurring
3. Risk Sharing – sharing with another party the burden of loss or the benefit of gain, from a
risk, and the measures to reduce a risk
4. Risk Retention – accepting the loss or benefit of gain from a risk when it occurs
SEC Code of Governance Recommendations 2.11 and 3.4 and their corresponding
explanations
- To provide a clear vision of the board’s desire for an effective company-wide risk
management
4. Evaluate the effectiveness of the various steps in the assessment of the comprehensive risks
faced by the business firm.
5. Assess if management has developed and implemented the suitable risk management
strategies and evaluate their effectiveness.
- Strategies may include avoidance, reduction, transfer, exploitation and retention of risks.
9. Assess regularly the level of sophistication of the firm’s risk management system.
Identify significant risks both within and outside the organization in order to avoid
unnecessary surprises.
Examples of significant risks: loss of a major customer, failure of a key supplier,
appearance of a significant competitor
People behave differently and inconsistently when making decisions involving risk.
For a more structured analysis, define the categories into which risks fall.
Opportunity cost associated with risk: Avoiding a risk may mean avoiding a potentially
big opportunity.
Sometimes, the greatest risk is to do nothing.
Upon identification of risks, they can be ranked according to their potential impact and the
likelihood of their occurrence in order to highlight
TYPES OF RISK CATALYSTS (those that can change and trigger risks)
1. Technology – new hardware, software or system configurations; traffic congestion change
introduced by the Metro Manila Development Authority (MMDA) Chair
2. Organizational change – new management structures or reporting lines, new strategies,
commercial agreements like mergers
3. Processes – new products, markets, and acquisitions
4. People – hiring new employees, poor succession planning, weak people management,
behavior - laziness, fraud, human error
5. External factors – changes in regulation and political, economic, or social developments;
economic disruption brought by the pandemic
Assessment of risk differs from one company to another. For example, there are risks that
can be solved using past experience. There are also those that are harder to assess or
quantify. When a company is focused on meeting short-term expectations, risks with little
likelihood of occurrence in the next five years may not be so important to such company.
Once the inherent risks in a decision are understood, the priority is to exercise control.
Share information, prepare and communicate clear guidelines, and establish control
procedures and risk measurement systems.
Risks can also be reduced or mitigated by sharing them – ex: acceptable service agreements from
vendors
The ethos of an organization should recognize and reward behavior that manages risk.
Guide Questions
- Where are the greatest areas of risk relating to the most significant strategic decisions?
- What level of risk is acceptable for the company to bear?
- What is the overall level of exposure to risk? Has this been assessed and is it being
actively monitored?
- What are the costs and benefits of operating effective risk management controls?
Finance – lifeblood of a business. It heavily influences strategies and decisions at every level.
1. Improving Profitability
B. Assessment of Market Entry and Exit Barriers – assessment of how easy or difficult it
is to either enter or leave a market
When markets are difficult or costly for competitors to enter and relatively easy and
affordable to leave, firms can achieve high, stable returns, while still being able to leave
for other opportunities.
D. Controlling Costs – achieved by focusing on the big items of expenditure, being aware
of costs, maintaining a balance between costs and quality, using budgets for dynamic
financial management, developing a positive attitude to budgeting, eliminating waste
Guide Questions
- Are the most effective and relevant performance measures in place to monitor and
assess the effectiveness of financial decisions?
- Is there a positive attitude to budgets and budgeting?
- What are the least profitable parts of the organization? How will they improve?
- How efficiently is cash managed? Do your strategic business decisions take account of
cash considerations, such as time value of money?
Companies establish goals and objectives and then assess the risks of achieving those objectives. As a response to the
assessed risk, the company may design and implement internal control to have a reasonable assurance that the objectives will be
achieved.
Assessment of control risk and consideration of internal control are important steps in the audit process.
Control risk – risk that the entity’s internal control may not detect or prevent a material misstatement
Internal Control
- process designed and effected by those charged with governance, management, and other personnel to provide reasonable
assurance about the achievement of the entity’s objectives with regard to (1) reliability of financial reporting (financial
reporting objective), (2) effectiveness and efficiency of operations (operational objective), and (3) compliance with
applicable laws and regulations (compliance objective)
b. Internal control is effected by those charged with governance and management, and by other personnel.
Responsibility of the management: to establish a control environment and maintain policies and procedures
to assist in achieving the entity’s objectives
Responsibility of those charged with governance: to ensure the integrity of accounting and financial
reporting systems through oversight of management
c. Internal control can be expected to provide reasonable assurance of achieving the entity’s objectives.
Only reasonable assurance, not absolute assurance (because of inherent limitations that may affect the
effectiveness of internal control)
Examples of limitations: usual requirement that the cost of internal control should not exceed the expected
benefits to be derived, reality that human judgment in decision making can be faulty and subject to bias
Internal control can help:
1. Achieve organizational, operational, and financial goals
2. Prevent loss of resources
3. Support reliable financial reporting
4. Support compliance with laws, regulations, and internal policies and procedures to avoid
damage to reputation and other consequences
But internal control cannot:
1. Ensure organizational success
2. Ensure absolute protection of assets
3. Ensure the reliability of financial reporting
4. Ensure absolute compliance with laws, regulations, and policies and procedures
Achievement of objectives depends not only on management decisions but also on competitors’ actions and other factors outside
the entity.
Internal Control System – all the policies and procedures (internal controls) adopted by the management of an entity to assist in
achieving management’s objective of ensuring, as far as practicable, the orderly and efficient conduct of its business, including
adherence to management policies, the safeguarding of assets, the prevention and detection of fraud and error, the accuracy and
completeness of the accounting records, and the timely preparation of reliable financial information.
Internal control structures vary from one company to the next, depending on factors such as size of the business,
nature of operations, geographical dispersion of activities, and organizational objectives.
A. Control Environment – overall attitude, awareness, and actions of directors and management regarding the internal control
system and its importance in the entity
A strong control environment does not, by itself, ensure the effectiveness of the internal control system.
2. Commitment to competence
The entity should consider the level of competence required for each task and translate it to requisite knowledge
and skills.
3. Participation by those charged with governance
The entity must have an audit committee, which will be responsible for overseeing the financial reporting policies
and practices of the entity.
5. Organizational structure
This provides a framework for planning, directing, and controlling the entity’s operations.
Risk Assessment – identification, analysis, and management of risks pertaining to the preparation of financial statements
The basic concepts of the entity’s risk assessment process are relevant to every entity, regardless of size, but the risk
assessment process is likely to be less formal and less structured in small entities than in larger ones.
Information system – consists of infrastructure (physical and hardware components), software, people, procedures, and
data
- encompasses methods and records that
1. Identify and record all valid transactions
2. Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial
reporting
3. Measure the value of transactions in a manner that permits recording their proper monetary value in the financial
statements
4. Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting
period
5. Present properly the transactions and related disclosures in the financial statement
The SEC Code of Corporate Governance provides that companies should maintain a comprehensive and cost-efficient
communication channel for disseminating relevant information.
Communication – continual, iterative process of providing, sharing, and obtaining necessary information.
- can be made electronically, orally, or through the actions of management.
- can take such forms as policy manuals, accounting and financial reporting manual, and memoranda.
D. Control Activities – policies and procedures that help ensure that management directives are carried out, for example,
that necessary actions are taken to address risks that threaten the achievement of the entity’s objectives
Examples
a. comparing actual performance with budgets, forecasts, and prior period performance
b. investigating performance indicators based on operating and financial data
c. reviewing functional or activity performance
2. Information Processing Controls – policies and procedures designed to require authorization of transactions and to
ensure the accuracy and completeness of transaction processing
3. Physical Controls – controls that encompass the physical security of assets, authorization for access to computer
programs and data files, and the periodic counting and comparison with amounts shown on control records
Examples
a. Petty cash should be kept locked in a fireproof safe.
b. Cash received by retail clerks should be entered into a cash register to record all cash received.
c. Accounts receivable records should be stored in a locked, fireproof safe. If the records are computerized, adequate
backup copies should be maintained and access to the master files should be restricted via passwords.
d. Raw material inventory should be retained in a locked storeroom with a reliable and competent employee controlling
access.
e. Perishable tools should be stored in a locked storeroom under control of a reliable employee.
f. Manufacturing equipment should be kept in an area protected by burglar alarms and fire alarms and kept locked when
not in use.
g. Marketable securities should be stored in a safety deposit vault.
4. Segregation of Duties – assigning the responsibilities of authorizing transactions, recording transactions, and maintaining
custody of assets to different people
- purpose: to reduce the opportunities of allowing any person to be in a position to both perpetrate and conceal
errors or fraud in the normal course of the person’s duties
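The three-way split of authorizing, recording, and custody can be checked mechanically against a list of role assignments. The Python below is an added example, not code from the notes, the SEC Code, or any audit framework; the assignment records are constructed sample data and the function names are my own.

```python
"""
Segregation-of-duties (SoD) conflict check.

Added example: models the three incompatible duties named in the notes
(authorize, record, custody) and flags any person who holds two or more
of them within the same process, which is the position that lets one
person both perpetrate and conceal an error or fraud. It also reports
processes where one of the three duties is not assigned to anyone.
"""
from collections import defaultdict

# The three duties that must sit with different people (from the notes).
DUTIES = {"authorize", "record", "custody"}

# Constructed sample role assignments: (person, process, duty).
ASSIGNMENTS = [
    ("alice", "cash receipts", "record"),
    ("alice", "cash receipts", "custody"),   # conflict: handles cash AND posts the ledger
    ("bob", "cash receipts", "authorize"),
    ("carol", "purchasing", "authorize"),
    ("dave", "purchasing", "record"),
    ("erin", "purchasing", "custody"),
    ("frank", "payroll", "authorize"),
    ("frank", "payroll", "record"),
    ("frank", "payroll", "custody"),         # conflict: one person runs the whole process
    ("gina", "inventory", "custody"),        # gap: nobody authorizes or records inventory
]


def find_sod_conflicts(assignments):
    """
    Return a sorted list of (person, process, duties) for every person who
    holds two or more of the three duties within a single process.
    Raises ValueError on a duty outside the three-way model so that typos
    in role data do not silently pass the check.
    """
    held = defaultdict(set)
    for person, process, duty in assignments:
        if duty not in DUTIES:
            raise ValueError(f"unknown duty {duty!r}; expected one of {sorted(DUTIES)}")
        held[(person, process)].add(duty)
    return sorted(
        (person, process, tuple(sorted(duties)))
        for (person, process), duties in held.items()
        if len(duties) >= 2
    )


def unassigned_duties(assignments):
    """
    Return {process: [missing duties]} for processes in which at least one
    of the three duties is held by nobody (a control gap rather than an
    SoD conflict, but worth the same review).
    """
    covered = defaultdict(set)
    for _, process, duty in assignments:
        covered[process].add(duty)
    return {
        process: sorted(DUTIES - duties)
        for process, duties in covered.items()
        if DUTIES - duties
    }


def sod_report(assignments):
    """Human-readable summary combining both checks."""
    lines = []
    for person, process, duties in find_sod_conflicts(assignments):
        lines.append(f"CONFLICT  {person:<6} {process:<14} holds {', '.join(duties)}")
    for process, missing in sorted(unassigned_duties(assignments).items()):
        lines.append(f"GAP       {process:<14} nobody assigned to {', '.join(missing)}")
    return "\n".join(lines) if lines else "no SoD conflicts or gaps found"


if __name__ == "__main__":
    print(sod_report(ASSIGNMENTS))
```

In a small entity where headcount makes full separation impossible, a reported conflict is the place to document a compensating control (owner review of the bank reconciliation, for instance) rather than a finding to be ignored.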
E. Monitoring of Controls – process that an entity uses to assess the quality of internal control over time
- involves assessing the design and operation of controls on a timely basis and taking corrective action as necessary
- accomplished through
1. Ongoing monitoring activities – built into the normal recurring activities of an entity
- include regularly performed supervisory and management activities
- example: continuous monitoring of customer complaints
The 2013 Framework sets out 17 principles representing the fundamental concepts associated with each component.
Because these principles are drawn directly from the components, an entity can achieve effective internal control by applying all
principles. All principles apply to operations, reporting, and compliance objectives.
FRAUD – an intentional act involving the use of deception to obtain an unjust or illegal advantage
– involves motivation to commit it and a perceived opportunity to do so
TYPES OF MISSTATEMENTS
A. Misstatement arising from misappropriation of assets
- occurs when a perpetrator steals or misuses an organization’s assets
- also known as employee fraud because it usually involves employees
- can also involve management who are usually more able to disguise or conceal misappropriations in ways that
are difficult to detect
- often accompanied by false or misleading records or documents in order to conceal the fact that the assets
are missing or have been pledged without proper authorization
Misappropriation – an act of using or disposing of another’s property as if it were one’s own or of devoting
it to a purpose or use different from that agreed upon
Examples
♥ embezzling cash receipts – misappropriating collections on accounts receivable
♥ stealing entity’s assets such as cash, inventory, and intellectual property – stealing scrap for resale, colluding
with a competitor by disclosing technological data in return for payment
♥ causing the company to pay for goods or services that were not received – payments to fictitious vendors
and employees, kickbacks paid to purchasing agents in return for inflating prices
♥ using an entity’s assets for personal use – using entity’s assets as collateral for a personal loan
B. Misstatement arising from fraudulent financial reporting
- results from an intentional manipulation of reported financial results to misstate the economic condition of the
organization
- also known as management fraud because it usually involves members of the management or those charged
with governance
- can be caused by efforts of management to manage earnings in order to deceive financial statement users by
influencing their perceptions as to the entity’s performance and profitability
Examples
♥ manipulation, falsification, or alteration of records or documents
♥ misrepresentation in or intentional omission of the effects of transactions from records or documents
♥ recording of transactions without substance
♥ intentional misapplication of accounting principles relating to amounts, classification, manner of presentation,
or disclosure
The risk of an auditor not detecting a material misstatement resulting from management fraud is
greater than for employee fraud.
Reason: The management is frequently in a position to directly or indirectly manipulate
accounting records, present fraudulent financial information, or override
control procedures designed to prevent similar frauds by other employees.
CORRUPTION
- improper use of power
- usually uncovered through tips or complaints from third parties
Examples
1. Conflicts of interest – an undisclosed personal economic interest in a transaction that adversely affects
the organization or its shareholders
♥ Employees hiring someone close to them over another more qualified applicant
♥ Transfer of knowledge to a competitor by an employee who intends to join the competitor’s company
2. Kickbacks
♥ Preferential treatment of customers in return for a kickback
♥ Kickback to employees by a supplier in return for the supplier receiving favorable treatment
3. Bribery – offering, giving, receiving, or soliciting anything of value to influence an outcome
♥ Payment to government officials to obtain a benefit (ex: tax inspectors)
♥ Payment of agency/facilitation fees (bribes) in order to secure a contract
4. Extortion – offering to keep someone from harm in exchange for money or other considerations
Blackmail – offering to keep information confidential in return for money or other considerations
Examples
1. inadequate or non-transparent explanations for unusual transactions, variances, or results
2. large adjustments made after period end
3. absence of underlying documentation supporting the transaction
4. creation of fictitious reconciling items to create the appearance that accounts are in balance,
when they are not
5. discovery of falsification of documents, dates, contractual terms, or other business records
EXAMPLE
Fraud – Incentive – Opportunity – Rationalization
1. Customer fraud
2. Cybercrime
3. Asset misappropriation
4. Bribery and corruption
5. Accounting/financial statement fraud
6. Procurement fraud
7. Human resources fraud
8. Deceptive business practices
9. Anti-competition law infringement
10. Money laundering and sanctions
11. Intellectual property theft
12. Insider trading
13. Tax fraud
FRAUD PREVENTION
- involves action to discourage fraud and limit the exposure when it occurs
- principal mechanism: internal control
FRAUD DETECTION
- involves whistleblowing, internal and external tip-off, law enforcement investigation, change of personnel/duties,
corporate security, risk management, and internal and external audit.
MGT 209
Errors & irregularities
This chapter presents the errors and fraudulent activities that could result when there is poor internal control.
Commonly committed by managers to achieve high profits, to obtain bonuses, to retain the respect
of senior managers, or to even keep their jobs
b. Misappropriation of Assets
Skimming – act of withholding cash receipts without recording them
- examples: when a cashier in a retail store does not ring up a transaction and takes the cash,
recording sales at an amount lower than the invoice amount
Lapping – technique used to conceal the fact that cash has been abstracted
- the shortage in one customer’s account is covered with a subsequent payment made by another
customer
Float – gap between the time the check is deposited or added to an account and the time
the check clears or is deducted from the account it was written on
Entities normally design controls to prevent these errors from occurring or to detect errors if they
do occur.
When such controls exist, auditors test the controls to assess their effectiveness.
If the controls are not effective, auditors should perform substantive tests to determine that the
financial statements do not contain material misstatements that arose because of possible errors.
Example of substantive test: contacting customers to confirm that accounts receivable
balances are correct