
MODULE 9

EFFECT OF COMPUTERS ON INTERNAL CONTROL

The goals of asset safeguarding, data integrity, system effectiveness and system efficiency can be achieved only if an organization's management sets up a system of internal control. Controls help to ensure that financial statement assertions are valid, and they do so in part by making computer fraud harder to accomplish and easier to detect. Use of computers does not affect the basic objectives of internal control; however, it affects how these objectives must be achieved.

Traditionally, the major components of an internal control system include:

a. separation of duties,
b. clear delegation of authority and responsibility,
c. recruitment and training of high-quality personnel,
d. a system of authorization,
e. adequate documents and records,
f. physical control over assets,
g. records management supervision,
h. independent checks on performance, and
i. periodic comparison of recorded accountability with assets.

These components must still exist in a computer system. However, the use of computers affects the implementation of these internal control components in several ways. In essence, they have been adopted and adapted to fit the computer environment.

Segregation of Duties

Because of the ability of computers to process data efficiently, there is a tendency to combine the performance of many data processing functions. In a manual or mechanical system, these combinations of functions may be considered incompatible from the standpoint of achieving strong internal control. For example, in a manual system the function of recording cash receipts is generally segregated from the responsibility for posting entries to the subsidiary accounts receivable. Because one of these procedures serves as a check upon the other, assigning both functions to one employee would enable the employee to conceal his or her own errors. A properly programmed computer, however, has no tendency or motivation to conceal its errors and may record these transactions simultaneously. Therefore, what appears to be an incompatible combination of functions may be combined in a computer system without weakening internal control.

When apparently incompatible functions are combined in the computer system, compensating controls are necessary to prevent improper human intervention with computer processing. A person with the opportunity to make unauthorized changes in computer programs or data files is in a position to exploit the concentration of data processing functions in a computer system. For example, a computer system used to process accounts payable may be designed to approve a vendor's invoice for payment only when that invoice is supported by a purchase order and a receiving report. An employee able to make unauthorized changes to data or programs in that system could cause unsubstantiated payments to be made to specific vendors.

Computer programs and data files cannot be changed without the use of computer equipment. When changes are made, however, there may be no visible evidence of the alteration. Thus, the organization of the information systems department should prevent its personnel from having inappropriate access to equipment, programs, or data files. This is accomplished by providing definite lines of authority and responsibility, segregation of functions, and a clear definition of duties for each employee in the department. The organization of the information systems department varies from one company to another in terms of reporting responsibility, relationships with other departments, and responsibilities within the department.

Delegation of Authority and Responsibility

In a manual system, accounting personnel should not prepare the initial record of business transactions, have custody of non-accounting-related assets, or authorize transactions. Similarly, data processing personnel should not prepare the initial record of a business transaction, have custody of assets unrelated to data processing, or have the authority to authorize transactions. If data processing personnel were permitted to initiate the recording of transactions, they could enter transactions that did not occur or enter transactions that reversed or altered transactions initiated by others. When personnel have access to assets and can initiate the recording of transactions, they can take assets without approval and remove them from the books by initiating an entry or authorizing a transaction. Preventing data processing personnel from having custody of assets unrelated to data processing helps to establish the existence and completeness assertions. Finally, if data processing personnel were permitted to authorize transactions, they could authorize fictitious transactions.

A clear line of authority and responsibility is an essential control in both manual and computer systems. In a computer system, however, delegating authority and responsibility in an unambiguous way might be difficult because some resources are shared among multiple users.
For example, one objective of using a database management system is to provide multiple users with access to the same data, thereby reducing the control problems that arise with maintaining redundant data. When multiple users have access to the same data and the integrity of the data is somehow violated, however, it is not always easy to trace who is responsible for corrupting the data and who is responsible for identifying and correcting the error. Some organizations have attempted to overcome these problems by designating a single user as the owner of the data. This user assumes ultimate responsibility for the integrity of the data.

Authority and responsibility lines have also been blurred by the rapid growth in end-user computing. Because high-level languages are more readily available, more users are developing, modifying, operating, and maintaining their own application systems instead of having this work performed by information systems professionals. Although these developments have substantial benefits for the users of computing services in an organization, unfortunately, they exacerbate the problems of exercising overall control over computing use.

Competent and Trustworthy Personnel

Substantial power is often vested in persons responsible for the computer-based information systems developed, implemented, operated, and maintained within organizations. For example, a systems analyst might be responsible for advising management on the suitability of high-cost, high-technology equipment. Similarly, a computer operator sometimes takes responsibility for safeguarding critical software and critical data during execution or backup of a system. The power vested in the personnel responsible for manual systems.

Unfortunately, ensuring that an organization has competent and trustworthy information systems personnel is a difficult task. In many countries and across many years, well-trained and experienced information systems personnel have been in short supply. Therefore, organizations sometimes have been forced to compromise in their choice of staff. Moreover, it is not always easy for organizations to assess the competence and integrity of their information systems staff. High turnover among these staff has been the norm. Therefore, managers have had insufficient time to evaluate them properly. In addition, the rapid evolution of technology inhibits management's ability to evaluate an information systems employee's skills. Some information systems personnel also seem to lack a well-developed sense of ethics, and some seem to delight in subverting controls.

Adequate Documents and Records

The traditional accounting records of an organization consist of source documents, journals, and ledgers. These records capture the economic essence of transactions and provide an audit trail of economic events. The audit trail enables the auditor to trace any transaction through all phases of its processing, from the initiation of the event to the financial statements.

In computer systems, documents might not be used to support the initiation, execution, and recording of some transactions. For example, in an online order entry system, customer orders received by telephone might be entered directly into the system. Similarly, some transactions might be activated automatically by a computer system. For example, an inventory replenishment program could initiate purchase orders when stock levels fall below a set amount. Thus, no visible audit or management trail would be available to trace the transactions.

The absence of a visible audit trail is not a problem for auditors, provided that systems have been designed to maintain a record of all events and the record can be easily accessed. In well-designed computer systems, audit trails are often more extensive than those maintained in manual systems. Unfortunately, not all computer systems are well designed. Some software, for example, does not provide adequate access controls and logging facilities to ensure preservation of an accurate and complete audit trail. When this situation is coupled with a decreased ability to separate incompatible functions, serious control problems can arise.

The obligation to maintain an audit trail exists in an IT environment just as it does in a manual setting. Some computer systems maintain no physical source documents. Journals and ledgers often do not exist in the traditional sense. Instead, records of transactions and other economic events are fragmented across several normalized database tables. Audit trails may take the form of pointers, hashing techniques, indexes, or embedded keys that link record fragments between and among database tables. To meet their responsibilities, auditors must understand the operational principles of the database management systems in use and the effects of alternative file structures on accounting records and audit trails.

Physical Control over Assets and Records

The purpose of physical control over assets and records is to ensure that only authorized personnel have access to the firm's assets. Computer systems differ from manual systems, however, in the way they concentrate the information systems assets and records of an organization. For example, in a manual system, a person wishing to perpetrate a fraud might
need access to records that are maintained at different physical locations. In a computer system, however, all the necessary records can be maintained at a single site - namely, the site where the computer is located. Thus, the perpetrator does not have to go to physically disparate locations to execute the fraud.

Data consolidation exposes the organization to losses that can arise from computer abuse or a disaster. For instance, a fire that destroys a computer room could result in the loss of all major master files in an organization. If the organization does not have suitable backup, it might be unable to continue operations.

Adequate Maintenance Supervision

Achieving adequate segregation of duties often presents difficulty for small organizations. Management must compensate for the absence of segregation controls with close supervision.

In a manual system, management supervision of employees' activities is relatively straightforward because the managers and the employees are often at the same physical location. In computer systems, however, data communications facilities can be used to enable employees to be closer to the customers they serve. Thus, supervision of employees might have to be carried out remotely. Supervisory controls must be built into the computer system to compensate for the controls that usually can be exercised through observation and inquiry.

Computer systems also make the activities of employees less visible to management. Because many activities are performed electronically, managers must periodically access the audit trail of employee activities and examine it for unauthorized actions. Again, the effectiveness of observation and inquiry as a control is decreased.

In an IT environment, supervision must be more elaborate than in manual systems for the following reasons:

1. It is difficult for management to assess the competence of prospective employees because of an exceedingly complex and rapidly changing technological environment requiring highly specialized skills.
2. Management's concern over the trustworthiness of data processing personnel in high-risk areas. Some systems professionals are given positions of authority that permit direct and unrestricted access to the organization's programs and data. The combination of technical skill and opportunity in the hands of an individual who may lack integrity and honesty could mean a significant exposure to the organization.
3. Management's inability to adequately observe employees in an IT environment, because data processing personnel may be distributed throughout areas and perform their functions remotely via telecommunications links. Supervisory controls must therefore be designed into the computer system to compensate for the lack of direct supervision.

Independent Checks on Performance

In manual systems, independent checks are carried out because employees are likely to forget procedures, make genuine mistakes, become careless, or intentionally fail to follow prescribed procedures. Checks by an independent person help to detect any errors or irregularities. If the program code in a computer system is authorized, accurate, and complete, the system will always follow the designated procedures in the absence of some other type of failure, such as a hardware or systems software failure. Thus, independent checks on the performance of programs often have little value. Instead, the control emphasis shifts to ensuring the veracity of program code. Insofar as many independent checks on performance are no longer appropriate, auditors must now evaluate the controls established for program development, modification, operation, and maintenance.

Through independent verification procedures, management can assess:

1. The performance of individuals
2. The integrity of the transaction processing system
3. The correctness of data contained in accounting records

Comparing Recorded Accountability with Assets

Periodically, data and the assets that the data purports to represent should be compared to determine whether incompleteness or inaccuracies in the data exist or whether shortages or excesses in the assets have occurred. In a manual system, independent staff prepare the basic data used for comparison purposes. In a computer system, however, software is used to prepare this data. For example, a program can be implemented to sort an inventory file by warehouse location and to prepare counts by inventory item at the different warehouses. If unauthorized modifications occur to the program or the data files that the program uses, an irregularity might not be discovered - for example, pilfering of inventory from a particular warehouse bin. Again, internal controls must be implemented to ensure the veracity of program code, because traditional separation of duties no longer applies to the data being prepared for comparison purposes.
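The accounts payable rule described under Segregation of Duties (pay only when the invoice is supported by a purchase order and a receiving report), the check that data processing staff do not both record and authorize a transaction, and the hash-based audit trail mentioned under Adequate Documents and Records, worked as one added Python example (not code from the module; all vendor, document and user names are constructed):

```python
"""Compensating controls for a computerised accounts payable step.

Added example, not from the module text: an invoice is approved only when it
matches a purchase order and a receiving report, the approver must not be the
person who entered the invoice, and every action goes to a hash-linked audit
trail so that altering an earlier entry leaves visible evidence.
All records and names are constructed sample data.
"""
import hashlib
import json


class AuditTrail:
    """Append-only event log; each entry carries the hash of the previous one."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor, action, detail):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"seq": len(self.entries), "actor": actor, "action": action,
                "detail": detail, "prev": prev}
        self.entries.append({**body, "hash": self._digest(body)})

    def verify(self):
        """Return the sequence number of the first broken link, or None if intact."""
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or entry["hash"] != self._digest(body):
                return entry["seq"]
            prev = entry["hash"]
        return None


class AccountsPayable:
    def __init__(self, trail):
        self.trail = trail
        self.purchase_orders = {}    # po number -> vendor, amount, quantity ordered
        self.receiving_reports = {}  # po number -> quantity received
        self.invoices = {}           # invoice number -> invoice record

    def enter_invoice(self, clerk, invoice):
        self.invoices[invoice["number"]] = {**invoice, "entered_by": clerk, "status": "entered"}
        self.trail.record(clerk, "invoice_entered", invoice["number"])

    def approve_invoice(self, approver, number):
        """Segregation of duties plus three-way match; returns (approved, reason)."""
        inv = self.invoices[number]
        po = self.purchase_orders.get(inv["po"])
        rr = self.receiving_reports.get(inv["po"])
        if approver == inv["entered_by"]:
            reason = "approver entered the invoice"
        elif po is None:
            reason = "no purchase order"
        elif rr is None:
            reason = "no receiving report"
        elif (po["vendor"], po["amount"]) != (inv["vendor"], inv["amount"]):
            reason = "invoice does not match purchase order"
        elif rr["quantity"] != inv["quantity"]:
            reason = "invoice quantity does not match receiving report"
        else:
            reason = "matched"
        approved = reason == "matched"
        inv["status"] = "approved" if approved else "rejected"
        self.trail.record(approver, "invoice_" + inv["status"], f"{number}: {reason}")
        return approved, reason


def demo():
    """Run constructed invoices through the controls, then tamper with the trail."""
    trail = AuditTrail()
    ap = AccountsPayable(trail)
    ap.purchase_orders["PO-100"] = {"vendor": "Acme Supplies", "amount": 1000, "quantity": 10}
    ap.receiving_reports["PO-100"] = {"quantity": 10}
    ap.enter_invoice("clerk_a", {"number": "INV-1", "po": "PO-100", "vendor": "Acme Supplies",
                                 "amount": 1000, "quantity": 10})
    ap.enter_invoice("clerk_a", {"number": "INV-2", "po": "PO-999", "vendor": "Acme Supplies",
                                 "amount": 500, "quantity": 5})
    results = {
        "self_approval": ap.approve_invoice("clerk_a", "INV-1"),   # blocked: same person
        "matched": ap.approve_invoice("supervisor_b", "INV-1"),     # all three documents agree
        "no_po": ap.approve_invoice("supervisor_b", "INV-2"),       # unsupported invoice
    }
    intact = trail.verify()                 # None: every link checks out
    trail.entries[1]["detail"] = "INV-9"    # simulate an unauthorised edit of a past entry
    tampered = trail.verify()               # 1: the edited entry no longer matches its hash
    return results, intact, tampered


if __name__ == "__main__":
    print(demo())
```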
Management Authorization for Operating Personal Computers

Management can contribute to the effective operation of stand-alone personal computers by prescribing and enforcing policies for their control and use. Management's policy statement includes:

• management responsibilities;
• instructions on personal computer use;
• training requirements;
• authorization for access to programs and data;
• policies to prevent unauthorized copying of programs and data;
• security, back-up and storage requirements;
• application development and documentation standards;
• standards of report format and report distribution controls;
• personal usage policies;
• data integrity standards;
• responsibility for programs, data and error correction, and
• appropriate segregation of duties.

Physical Security - Equipment

Because of their physical characteristics, personal computers are susceptible to theft, physical damage, unauthorized access or misuse. This may result in the loss of information stored in the personal computer, for example, financial data vital to the accounting system.

One method of physical security is to restrict access to personal computers when not in use by using door locks or other security protection during non-business hours. Additional physical security over personal computers can be established, for example, by fastening the personal computer to a table using security cables. In cases where personal computers are used to process critical stand-alone applications, additional physical security can be established by:

• Locking the microcomputer in a protective cabinet or shell; or
• Using an alarm system that is activated any time the personal computer is disconnected or moved from its location.

Physical Security - Removable and Non-removable Media

Programs and data used on a personal computer can be stored on removable storage media or on non-removable storage media. Diskettes, compact disks and backup tapes can be removed physically from the personal computer, while hard disks are normally sealed in the personal computer or in a stand-alone unit attached to the personal computer. When a personal computer is used by many individuals, users may develop a casual attitude toward the storage of the application diskettes, computer disks and backup tapes for which they are responsible. As a result, critical diskettes, compact disks, or backups may be misplaced, altered without authorization or destroyed.

Control over removable storage media can be established by placing responsibility for such media under personnel whose responsibilities include the duties of software custodians or librarians. Control can be further strengthened when a program and data file check-in and check-out system is used and designated storage locations are locked. Such internal controls help ensure that removable storage media are not lost, misplaced or given to unauthorized personnel. Physical control over non-removable storage media is probably best established with locking devices.

Depending on the nature of the program and data files, it is appropriate to keep current copies of diskettes, compact disks or back-up tapes and hard disks in a fireproof container, either on-site, off-site or both. This applies equally to operating system and utility software and to back-up copies of hard disks.

Programs and Data Security

When personal computers are accessible to many users, there is a risk that programs and data may be altered without authorization.

Because personal computer operating system software may not contain many control and security features, there are several internal control techniques which can be built into the application programs to help ensure that data are processed and read as authorized and that accidental destruction of data is prevented. These techniques, which limit access to programs and data to authorized users, include:

• Segregating data into files organized under separate file directories;
• Using hidden and secret file names;
• Employing passwords;
• Using cryptography;
• Using antivirus software programs.

The use of file directories allows the user to segregate information on removable and non-removable storage media. For critical and sensitive information, this technique can be supplemented by assigning secret file names and "hiding" the files.
When a system has multiple users or shares information across networks, basic operating system security controls and logical access controls are necessary. The addition of simple security features, such as passwords and access control, enables secure use of a single resource by multiple users. Controlled use requires a detailed definition of who has access rights to specific systems, specific resources (such as files or programs), and specific capabilities (such as read only, read and write, and delete).

Cryptography can provide an effective control for protecting confidential or sensitive programs and information from unauthorized access and modification by users. It is generally used when sensitive data is transmitted over communication lines, but it can also be used on information processed by a personal computer. Cryptography is the process of transforming programs and information into an unintelligible form. Encryption and decryption of data require the use of special programs and a code key known only to those users to whom the programs or information are restricted.

Directories and hidden files, user authentication software and cryptography can be used for personal computers that have both removable and non-removable storage media. For personal computers that have removable storage media, an effective means of program and data security is to remove diskettes and compact disks from the personal computer and place them in the custody of the users responsible for the data or of the file librarians.

An additional access control for confidential or sensitive information stored on non-removable storage media is to copy the information to a diskette or compact disk and delete the files on the non-removable storage media. Control over the diskette or compact disk can then be established in the same manner as over other sensitive or confidential information stored on diskettes or compact disks. The user should be aware that many software programs include an erase or delete function, but that such a function may not actually clear erased or deleted files from the hard disk. Such functions may merely clear the file name from the hard disk's directory. Programs and data are in fact removed from the hard disk only when new data is written over the old files or when special utility programs are used to clear the files.

Viruses now represent the most common threat to any computer's security. Users may allow their email programs or their operating systems to load and execute attachments. As such, antivirus software programs should be installed on personal computers and updated continuously to include new virus definitions as they are detected. Virus scans should be run on every workstation daily and set to scan all files. Screen-saver-based virus scanners can help with this task. Consideration should be given to disabling the ability of workstations to boot from diskettes or compact disks to avoid boot-sector viruses.

Because many macro viruses are shared through email, a virus solution should be installed to scan incoming email attachments, including the ability to scan compressed and archived files. All programs installed should be scanned before initial execution.

Software and Data Integrity

Personal computers are oriented to end-users for development of application programs, entry and processing of data and generation of reports. The degree of accuracy and dependability of the financial information produced will depend on the internal controls prescribed by management and adopted by users, as well as on controls included in the application programs. Software and data integrity controls may ensure that processed information is free of errors, and that software is not susceptible to unauthorized manipulation (i.e., that authorized data are processed in the prescribed manner).

Data integrity can be strengthened by incorporating internal control procedures such as format and range checks and cross checks of results. A review of purchased software may determine whether it contains appropriate error checking and error trapping facilities. For user-developed software, including electronic spreadsheet templates and database applications, management may specify in writing the procedures for developing and testing application programs. For certain critical applications, the person who processes the data may be expected to determine that appropriate data were used and that calculations and other data handling operations were performed properly. The end-user could use this information to validate the results of the application.

Adequate written documentation of applications that are processed on the personal computer can strengthen software and data integrity controls further. Such documentation may include step-by-step instructions, a description of reports prepared, the source of data processed, a description of individual reports, files and other specifications, such as calculations.

If the same accounting application is used at various locations, application software integrity and consistency may be improved when application programs are developed and maintained at one place rather than by each user dispersed throughout an entity.

Hardware, Software and Data Back-Up

Back-up refers to plans made by the entity to obtain access to comparable hardware, software and data in the event of their failure, loss or destruction. In a personal computer environment,
users are normally responsible for processing, including identifying important programs and data files to be copied periodically and stored at a location away from the personal computers. It is particularly important to establish back-up procedures for users to perform on a regular basis. Purchased software packages from third-party vendors generally come with a back-up copy or with a provision to make a back-up copy.

The Effect of Personal Computers on the Accounting System and Related Internal Controls

The effect of personal computers on the accounting system and the associated risks will generally depend on:

• The extent to which the personal computer is being used to process accounting applications;
• The type and significance of financial transactions being processed; and
• The nature of files and programs utilized in the applications.

MODULE 10

INTERNAL CONTROL PRINCIPLES AND MODEL

Inherent in these control objectives are four modifying principles that guide designers and auditors of internal control systems.

Management Responsibility

This concept holds that the establishment and maintenance of a system of internal control is a management responsibility. Although the FCPA supports this principle, SOX legislation makes it law!

Methods of Data Processing

The internal control system should achieve the four broad objectives regardless of the data processing method used (whether manual or computer based). However, the specific techniques used to achieve these objectives will vary with different types of technology.

Limitations

Every system of internal control has limitations on its effectiveness. These include:

1) the possibility of error—no system is perfect,
2) circumvention—personnel may circumvent the system through collusion or other means,
3) management override—management is in a position to override control procedures by personally distorting transactions or by directing a subordinate to do so, and
4) changing conditions—conditions may change over time so that existing effective controls may become ineffectual.

Reasonable Assurance

The internal control system should provide reasonable assurance that the four broad objectives of internal control are met. This reasonableness means that the cost of achieving improved control should not outweigh its benefits. The limitations and reasonable-assurance principles include:

1) attempts at unauthorized access to the firm's assets (including information);
2) fraud perpetrated by persons both in and outside the firm;
3) errors due to employee incompetence;
4) faulty computer programs;
5) corrupted input data;
6) mischievous acts, such as unauthorized access by computer hackers and threats from computer viruses that destroy programs and databases.

Some weaknesses are immaterial and tolerable. Under the principle of reasonable assurance, these control weaknesses may not be worth fixing. Material weaknesses in controls, however, increase the firm's risk of financial loss or injury from the undesirable events. The cost of correcting these weaknesses is offset by the benefits derived.

The PDC Model

There are three levels of control: preventive controls, detective controls, and corrective controls. This is called the PDC control model.
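The three PDC levels applied to a constructed sales order record, together with the format and range checks from the Software and Data Integrity section, as one added Python example (not code from the module; the customer-id format, the quantity limit and the field names are assumptions). The corrective step is deliberately kept separate from detection: the record is held for review rather than overwritten with the recomputed total.

```python
"""Preventive, detective and corrective controls on a sales order record.

Added example, not from the module text. A constructed order passes through:
(1) preventive format and range checks at data entry,
(2) a detective cross-check that recomputes total = unit_price x quantity, and
(3) a corrective step that holds the record for a reviewer instead of writing
the recomputed value back automatically, since quantity or price may be the
field that is actually wrong.
"""
import re
from decimal import Decimal, InvalidOperation

CUSTOMER_ID = re.compile(r"^C\d{5}$")   # assumed format: 'C' followed by five digits
MAX_QUANTITY = 10_000                    # assumed upper bound for a single order line


def preventive_checks(order):
    """Format and range checks; returns a list of problems (empty means accepted)."""
    problems = []
    if not CUSTOMER_ID.match(str(order.get("customer_id", ""))):
        problems.append("customer_id format")
    for field in ("quantity", "unit_price", "total"):
        if field not in order:
            problems.append(f"{field} missing")
    try:
        if not 1 <= int(order.get("quantity", 0)) <= MAX_QUANTITY:
            problems.append("quantity out of range")
    except (TypeError, ValueError):
        problems.append("quantity not an integer")
    try:
        if Decimal(str(order.get("unit_price", "0"))) <= 0:
            problems.append("unit_price not positive")
        Decimal(str(order.get("total", "0")))
    except InvalidOperation:
        problems.append("amount field not a number")
    return problems


def detective_check(order):
    """Cross-check of results: recompute the total from unit price and quantity."""
    recomputed = Decimal(str(order["unit_price"])) * int(order["quantity"])
    recorded = Decimal(str(order["total"]))
    if recomputed != recorded:
        return {"field": "total", "recorded": recorded, "recomputed": recomputed}
    return None


def queue_for_correction(order, finding, review_queue):
    """Corrective control as a separate step: hold the record and log the finding.

    Nothing is changed in the record itself; a reviewer decides the actual fix.
    """
    held = {**order, "status": "held", "finding": finding}
    review_queue.append(held)
    return held


def process_order(order, review_queue):
    """Run the three control levels in order and return the record's final state."""
    problems = preventive_checks(order)
    if problems:
        return {"status": "rejected", "problems": problems}
    finding = detective_check(order)
    if finding:
        return queue_for_correction(order, finding, review_queue)
    return {**order, "status": "accepted"}


def demo():
    """Three constructed records: one stopped at each control level."""
    queue = []
    results = [
        # bad customer id and zero quantity: stopped by the preventive checks
        process_order({"customer_id": "X1", "quantity": 0, "unit_price": "10.00",
                       "total": "0"}, queue),
        # total keyed as 1000 instead of 100 (10 x 10.00): caught by the detective check
        process_order({"customer_id": "C00042", "quantity": 10, "unit_price": "10.00",
                       "total": "1000"}, queue),
        # consistent record: accepted
        process_order({"customer_id": "C00042", "quantity": 10, "unit_price": "10.00",
                       "total": "100"}, queue),
    ]
    return [r["status"] for r in results], len(queue)


if __name__ == "__main__":
    print(demo())
```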

Preventive Controls

Prevention is the first line of defense in the control structure. Preventive controls are passive
techniques designed to reduce the frequency of occurrence of undesirable events.
Preventive controls force compliance with prescribed or desired actions and thus screen out record are correct; they may not be. At this point, we cannot determine the real cause of the
aberrant events. When designing internal control systems, an ounce of prevention is most problem; we know only that one exists.
certainly worth a pound of cure. Preventing errors and fraud is far more cost-effective than
Linking a corrective action to a detected error, as an automatic response, may result in an
detecting and correcting problems after they occur. The vast majority of undesirable events
incorrect action that causes a worse problem than the original error. For this reason, error
can be blocked at this first level. For example, a well designed data entry screen is an example
correction should be viewed as a separate control step that should be taken cautiously.
of a preventive control. The logical layout of the screen into zones that permit only specific
types of data, such as customer name, address, items sold, and quantity, forces the data entry The PDC control model is conceptually pleasing but offers little practical guidance for
clerk to enter the required data and prevents necessary data from being omitted. designing or auditing specific controls.
Aberrant = departing from an accepted standard

Detective Controls MODULE 11


Detection of problems is the second line of defense. Detective controls are devices, Risk management
techniques, and procedures designed to identify and expose undesirable events that elude
preventive controls. Detective controls reveal specific types of errors by comparing actual occurrences to pre-established standards. When the detective control identifies a departure from standard, it sounds an alarm to attract attention to the problem. For example, assume that because of a data entry error, a customer sales order record contains the following data:

Before processing this transaction and posting to the accounts, a detective control should recalculate the total value using the price and quantity. Thus, the error above would be detected.

Corrective Controls

Corrective actions must be taken to reverse the effects of detected errors. There is an important distinction between detective controls and corrective controls. Detective controls identify undesirable events and draw attention to the problem; corrective controls actually fix the problem. For any detected error, there may be more than one feasible corrective action, but the best course of action may not always be obvious. For example, in viewing the preceding error, your first inclination may have been to change the total value from PHP 1,000 to PHP 100 to correct the problem. This presumes that the quantity and price values in the

Risk management is the process of identifying, assessing and controlling threats to an organization's capital and earnings. These risks stem from a variety of sources including financial uncertainties, legal liabilities, technology issues, strategic management errors, accidents and natural disasters.

Risk management encompasses the identification, analysis, and response to risk factors that form part of the life of a business. Effective risk management means attempting to control, as much as possible, future outcomes by acting proactively rather than reactively. Therefore, effective risk management offers the potential to reduce both the possibility of a risk occurring and its potential impact.

Risk Management Structures

Risk management structures are tailored to do more than just point out existing risks. A good risk management structure should also calculate the uncertainties and predict their influence on a business. Consequently, the result is a choice between accepting risks or rejecting them. Acceptance or rejection of risks is dependent on the tolerance levels that a business has already defined for itself.

If a business sets up risk management as a disciplined and continuous process for the purpose of identifying and resolving risks, then the risk management structures can be used to support other risk mitigation systems. They include planning, organization, cost control, and budgeting. In such a case, the business will not usually experience many surprises, because the focus is on proactive risk management.
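The detective control and the competing corrective actions described in the controls passage above, as an added example that is not part of the module. It assumes Python and fills in the record values the page does not show as 10 units at PHP 10 keyed with a total of PHP 1,000 (a constructed sample).

```python
# Added example (not from the module): a detective control that recomputes a
# sales order total from quantity x unit price and flags any departure. The
# corrective step is kept separate and only proposes fixes; it never applies one.
from dataclasses import dataclass, replace
from decimal import Decimal


@dataclass(frozen=True)
class SalesOrderLine:
    order_no: str
    quantity: int
    unit_price: Decimal   # PHP
    total: Decimal        # PHP, as keyed in by the data-entry clerk


def detect_total_error(line):
    """Detective control: compare the keyed total with the pre-established
    standard (quantity x unit price). Returns None when the record passes, or an
    exception message that sounds the alarm; the record itself is untouched."""
    expected = line.unit_price * line.quantity
    if expected == line.total:
        return None
    return (f"{line.order_no}: keyed total PHP {line.total} differs from "
            f"recomputed total PHP {expected}")


def propose_corrections(line):
    """Corrective step: list every single-field change that would make the
    record internally consistent. More than one fix can be feasible, and the
    control cannot tell which field was mis-keyed, so a person must choose
    against the source document."""
    if detect_total_error(line) is None:
        return {}
    candidates = {}
    # Assume quantity and price are right: recompute the total.
    candidates["total"] = replace(line, total=line.unit_price * line.quantity)
    # Assume total and price are right: the quantity was mis-keyed.
    if line.unit_price and line.total % line.unit_price == 0:
        candidates["quantity"] = replace(line, quantity=int(line.total / line.unit_price))
    # Assume total and quantity are right: the unit price was mis-keyed.
    if line.quantity:
        candidates["unit_price"] = replace(line, unit_price=line.total / line.quantity)
    return candidates


def run_detective_control(lines):
    """Run the detective control over a batch before posting; returns the
    exception report (one message per record that departs from standard)."""
    return [msg for msg in map(detect_total_error, lines) if msg]


# Constructed sample input: the module's PHP 1,000 vs PHP 100 case with the
# missing quantity and price assumed to be 10 units at PHP 10.
SAMPLE_LINES = [
    SalesOrderLine("SO-1001", 10, Decimal("10"), Decimal("1000")),  # data entry error
    SalesOrderLine("SO-1002", 3, Decimal("250"), Decimal("750")),   # passes
]

if __name__ == "__main__":
    for msg in run_detective_control(SAMPLE_LINES):
        print("EXCEPTION:", msg)
    for field, fixed in propose_corrections(SAMPLE_LINES[0]).items():
        print(f"candidate fix ({field}):", fixed)
```

For the erroneous record all three single-field fixes are arithmetically consistent, which is exactly why the corrective action cannot be chosen by the control alone.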
Response to Risks

Response to risks usually takes one of the following forms:

• Avoidance: A business strives to eliminate a particular risk by getting rid of its cause.
• Mitigation: Decreasing the projected financial value associated with a risk by lowering the possibility of the occurrence of the risk.
• Acceptance: In some cases, a business may be forced to accept a risk. This option is possible if a business entity develops contingencies to mitigate the impact of the risk, should it occur.

When creating contingencies, a business needs to engage in a problem-solving approach. The result is a well-detailed plan that can be executed as soon as the need arises. Such a plan will enable a business organization to handle barriers or blockage to its success because it can deal with risks as soon as they arise.

Importance of Risk Management

Risk management is an important process because it empowers a business with the necessary tools so that it can adequately identify and deal with potential risks. Once a risk has been identified, it is then easy to mitigate it. In addition, risk management provides a business with a basis upon which it can undertake sound decision-making.

For a business, assessment and management of risks is the best way to prepare for eventualities that may come in the way of progress and growth. When a business evaluates its plan for handling potential threats and then develops structures to address them, it improves its odds of becoming a successful entity.

In addition, progressive risk management ensures risks of a high priority are dealt with as aggressively as possible. Moreover, the management will have the necessary information that they can use to make informed decisions and ensure that the business remains profitable.

Risk Analysis Process

Risk analysis is a qualitative problem-solving approach that uses various tools of assessment to work out and rank risks for the purpose of assessing and resolving them. Here is the risk analysis process:

1. Identify existing risks

Risk identification mainly involves brainstorming. A business gathers its employees together so that they can review all the various sources of risk. The next step is to arrange all the identified risks in order of priority. Because it is not possible to mitigate all existing risks, prioritization ensures that those risks that can affect a business significantly are dealt with more urgently.

2. Assess the risks

In many cases, problem resolution involves identifying the problem and then finding an appropriate solution. However, prior to figuring out how best to handle risks, a business should locate the cause of the risks by asking the question, “What caused such a risk and how could it influence the business?”

3. Develop an appropriate response - Control Risk

Once a business entity is set on assessing likely remedies to mitigate identified risks and prevent their recurrence, it needs to ask the following questions: What measures can be taken to prevent the identified risk from recurring? In addition, what is the best thing to do if it does recur?

4. Develop preventive mechanisms for identified risks

Here, the ideas that were found to be useful in mitigating risks are developed into a number of tasks and then into contingency plans that can be deployed in the future. If risks occur, the plans can be put to action.

Summary

Our business ventures encounter many risks that can affect their survival and growth. As a result, it is important to understand the basic principles of risk management and how they can be used to help mitigate the effects of risks on business entities.

5 Basic Methods for Risk Management

As people begin to age, they usually encounter more health risks. Managing pure risk entails the process of identifying, evaluating, and subjugating these risks—a defensive strategy to prepare for the unexpected. The basic methods for risk management—avoidance, retention, sharing, transferring, and loss prevention and reduction—can apply to all facets of an individual's life and can pay off in the long run. Here's a look at these five methods and how they can apply to the management of health risks.
Avoidance

Avoidance means not participating in activities that could harm you; in the case of health, smoking is a good example.

Avoidance is a method for mitigating risk by not participating in activities that may incur injury, sickness, or death. Smoking cigarettes is an example of one such activity because avoiding it may lessen both health and financial risks.

According to the American Lung Association, smoking is the leading cause of preventable death in the U.S. and claims more than 480,000 lives per year. [1] Additionally, the U.S. Centers for Disease Control and Prevention notes that smoking is the No. 1 risk factor for getting lung cancer, and the risk only increases the longer that people smoke. [2]

Life insurance companies mitigate this risk on their end by raising premiums for smokers versus nonsmokers. Under the Affordable Health Care Act, also known as Obamacare, health insurers are able to increase premiums based on age, geography, family size, and smoking status. The law allows for up to a 50% surcharge on premiums for smokers. [3]

Retention

Retention acknowledges the inevitability of certain risks, and in terms of health care, it could mean picking a less expensive health insurance plan that has a higher deductible rate.

Retention is the acknowledgment and acceptance of a risk as a given. Usually, this accepted risk is a cost to help offset larger risks down the road, such as opting to select a lower premium health insurance plan that carries a higher deductible rate. The initial risk is the cost of having to pay more out-of-pocket medical expenses if health issues arise. If the issue becomes more serious or life-threatening, then the health insurance benefits are available to cover most of the costs beyond the deductible. If the individual has no serious health issues warranting any additional medical expenses for the year, then they avoid the out-of-pocket payments, mitigating the larger risk altogether.

Sharing

Sharing risk can be applied to how employer-based benefits are often more affordable than if an individual gets their own health insurance.

Sharing risk is often implemented through employer-based benefits that allow the company to pay a portion of insurance premiums with the employee. In essence, this shares the risk with the company and all employees participating in the insurance benefits. The understanding is that with more participants sharing the risks, the costs of premiums should shrink proportionately. Individuals may find it in their best interest to participate in sharing the risk by choosing employer health care and life insurance plans when possible.

Transferring

Transferring risk relates to healthcare in that the cost of the care is transferred to the insurer from the individual, beyond the cost of premiums and a deductible.

The use of health insurance is an example of transferring risk because the financial risks associated with health care are transferred from the individual to the insurer. Insurance companies assume the financial risk in exchange for a fee known as a premium and a documented contract between the insurer and individual. The contract states all the stipulations and conditions that must be met and maintained for the insurer to take on the financial responsibility of covering the risk.

By accepting the terms and conditions and paying the premiums, an individual has managed to transfer most, if not all, the risk to the insurer. The insurer carefully applies many statistics and algorithms to accurately determine the proper premium payments commensurate to the requested coverage. When claims are made, the insurer confirms whether the conditions are met to provide the contractual payout for the risk outcome.

Loss Prevention and Reduction

Loss prevention and reduction are used to minimize risk, not eliminate it—the same concept is used in healthcare with preventative care.

This method of risk management attempts to minimize the loss, rather than completely eliminate it. While accepting the risk, it stays focused on keeping the loss contained and preventing it from spreading. An example of this in health insurance is preventative care.

Health insurers encourage preventative care visits, often free of co-pays, where members can receive annual checkups and physical examinations. Insurers understand that spotting potential health issues early on and administering preventative care can help minimize medical costs in the long run. Many health plans also provide discounts to gyms and health clubs as another means of prevention and reduction in order to keep members active and healthy.
MODULE 12

What is risk assessment?

Risk assessment is the process of evaluating risks to workers' safety and health from workplace hazards: whether the hazards could be eliminated and, if not, ... what preventive or protective measures are, or should be, in place to control the risks.

Definitions

Hazards - A hazard can be anything – whether work materials, equipment, work methods or practices – that has the potential to cause harm.

Risks - A risk is the chance, high or low, that somebody may be harmed by the hazard.

Risk assessment

Risk assessment is the process of evaluating risks to workers' safety and health from workplace hazards. It is a systematic examination of all aspects of work that considers:

➔ what could cause injury or harm;
➔ whether the hazards could be eliminated and, if not;
➔ what preventive or protective measures are, or should be, in place to control the risks.

What Are the Types of Risk Assessments and When to Use Them?

There are several different types of risk assessments used by health and safety (H&S) professionals and those with H&S responsibilities. You may decide to use only one of these, or you may use several different types for different purposes. Different approaches to risk assessments can even be used within a single assessment.

● Qualitative Risk Assessments

Most risk assessments will fall under this category. When carrying out a qualitative assessment, the assessor will use their personal judgement to identify hazards around the workplace, assess risks and plan control measures.

Risks may be classed as high, medium or low-level after the assessor has considered both the probability and severity of the risk in question.

● Quantitative Risk Assessments

This type of risk assessment uses quantitative tools and techniques to measure the level of risks. A risk matrix may be used so that a value can be assigned to the likelihood and severity of risks. For example, you might use a 3×3 matrix with the following values:

3×3 Risk Matrix — Probability
Highly Unlikely = 1
Likely = 2
Highly Likely = 3

3×3 Risk Matrix — Severity
Slight = 1
Serious = 2
Major = 3

To calculate the level of risk, the following equation can then be used:

Risk = Severity x Likelihood

You can see this type of risk matrix used in our risk-assessment template.

There are also other options for risk matrices, such as the 5×5 matrix. The values you use will depend on personal preference and the variability you need in risk levels.

● Generic Risk Assessments

Generic risk assessments assess the hazards and risks involved in work tasks and activities. They can be used in different locations and by different companies for activities that are the same/similar, so they’re often used as risk-assessment templates. This allows you to reduce duplication in your risk-management processes.

However, when using a generic risk assessment, it’s important to note that every workplace and activity will be slightly different, and any differences can affect the accuracy and relevancy of these risk assessments. To ensure generic assessments are relevant and that they’re going to be effective at mitigating risks, you need to review them and adjust or update them accordingly.
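The 3×3 matrix and Risk = Severity x Likelihood from the Quantitative Risk Assessments section above, applied to a constructed risk register and used to arrange the identified risks in order of priority; this is an added example, not part of the module, and the Low/Medium/High bands are an assumption. It also generalises to the 5×5 matrix the section mentions, since the scales are passed in as dictionaries.

```python
# Added example (not from the module): score a risk register with the 3x3
# matrix quoted above (Risk = Severity x Likelihood) and arrange the
# identified risks in order of priority. The Low/Medium/High bands and the
# sample register are assumptions, not values from the module.

# Values quoted in the module for the 3x3 matrix.
PROBABILITY_3X3 = {"Highly Unlikely": 1, "Likely": 2, "Highly Likely": 3}
SEVERITY_3X3 = {"Slight": 1, "Serious": 2, "Major": 3}


def risk_score(severity, likelihood, severity_scale=SEVERITY_3X3,
               probability_scale=PROBABILITY_3X3):
    """Risk = Severity x Likelihood. Labels are looked up in the chosen scales,
    so a 5x5 matrix is just a pair of five-entry dicts passed in instead."""
    if severity not in severity_scale:
        raise ValueError(f"unknown severity label: {severity!r}")
    if likelihood not in probability_scale:
        raise ValueError(f"unknown likelihood label: {likelihood!r}")
    return severity_scale[severity] * probability_scale[likelihood]


def risk_band(score, max_score=9):
    """Assumed banding (not from the module): top third of the scale is High,
    middle third Medium, bottom third Low, so it scales with the matrix size."""
    if score > max_score * 2 / 3:
        return "High"
    if score > max_score / 3:
        return "Medium"
    return "Low"


def prioritise(register, severity_scale=SEVERITY_3X3,
               probability_scale=PROBABILITY_3X3):
    """Return (hazard, score, band) rows, highest risk first, so the risks that
    can affect the business most significantly are dealt with more urgently."""
    max_score = max(severity_scale.values()) * max(probability_scale.values())
    scored = []
    for hazard, severity, likelihood in register:
        score = risk_score(severity, likelihood, severity_scale, probability_scale)
        scored.append((hazard, score, risk_band(score, max_score)))
    # Stable sort: equal scores keep the order in which they were identified.
    scored.sort(key=lambda row: row[1], reverse=True)
    return scored


# Constructed sample register using hazards the module itself mentions.
SAMPLE_REGISTER = [
    ("Slips and trips from spillages in the storeroom", "Serious", "Likely"),
    ("Unguarded cutting machine", "Major", "Highly Likely"),
    ("Asbestos disturbed during refurbishment", "Major", "Highly Unlikely"),
    ("Repetitive checkout tasks", "Slight", "Highly Likely"),
]

if __name__ == "__main__":
    for hazard, score, band in prioritise(SAMPLE_REGISTER):
        print(f"{score:>2}  {band:<6}  {hazard}")
```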
● Site-Specific Risk Assessments

These are the most important types of risk assessments, as they’re carried out for a specific activity in a specific location. This means they’re completely relevant and should be effective at eliminating or controlling risks and keeping people safe. Think of these risk assessments like taking a deep dive into the health and safety of different activities and work sites.

These assessments may be completed after carrying out generic risk assessments to gain a better understanding of hazards and risk-control methods in the workplace.

You’re legally required to take reasonable steps to mitigate risks and protect people from harm. Site-specific risk assessments can help you plan and implement control measures proportionate to the level of risk.

As the most thorough method of risk assessment, they can help you keep your workforce and members of the public safe and protect your business from the legal liability and reputational damage that comes with health and safety breaches.

● Dynamic Risk Assessments

Dynamic risk assessments are carried out on the spot, during unforeseen circumstances. If there are sudden, significant changes to the health and safety of the workplace or work activities, written risk assessments may not be applicable. Risks may need to be considered on the spot to assess whether it’s safe for work to continue.

One thing all of the risk assessments above have in common is that they should be completed following the five-step risk assessment process.

Remember

Whatever risk-assessment process you adopt, it is always advisable to engage with your workforce when completing risk assessments, as they may know of the workable solutions needed to complete tasks safely.

What are the five steps to risk assessment?

The Health and Safety Executive (HSE) advises employers to follow five steps when carrying out a workplace risk assessment:

Step 1: Identify hazards, i.e. anything that may cause harm.

Employers have a duty to assess the health and safety risks faced by their workers. Your employer must systematically check for possible physical, mental, chemical and biological hazards.

This is one common classification of hazards:

● Physical: e.g. lifting, awkward postures, slips and trips, noise, dust, machinery, computer equipment, etc.
● Mental: e.g. excess workload, long hours, working with high-need clients, bullying, etc. These are also called 'psychosocial' hazards, affecting mental health and occurring within working relationships.
● Chemical: e.g. asbestos, cleaning fluids, aerosols, etc.
● Biological: including tuberculosis, hepatitis and other infectious diseases faced by healthcare workers, home care staff and other healthcare professionals.

Step 2: Decide who may be harmed, and how.

Identifying who is at risk starts with your organisation's own full- and part-time employees. Employers must also assess risks faced by agency and contract staff, visitors, clients and other members of the public on their premises.

Employers must review work routines in all the different locations and situations where their staff are employed. For example:

Home care supervisors must take due account of their client's personal safety in the home, and ensure safe working and lifting arrangements for their own home care staff.

In a supermarket, hazards are found in the repetitive tasks at the checkout, in lifting loads, and in slips and trips from spillages and obstacles in the shop and storerooms. Staff face the risk of violence from customers and intruders, especially in the evenings.

In call centers, workstation equipment (i.e. desk, screen, keyboard and chair) must be adjusted to suit each employee.

Employers have special duties towards the health and safety of young workers, disabled employees, night workers, shift workers, and pregnant or breastfeeding women.
Step 3: Assess the risks and take action.

This means employers must consider how likely it is that each hazard could cause harm. This will determine whether or not your employer should reduce the level of risk. Even after all precautions have been taken, some risk usually remains. Employers must decide for each remaining hazard whether the risk remains high, medium or low.

Step 4: Make a record of the findings.

Employers with five or more staff are required to record in writing the main findings of the risk assessment. This record should include details of any hazards noted in the risk assessment, and action taken to reduce or eliminate risk.

This record provides proof that the assessment was carried out, and is used as the basis for a later review of working practices. The risk assessment is a working document. You should be able to read it. It should not be locked away in a cupboard.

Step 5: Review the risk assessment.

A risk assessment must be kept under review in order to:

● ensure that agreed safe working practices continue to be applied (e.g. that management's safety instructions are respected by supervisors and line managers); and
● take account of any new working practices, new machinery or more demanding work targets.

How should my employer deal with hazards?

The basic rule is that employers must adapt the work to the worker. The key aims of risk assessment are to:

➔ prioritise the risks – i.e. rank them in order of seriousness; and
➔ make all risks small – the two main options here are to:
  ◆ eliminate the hazard altogether; or
  ◆ if this is not possible, control the risks so that harm is unlikely.

The basic approach is also known as a 'hierarchy of control' because it sets out the order in which employers must approach risk management:

1. Substitution (i.e. try a risk-free or less risky option).
2. Prevention (e.g. erect a machine guard, or add a non-slip surface to a pathway).
3. Reorganise work to reduce exposure to a risk. A basic rule is to adapt the work to the worker.

In an office, ensure chairs and display screen equipment (DSE) are adjustable to the individual, and plan all work involving a computer to include regular breaks. For monotonous or routine work, introduce work variety and greater control over work. In call centres, introduce work variety by providing work off the phones and varying the type of calls handled.

4. As a last resort, issue personal protective equipment (PPE) to all staff at risk, and make sure they are trained in when and how to use this equipment, such as appropriate eye protection, gloves, special clothing, footwear.
5. Provide training in safe working systems.
6. Provide information on likely hazards and how to avoid them.
7. Provide social and welfare facilities, such as washing facilities for the removal of contamination, or a restroom.

How often should a risk assessment take place?

The Health and Safety Executive (HSE) says risk should be assessed "every time there are new machines, substances and procedures, which could lead to new hazards."

An employer should carry out a risk assessment:

● whenever a new job brings in significant new hazards. If there is high staff turnover, then the way new staff do their work should be checked against the risk assessment, and training provided in safe working practices if necessary;
● whenever something happens to alert the employer to the presence of a hazard – for example, an unusual volume of sickness absence, complaints of stress and bullying, or unusually high staff turnover;
● in response to particular changes to the level of risk to individual employees – for example, where an employee returns to work after a period of long-term sickness absence; or
● where an employee is pregnant or breastfeeding and her work might involve a risk to her or her unborn child’s health and safety.
