1. Risk management involves identifying, assessing, and responding to risks that could impact an organization. There are two main types of risk - systematic risks that are outside an organization's control and affect wide markets, and unsystematic risks that are specific to an individual organization and can be predicted and controlled.
2. For investments and businesses, key risks include market risk, credit risk, liquidity risk, interest rate risk, and operational risks related to processes and policies. Financial institutions also face risks related to liquidity, markets, derivatives, and accounting practices.
3. The risk management process involves establishing the context, identifying potential risks, assessing their likelihood and impact, and then selecting risk responses such as avoiding,
Reviewer for Risk Management to COSO Framework. MAS 4
RISK – probability that a future event could impact the organization.
- Measured in terms of probability and impact
- Exposure to the possibility of loss, injury, and other adverse circumstances
- Inherent; can be mitigated
- Purchasing power risk: possibility of not being able to buy as much with your savings in the future; represents loss of value due to inflation

Systematic Risk vs Unsystematic Risk
Systematic Risk:
- not controllable
- not entirely predictable
- macro in nature
- affects a large number of organizations
- cannot be fully assessed and anticipated
- e.g. Interest Rate Risk, Market Risk, Purchasing Power Risk
Unsystematic Risk:
- controllable
- predictable
- micro in nature
- directly affects an individual organization
- can be assessed in advance with reasonable effort
- e.g. Compliance Risk, Credit Risk, Operational Risk

Risk Associated with Manufacturing, Trading, and Service Concerns (MOFB)
A. Market Risk
- Risk faced by an investor due to a decrease in the market value of a financial product that may affect the whole market
- Product Risk (COR&DPDoW): Complexity, Obsolescence, Research and Development, Packaging, Delivery of Warranties
- Competitor Risk (2MS PS): Pricing strategy, Market share, Market strategy
B. Operation Risk
- Risk of losses caused by failed processes, policies, systems or events that disrupt business operations (PsH&SAssEToI):
1. Process stoppage 2. Health and Safety 3. After-sales service failure 4. Environmental 5. Technological Obsolescence 6. Integrity (Management Fraud, Employee Fraud, Illegal acts)
C. Financial Risk
- Likelihood of losing money on a business or investment decision (IrvFcLDV):
1. Interest Rate Volatility 2. Foreign Currency 3. Liquidity 4. Derivative 5. Viability
D. Business Risk
- Exposure a company or organization has to factor(s) that will lower its profits or lead it to fail
- Anything that threatens the company’s ability to achieve its financial goals (RcRPR&LSrCrCaBi):
1. Regulatory Change 2. Reputation 3. Political 4. Regulatory and legal 5. Shareholder relations 6. Credit rating 7. Credit availability 8. Business interruptions

Risk Associated with Investments (BDFIrLMPp)
A. Business Risk
- Uncertainty about rate of return caused by the nature of the business
- Related to sales volatility and operating leverage
- Operating Leverage – caused by fixed OPEX; causes OPIN to be more volatile than sales
B. Default Risk
- Probability that investments will not be returned
- Degree of default risk: closely related to the financial condition of the company
C. Financial Risk
- Firm’s capital structure or source of financing
- Risk of DEFAULT: any risk associated with financing, including company loans
- Financial Leverage: causes the firm’s lenders and stockholders to view income streams differently; causes NI to vary more than OPIN
D. Interest Rate Risk
- Most commonly associated with bond price movements
- Rising interest rates, bond prices decline; declining interest rates, bond prices rise
E. Liquidity Risk
- Inability to sell an investment quickly for cash
- T-bills: sold immediately with very little concession
- Ordinary equity: can be sold quickly; liquidity risk for these is more complex; they trade on organized and active markets
F. Management Risk
- Risk (financial, ethical, or otherwise) associated with ineffective, destructive, or underperforming management
- Areas affected: product innovation and production methods; financing to acquisitions

Risk Associated with Financial Institutions
A. Financial Risk (LCMMlD)
a. Liquidity Risk
   i. Financial Reporting Risk: Adequacy, Completeness
b. Market Risk: Currency, Equity, Commodity
c. Credit Risk: Counterparty, Trading; Commercial: Loans, Guarantees
d. Market Liquidity Risk: Currency rates, Interest rates, Bond and equity rates
e. Hedged Positions Risk
f. Portfolio Exposure Risk
g. Derivative Risk
h. Accounting Information Risk: Completeness, Accuracy
B. Non-Financial Risk (OREIL)
a. Operational Risk: Systems (Information Processing, Technology), Customer Satisfaction, Human Resources, Fraud and Illegal Acts, Bankruptcy
b. Regulatory Risk: Capital Adequacy, Compliance, Taxation, Changing Laws and Policies
c. Environmental Risk: Politics, Natural Disasters, War, Terrorism
d. Integrity Risk: Reputation
e. Leadership Risk: Turnover, Succession

Process of Risk Management (EIR)
a. Establishing Context
b. Identification of Potential Risk
   Steps (IorMDaaMiPlarDev):
   ➢ Identification of risk in the selected domain of interest
   ➢ Mapping out the social scope of RM, the identity and objectives of stakeholders, and the basis of evaluations and constraints
   ➢ Defining the framework for the activity and an agenda
   ➢ Mitigation of risks using available technological, human, and organizational resources
   ➢ Planning the remaining process
   ➢ Developing an analysis of the risks in the process
   Common risk identification methods (COSTR):
   a. Objective-based risk identification
   b. Scenario-based risk identification
   c. Taxonomy-based risk identification
   d. Common-risk checking
   e. Risk charting
c. Risk Assessment – critical to making the best educated decisions in prioritizing implementation of the risk management plan

ISO 31000 – suggests that once a risk is identified and assessed, techniques should be applied to manage it
- Family of standards relating to risk management codified by ISO (International Organization for Standardization)

Risk Responses (ASMAC)
- Risk Avoidance – losing out on potential gain; avoiding the possibility of earning; not performing the activity that carries risk
- Risk Sharing – sharing with another party the burden of loss or the benefit of gain
- Risk Mitigation – reducing the severity of loss
- Risk Acceptance – accepting the loss or benefit of gain from the risk
- Risk Creation

ELEMENTS OF RISK MANAGEMENT (IADIP)
a. Identification, characterization and assessment of threats (ICAThreats)
b. Assessment of the vulnerability of critical assets to specific threats (VCA-SThreats)
c. Determination of the risk (DoR)
d. Identification of ways to reduce those risks (IoW (-)risk)
e. Prioritization of risk reduction measures based on a strategy (PrioRRmstrat)

RISK MANAGEMENT
- Process of measuring or assessing risk and developing strategies to manage it
- Systematic approach to identifying, analyzing, and controlling areas or events with potential for causing unwanted change
- Act or practice of controlling risk (RpAraDrhoMrDormp): a. Risk planning b. Assessing risk areas c. Developing risk-handling options d. Monitoring risks e. Documenting the overall risk management program
According to ISO 31000:
- Identification, assessment, and prioritization of risks
- Coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events
- Maximizes the realization of opportunities

AREAS OF RISK MANAGEMENT – most commonly encountered areas of risk management:
— Enterprise Risk Management (ERM)
— Risk management activities as applied to project management (RMactsappPM)
— Risk management for megaprojects (RMfMP)
— Risk management of information technology (RMofIT)
— Risk management techniques in petroleum and natural gas (RMtechsPetrolNG)

Basic Principles of Risk Management (CABBCB)
a. Create value
b. Address uncertainty and assumptions
c. Be an integral part of organizational processes and decision-making
d. Be dynamic, iterative, transparent, tailorable, and responsive to change
e. Create continual improvement and enhancement capability, considering the best available information and human factors
f. Be systematic, structured, and continually or periodically reassessed
o Subject to its size, risk profile and complexity of operations, the company should have a separate risk management function to IDENTIFY, ASSESS, AND MONITOR KEY RISK EXPOSURES.

Risk Management Process – framework for the action to be taken to manage risk
- Method of understanding what risks and opportunities are present

STEPS IN RISK MANAGEMENT PROCESS
1. Set up a separate risk management committee chaired by a board member
   • Creation of a risk management committee at the board level will demonstrate the firm's commitment to adopt an integrated company-wide risk management system.
2. Ensure that a formal comprehensive risk management system is in place
   • This fully documented formal system will provide a clear vision of the board's desire for effective company-wide risk management.
3. Assess whether the formal system possesses the necessary elements
   • Key Elements: o Goals and Objectives o Organization Structure o Risk Language Identification o Risk Management Process and Documentation
4. Evaluate the effectiveness of the various steps in the assessment of the comprehensive risks faced by the business firm
5. Assess whether management has developed and implemented suitable risk management strategies and evaluate their effectiveness
6. Evaluate whether management has designed and implemented risk management capabilities
7. Assess management's efforts to monitor overall company risk management performance
8. See to it that best practices as well as mistakes are shared by all
9. Assess regularly the level of sophistication of the firm's risk management system
10. Hire experts when needed

Traditional Risk Management (TRM) – process that aims to develop a consistent understanding of the organization’s goals and the risks that inhibit its success.
Enterprise Risk Management (ERM) – aka company-wide risk management
- considers risks and opportunities across the organization, aligns with strategic objectives and promotes a risk-aware culture.

Distinctions between ERM and TRM (12):
Reactiveness: TRM - Reactive: responds to incidents that have occurred and focuses on preventing recurrence. ERM - Proactive: looks forward to prevent risk from occurring and to continuously improve the firm's capabilities.
Scope: TRM - Focuses on insurable and financially tangible risks. ERM - Encompasses both insurable and non-insurable risks, and those where the cost is hard to define (e.g. damage to brand reputation).
Adaptability: TRM - Standardized, prescribed approaches. ERM - Fluid, adaptable, agile.
Effort: TRM - Focuses on business units or departments; siloed; can create duplicated activity. ERM - Holistic and enterprise-wide; minimizes duplication.
Alignment: TRM - Limits risk prioritization and alignment across teams. ERM - Enables risks that impact multiple departments to be prioritized and tackled in an integrated way.
Integration: TRM - Approach, metrics, and reporting inconsistent between teams, sites or departments. ERM - Approach, metrics, and reporting consistent and integrated across the business.
Identification: TRM - Identifies and tackles risks on a case-by-case basis. ERM - Focuses on root-cause risks common to every silo.
Mitigation: TRM - Focuses on impact on individual business units or teams. ERM - Takes into account the impact on the entire organization.
Mindset: TRM - Risk averse; focuses on mitigation. ERM - Risk tolerant; adopts an enterprise-wide risk culture.
Connection: TRM - Standards and approaches are business-specific and can be simplistic. ERM - Aligns with recognized standards like the COSO Framework (internal framework) to ensure the risk management approach is in line with best practice.
Prominence: TRM - Keeps risk conversations at team or department level. ERM - Elevates risk discussions to board level.
Responsiveness: TRM - Static checklist of risks and responses. ERM - Real-time, responsive approach to the changing organization and risk landscape.

ENTERPRISE RISK MANAGEMENT
SEC Code of Governance Recommendation 2.11 and the corresponding explanation provide the following:
- The Board should oversee that a sound ERM framework is in place to effectively identify, monitor, assess, and manage key business risks.
- The risk management framework should guide the BOARD in identifying unit/business-line and enterprise-level risk exposures, as well as the effectiveness of risk management strategies.
- Risk management policy – part and parcel of a corporation’s corporate strategy.
- Board – responsible for defining the company’s level of risk tolerance and providing oversight over its risk management policies and procedures.
Principle 12 is the one that deals with strengthening the Internal Control System and Enterprise Risk Management Framework —> “To ensure the integrity, transparency, and proper governance in the conduct of its affairs, the company should have a strong and effective internal control system and enterprise risk management framework.”
Risk Management Framework
• Subject to the corporation’s size, risk profile and complexity of operations, the BOARD should establish a separate Board Risk Oversight Committee (BROC) that should be responsible for the oversight of the company’s ERM system, to ensure its functionality and effectiveness.
BROC composed of:
• at least three (3) members, the majority of whom should be independent directors, including the Chairman.
• The Chairman should not be the Chairman of the Board or of any other committee.
• At least one (1) member of the committee must have relevant thorough knowledge and experience on risk and risk management.

SARBANES-OXLEY ACT OF 2002
• It was Enron’s fraudulent behavior that caused the SOX Act to be passed in 2002 (Enron was the largest company in the US during 2001).
Sarbanes-Oxley Act – a U.S. Federal Law
- spearheaded by Senator Paul Sarbanes and Representative Michael Oxley
- signed into law by President George W. Bush on July 30, 2002
- aka SOX Act of 2002 and the Corporate Responsibility Act of 2002
- mandated strict reforms to existing securities regulations and imposed tough new penalties on lawbreakers
- aims to protect investors from fraudulent financial reporting by corporations
- came in response to the financial scandals of the early 2000s
The new law set out reforms and additions in four (4) principal areas (CAIN):
1. Corporate responsibility 2. Accounting regulation 3. Increased criminal punishment 4. New protections
Management levels that the SOX Act affects (STARBE):
- External & Internal auditors
- Top executives
- Attorneys (internal and external)
- BOD and their committees
- Senior managers
- Regulators

Sections of SOX Relevant to Compliance
Section 302 – Corporate Responsibility for Financial Reports
Financial reports and statements must certify that:
• Documents have been reviewed by the signing officers and passed internal controls within the last 90 days.
• Documents are free of untrue statements or misleading omissions.
• Documents truthfully represent the company’s financial health and position.
• Documents must be accompanied by a list of all deficiencies or changes in internal controls and information on any fraud involving company employees.
Section 401 – Disclosures in Periodic Reports
- Financial statements are required to be accurate.
- Financial statements should also represent any off-balance-sheet liabilities, transactions, or obligations.
Section 404 – Management Assessment of Internal Controls
- requires management and auditors to establish internal controls and reporting methods to ensure the adequacy of those controls.
Section 409 – Real-time Issuer Disclosures
- Companies are required to urgently disclose drastic changes in financial position or operations.
Section 802 – Criminal Penalties for Altering Documents
Contains three (3) rules that affect recordkeeping:
- Deals with destruction and falsification of records
- Defines the retention period for storing records
- Outlines specific business records that companies need to store (electronic communications)
Outlines PENALTIES:
- any company official found guilty of concealing, destroying, or altering documents, with intent to disrupt an investigation, will face up to 20 years in prison and applicable fines.
- any accountant who knowingly aids company officials in destroying, altering, or falsifying financial statements could face up to 10 years in prison.
Section 806 – Protection for Employees of Publicly Traded Companies who provide Evidence of Fraud
- deals with whistleblower protection.
- mandates protection for whistleblowers, stating that employees and contractors who report fraud or testify about fraud to the Department of Labor are protected against retaliation, including dismissal and discrimination.
Section 902 – Attempts & Conspiracies to Commit Fraud Offenses
- makes it a crime for any person to corruptly alter, destroy, mutilate, or conceal any document with intent to impair the object’s integrity or availability for use in an official proceeding.
Section 906 – Corporate Responsibility for Financial Reports
- addresses criminal penalties for certifying a misleading or fraudulent financial report.
- penalties can be upwards of $5 million in fines and 20 years in prison.

Summary of Sarbanes-Oxley Act 2002 (11 titles)
TITLE I – Public Company Accounting Oversight Board (PCAOB)
• consists of 9 sections and establishes the PCAOB, to provide independent oversight of public accounting firms providing audit services.
TITLE II – Auditor Independence
• consists of 9 sections and establishes standards for external auditor independence, to limit conflicts of interest.
• addresses new auditor approval requirements, audit partner rotation, and auditor reporting requirements.
TITLE III – Corporate Responsibility
• consists of 8 sections and mandates that senior executives take individual responsibility for the accuracy and completeness of corporate financial reports.
TITLE IV – Enhanced Financial Disclosures
• consists of 9 sections and describes enhanced reporting requirements for financial transactions, including off-balance-sheet transactions, pro-forma figures and stock transactions of corporate officers.
TITLE V – Analyst Conflicts of Interest
• consists of 1 section; includes measures designed to help restore investor confidence in the reporting of securities analysts.
TITLE VI – Commission Resources and Authority
• consists of 4 sections; defines practices to restore investor confidence in securities analysts.
TITLE VII – Studies and Reports
• consists of 5 sections; requires the Comptroller General and the SEC to perform various studies and report their findings.
TITLE VIII – Corporate and Criminal Fraud Accountability
• consists of 7 sections; referred to as the Corporate and Criminal Fraud Accountability Act of 2002.
TITLE IX – White-Collar Crime Penalty Enhancements
• consists of 6 sections; aka the White-Collar Crime Penalty Enhancement Act of 2002.
• increases criminal penalties associated with white-collar crimes and conspiracies.
TITLE X – Corporate Tax Returns
• consists of 1 section.
• Chief executive officers should sign the company tax return.
TITLE XI – Corporate Fraud and Accountability
• consists of 7 sections; called the Corporate Fraud Accountability Act of 2002.
• identifies corporate fraud and records tampering as criminal offenses and joins those offenses to specific penalties.

INTERNAL CONTROL
Internal Control – process designed and effected by those charged with governance, management, and other personnel (Committee of Sponsoring Organizations).
- Provides reasonable assurance about the achievement of the entity’s objectives.
OBJECTIVES (REC):
✓ Reliability of the entity’s financial reporting.
✓ Effectiveness and efficiency of operations.
✓ Compliance with applicable laws and regulations.
Others (ASP&DA&CT):
✓ Adherence to management policies
✓ Safeguarding of assets
✓ Prevention and detection of fraud and error
✓ Accuracy and completeness of accounting records
✓ Timely preparation of financial information

Elements/Components (CeErapIs&cCaMc)
A. Control Environment
• Communication & Enforcement of Integrity and Ethical Values
  - the entity’s ethical and behavioral standards and the manner in which it communicates and reinforces the entity’s integrity and ethical behavior
• Commitment to Competence
  - knowledge and skills necessary to accomplish the tasks that define an employee’s job
• Participation by Those Charged with Governance
  - the entity’s control consciousness is influenced significantly by those charged with governance
  - oversight and whistleblower mechanism
• Management’s Philosophy and Operating Style
  - management’s approach to taking and monitoring business risk, its conservative or aggressive selection from alternative accounting principles
• Organizational Structure
  - provides the overall framework for planning, directing, and controlling operations
• Assignment of Authority and Responsibility
  - personnel within the organization need to have a clear understanding of their responsibilities and the rules and regulations that govern their actions
• Human Resources Policies and Procedures
  - an important element of the IACS is the people who perform and execute established policies and procedures.
B. Entity’s Risk Assessment Process
➢ Risk Assessment – identification, analysis, and management of risks pertaining to the preparation of FS.
➢ Entity’s risk assessment process – process for identifying and responding to business risks and the results thereof.
  - FS purposes: how management identifies risks relevant to the preparation of FS that are presented fairly…
Circumstances where RISKS can arise (CNNRN):
- changes in the operating environment
- new personnel
- new or revamped information systems
- rapid growth
- new technology
- new business models, products, or activities
- corporate restructurings
- expanded foreign operations
- new accounting pronouncements
➢ Application to small entities: the entity’s risk assessment process is likely to be less formal and less structured.
  - FR objectives may be recognized implicitly rather than explicitly.
C. Information System and Communication
Information system – consists of infrastructure (physical and hardware components), software, people, procedures, and data.
AS procedures and records designed and established to:
• Initiate, record, process, and report entity transactions and maintain them; determine accountability for related assets, liabilities, and equity.
• Resolve incorrect processing of transactions.
• Process and account for system overrides or bypasses of controls.
• Transfer information from transaction processing systems to the general ledger.
• Capture information relevant to financial reporting for events and conditions other than transactions.
• Ensure information required to be disclosed by the applicable financial reporting framework is ACCUMULATED, RECORDED, PROCESSED, SUMMARIZED, and appropriately reported in the FS.
*The entity’s IS includes the use of standard JEs that are required on a recurring basis, and the use of non-standard JEs to record non-recurring, unusual transactions or adjustments.
➢ Related Business Processes
- Develop, purchase, produce, sell and distribute the entity’s products and services.
- Ensure compliance with laws and regulations.
- Record information, including accounting and financial reporting information.
➢ Information System encompasses methods and records that:
- Identify and record all valid transactions.
- Describe the transactions on a timely basis in sufficient detail.
- Measure the value of transactions.
- Determine the time period in which transactions occurred.
- Present transactions and related disclosures properly in the FS.
Communication – involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting.
- takes such forms as policy manuals, accounting and FR manuals, and memoranda.
- can be made electronically, orally, and through the actions of management.
D. Control Activities
- policies and procedures that help ensure that management directives are carried out.
3 major categories of control procedures (PrIpcPc):
• Performance review – uses accounting and operating data to assess performance and takes corrective action
  - personnel at various levels in the organization may perform this
  - a manager may use it for the sole purpose of making operating decisions
• Information processing controls – policies and procedures designed to require authorization of transactions and ensure the accuracy and completeness of transaction processing.
  Classification according to scope of system:
  1. Application controls – control activities that pertain to the processing of a specific type of transaction
  2. General controls – control activities that prevent or detect errors for all accounting systems.
  Control activities related to processing transactions:
  a. Proper authorization of transactions and activities
  b. Separation of duties
  c. Adequate documents and records
  d. Access to assets
  e. Independent checks on performance
• Physical Control
  - physical security of assets
  - authorization for access to computer programs and data files
  - periodic accounting and comparison with amounts shown on control records
E. Monitoring of Controls
- process that the entity uses to assess the quality of internal control over time.
- involves assessing the design and operation of controls on a timely basis and taking corrective action as necessary.

WHY NEED INTERNAL CONTROL?
Internal control – organizational plan
- all related measures to safeguard assets, ensure accuracy and reliability, promote operational efficiency, and encourage adherence to policies.
COSO – Committee of Sponsoring Organizations of the Treadway Commission
- composed of representatives from five (5) organizations:
• American Accounting Association (AAA)
• American Institute of Certified Public Accountants (AICPA)
• Financial Executives International (FEI)
• Institute of Management Accountants (IMA)
• Institute of Internal Auditors (IIA)
COSO framework – system used to establish internal controls to be integrated into business processes.
- these controls provide reasonable assurance that the organization is operating ethically, transparently and in accordance with established industry standards.
COSO Model – defines IC as a “process effected by the entity’s board of directors, management, and other personnel”
- designed to provide reasonable assurance of the achievement of objectives (Operations, Reporting, Compliance).
Objectives of the COSO Framework: a. Operations b. Reporting c. Compliance

FIVE COMPONENTS OF COSO FRAMEWORK
A. Control Environment – set of standards, processes and structures that provides the basis for carrying out internal control across the organization.
B. Risk Assessment – forms the basis for determining how risks will be managed.
C. Control Activities – actions established through policies and procedures that help ensure risks are minimized.
D. Information and Communication
• Information – obtained by management from both internal and external sources to support the internal control components.
• Communication – based on internal and external sources; used to disseminate important information throughout and outside the organization, as needed to respond to and support meeting requirements and expectations.
E. Monitoring Activities – evaluation used to ascertain whether the components of internal control are present and functioning.
- Two types of evaluation: ongoing evaluations; separate evaluations

17 Principles of Internal Control
A. Control Environment (DEEDE)
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority, and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
B. Risk Assessment (SIAI)
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
C. Control Activities (SSD)
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys control activities through policies and procedures
D. Information and Communication (UCC)
13. Uses relevant information
14. Communicates internally
15. Communicates externally
E. Monitoring Activities (CE)
16. Conducts ongoing or separate evaluations
17. Evaluates and communicates deficiencies
BENEFITS OF COSO FRAMEWORK
- enables business procedures to be carried out consistently
- organizations are often in a better position to detect fraudulent acts
- helps them make existing business processes more efficient

LIMITATIONS OF COSO FRAMEWORK
- relatively broad in scope
- broken into a series of rigid categories