Because risk is never predictable with certainty, we must have a corporate-level strategy to address a possible event from both positive and unfavorable perspectives. This is the subject of enterprise risk management (ERM).
Risk Management is a question of preparation, experience, skills and personalities. Effective risk management relies on the availability and precision of real-time information plus the speed of resolving issues.
To establish a risk-driven internal control system, one should be clear about what the enterprise’s targets are. These can be short, medium or long-term. Ask what risks are related to each of these goals. A control is risk driven if it deals with the risks facing a corporation in meeting its goals. Hence, to set up a risk-driven system of internal control you need to link the objective, risk and control.
Of course, controls are not fail-safe. Thus, no matter how good your control is, it will not be able to address human error, management overrides of control and poor judgment in decision-making.
We all face risk daily and we conquer it either consciously or unconsciously. Risk Management is a matter of preparation, experience, skill and personalities. Effective enterprise risk management and financial risk management depend on the accessibility and accuracy of real-time information plus the speed of resolving issues. Because risk is never predictable with certainty, we must have a strategy to address a possible event from both favourable and unfavourable perspectives.
To put our thoughts on enterprise risk management into a structured method, we can break it up into a series of activities.
A few of the critical issues in a risk management framework are discussed as follows:
Identifying and Measuring Risks
Identifying risks is one of the most important activities in risk management. Without figuring out the risks, we would not know what steps to take.
There are a few common methods to identify risks. These approaches are:
- SWOT analysis.
- PEST analysis.
- Reliance Model.
- Michael Porter’s five forces.
All these methods can be combined and used simultaneously.
Measuring risk has never been simple, and scientific ways of measuring risks may perhaps include actuarial science computation and calculation of the Beta factor.
Nevertheless, there is an easy way of measuring risk based on two common-sense parameters, i.e. the likelihood and impact of the consequences. The magnitude of these measurements can be profiled on a number of scales such as two by two, three by three, or even five by five. All these scales are acceptable, and the choice depends on the level of detail at which an individual wants to analyse his or her risks.
Enterprise Risk Management Approach.
1. Identifying Risks:
- Techniques, e.g. Strengths, Weaknesses, Threats, Opportunities, PEST, Dependency Model, 5 Forces.
- Modes: Workshop, interview, survey, management report, checklist.
2. Measurement & Prioritization of Risks
3. Strategy Selections: Accept, transfer, eliminate, insure, control and share.
Even though we may be familiar with these modes of on-going review and assessment, the BOD should analyze and assess:
- Has the continuous review and evaluation mechanism kept pace with the changes in its operations?
- Is the level of detail of the data essential for its decision-making and monitoring of the risk and control applicable, sufficient, adequate and timely?
In this case, the Chairman, with the support of the Chief Executive Officer, Company Secretary and Internal Auditor, would have a vital function to perform in collating the details needed for the Board to perform such assessment at the Board level.
The Board of Directors (BOD) must obtain information that is not just historical or bottom-line and financially oriented but data that goes beyond assessing the quantitative performance of the firm. In this respect, the Chairman has primary responsibility for organizing the data required for the Board to deal with the agenda and for providing this data to directors on a timely basis.
Perform On-Going Reviews and Assessment of Risks and Effectiveness of the System of Internal Control
This is an area where most corporations would already have the system in place. Common forms of on-going review and assessment are reviews of budget and variance reports, ISO inspection reports, internal audit reports, and the external auditors’ management letter.
Making Enterprise Risk Management and Control Part of Business Culture
Putting in internal control and risk management systems is purely a matter of form. But making risk management and control part of the business culture will change the form into substance.
There is no fixed order of whether the company ought to first put in the enterprise risk management and internal control framework or inculcate the right risk culture in the company and in the people.
Making risk management and control part of the business process is surely a continuous and long-term process. It is also a painful process because it needs a change of mindset from all levels of management and staff, and is best achieved through the implementation of a strategic plan. Such a strategic plan cannot be confined to senior managers only. Instead, it needs to involve all levels of staff and preferably to include external business partners, for instance government, bankers, suppliers and buyers.
The essential factors the Board should think about in using substitute means of obtaining assurance are:
- Whether such regular review and assurance it obtains are objective; and
- What are the stakeholders’ perceptions on the substitute means used by the BOD?
Some of the alternate means, which can be used, are peer reviews and control self-assessment.
There are positive aspects an internal audit function can bring to an enterprise, and its roles in corporate governance, risk management and internal control are considerable. In making investment decisions, institutional investors need to look at the existence of an internal audit function in a firm.
Internal Auditors have a large part to play in corporate governance, enterprise risk management and internal control. Some corporations may prefer the internal auditor to remain in the primary role of offering independent assurance, and others may demand that they be more proactive and participate in enterprise risk management.
To summarize, risk management involves every person in the company or enterprise and awareness of the procedures and policies of enterprise risk management. In addition, the BOD has these responsibilities:
- Board should acknowledge its responsibility for the system of internal control and reviewing the adequacy and integrity of such system.
- Whether there is an on-going process of risk management in place for the year under review.
- Whether the Board reviews the system of internal control frequently and such a review is in accordance with enterprise risk management (ERM) guidelines.
- Summarize the process it has applied in reviewing the system of internal control.