The Risk Management Policy provides a framework, or Risk Management System, for all levels of Company management that should enable, support, and promote:
- Awareness and understanding of real and significant risks and their impact;
- Exercising due diligence when making decisions;
- Exercise of appropriate duty of care;
- Innovation through taking calculated risks in pursuit of business opportunity and excellence; and
- Provision of assurance that risks are managed in accordance with their level of threat or exposure.
The procedure pertains to managing all financial risks. (6 pages, 1344 words)
The Risk Manager is responsible for conducting risk assessment and for identifying the most appropriate method(s) of managing financial risk (also see AC1020 RISK ASSESSMENT).
The Risk Manager is responsible for directing development of the risk management plan and reporting to the CEO and CFO.
The CEO (Chief Executive Officer) and CFO (Chief Financial Officer) are responsible for reviewing and approving the Risk Management Plan.
- Developing a Risk Management System
- Implementing the Risk Management System
- Evaluating the Risk Management System
- Adapting the Risk Management System
Risk Management Policy References Used
- Sarbanes-Oxley Act of 2002
Risk Management Policy Procedure Forms
- Risk Assessment and Management Worksheet Form
Using risk management techniques is an important component in creating the internal control required for compliance with Sarbanes-Oxley (SOX) Section 404. Risk management includes all the activities associated with identifying and reducing risk, as well as coping with negative events should they occur. Identifying risks and creating systems and safeguards to ameliorate them is one way to create a basic internal control system.
There are many ways we can deal with business risk. We’re all familiar with the four classical risk management categories:
- Mitigation, or reduction;
- Transference; and
An example of transference is insurance for our businesses, as well as our health, homes, and so on. We’re well aware that we can’t possibly prevent every natural disaster or workplace accident, so we pay insurance premiums to transfer a portion of the risk to the insurer.
Still another example: purchasing and using safety equipment, combined with regular safety training, will significantly mitigate (or reduce) some of the risk of running your business.
The Stages of Effective Risk Management
Risk management can seem like an overwhelming and daunting task – but only if you try to envision, predict, and prevent every imaginable risk all in one swipe. The trick to successful risk management is to break it down into manageable stages and tasks. Using a continual improvement method, identify and mitigate high priority risks first, and then continually improve your risk management by regularly reviewing and prioritizing risks and addressing them according to your organizational needs.
The Basic Steps of Risk Management Include:
- Understand the Mission
- Perform risk assessment to identify and categorize risks
- Prioritize risks and activities
- Design processes, training, and checks/metrics (controls) for top level risks
- Monitor internal control effectiveness and improve as required
- Repeat steps 2-5
Methodical Risk Assessment Leads to Proper Internal Controls
The first step in conducting effective risk management is understanding the mission. Clearly identifying and articulating the mission makes recognizing the risks to mission success much easier and much more effective. In terms of Sarbanes-Oxley and SOX Section 404 – understanding the mission is easy. The SOX mission is to create accurate financial statements and avoid a material misstatement.
Once you identify the mission, begin risk assessment by listing the possible risks to accurate financial statements (e.g., improperly listing assets). There are several approaches to listing possible risks, but the most effective ones employ a methodical technique. For example, for financial statements a methodical risk assessment approach could be to identify the inputs to your financial statements, and then work backwards to consider input sources, processes, etc., listing possible reasons for incorrect information. It also might be useful to consider typical categories of risk such as system/process problems or weaknesses, human error, and fraud.
Prioritize Risks to Determine Internal Control Activities
When trying to assess possible risks, the goal is to be exhaustive. You may end up with a sizable list, but that is an expected risk assessment outcome – don’t let it intimidate you. Think of it as useful information. It is unlikely that you will be able to address all the listed risks from your risk assessment at once. The goal should be to identify high priority risks and focus on those first. Now you are creating an internal control system that complies with Sarbanes-Oxley Section 404.
Creating a matrix or graph of risks by likelihood versus impact is a great tool for finishing the risk assessment task and moving toward risk management. For example, you could have the risk/internal control committee rank every risk item on the list for probability and impact. Then average the rankings and plot the risks as R1, R2, R3, etc., as they are plotted on Figure 1. Obviously, after plotting risks, those with the highest probability of occurrence and the highest potential impact (or, in terms of financial statements, materiality) should be addressed first.
How many risks are addressed at one time depends on the size and capability of the organization. A large organization with lots of resources might focus risk management on the top 12 or 15. A small organization might only be able to set a goal of attending to the top three or top six risks in the first pass.
Managing Risk with Internal Controls
Now that you have identified the most important risks to manage, the next step is to identify the best way to mitigate them. A typical method is to create well-defined processes that help minimize the risk. The process should account for the inputs and outputs as well as the process activities, and it should also incorporate metrics and check-steps. This builds the capacity to monitor the process’s effectiveness right into the process itself. Once your process is defined, it is communicated through policies and procedures, training, and work instructions. Once in place, processes should be monitored by regularly verifying that process checks are functional and that process metrics demonstrate effectiveness. Corrections are made as required. Once these processes are fully operational and demonstrated effective, it is time for Step 6: repeat the risk assessment / risk management process in order to address the next level of risks.