Risk Management Procedure | AC1030

Risk Management Procedure

The Risk Management Procedure provides a framework or Risk Management System for all levels of company management which should enable, support, and promote:

• Awareness and understanding of real and significant risks and their impact;
• Exercising due diligence when making decisions;
• Exercise of appropriate duty of care;
• Innovation through taking calculated risks in pursuit of business opportunity and excellence; and
• Provision of assurance that risks are managed in accordance with their level of threat or exposure.

The procedure pertains to managing all financial risks. (6 pages, 1344 words)

Risk Management Responsibilities:

The Risk Manager is responsible for directing development of the risk management plan, conducting risk assessment and for identifying the most appropriate method(s) of managing financial risk (also see AC1020 RISK ASSESSMENT), and reporting to the CEO and CFO .

The CEO (Chief Executive Officer) and CFO (Chief Financial Officer) are responsible for reviewing and approving the Risk Management Plan.

Risk Management Definitions:

Risk appetite – Amount of capital an individual or organization is willing to lose in order to generate a potential profit.

Risk management – Process of combining a risk assessment with decisions on how to address that risk.

Risk management system – Comprehensive framework for measuring, monitoring, and managing risk to (a) achieve an enterprise-wide view of the investment and risk profile, (b) increase return on risk, and (c) establish an appropriately focused risk culture.

Risk threshold – Amount/level of risk an organization is willing to bear in order to achieve a target rate of return.

Risk tolerance – Organization’s ability to handle declines in the value of its portfolio.

Risk Management Procedure Activities

• Developing a Risk Management System
• Implementing the Risk Management System
• Evaluating the Risk Management System
• Adapting the Risk Management System

Risk Management Procedure References

• Sarbanes-Oxley Act of 2002

 

 

Using risk management techniques is an important component in creating the internal control required for compliance with Sarbanes-Oxley (SOX) Section 404. Risk management includes all the activities associated with identifying and reducing risk, as well as coping with negative events should they occur. Identifying risks and creating systems and safeguards to ameliorate them is one way to create a basic internal control system.

There are many ways we can deal with business risk. We’re all familiar with the four classical risk management categories:

• Avoidance;
• Mitigation, or reduction;
• Transference; and
• Acceptance.

An example of this is insurance for our businesses, as well as our health, homes, and so on. We’re well aware of the fact that we can’t possibly prevent every natural disaster or workplace accident, so we pay insurance premiums to transfer a portion of the risk to the insuror.

Still another example: purchasing and using safety equipment, combined with regular safety training, will significantly mitigate (or reduce) some of the risk of running your business.

The Stages of Effective Risk Management

Risk management can seem like an overwhelming and daunting task – but only if you try to envision, predict, and prevent every imaginable risk all in one swipe. The trick to successful risk management is to break it down into manageable stages and tasks. Using a continual improvement method, identify and mitigate high priority risks first, and then continually improve your risk management by regularly reviewing and prioritizing risks and addressing them according to your organizational needs.

The Basic Steps of Risk Management Include:

1. Understand the Mission
2. Perform risk assessment to identify and categorize risks
3. Prioritize risks and activities
4. Design processes, training, and checks/metrics (controls) for top level risks
5. Monitor internal control effectiveness and improve as required
6. Repeat steps 2-5

Methodical Risk Assessment Leads to Proper Internal Controls

The first step in conducting effective risk management is understanding the mission. Clearly identifying and articulating the mission makes recognizing the risks to mission success much easier and much more effective. In terms of Sarbanes-Oxley and SOX Section 404 – understanding the mission is easy. The SOX mission is to create accurate financial statements and avoid a material misstatement.

Once you identify the mission, begin risk assessment by listing the possible risks to accurate financial statements (i.e. improperly listing assets). There are several approaches to listing possible risks, but the most effective ones employ a methodical technique. For example, for financial statements a methodical risk assessment approach could be to identify inputs to your financial statements, and then work backwards to consider input sources, processes, etc.; listing possible reasons for incorrect information. It also might be useful to consider typical categories of risk such as system/process problems or weaknesses, human error, and fraud.

Prioritize Risks to Determine Internal Control Activities

When trying to assess possible risks the goal is to be exhaustive. You may end up with a sizable list, but that is an expected risk assessment outcome – don’t let it intimidate you. Think of it as useful information. It is unlikely that you will be able to address all the listed risks from your risk assessment at once. The goal should be to identify high priority risks and focus on those first. Now you are creating an internal control system that complies with Section 404 Sarbanes Oxley.

Creating a matrix or graph of risks by likelihood versus impact is a great tool in finishing the risk assessment task and moving toward risk management. For example, you could have the risk/internal control committee rank every risk item on the list for probability and impact. Then average them and plot them as R1, R2, R3, etc;, as they are plotted on Figure 1. Obviously, after plotting risks, those with highest probability of occurrence and the highest potential impact (or in terms of financial statements ” materiality) should be addressed first.

How many risks are addressed at one time depends on the size and capability of the organization. A large organization with lots of resources might focus risk management on the top 12 or 15. A small organization might only be able to set a goal of attending to the top three or top six risks in the first pass.

Managing Risk with Internal Controls

Now that you have identified the most important risks to manage, the next step is to identify the best way to mitigate them. A typical method is to create well-defined processes that help minimize the risk. The process should account for the inputs, outputs, as well as process activities, but the process should also incorporate metrics and check-steps. This builds in the capacity to monitor the process’ effectiveness right into the process itself.

Once your process is defined, then it is communicated through policies and procedures, training, and work instructions. Once in place, processes should be monitored by regularly verifying that process checks are functional and that process metrics demonstrate effectiveness. Corrections are made as required. Once these processes are fully operational and demonstrated effective, it is time for Step 6: repeat the risk assessment / risk management process in order to address the next level of risks.