Risk
The positive or negative effect of uncertainty on objectives
Risk Management
A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives.
Risk Assessment
The identification and analysis of risks relevant to the achievement of an organization's objective
Risk Appetite
The types and amount of risk an organization is willing to accept in the pursuit of its strategies and business objectives
Risk Tolerance
Acceptable variations in performance related to achieving business objectives
What does the risk profile tell us?
The higher the level of performance the organization tries to achieve, the more risk it encounters
Who has the responsibility of risk management?
Senior management and the board
How does the board do risk management?
Boards have an oversight function. They determine that risk management processes are in place, adequate, and effective
How does management do risk management?
Ensures that sound risk management processes are functioning
Risk management processes may be:
Formal or informal, quantitative or subjective, and embedded in business units or centralized
How are risk management processes designed?
To fit the organization's culture, management style, and objectives
Risk committee
A group of people who oversee an organization's risk management practices and strategy
What are the responsibilities of the risk committee?
Risk management, risk governance, and risk mitigation
Risk management
Overseeing the organization's risk management policies, procedures, and controls
Risk governance
Ensuring that risk management practices align with the organization's goals and regulatory requirements
Risk mitigation
Creating a framework to help the organization avoid major losses
Chief Risk Officer
A member of management assigned primary responsibility for enterprise risk management processes
Who is ultimately responsible for ERM and achievement of strategy and business objectives?
The CEO, under the oversight of the board. The CRO has primary responsibility for the ERM processes themselves, but ultimate responsibility for managing risk to strategy and objectives is not delegated to the CRO.
When is the CRO most effective?
When supported by a specific team with the necessary experience and expertise related to organization-wide risk
Who determines if risk management processes are effective?
The internal audit function
What is included in advisory roles of internal audit?
Assisting management in identifying, evaluating, and implementing risk management methods and controls, without assuming management responsibility by actually managing the risks
What must the CAE understand?
Management's and the board's expectations of the internal audit function in risk management
COSO definition of ERM
The culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value
Enterprise Risk Management (ERM)
- Recognizes both culture and capabilities
- Must be applied in practice
- Integrated with strategy setting and its execution
- Manages risk to strategy and business objectives
- Linked to creating, preserving, and realizing value
What are the results of effective integration of ERM?
- Improves decision making
- Enhances performance
What can ERM do?
- Increase the range of opportunities
- Identify and manage risk entity wide
- Increase positive outcomes
- Reduce performance variability
- Improve resource deployment
- Enhance enterprise resilience
Mission
The entity's core purpose, which establishes what it wants to accomplish and why it exists
Vision
The entity's aspirations for its future state or what the organization aims to achieve over time
Core Values
The entity's beliefs and ideals about what is good or bad, acceptable or unacceptable, which influence the behavior of the organization
Strategy
The organization's plan to achieve its mission and vision and apply its core values
Business Objectives
Those measurable steps the organization takes to achieve its strategy
COSO ERM Premise
Every organization exists to provide value to its stakeholders, which is why ERM applies to all organizations regardless of size or function
What are the five components of the COSO ERM framework? (The framework's 20 principles are grouped under these five components.)
- Governance and culture
- Strategy and Objective-setting
- Performance
- Review and Revision
- Information, communication, and reporting
What are the six risk identification methods?
- Interviews
- Surveys
- Workshops
- Data Analytics
- Process Analysis
- Brainstorming
Risk Assessment definition
The identification and analysis of risks relevant to the achievement of an organization's objectives. The significance of risks is typically assessed in terms of impact and likelihood.
What are the categories of risk responses?
- Accept (risk retention)
- Avoid (exiting a business)
- Pursue (exploit)
- Reduce (internal controls)
- Share (insurance, joint ventures, etc)
What does the COSO ERM framework provide criteria for assessment of?
Whether the organization's culture, capabilities, and practices, taken together, effectively manage risks to strategy and business objectives
What are some limitations of ERM?
- Faulty human judgement
- Cost-benefit considerations
- Simple errors or mistakes
- Collusion
- Management override of ERM practices
What are the steps in performing an engagement risk assessment?
1. Identify and assess risks
2. Identify key controls
3. Evaluate key controls
What are the three types of risk assessments?
Enterprise-wide (ERM), audit-wide (supporting the internal audit plan), and engagement-level
Inherent Risk (gross risk)
The combination of internal and external risk factors in their pure, uncontrolled state, before any management response
Residual Risk (net risk)
Portion of inherent risk remaining after management executes risk responses
What is the organizational change cycle?
Occurs in a series of phases, separated by transformation periods called breakpoints.
What characterizes a transition to a new cycle in the organization change cycle?
A period of renewal, frequently initiated by re-engineering efforts.
What are the four phases of the organizational change cycle?
Forming, storming, norming, performing (these are Tuckman's stages of group development, which this card applies to the change cycle)
ISO 31000
Provides organizations with guidelines and principles for risk management
Purpose of risk management in the ISO 31000
Value creation and protection
ISO 31000 Principles (8)
- Integrated
- structured and comprehensive
- Customized
- Inclusive
- Dynamic
- Best available information
- Human and cultural factors
- Continual improvement
Integrated
Risk management is integrated into all organizational activities
Structured and comprehensive
The risk management approach needs to be structured and comprehensive
Customized
The risk management framework and process should be customized to organizational objectives
Inclusive
Appropriate involvement of stakeholders enables informed risk management
Dynamic
Risk management foresees, recognizes, and reacts to changing risks
Best available information
Risk management considers past, current, and future information and any related limitations of such information
Human and cultural factors
Human behavior and culture affect all facets and each level of risk management
Continual Improvement
Learning and experience constantly improve risk management
ISO 31000 Framework areas (6)
- Leadership and commitment
- Integration
- Design
- Implementation
- Evaluation
- Improvement