risky risky
enterprise risk management
introduces the importance of integrating strategy setting and performance with risk management
risk identification, risk assessment, risk prioritization, response planning, risk monitoring
The basic steps in risk management are:
risk prioritization
deciding which risks to address and in what order
Risk Identification
Management, with oversight from the board of directors, analyzes the company’s internal business, external environment, business processes, existing controls, and any other areas of potential risk to identify all possible risk events that might adversely impact or otherwise prevent the company from achieving its objectives.
Risk Identification
The _______ process should take place at all levels of the organization. Within each business unit, key employees in areas such as operations, finance and accounting, IT, and unit management should be tapped to take part in the identification of risks in their respective areas. When properly executed, the process of risk identification identifies risks that have a reasonable probability of occurring and impacting operations within a foreseeable period of time.
Internal Events
Capital investments made to support strong customer demand, improve customer satisfaction, reduce downtime, and so forth.
Technological change creating the need for new processes and changed processes.
Personnel events such as work stoppages, employee fraud, or the loss of key employees.
External Events
Economic events, both domestic and international, such as a recession or international trade events leading to currency and other price fluctuations.
Natural disasters such as fires, floods, hurricanes, earthquakes, or volcanoes.
Political events such as new regulations, changes in tax laws, and results of elections.
Social factors such as changing demographics.
Technological change creating opportunities for new products or services to offer.
Enterprise risk management
emphasizes that risk identification must be considered in light of the overall strategic goals of the business, the threats and opportunities the business faces, and the strengths and weaknesses within the business as a whole, as well .
Brainstorming sessions, Event inventories and loss event data, Interviews and self-assessment, Facilitated workshops, SWOT analysis, Risk questionnaires and risk surveys, Scenario analysis, Technology
The IMA’s Statement on Management Accounting, Enterprise Risk Management: Tools and Techniques for Effective Implementation (SMA:ERMT) lists the following techniques for identifying risks: (8)
Brainstorming sessions
are meetings in which employees, management, or staff members are invited to discuss the risks they encounter in their particular fields and to develop solutions through dialogue and idea sharing
can be limited to selected organization units
however, the results of the brainstorming work can be used by other units to identify their own risks
Event inventories and loss event data
can be used in brainstorming sessions to provide the participants with risks to consider. Event inventories are detailed listings of potential events common to companies within a particular industry or to a particular process or activity common across industries. Loss event data could be a database on actual loss events that have taken place for a specific industry or an archive of actual events experienced by the company that only the longer-tenured management can recall. An archive of actual events that have occurred can serve as a resource of “lessons learned.”
Event inventories
are detailed listings of potential events common to companies within a particular industry or to a particular process or activity common across industries.
Loss event data
could be a database on actual loss events that have taken place for a specific industry or an archive of actual events experienced by the company that only the longer-tenured management can recall
lessons learned
An archive of actual events that have occurred can serve as a resource of “__________.”
Interviews and self-assessment
Each unit assesses its risk management capability and submits its self-assessment to the risk management coordinator, who could be the chief financial officer, the controller, the chief operating officer, or the chief risk officer. The coordinator follows up with interviews to clarify issues. After the information has been completed, a cross-functional team might participate in a facilitated workshop to discuss it.
Facilitated workshops
involve a facilitator leading a discussion about events that may affect the achievement of the entity’s objectives, in order to identify the most critical risks. Alternatively, the workshop might focus on just one unit and on identifying that unit’s most critical risks. Workshops can be limited to management or they can include employees, customers, suppliers, or other stakeholders in order to draw on the accumulated knowledge and experience of management, staff, and other stakeholders through structured discussions.
Workshops
can be limited to management or they can include employees, customers, suppliers, or other stakeholders in order to draw on the accumulated knowledge and experience of management, staff, and other stakeholders through structured discussions.
SWOT analysis
is used for formulating strategy
Strengths and weaknesses
are internal and include the company’s culture, structure, financial resources, and human resources.
Opportunities and threats
are external and are usually not under the control of management in the short run. They include political, societal, environmental, and industry risks.
Risk questionnaires and risk surveys
are other sources of information to identify potential risks by providing a list of questions relating to specific risks, both internal and external. Questionnaires can help management think through its risks by providing a list of questions relating to specific risks. Other information might come from customer satisfaction surveys or other customer comments, or from exit interview comments made by departing employees. Information from customer satisfaction surveys and employee exit interviews should be captured and reviewed in order to identify any situations that might represent risks. A risk survey may be used instead of a questionnaire. A risk survey is more open-ended, for instance asking each participant to list the five most important risks to achieving the company’s strategic objectives.
Questionnaires
can help management think through its risks by providing a list of questions relating to specific risks.
risk survey
is more open-ended, for instance asking each participant to list the five most important risks to achieving the company’s strategic objectives
Scenario analysis
involves “what if” questions. Managers consider various scenarios that could occur and how they would impact the business. Potentially, a number of risks can be present within a single event, and the total impact could be substantial.
Technology
can be used internally and externally to communicate. Companies with an intranet can encourage managers to post their risk management practices such as checklists on the intranet for use by other units
can be used externally to scan the internet for risks related to the company’s products, services, and reputation.
intranet
is a communications network similar to the internet, but access to it is restricted to a limited number of authorized individuals such as employees of the organization.
Risk assessment
is the process of analyzing and quantifying identified risks from three perspectives: the likelihood of the risk’s occurring, the potential impact or the relative significance of the event if it does occur, and the interrelationship of the risks on a unit-by-unit or total organization basis.
Inherent risk, Residual risk
Risk assessment focuses on two kinds of risk:
Inherent risk
the level of risk that resides with an event or process prior to management taking a mitigation action (SMA:ERMF)
the potential for waste, loss, unauthorized use, or misappropriation due to the nature of the activity itself (U.S. Office of Management and Budget (OMB))
is risk related to the very nature of the activities the company undertakes in the normal course of business
Management cannot do anything about the existence of _____ risk; however, it can take steps to address and, where appropriate, mitigate the effects of ___ risk.
company’s size
is an essential part of its nature, and yet this inherent quality is the source of all kinds of risks
Residual risk
The level of risk that remains after management has taken action to mitigate the risk
after all prudent measures have been taken, some risk will always remain
Capital investments, technological change, personnel events
Examples of Internal events (3)
Economic events, natural disasters, political risks, social factors, technological change
Examples of external events (5)