Risk and Risk Management Study Notes

Module 10 - Risk and Risk Management

Introduction

  • Date: February 16, 1863

  • Institution: Kansas State University, School of Accountancy

  • Objective: To analyze the importance of risk assessment in achieving business and accounting objectives.

Why Study Risk and Risk Management

  • Business processes and internal controls form the foundation of risk management.

  • The primary question is: How do we select internal controls to better achieve business and accounting objectives?

Importance of Risk Assessment
  • Risk assessment is essential for determining the appropriate internal controls that enable effective business operations.

COSO – Internal Control Framework

  • Definition: Control components are essential elements used to achieve control objectives in an organization.

Understanding Risk

  • Risk Defined:

    • The possibility of an event occurring that may impact the achievement of a business’s strategy and objectives.

  • Risk Management Defined:

    • The process of identifying, assessing, and managing risks to enhance the likelihood of achieving business and accounting objectives.

COSO Overview

  • Definition of COSO (Committee of Sponsoring Organizations):

    • Originally formed in 1985. A joint initiative of five private sector organizations aimed at providing thought leadership in enterprise risk management (ERM), internal control, and fraud deterrence.

  • Current Scope:

    • COSO remains focused on the development of frameworks and guidance that help organizations achieve effective risk management.

  • Relevant Organizations:

    • Includes AICPA, the Institute of Internal Auditors North America, American Accounting Association, and others comprising over 600,000 professionals.

Enterprise Risk Management (ERM)

  • ERM Definition (COSO 2004/2017):

    • “Enterprise risk management is a process, affected by an entity’s board of directors, management, and other personnel. It is applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and manage risk within its risk appetite, providing reasonable assurance regarding the achievement of entity objectives.”

  • Key Points:

    • Involves corporate governance with direct participation from the board of directors.

    • Implemented as part of strategy-setting processes within an organization.

    • Governed by an organization’s risk appetite.

    • Influences organizational culture and values.

Corporate Governance

  • Definition:

    • Corporate governance is defined as the system by which companies are directed and controlled.

  • Responsibilities:

    • The board’s responsibilities include setting the company’s strategic aims, supervising business management, and reporting to shareholders about stewardship.

  • Stakeholders:

    • In publicly traded companies, the owners are represented by a board of directors who ensure governance.

COSO Enterprise Risk Management Framework

  • Framework Components:

    • Governance & Culture

    • Strategy & Objective-Setting

    • Performance

    • Review & Revision

    • Information, Communication & Reporting

  • Comprehensive process structure including 20 specific components aimed at integrating risk management into strategic decision-making and performance evaluation.

Components of the ERM Framework

  • Interrelation between ERM and Internal Control Frameworks:

    • Both frameworks are designed to work in conjunction, helping manage risk and internal control structure effectively.

  • Similar Components:

    • Governance and Culture, Risk Assessment, Control Activities, Performance, Information and Communication, and Monitoring functions are outlined in both frameworks.

Performing Risk Assessment (Performance)

  • Steps:

    • Identify Risks

    • Assess Risk Severity

    • Prioritize Risks

    • Implement Risk Responses

    • Develop a Portfolio View

Identifying Risks

  • To manage risks effectively, developing a Risk Inventory is crucial.

  • Methodology for Developing Risk Inventory:

    • Conduct surveys/interviews with stakeholders to reveal perceived risks.

    • Identify risks across key categories based on business and accounting objectives.

Six Categories of Risk

  • Categories and Descriptions:

    • Operational Risk:

      • Relates to day-to-day operations.

      • Involves adherence to processes and procedures.

    • Financial Risk:

      • Directly affects financial outcomes and reporting.

    • Reputational Risk:

      • Concerns public perception influenced by corporate actions.

    • Compliance Risk:

      • Involves adherence to laws and regulations.

    • Strategic Risk:

      • Concerns alignment and effectiveness of business strategy.

    • Physical Risk:

      • Involves damages from natural disasters and unforeseen physical hazards.

Describing Risks in a Risk Inventory

  • Structure of Risk Statement:

    • Two Parts:

      • Issue: The potential triggering event.

        • Example: "A hurricane hits Kansas."

      • Outcome: The resulting event if the issue occurs.

        • Example: "The College of Business will flood."

Evaluating Risk Severity and Prioritization

  • Risk Severity Definition:

    • Evaluation of risk combining likelihood of occurrence and potential impact.

  • Components:

    • Likelihood: Probability of risk occurrence.

    • Impact: Estimated damage from the risk’s manifestation.

  • Significance:

    • Assessing risk severity aids in prioritizing resource allocation for addressing risks.

Measuring Risk Severity

  • Qualitative Measurement:

    • Uses categorical evaluations (high, medium, low) or a numerical scale (typically 1-10).

  • Quantitative Measurement:

    • Develops a risk score reflecting dollar expectations of loss based on probability.

  • Calculation Formula:

    • Risk Score = Likelihood × Impact

Qualitative Evaluation of Risk Severity

  • Risk is categorized on a qualitative high-low scale, leading to the visualization of varying risk levels using a Heat Map.

Heat Map Visualization of Risk Levels

  • Combines likelihood and impact using colors to indicate risk severity across multiple risks denoted from A through F.

Qualitative Risk Assessments

  • Uses categorical values assigned to likelihood and impact on a scale of 1-5.

Quantitative Risk Severity

  • Likelihood: The mathematical probability of occurrence, expressed as a percent or decimal.

  • Impact: The financial loss sustained each time the risk materializes, known as the single loss expectancy (SLE).

  • Risk Score Calculation:

    • Risk Score = Likelihood × Impact

  • Example Risk Statement: An inherent risk in which deficient employee training leads to potential theft.

  • Calculations Illustrating Risk Prioritization in Quantitative Assessment:

    • Risks scored by likelihood and impact, showing how varying degrees of impact change the calculated scores and therefore the ranking.
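The calculations the notes describe, as an added Python example that is not part of the course material: a constructed three-row risk inventory is scored with Risk Score = Likelihood × Impact (likelihood as an annual probability, impact as the single loss expectancy), ranked for prioritization, placed on the 1-5 qualitative heat-map scale, and re-scored as residual risk after a mitigate response. The heat-map colour thresholds, the dollar figures and the probabilities are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Risk:
    """One row of a risk inventory (constructed sample, not from the course)."""
    issue: str          # triggering event
    outcome: str        # resulting event
    category: str       # one of the six categories in the notes
    likelihood: float   # probability per year, as a decimal
    sle: float          # single loss expectancy: dollars lost per occurrence

def risk_score(likelihood: float, impact: float) -> float:
    """Risk Score = Likelihood x Impact, i.e. expected annual loss in dollars."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be a probability between 0 and 1")
    return likelihood * impact

def prioritize(risks: List[Risk]) -> List[Tuple[str, float]]:
    """Rank the inventory by quantitative score, highest first."""
    scored = [(f"{r.issue} -> {r.outcome}", risk_score(r.likelihood, r.sle))
              for r in risks]
    return sorted(scored, key=lambda item: item[1], reverse=True)

def heat_map_cell(likelihood_1to5: int, impact_1to5: int) -> str:
    """Qualitative 1-5 ratings -> heat-map colour (thresholds are an assumption)."""
    for rating in (likelihood_1to5, impact_1to5):
        if rating not in range(1, 6):
            raise ValueError("qualitative ratings use a 1-5 scale")
    product = likelihood_1to5 * impact_1to5      # ranges from 1 to 25
    if product >= 15:
        return "red"
    if product >= 6:
        return "yellow"
    return "green"

def residual_score(risk: Risk, mitigated_likelihood: float) -> float:
    """Residual risk after a mitigate response lowers likelihood; SLE is unchanged."""
    return risk_score(mitigated_likelihood, risk.sle)

# Constructed sample inventory, written as issue / outcome pairs as the notes describe
INVENTORY = [
    Risk("Hurricane hits Kansas", "College of Business floods", "physical", 0.01, 2_000_000),
    Risk("Cashiers are not trained", "Cash is stolen from the register", "operational", 0.30, 25_000),
    Risk("Sales tax return is filed late", "Penalties are assessed", "compliance", 0.25, 16_000),
]

if __name__ == "__main__":
    for name, score in prioritize(INVENTORY):
        print(f"{score:>10,.0f}  {name}")
```

Note that the rare, high-impact hurricane outranks the far more likely theft once impact is factored in, which is the point of scoring rather than ranking on likelihood alone.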

Risk Prioritization

  • Importance of Resource Allocation: Organizations must prioritize risks due to limited resources across all dimensions (e.g., equipment, personnel, budget).

  • Risk Response Initiation: Prioritization establishes the foundation for managing risks effectively.

Traditional Risk Responses

  • Four Core Strategies:

    1. Accept Risk: Recognition of risk without action.

    2. Avoid Risk: Total elimination of activities that expose the organization to potential risks.

    3. Mitigate Risk: Implement processes and procedures to reduce risk severity actively.

    4. Transfer Risk: Shift risk burden to third-party entities, such as through insurance or outsourcing.

Review Risk and Performance

  • Definitions:

    • Inherent Risk: Risk present prior to any mitigation actions.

    • Residual Risk: Remaining risk after any responses have been implemented.