Risk and Risk Management Study Notes

Overview of Risk and Risk Management

  • Importance: Understanding risk is the basis for selecting internal controls that align with business and financial-reporting objectives; controls chosen without a risk assessment are either missing where they matter or wasted where they do not.

COSO Internal Control Framework

  • COSO: The Committee of Sponsoring Organizations of the Treadway Commission; its Internal Control - Integrated Framework defines five components (control environment, risk assessment, control activities, information and communication, monitoring activities).
  • Risk Assessment: One of the five components. It identifies and analyzes the risks to achieving objectives and forms the basis for deciding how those risks should be managed; the resulting responses are implemented through control activities.

Definitions

  • Risk: The possibility that an event will occur and affect the achievement of strategy and business objectives.
  • Risk Management: The process of identifying, assessing, responding to, and monitoring risks so that objectives can be achieved within the organization's risk appetite.

Enterprise Risk Management (ERM)

  • Definition (COSO ERM framework, 2004, updated 2017): An organization-wide process for identifying and managing risks in a way that aligns with corporate strategy and stays within the risk appetite set by the board.

Corporate Governance

  • Definition: The system by which a company is directed and controlled; accountability runs through the board of directors, which answers to shareholders.
  • Roles of the board: set strategic aims, supervise management, oversee risk, and report to shareholders on their stewardship.

ERM Framework Components

  • Focus on governance, culture, strategy, risk assessment, monitoring, and communication.
  • Components include:
    • Board Risk Oversight
    • Risk Identification & Assessment
    • Risk Responses & Performance Monitoring

Categories of Risk

  • Operational: Risks arising from day-to-day operations (people, processes, systems).
  • Financial: Risks affecting financial performance, liquidity, and the accuracy of financial reporting.
  • Reputational: Risks that external perceptions of the company will damage its business.
  • Compliance: Risks of failing to adhere to laws, regulations, and contractual obligations.
  • Strategic: Risks that the business strategy is wrong or poorly executed.
  • Physical: Risks of damage to people, facilities, or assets from natural disasters and other physical hazards.

Risk Assessment Process

  • Steps to Assess Risk:
    • Identify risks and record them in a Risk Inventory (risk register).
    • Analyze each risk's likelihood and impact; together these determine its severity.
    • Prioritize risks by severity so the most significant ones receive responses first.

Risk Severity Measurement

  • Qualitative: Ordinal scales (e.g., high/medium/low) for likelihood and impact, often combined in a heat map to rank risks.
  • Quantitative: Numerical estimates of expected loss, typically the monetary impact of an event multiplied by how often it is expected to occur.

Risk Response Strategies

  • Four Response Types:
    • Accept: Retain the risk and take no action beyond monitoring, usually because it is within risk appetite or treating it would cost more than the expected loss.
    • Avoid: Eliminate the risk by stopping or changing the activity that creates it.
    • Mitigate: Reduce likelihood and/or impact by implementing controls.
    • Transfer: Shift the risk, or its financial consequences, to a third party (e.g., insurance, outsourcing).

Reviewing and Monitoring Risks

  • Inherent Risk: The level of risk before any response or control is applied.
  • Residual Risk: The risk that remains after responses have been applied; monitoring compares it with risk appetite and triggers further treatment when it is still too high.
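As an added worked example (not part of these study notes), the following Python script ties together the assessment steps, the qualitative and quantitative severity measures, the four response types, and the inherent/residual distinction in a small risk register. It assumes the common annualized loss expectancy convention (ALE = single loss expectancy x annualized rate of occurrence), assumed heat-map thresholds, and constructed sample figures; none of these come from the notes.

```python
"""Worked risk register: inherent vs residual expected loss under the four responses.

Added illustration, not from the study notes. Assumes the ALE convention
(annualized loss expectancy = SLE x ARO); the notes only say "expected loss".
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    category: str        # one of the notes' categories: operational, physical, ...
    likelihood: int      # qualitative 1 (rare) .. 5 (almost certain)
    impact: int          # qualitative 1 (negligible) .. 5 (severe)
    sle: float           # single loss expectancy: currency units per event
    aro: float           # annualized rate of occurrence: events per year

    @property
    def inherent_ale(self) -> float:
        """Quantitative expected annual loss before any response."""
        return self.sle * self.aro

    @property
    def qualitative_score(self) -> int:
        """Heat-map score: likelihood x impact on a 1..25 scale."""
        return self.likelihood * self.impact


def qualitative_rating(score: int) -> str:
    """Bucket a 1..25 heat-map score; thresholds are an assumed convention."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Response:
    kind: str                        # accept | avoid | mitigate | transfer
    aro_reduction: float = 0.0       # fraction of likelihood removed (mitigate)
    sle_reduction: float = 0.0       # fraction of impact removed (mitigate)
    retained_fraction: float = 1.0   # share of each loss still borne (transfer)
    annual_cost: float = 0.0         # control cost or insurance premium per year


def residual_ale(risk: Risk, response: Response) -> float:
    """Expected annual loss remaining after the chosen response is applied."""
    if response.kind == "accept":
        return risk.inherent_ale            # nothing changes; just monitor
    if response.kind == "avoid":
        return 0.0                          # the activity creating the risk is stopped
    if response.kind == "mitigate":
        aro = risk.aro * (1.0 - response.aro_reduction)
        sle = risk.sle * (1.0 - response.sle_reduction)
        return sle * aro
    if response.kind == "transfer":
        return risk.inherent_ale * response.retained_fraction  # e.g. insurance deductible
    raise ValueError(f"unknown response type: {response.kind}")


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Rank by inherent expected loss, highest first (ties broken by heat-map score)."""
    return sorted(risks, key=lambda r: (r.inherent_ale, r.qualitative_score), reverse=True)


def treatment_plan(risks: list[Risk], responses: dict[str, Response], appetite: float) -> list[dict]:
    """One row per risk: ratings, inherent/residual ALE, net benefit, appetite check."""
    rows = []
    for risk in prioritize(risks):
        resp = responses[risk.name]
        resid = residual_ale(risk, resp)
        rows.append({
            "risk": risk.name,
            "rating": qualitative_rating(risk.qualitative_score),
            "response": resp.kind,
            "inherent_ale": risk.inherent_ale,
            "residual_ale": resid,
            "net_benefit": risk.inherent_ale - resid - resp.annual_cost,
            "within_appetite": resid <= appetite,   # monitoring: residual vs appetite
        })
    return rows


# Constructed sample register and responses (hypothetical figures, not from the notes).
REGISTER = [
    Risk("ransomware on file servers", "operational", 4, 5, sle=500_000, aro=0.5),
    Risk("data centre flood", "physical", 1, 5, sle=2_000_000, aro=0.02),
    Risk("legacy payment module", "compliance", 3, 3, sle=100_000, aro=0.2),
    Risk("minor web defacement", "reputational", 2, 2, sle=5_000, aro=1.0),
]
RESPONSES = {
    "ransomware on file servers": Response("mitigate", aro_reduction=0.8, sle_reduction=0.5, annual_cost=60_000),
    "data centre flood": Response("transfer", retained_fraction=0.1, annual_cost=15_000),
    "legacy payment module": Response("avoid"),      # decommission the module
    "minor web defacement": Response("accept"),
}
RISK_APPETITE = 20_000.0  # assumed: max residual ALE per risk the board tolerates

if __name__ == "__main__":
    for row in treatment_plan(REGISTER, RESPONSES, RISK_APPETITE):
        print(f"{row['risk']:<28} {row['rating']:<6} {row['response']:<8} "
              f"inherent={row['inherent_ale']:>10,.0f} residual={row['residual_ale']:>9,.0f} "
              f"net={row['net_benefit']:>9,.0f} ok={row['within_appetite']}")
```

Two things worth noticing in the output: the flood is rated "Low" on the qualitative heat map yet ranks second by expected loss, which is exactly why the notes list both measurement approaches, and the ransomware risk stays above the assumed appetite even after mitigation, so monitoring would flag it for additional treatment rather than closing it out.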