A holistic view of risk
Two standards are generating new and specific responsibilities for the internal audit department in relation to risk management within organisations. One is the Sarbanes-Oxley Act, which is the reference guide for the risk management framework published by the Committee of Sponsoring Organizations (COSO), and the other is the Institute of Internal Auditors’ (IIA) International Standard for the Professional Practice of Internal Audits. At the same time, the ISO standard ISO/IEC Guide 73 introduces some new elements to the process of risk management.
Together, these new requirements are driving a ‘holistic’ or ‘comprehensive’ view of risk, pushing forward the evolution of enterprise risk management (ERM). And it is slowly but surely bringing the old ‘fragmented’ or ‘silo’ view of risk management, which has governed companies for decades, to an end. The following are some of the typical processes for managing different types of risk within an organisation.
Process for pure risks
Risk management for pure risks is defined as the process of decision-making in relation to the mitigation of the adverse effects that a company could suffer if an accidental event were to occur that could jeopardise the accomplishment of the company’s strategic objectives.
This process is generally managed by a company’s risk and insurance management department (management of the retention programme, the insurance programme, etc.), the human resources department (personal risk related to the employee benefit programme, etc.), security and protection department (physical security, occupational risk, etc.), legal consultancy (contracts, legal mark) and any other department with responsibilities in that process.
Process for speculative risks
The risk management process for dealing with speculative risks (or financial risks) is defined as the process of decision-making in relation to the handling and control of those events that could cause a variation in the organisation’s profit or loss.
This process is generally carried out by financial, treasury, trading and markets departments, and usually relates to strategies or hedging using financial tools such as derivatives, forwards, swaps, futures, options, structured products, etc. It is important to remark that the characteristics and use of these financial tools are regulated by IAS 39 (International Accounting Standard 39, Financial Instruments: Recognition and Measurement) and also by FAS 133 (Financial Accounting Standards Board Statement No. 133, Accounting for Derivative Instruments and Hedging Activities).
Integrated process: ERM approach
ERM is defined as a decision-making process that relates to the management and control of the impact that the organisation could face as a result of an event or a number of events, as well as its consequences. In general, this process is the responsibility of the chief risk officer (CRO).
Internal audit and risk management
According to the IIA, the internal audit function can be defined as: “An independent and objective activity of assurance and consultancy conceived to aggregate value and improve operations of a company... It helps a company to accomplish its objectives giving a systematic and organized focus and to appraise and to improve the efficiency of the management processes of the risk, control and governance management.”
The internal audit function has specific responsibilities (as outlined in the International Standard for the Professional Practice of Internal Audits) in relation to the process of risk management within organisations, including:
Standard 2110—Risk management
Internal audit activity should assist the company through the identification and appraisal of the significant risk exposures and the contribution to the improvement of the control and risk management systems.
Standard 2110 A1
Internal audit activity should supervise and appraise the efficiency of the risk management system of the company.
Standard 2110 A2
The internal audit activity should appraise the risk exposures related to the governance, operational and information system risks of the company in relation to the following:
• Trustworthiness and integrity of the financial and operational information
• Information effectiveness and efficiency
• Asset protection, and
• Accomplishment of the legislation, regulations and contracts.
Standard 2600—Decision on risk acceptance by the top management
When the executive audit board considers that the board of directors accepted a residual risk that can be unacceptable to the organisation, it should discuss it with the top management. If the residual risk is not resolved, the executive audit director and the top management should inform the board of this situation and ask for a solution.
In general, an audit of a company’s risk management process is intended to answer the following questions:
• Are the company’s biggest exposures properly identified?
• Are the consequences of an event properly determined and appraised?
• Are the risk control techniques in place the most appropriate?
• Does the company have an adequate contingency plan or crisis management plan?
• Is the risk financing programme aligned with the needs and the commitment of the shareholders?
• Are the risk management function and other related areas capable of undertaking and following ERM?
The intention of an audit of the risk management process is to identify which processes add value and to help identify areas for improvement, helping the company to accomplish its objectives in relation to pure and speculative risks and exposures. More specifically, the objectives of the risk management audit process are to:
• Evaluate the strategies, criteria, techniques and tools used in the process
• Evaluate the risk management function in relation to its responsibilities inside the process, and
• Recommend strategies, criteria and tactics that improve the protection, reduce the costs, increase the return on the investment in the risk management function as well as other related functions and improve the risk management process in general.
When identifying which risk management processes to audit, companies should consider whether the audit will help achieve both the audit objectives and risk management objectives. Risk in this instance is commonly defined as the possibility that an event happens and adversely affects the success of the objectives.
The SOX influence
The principle of auditing risk processes is reinforced by the Sarbanes-Oxley Act, which has been in force in the US since July 2002. It was designed as a reaction to the largest accounting scandals in some of the most prominent North American companies in US corporate history. The Act established new standards and accounting practices as well as introducing civil and penal sanctions for the directors and executives of organisations involved in offences against this Act. It is important to note that this Act extends to any company listed on the US Securities and Exchange Commission, even if it is not a US company.
The Act gives new and specific responsibilities to the audit committees of organisations and establishes how to regulate:
• The accuracy of the information to be published by organisations in their financial reports, and
• The effectiveness of the internal controls of the business processes.
In relation to the effectiveness of the internal controls, there should be a subsystem that controls the risk management process of the organisation and additionally provides a benchmark against which to appraise it. Considering that the objective of the Act is to ensure that published financial information is correct, it should therefore reflect the totality of the internal processes, including the risk management process. In other words, it should reflect the organisation’s enterprise risk management approach.
An effective risk management approach should identify and manage all the potential threats that could jeopardise the successful accomplishment of the objectives of an organisation. This is true enterprise risk management and contrasts sharply with the traditional view of looking at risk in a ‘silo by silo’ approach. But for ERM to be successful, it needs a risk management function that manages the processes involved as well as an internal audit function that assures and supports it.
As pointed out by T.L. Barton et al in Making Enterprise Risk Management Pay Off: “Effective risk management is not optional in the 21st century; the stakeholders will demand it and the board of directors will adopt it.” Had the top management of the major banks, financial institutions and companies in general been more careful in considering and implementing an ERM culture, it is likely that the impact of the current recession would have been less severe and easier to overcome.
Jorge Daniel Luzzi is the director of corporate risk management at Pirelli & C. SpA and is a board member of the Federation of European Risk Management Associations (FERMA). Its web address is: www.ferma.eu
The risk management process
The risk management process is defined as a decision-making process in relation to the management of the risks that the company is exposed to. This process is composed of seven steps:
• Identification of the exposures
• Risk assessment
• Selection of the risk control techniques
• Selection of the risk financing techniques
• Risk management programme structuring
• Risk management programme implementation, and
• Risk management programme monitoring, maintenance and improvement.
The classic theory of risk divides it into the following two categories:
• Pure risk, and
• Speculative risk.
Pure risk (also known as accidental risk or hazard risk) is defined as the risk related to loss exposures generated by accidental events that can generate only two results when they occur:
• Losses, or
• No losses.
According to the Insurance Institute of America (AICPCU/IIA), pure risks are divided into the following four groups:
• Liabilities, and
Speculative risk (also known as financial risk or uncertain risk) is the risk related to events that can generate the following three results when they occur:
• No losses, no profits, or
According to the International Organization of Securities Commissions (IOSCO), speculative risk is divided into the following seven groups:
• Systemic, and