Risk management system
21 October 2015
Every company constantly faces some degree of uncertainty. On the one hand, uncertainty opens up new opportunities for business. On the other hand, it may pose risks to the company.
Risk means that uncertainty may have a negative impact on a company's objectives.
More narrowly, risk is a possible loss of resources or income caused by a certain event.
An efficient risk management system enables company management to make decisions under uncertainty, with regard to the associated risks, while still capturing the benefits.
According to the COSO "Enterprise Risk Management-Integrated Framework" (ERM), "Risk management is a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives".
An efficient risk management system comprises the following:
Internal environment
The internal environment is characterized by a company's philosophy in relation to risk and risk management, as well as by employees' involvement in the risk management process.
An important aspect of a company's philosophy in relation to risk is the determination of the risk appetite, i.e. the degree of risk that management considers acceptable.
A company's ethical values and standards of conduct also influence the internal environment of risk management.
Identification of risks
Risk identification is the detection of risks among the other potential events that may affect a company's goals; it should therefore be tied to those goals.
It includes a classification used to rank risks according to internal and external factors.
Company management determines and approves the methods of risk identification. As a rule, these methods are combined with various auxiliary means. Methods of risk identification involve analysis of past events and of possible future ones.
Constant identification of possible risks creates the basis for their assessment and for the design of risk treatment policies.
To formalize the process of risk identification, a company may keep a risk register in which each risk is recorded together with its classification features.
Risk assessment
The identified risks are assessed with regard to their influence on a company's goals. Risk assessment aims to support the design of a risk management policy.
The main indicators of risk assessment are likelihood of occurrence and degree of influence.
Both inherent and residual risks are assessed. Inherent risk is the risk that exists when management takes no measures to change its likelihood or degree of influence. Residual risk is the risk that remains after a risk treatment policy has been adopted.
As a rule, a risk assessment methodology comprises both quantitative and qualitative methods. Quantitative risk assessment methods rely on the design and use of various mathematical models: statistical, probabilistic, comparative, scenario-based and others.
Results of risk assessment are recorded in the documents of the company's risk management system, such as:
- Risk description document, which contains all information on the identified risk: classification features, assessment indicators, risk owner, risk treatment policy, etc.
- Risk chart, a graphic representation of the full list of identified risks arranged by their likelihood and degree of influence.
Risk treatment
Company management decides upon possible measures to bring the identified risks into line with the established level of risk appetite.
The following risk treatments are common:
The choice of a risk treatment depends on the position of a risk in the company's risk chart, i.e. its likelihood of occurrence and degree of influence.
When deciding upon a risk treatment, the company weighs the benefits of that treatment against its costs.
Once a risk treatment is chosen, a policy for applying the selected treatment is designed.
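To make the assessment and treatment-selection steps concrete, here is an added example (not the page's or FinExpertiza's own tooling) of a small risk register that scores inherent and residual risk, places each risk on a likelihood/impact chart and flags the risks whose residual score still exceeds the risk appetite. The 1-5 scales, the multiplicative score, the zone thresholds, the appetite value and the sample risks are assumptions constructed for illustration, not values from the page.

```python
"""Minimal risk register and risk chart (added example, assumptions labelled).

Scales, scoring rule and threshold are assumptions for illustration:
  likelihood 1 (rare) .. 5 (almost certain), impact 1 (negligible) .. 5 (critical),
  score = likelihood * impact, risk appetite = 6 (residual score must not exceed it).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RISK_APPETITE = 6  # assumed threshold: residual score above this is outside appetite


@dataclass
class Risk:
    """One row of the risk register (a simplified risk description document)."""
    name: str
    category: str                 # classification feature, e.g. "operational"
    owner: str                    # risk owner
    likelihood: int               # inherent likelihood, 1..5
    impact: int                   # inherent degree of influence, 1..5
    treatment: str = "none"       # selected risk treatment policy
    residual_likelihood: Optional[int] = None  # after treatment; None = unchanged
    residual_impact: Optional[int] = None

    def __post_init__(self) -> None:
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError("likelihood and impact must be on the 1..5 scale")

    @property
    def inherent_score(self) -> int:
        """Risk with no management measures applied."""
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        """Risk remaining after the treatment policy; falls back to inherent values."""
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        imp = self.impact if self.residual_impact is None else self.residual_impact
        return lik * imp

    @property
    def within_appetite(self) -> bool:
        return self.residual_score <= RISK_APPETITE


def chart_zone(likelihood: int, impact: int) -> str:
    """Assumed zoning of the 5x5 chart by score: >=15 high, >=6 medium, else low."""
    score = likelihood * impact
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def risk_chart(risks: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Map each (likelihood, impact) cell to the names of risks sitting there (inherent position)."""
    grid: Dict[Tuple[int, int], List[str]] = {(l, i): [] for l in range(1, 6) for i in range(1, 6)}
    for risk in risks:
        grid[(risk.likelihood, risk.impact)].append(risk.name)
    return grid


def risks_exceeding_appetite(risks: List[Risk]) -> List[str]:
    """Risks whose residual score is still above the appetite and need a stronger treatment."""
    return sorted(r.name for r in risks if not r.within_appetite)


def render_chart(risks: List[Risk]) -> str:
    """Text rendering: rows = likelihood (5 at top), columns = impact 1..5."""
    grid = risk_chart(risks)
    lines = ["L\\I " + "".join(f"{i:>5}" for i in range(1, 6))]
    for lik in range(5, 0, -1):
        cells = "".join(f"{len(grid[(lik, imp)]):>5}" for imp in range(1, 6))
        lines.append(f"{lik:>3} {cells}")
    return "\n".join(lines)


# Constructed sample register (not real data).
REGISTER = [
    Risk("Key supplier default", "operational", "COO", 3, 4, "sharing", 3, 2),
    Risk("FX rate swing", "financial", "CFO", 4, 3, "reduction", 2, 3),
    Risk("Office flood", "operational", "Facilities", 1, 4),
    Risk("Regulatory fine", "compliance", "Legal", 2, 5, "reduction", 2, 5),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:<22} inherent={r.inherent_score:>2} ({chart_zone(r.likelihood, r.impact)}) "
              f"residual={r.residual_score:>2} treatment={r.treatment} ok={r.within_appetite}")
    print(render_chart(REGISTER))
    print("outside appetite:", risks_exceeding_appetite(REGISTER))
```

The register keeps inherent and residual values side by side, so the effect of a treatment is visible per risk, and the chart is built from inherent positions, which is what the treatment choice is based on. Running the script shows that "Regulatory fine" keeps a residual score of 10 despite the reduction measures and therefore still needs a stronger treatment or an explicit acceptance decision.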
Control over implementation
This component of the risk management system aims to provide company management with reasonable assurance that the selected risk treatment is applied efficiently.
It comprises the measures and procedures that ensure proper implementation of the selected risk treatment.
Control procedures may be preventive, detective or corrective, and either manual or automated.
Control procedures are implemented at all levels of company management, from top management to the immediate performers.
Information and communication
This component defines the formats, timing and channels for transferring the information necessary for the functioning of the risk management system.
The information infrastructure of the risk management system must ensure:
- communication within the company, both vertically (between executives and subordinate employees) and horizontally (between various services and subdivisions);
- use of both internal and external data (clients, suppliers, shareholders, regulatory authorities, etc.);
- informing employees of the parameters of the risk management system;
- availability of effective means of data reception, transfer and processing for participants of the risk management system.
Monitoring
Monitoring is the regular assessment of the completeness and effectiveness of all components of the risk management system.
Monitoring aims to keep the risk management system up to date with changes in the business environment, the company's goals and structure, HR changes, new business processes, etc.
The scope and frequency of monitoring depend on the significance of the risks, the importance of the risk treatment and the control procedures implemented.
The monitoring methodology may include questionnaires, comparative analysis and the preparation of special reports.
An important component of monitoring is updating the internal regulatory framework that governs the enterprise risk management system.
A risk management system affects the company's achievement of its goals, including strategic ones. That is why an efficient risk management system places special requirements on, and raises the quality of, the company's internal control system.
Based on the experience of FinExpertiza consultants in projects to design risk management systems, a risk management system is introduced in the following stages:
| Stage | Activity | Result |
|---|---|---|
| 1 | Establishment of a risk management committee in the company | Executive body for the introduction and functioning of the risk management system |
| 2 | Determination of the general philosophy and standards for risk management | |
| 3 | Development of the methods and procedures used in risk management for accounting and assessment of risks, as well as the accounting and reporting forms of the risk management system | The company's regulatory framework for risk management |
| 4 | Primary identification, classification, description and assessment of the company's risks; preparation of risk treatment policies | |
| 5 | Allocation of functions and responsibilities for implementing risk treatment policies, control procedures and procedures for monitoring the risk management system | |
| 6 | Determination and support of the information infrastructure of the risk management system | Automated risk management systems |
Experts of FinExpertiza can offer you a tool that will enable you to make prudent management decisions under conditions of uncertainty, assess and manage risk appropriately and achieve better results on the market.