Various types of Risk
Organisations are usually more comfortable with their effectiveness in managing compliance and financial risk than they are with their capabilities in managing strategic and operational risk. This reflects a historical focus on compliance and financial risk, based on the traditional approach to internal control and risk management. Companies usually do not have a comprehensive plan to identify and address all key risks across the organisation and in the broader business environment. They may have missed examining their entire value chain, including suppliers, customers, competitors, business associates and other key stakeholders, to define emerging risks and identify opportunities.
The wider spectrum of risk can be categorised into financial, operational, strategic and compliance risk.
Strategic Risk
- Planning and resource allocation (e.g. organisational structure, strategy, budgeting)
- Communications and investor relations (e.g. media, investor and employee communication)
- Major initiatives and capital programs (e.g. new product development, vision, planning, execution, monitoring)
- Competitive market dynamics (e.g. competitive pricing, market share, brand building)
- M&A and divestment (e.g. valuation, due diligence, integration to achieve synergy)
- Macro market dynamics (e.g. economic, social, political)
Operational Risk
- Information technology (e.g. IT management, IT security, availability)
- Physical assets (e.g. real estate, property/plant/equipment)
- Sales and marketing (e.g. advertising, pricing, pre- and post-sales customer support)
- People (e.g. recruitment, retention, development)
- Research and development (e.g. market research, product design, development and testing)
- Supply chain (e.g. planning, inventory, distribution and warehousing)
- Hazards (e.g. natural events, terrorist acts)
Financial Risk
- Accounting and reporting (e.g. accounting, reporting, internal financial controls, ERP post-implementation issues)
- Market (e.g. interest rate, currency)
- Liquidity and credit (e.g. cash management, hedging)
- Tax (e.g. tax strategy and planning, indirect taxes, transfer pricing)
Compliance Risk
- Governance (e.g. Board, audit committee, tone at the top)
- Regulatory (e.g. labour, welfare, excise, customs, VAT and other commercial taxes, IT, Companies Act)
- Legal (e.g. contracts, intellectual property)
- Code of conduct (e.g. ethics, fraud)
Fraud Risk Management
Among modern business risks, fraud risk is considered one of the most prominent, and it may seriously hinder the pace of growth. Numerous recent cases have turned successful companies sick or almost redundant.
Fraud continues to be a prominent issue and has become increasingly important in the eyes of regulators, both in India and abroad. Given the nature of fraud and its cross-border implications, it is not surprising that enforcement of fraud penalties is increasingly global in nature, and regulators are co-operating with each other to prosecute fraud perpetrators, including senior executives. Satyam is the case right in front of us.
The recent response from CEOs revealed that over 20% chose evaluation of operational and financial controls as a measure for protecting against fraud. This clearly shows that the respondents view these areas as fraud threats. Identifying and responding to incidents of fraud continues to be a challenge even for more sophisticated organisations.
Fraud detection, fraud assessment and fraud investigation are three key aspects of a comprehensive anti-fraud program, and internal auditors play an eminent role in ensuring that an organisation has the right control framework to identify and respond to these threats.
Internal auditors undertake the following steps to assess fraud risk and mitigate it:
1. Identify the potential inherent fraud risks.
2. Assess the likelihood and significance of the occurrence of each identified fraud risk.
3. Evaluate the people and departments most likely to commit fraud and their likely methods.
4. Evaluate whether identified controls are operating effectively and efficiently.
5. Identify and map existing preventive and detective controls to the relevant fraud risks.
6. Identify and evaluate residual fraud risk resulting from ineffective or non-existent controls.
7. Respond to residual fraud risk.
How does Internal Audit address the risk of fraud?
1. Evaluate operational controls to mitigate fraud risk.
2. Evaluate financial controls to mitigate fraud risk.
3. Assess the risk of fraud at the business units being audited and perform audits to address it.
4. Assess whether the company's overall fraud mitigation programs are effective.
5. Conduct financial fraud investigations when called upon to do so by management.
6. Conduct operational fraud investigations when called upon to do so by management.
7. Report fraudulent activity directly to the audit committee.
8. Run fraud detection software across all transactions in all business units.
Building a Common risk language
Many companies are slow to detect and react to known risks, a delay that threatens their competitiveness. To shorten risk detection and reaction time, companies should eliminate the barriers to timely and efficient risk management efforts by ensuring that the same risk language is spoken throughout the organisation.
Company-wide definitions, priorities, procedures and communication channels should be clearly defined. As a result, companies will be better able to create and protect value and gain a competitive advantage.
Detecting and reacting
Companies have learnt the hard way that they have to reduce the detection time for new risk-related events and trends. The flexibility of each organisation is limited; a company cannot instantly adapt its practices and processes once it finds a new risk or opportunity event. Early detection is therefore essential; it provides an organisation with precious extra time to react. Companies know equally well that a short reaction time is also necessary if they are to deal swiftly and adequately with new events and trends.
Language confusion dominates risk
A fast response to new, risk-related events requires that the same risk management language is spoken throughout the company. A common risk language is much more than an agreed set of symbols for communication. A common language in an organisation means shared definitions, company-wide priorities, a common culture of risk awareness and accountability, and clear procedures for measuring, monitoring, communicating and dealing with identified risks.
Different units and sections in an organisation will view risk from various perspectives. An essential part of risk management consists of the development and translation of a language that everybody in the organisation understands. Only this common language will allow an organisation to define, measure and prioritise different risks and compare them on a common risk dashboard.
Gaining consensus on the main risks
In order to detect and react to new events quickly, an organisation should know what it is looking for. This may seem obvious but, in fact, many companies have not clearly defined what their main risks are. Even Board members more often than not disagree among themselves about the most relevant risks their company faces.
A leading consulting firm has measured to what extent the managers of a company agree on the main risks through a risk consensus index (RCI).
Calculating RCI
Members of the sample group are asked individually to name the 3 most important risks for their organisation. Imagine the sample consists of 5 Board members and they all name 3 identical or very similar risks. Once the answers are in, the RCI is calculated as follows:

$$\mathrm{RCI} = \frac{(\text{respondents} \times 3) - \text{different risks mentioned}}{(\text{respondents} \times 3) - 3} \times 100\%$$

In that case, the numerator of the fraction would be 12, since (5 × 3) − 3 = 12, and the denominator would also be 12. So: perfect consensus, 100%.
Imagine the other extreme. None of the 5 Board members identifies any risk mentioned by any of the others, i.e. among the 5 of them they mention 15 risks. In that case, the numerator of the fraction would be 0, since (5 × 3) − 15 = 0. The score would be 0%, i.e. an absolute lack of consensus.
The RCI shows to what extent a sample group has the same view on what the most important risks for an organisation are. It is expressed as a percentage; a higher percentage means more consensus.
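A worked calculation of the RCI described above, as an added example rather than code from the original article. The respondent answers and the synonym table (which decides what counts as "very similar" risks) are constructed for illustration.

```python
from collections import Counter

# Constructed synonym table (an assumption): wordings the analyst has decided
# describe "very similar" risks are folded into one canonical name before counting.
SYNONYMS = {
    "cyber attack": "it security",
    "hacking": "it security",
    "cash flow": "liquidity",
}

RISKS_PER_RESPONDENT = 3  # the survey asks each respondent for their top 3 risks


def canonical(risk: str) -> str:
    """Lower-case, collapse whitespace and apply the synonym table."""
    key = " ".join(risk.lower().split())
    return SYNONYMS.get(key, key)


def risk_consensus_index(answers, k=RISKS_PER_RESPONDENT) -> float:
    """RCI = ((n * k) - distinct risks) / ((n * k) - k) * 100, as in the article.

    answers: one list of k risk names per respondent (n respondents in total).
    """
    n = len(answers)
    if n < 2:
        # With one respondent the denominator (n*k - k) is zero: consensus is undefined.
        raise ValueError("RCI needs at least two respondents")
    for i, named in enumerate(answers):
        if len(named) != k:
            raise ValueError(f"respondent {i} named {len(named)} risks, expected {k}")
    distinct = {canonical(r) for named in answers for r in named}
    return 100.0 * (n * k - len(distinct)) / (n * k - k)


def mention_counts(answers) -> Counter:
    """How many respondents named each canonical risk: input for a common risk dashboard."""
    counts = Counter()
    for named in answers:
        counts.update({canonical(r) for r in named})  # one vote per respondent per risk
    return counts


# Constructed sample: five Board members, each naming three risks.
FULL_CONSENSUS = [["IT security", "liquidity", "regulatory change"]] * 5
NO_CONSENSUS = [
    ["IT security", "liquidity", "regulatory change"],
    ["talent retention", "currency", "supply chain"],
    ["fraud", "tax", "product quality"],
    ["M&A integration", "brand", "natural hazards"],
    ["interest rate", "contracts", "pricing"],
]
PARTIAL = [
    ["IT security", "liquidity", "regulatory change"],
    ["it security", "Liquidity", "regulatory change"],   # same risks, different spelling
    ["cyber attack", "cash flow", "regulatory change"],  # synonyms of the first two
    ["IT security", "liquidity", "supply chain"],
    ["IT security", "fraud", "talent retention"],
]

if __name__ == "__main__":
    for label, sample in [("full", FULL_CONSENSUS), ("none", NO_CONSENSUS), ("partial", PARTIAL)]:
        print(f"{label:8s} RCI = {risk_consensus_index(sample):.1f}%  top: {mention_counts(sample).most_common(3)}")
```

The two extremes reproduce the article's 100% and 0% cases; the partial sample yields 75%, since 6 distinct risks remain after normalisation, giving (15 − 6) / 12.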
Implementing RM - a comprehensive road map
We take a deep look into 7 key challenges and explore which approach is best suited to the needs of a company establishing an effective RM framework. This approach is more likely to produce faster success and value, and helps increase the chances of broad acceptance and support for risk-focused initiatives and ERM in future.
The seven challenges are:
1. Establish a simple, relevant framework
2. Establish a clear and concise view of risk
3. Protect what matters most
4. Avoid enterprise listing of risk
5. Seek to know what you don't know
6. Conduct risk assessment as an embedded activity
7. Enable Internal Audit coverage across key risk areas
We shall elaborate on each of these challenges now.
1. Establish a simple, relevant framework
A risk framework should offer a robust foundation of reference for companies interested in implementing ERM. There are a number of RM, compliance and ERM frameworks that have been developed over the years to meet the various needs and challenges faced by companies in recent times. Although most companies may ultimately need to customise a framework best suited to their needs, the critical success factors in selecting, building and customising a framework include:
- focus on areas where early tangible value is most likely to result
- relevance and value to process owners
- clear alignment to existing internal control, RM and business processes
- use of clear, consistent and familiar language describing risk.
2. Establish a clear and concise view of risk
A key risk summary report can help directors understand, in a palatable and action-oriented form, the key risks facing the company. Executive managers can better understand, track and oversee the status of key risks, and functional heads and line managers can better prioritise focus and report the status of key risks facing the company. Given the value and importance of the risk summary report, we provide suggested elements. These elements can be the starting point for audit directors or executives to outline their own requirements and draw up a report customised to their own companies.
Key Risk Summary Report - suggested elements
1. Risk type: financial / operational / compliance / strategic
2. Risk description
3. Overall rating: impact / likelihood / control effectiveness
4. Monitoring approach and results
5. Key risk management activities
6. Gaps / issues / actions
7. Risk owner
8. Processes, initiatives and objectives affected
3. Protect that which matters most
The risks that matter most are those which, if realised, would have the greatest negative impact on value. Unfortunately, risk assessments for many companies tend to focus only at the process level. Although important, it may be difficult to ascertain whether the company's key business risks are truly addressed through an approach confined to processes.
For publicly traded companies, risks to shareholder value in particular are of primary importance. Identifying these risks, and ensuring they are properly managed within the purview of the Board and management and appropriately monitored, is the first task.
In fact, risk assessment should go beyond process risk and control risk. It is business risk that needs to be assessed.
The Management Discussion and Analysis (MDA), which describes the current and future business risks and the company's preparedness to address these risks, could be the basis for building a simple framework to guide the formation of the risk assessment process.
Apart from business risk, the second component, the core business operation, comprises those assets and related processes in the company that generate or support the largest portion of revenue and/or profits.
By focusing on both future growth opportunities and current business operations, a truly comprehensive ERM process can be developed that addresses what matters most to achieving shareholder value.
4. Avoid enterprise list management
An unfortunate output of many ERM initiatives is a long and unwieldy list of risks that does little to guide and drive responsive action. In fact, "enterprise list management" is cited by many corporates as one of the stumbling blocks in implementing an effective ERM process.
Most companies use criteria to assess risk on two dimensions: impact and likelihood. While these criteria help in analysing and prioritising within a list, they do not focus on actions or responses. Broadly speaking, there are two kinds of responsive action to an identified risk: monitoring and enhancement.
Monitoring: If management feels that a risk is effectively and efficiently controlled and, as a result, the risk exposure is at an acceptable tolerance level, then monitoring of the related controls and risks may be the best course of action. Options can include internal audit, control self-assessment (CSA) and continuous IT-based controls at the transaction and process level. Internal Audit should focus on areas where inherent risk is highest and management has accepted monitoring as a response. For low-level risks recommended for monitoring, CSA may prove to be a better option, especially if the controls have already been tested by internal audit.
Enhancement: If management feels there is room to improve how a risk is managed or controlled, then enhancing the level of monitoring through better use of technology, business process re-engineering, etc. could be considered. Internal audit can facilitate here by advising management on the enhancement of controls through these recommended courses of action.
The final objective is to strike a good balance between risk and control on a continuous basis.
5. Seek to know what you don't know
"The risks that keep me awake at night are the ones that I don't know" is a common sentiment shared by CEOs and others with primary responsibility for managing and running a business. This is especially relevant today, as experienced by some companies that recently faced a surprise event, and also by companies undergoing synergies and structural changes.
There are a number of techniques that may broaden the reach and quality of risk assessment inputs without necessarily stretching the budget. These include surveys, workshops, analytics, discoverability, disclosure, experience and insight, etc.
Let us discuss each of them briefly.
Surveys: Surveys are an efficient approach to gathering risk inputs from across a company and even beyond, from customers and suppliers. They can be executed via e-mail or a web-based technology, allowing results to be readily aggregated, analysed and reported. To help increase the focus and relevance of the responses, ask simple, open-ended questions, such as "What are the top 3 risks to achieving the strategic goals and objectives set forth by the company?" In order to increase the candour of responses, consider engaging a third party to gather independent and unbiased results anonymously. Finally, consider targeting the levels of the organisation most likely to have early insights on risk; sales, customer service and even manufacturing areas can often provide these insights.
Workshops: Properly executed, a 3 to 4 hour workshop can help produce a risk profile that drives appropriate action, accountability and follow-through. The softer benefits of greater risk awareness and communication are also significant.
Data analytics: The application of analytical techniques to support risk assessment is increasing. As with any tool, the key to success is an awareness of the available techniques and tools, how and when to apply them, and how to use the results. A number of data analytics tools, such as IDEA and ACL, are available. While selecting tools, the existing ERP system structure should also be kept in mind, to ascertain whether the selected tool is compatible with the ERP structure so that data extraction is possible.
Discoverability: If a wide net is cast with the hope of revealing new risks and trends, and significant new risks are revealed and documented, they should be suitably acted upon. If not, there may be legal implications. Consult with your legal advisor, whether internal or external, for example if a serious threat of patent or IP infringement is unearthed.
Disclosure: In some cases, risks that are revealed and documented as part of a broader risk assessment process could require subsequent disclosure, depending on changes in the business, its processes and environment. In response, the relevant committee should provide input to, and participate in, the risk assessment process as appropriate.
Experience and insight: In some cases, it may be difficult to recognise risks that have not yet been experienced within the business. In this case, external benchmarks and/or outside assistance from those with risk insight and experience in a similar industry or risk area can be invaluable. While looking for a benchmark, it may at times be ideal to look into the business environment and socio-political scenario of the region or country before accepting the data for analysis purposes.
6. Conduct risk assessment as an embedded activity
Although it is common for ERM initiatives to start with a large and comprehensive risk assessment process, the process often stops there due to lack of resources, interest and/or perceived value, or because of complexity. To avoid this dead end, risk assessment should evolve into a consistent, simple, embedded activity within the company's strategic, business, budget and audit planning processes rather than being executed as a significant, stand-alone activity.
Many of the key building blocks for establishing a consistent, embedded approach are:
- a focus on risks to stakeholder/shareholder value
- consistent, action-oriented risk assessment criteria
- a common reporting language
Incorporating these building blocks into existing planning processes can and should be a relatively straightforward process. In fact, many companies have benefited most by keeping the process simple and the list of key risks coming out of a particular process relatively short.
Formation of a Risk Committee
In order to promote an active risk dialogue between the executive and company levels, to continually foster the consistent application of risk assessment approaches and to leverage the output, companies should consider forming a risk committee. These committees take on various forms, ranging from highly formal to a more casual approach, depending on the needs of the organisation.
Importantly, the committee, once formed, should meet often enough to ensure that key risk issues are discussed and communicated on a timely basis. For many companies, a quarterly meeting should suffice.
7. Enable Internal Audit coverage across key risk areas
The IA function is one of the most powerful mechanisms for understanding the full spectrum of key risks facing the company and for monitoring the effectiveness of related controls and risk management processes. In addition, it is often the only function with the requisite skill set and mandate to conduct an entity-wide assessment.
It may be increasingly difficult, however, for internal audit to conduct a thorough risk assessment, let alone to develop audit plans that are truly risk-based and cover the full spectrum of the company's most significant risks. Although most IA functions would like nothing better than to conduct a comprehensive risk assessment to support their audit planning process, they face many practical challenges, as follows:
- insufficient involvement and insight into the organisation's strategic and business planning process, a key area where the risks to supporting future growth opportunities and stakeholder value may be identified
- lack of adequate time and skill sets to conduct an organisation-wide risk assessment exercise
- increasing pressure to focus on the organisation's financial risk reporting process, thereby compromising on other key business risks.
Internal audit can nevertheless contribute in the following ways:
- Acting as facilitator: Although internal audit may face challenges in conducting an enterprise-wide risk assessment exercise, it can act as a facilitator to the various process owners and business heads of the management group who are responsible for risk assessment in their respective areas of business.
- Outsourcing and teaming: If, due to resource or skill constraints, the job of risk assessment is outsourced, IA can team with that group to speed up the risk assessment process and also help in co-ordinating the whole process.
- Rotation and cross-training: In order to retain talent and develop future leaders, many organisations rotate managers from other functional areas into internal audit to add flair to audit and also to take up business risk areas for audit. Similarly, audit personnel are also placed in functional/business areas to understand the functional perspective so that they can add true value once they are brought back into the audit function.




