Study Unit Two
RISK MANAGEMENT
2.1 RISK MANAGEMENT TECHNIQUES
1. Risk Management
a. Risk management is “a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives.”
* The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.
b. The internal audit activity must evaluate risk exposures relating to the organization’s governance, operations, and information systems regarding the:
1) Achievement of the organization’s strategic objectives;
2) Reliability and integrity of financial and operational information;
3) Effectiveness and efficiency of operations and programs;
4) Safeguarding of assets;
5) Compliance with laws, regulations, policies, procedures, and contracts.
* The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.
c. Elements of Risk Management
1) Risk management processes include risk identification, risk analysis, and appropriate risk response.
Risk identification: All potential risks should be considered.
Risk analysis: This process may be formal or informal. It considers the significance of an event and the event’s likelihood. The seriousness of a risk and its likelihood are inversely related.
Risk response: Risk avoidance, risk retention, risk reduction, risk sharing.
Ranking and validating risk priorities: Risk is the possibility of an event that affects the achievement of objectives. Risk is measured in terms of impact and likelihood.
2. ERM Glossary
Risk: the possibility that an event will occur and negatively affect the achievement of objectives.
Inherent risk: the risk in the absence of a risk response.
Residual risk: the risk after a risk response.
Risk appetite: the amount of risk an entity is willing to accept in pursuit of value.
Opportunity: the possibility that an event will occur and positively affect the achievement of objectives.
Risk management: (1) identifying potential events that may affect the entity and (2) managing the associated risk to be within the entity’s risk appetite.
* Risk management should provide reasonable assurance that entity objectives are achieved.
3. ERM Capabilities
1) Consideration of risk appetite and strategy
2) Risk response decisions
3) Reduction of operational surprises and losses
4) Multiple and cross-enterprise risks
5) Response to opportunities
6) Use of capital
4. ERM Components
Internal environment: Sets the tone of the entity.
Objective setting: (1) a process is established and (2) objectives are consistent with the mission and the risk appetite.
Event identification: Internal and external events affecting the organization that may create opportunities or risks.
Risk assessment: Likelihood and impact as a basis for risk management. The assessment considers inherent risk and residual risk.
Risk responses: 1. Reduce the impact or likelihood of adverse events. 2. Be consistent with the entity’s risk tolerances and appetite.
Control activities: Policies and procedures to ensure the effectiveness of risk responses.
Information and communication: Identifies, captures, and communicates relevant and timely information.
Monitoring: 1. Ongoing management activities or separate evaluations. 2. The full ERM process is monitored.
5. Entity Objectives
1) Strategic objectives are consistent with and support the entity’s mission.
2) Operations objectives address effectiveness and efficiency.
3) Reporting objectives concern reliability.
4) Compliance objectives relate to adherence to laws and regulations.
6. Event Identification
7. Strategies for Risk Response
Risk avoidance: Ends the activity from which the risk arises. Example: selling the pipeline.
Risk retention: Accepts the risk of an activity. Example: self-insurance (low impact, low potential).
Risk reduction: Lowers the level of risk associated with an activity. Example: maintaining a robust information security function.
Risk sharing: Transfers some loss potential to another party. Example: insurance, hedging, and entering into joint ventures.
Risk exploitation: Seeks risk. Example: high return on investment.
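The elements in 1.c (identify, analyse, respond, rank), the glossary terms in 2 (inherent risk, residual risk, risk appetite) and the response strategies in 7 fit together in a risk register. The following Python block is an added example written for these notes, not material from the notes themselves: it scores each risk as likelihood times impact, applies the chosen response to obtain a residual score, ranks the register and lists what still sits outside the appetite. The 1..5 scales, the sample entries, the numeric effect assigned to each response and the appetite value are all constructed assumptions for illustration.

```python
"""Risk register scoring: added example, not part of the study notes.

Risk is measured in terms of impact and likelihood; inherent risk is the risk
before a response, residual risk the risk after it, and residual risk should
sit within the entity's risk appetite. Scales, entries and the effect of each
response are constructed assumptions.
"""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5  # assumed ordinal scales for likelihood and impact


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int            # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                # 1 (negligible) .. 5 (severe), assumed scale
    response: str              # avoid | retain | reduce | share (from the notes)
    likelihood_cut: int = 0    # reduce: points a control takes off likelihood
    impact_cut: int = 0        # reduce: points a control takes off impact
    shared_percent: int = 0    # share: percent of loss potential transferred


def _clamp(value: int) -> int:
    """Keep a score on the assumed 1..5 scale."""
    return max(SCALE_MIN, min(SCALE_MAX, value))


def inherent_score(risk: Risk) -> int:
    """Risk in the absence of a response: likelihood x impact."""
    return risk.likelihood * risk.impact


def residual_score(risk: Risk) -> int:
    """Risk after the chosen response has been applied."""
    if risk.response == "avoid":
        # The activity giving rise to the risk is ended: no loss potential remains.
        return 0
    if risk.response == "retain":
        # The entity accepts the risk as it is (e.g. self-insurance).
        return inherent_score(risk)
    if risk.response == "reduce":
        # Controls lower likelihood and/or impact; scores stay on the 1..5 scale.
        return (_clamp(risk.likelihood - risk.likelihood_cut)
                * _clamp(risk.impact - risk.impact_cut))
    if risk.response == "share":
        # Part of the loss potential goes to another party (insurance, hedging,
        # joint venture). Integer ceiling so a shared risk never rounds to zero.
        retained = -(-risk.impact * (100 - risk.shared_percent) // 100)
        return risk.likelihood * _clamp(retained)
    raise ValueError(f"unknown risk response: {risk.response!r}")


def rank_register(register: list[Risk]) -> list[Risk]:
    """Rank risks for validating priorities: highest inherent score first."""
    return sorted(register, key=inherent_score, reverse=True)


def outside_appetite(register: list[Risk], appetite: int) -> list[str]:
    """Names of risks whose residual score still exceeds the risk appetite."""
    return [r.name for r in register if residual_score(r) > appetite]


# Constructed sample register (not from the notes).
REGISTER = [
    Risk("Ransomware on file servers", likelihood=4, impact=5, response="reduce",
         likelihood_cut=2, impact_cut=1),
    Risk("Flooding of the data centre", likelihood=1, impact=5, response="share",
         shared_percent=60),
    Risk("Liability from the legacy pipeline", likelihood=3, impact=4, response="avoid"),
    Risk("Defacement of the marketing site", likelihood=2, impact=1, response="retain"),
]
RISK_APPETITE = 6  # assumed: highest residual score the board will accept


if __name__ == "__main__":
    for risk in rank_register(REGISTER):
        print(f"{risk.name:36} inherent={inherent_score(risk):2} "
              f"residual={residual_score(risk):2} ({risk.response})")
    print("outside appetite:", outside_appetite(REGISTER, RISK_APPETITE))
```

Run as a script, the ranking puts the ransomware entry first (inherent 20) and the report shows that, even after the reduction controls, its residual score of 8 is the only one above the assumed appetite of 6; that is exactly the residual-versus-appetite comparison the glossary describes, and it is the entry an internal auditor would expect to see escalated or given a further response.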
8. Responsibilities
Board of Directors: An oversight role. Determines that risk management processes are in place, adequate, and effective.
Senior Management: Sets the tone at the top. Ensures that sound risk management processes are functioning.
Risk Committee and Chief Risk Officer: Coordinate the entity’s risk management activities. These are the individuals most familiar with entity processes.
Internal Auditing: Evaluates the effectiveness of, and contributes to the improvement of, risk management processes. It determines whether:
a) Entity objectives support and are consistent with its mission.
b) Significant risks are identified and assessed.
c) Appropriate risk responses are selected that are consistent with risks and the entity’s risk appetite.
d) Relevant risk information is captured and promptly communicated across the entity, enabling staff, management, and the board to carry out their responsibilities.
9. ERM Matrix
a. Objectives
1) Strategic
2) Operations
3) Reporting
4) Compliance
b. Components
1) Internal environment
2) Objective Setting
3) Event Identification
4) Risk Assessment
5) Risk Response
6) Control Activities
7) Information and Communication
8) Monitoring
c. The components are criteria for the effectiveness of ERM.
1) No material weaknesses should exist, and risk should be within the risk appetite.
2) When ERM is effective regarding all of the objectives, the board and
management have reasonable assurance that
(a) Reporting is reliable
(b) Compliance is achieved
(c) the extent of achievement of strategic and operations objectives is known.
3) The components operate differently in different organizations. For example, they may be applied in a less formal way in smaller organizations.
10. ERM Limitations
1) Faulty human judgment
2) Cost-benefit considerations
3) Simple errors or mistakes
4) Collusion
5) Management override of ERM decisions
11. Internal Audit’s Role in ERM
a. BOD: Overall responsibility for ensuring that risks are managed.
b. Management: Primarily responsible for identifying and managing risks.
c. CRO: a member of management assigned primary responsibility for ERM processes.
* Most effective when supported by a specific team with the necessary expertise and experience related to organization-wide risk.
d. The Practice Guide describes three approaches to providing assurance on the risk management process.
1) Process element: determines whether each element has been implemented.
2) Key principles: determines the extent to which risk management
3) Maturity model: determines where risk management is on the maturity curve and whether (a) it is progressing as expected, (b) adds value, and (c) meets organizational needs. Risk management performance and progress in executing the risk management plan should be linked with a performance measurement system.