ACT1110 Fundamental Concepts of Risk Management

The document discusses risk management frameworks and processes. It defines risk management and explains frameworks from COSO and ISO 31000. It then outlines the key components of the COSO Enterprise Risk Management framework and describes the risk management process, including risk identification, assessment, prioritization, and response.

ACT1110

Fundamental Concepts of
Risk Management
Learning Objectives
a) Explain different definitions of Risk and Risk Management
b) Discuss globally accepted frameworks on risk management and internal control (i.e., COSO, ISO 31000, CoCo, COBIT)
c) Discuss the Risk Management Process according to COSO
Overview
OBJECTIVES
Defined, intended outcomes

CONTROLS
Increase the likelihood of achieving objectives

RISKS
Possibility of an event occurring that will have an impact on the achievement of objectives

GOVERNANCE
Ensure the entity effectively and efficiently directs itself toward meeting the objectives
Illustration
Objective
Wake up at 4:30am to go to school as early as possible
Risk
Oversleeping
Insomnia
Controls
Set up an alarm clock
Drink milk or take herbal sleeping medicine
Inform other people
Governance
Parents advise you before you sleep
Sermon

Definition of Terms
What is risk?
Risk
The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.

Impact: if the event is realized (i.e., if it happens), how much it would affect the company.
Likelihood: the chance of the event occurring over a predefined time period.

Factors that define the impact rating:
- Financial effect
- Reputation
- Ability to achieve key objectives

Definition of Terms
Residual Risk
The risk that remains after a risk response

Opportunity
The possibility that an event will occur and positively affect the achievement of objectives

Risk Appetite
The amount of risk an entity is willing to accept in pursuit of value

Risk Tolerance
The specific maximum risk that an organization is willing to take regarding each relevant risk

Recognition
A risk should read as "something went wrong, and this is what the impact would be."

Example:
Unauthorized changes are made to the payroll master data, resulting in payments to fictitious employees.

A risk should not be written as:
- A negative control or the absence of a control
- A process

Definition of Terms
Risk Management
A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives

Risk Management Framework
COSO ERM - Integrated Framework
- Enterprise Risk Management (ERM) - Integrated Framework
- Published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)
- A structure which defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.
- COSO was established initially to sponsor research into the causes of fraudulent financial reporting.

Enterprise Risk Management
- a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

RISK MANAGEMENT OBJECTIVES
1. Strategic – high-level goals, aligned with and supporting the entity's mission
2. Operations – effective and efficient use of resources
3. Reporting – helps ensure accuracy, completeness and reliability of internal and external company reports of both financial and non-financial nature
4. Compliance – compliance with applicable laws and regulations

ENTITY AND UNIT LEVEL COMPONENTS
[diagram slide; not reproduced in this extraction]

RISK COMPONENTS
[diagram slides; not reproduced in this extraction]

Risk Management Framework
ISO 31000:2018 Risk Management – Guidelines
- Published by the International Organization for Standardization (ISO)
- Provides principles and guidelines for effective risk management.
- A standard that provides foundations for discussing risk management and undertaking a critical review of an organization's risk management process
- Aims to increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment.

Risk Management Process
1. Risk Identification
- Performed for the entire entity
- Audit/Risk Universe
- Brainstorming, SWOT (strengths, weaknesses, opportunities, threats), scenario analysis

Audit Universe (wheel diagram, reconstructed as a list of the categories shown):
- Strategic
- Operations
- Compliance
- Accounting and reporting
- Liquidity and credit
- Capital structure
- Market
- Tax
- Market dynamics
- Sales and marketing
- Major initiatives
- Financial reporting
- Supply chain
- Mergers, acquisitions and divestiture
- Information technology
- Planning and resource allocation
- People/Human resources
- Governance
- Hazards
- Communication and investor relations
- Code of conduct
- Physical assets
- Regulatory
- Legal


2. Risk Assessment and Prioritization
- Probabilities and potential effects of the identified risk events are used to prioritize risks

Involves
- Estimating significance/impact
- Assessing likelihood
- Considering means to manage the risk

Risk Modeling
- Qualitative methods – listing, ranking and mapping
- Quantitative methods – probabilistic models, weighted


2. Risk Assessment and Prioritization
Heat Map – overall risk assessment (rows: impact; columns: likelihood)

Impact \ Likelihood   Low        Moderate   High
High                  Moderate   High       High
Moderate              Low        Moderate   High
Low                   Low        Low        Moderate


3. Risk Response

Risk Avoidance
Ends the activity that gives rise to the risk.
Ex. The risk of having a pipeline sabotaged can be avoided by selling the pipeline.

Risk Retention
Accepts the risk; the entity bears any loss itself.
Ex. self-insurance; sinking funds

Risk Reduction
Lowers the level of risk (its impact, its likelihood, or both).
Ex. The risk of system penetration can be reduced by maintaining a robust information security function within the entity.

Risk Sharing
Transfers some of the loss potential to another party.
Ex. The risk of a car crash can be shared through insurance.

Risk Exploitation
Deliberately takes on risk to pursue a high return on investment.
Ex. The risk of winning or losing a lottery


4. Risk Monitoring
- Tracks identified risks
- Evaluates the current risk responses
- Monitors residual risks
- Identifies new risks
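The four process steps above (identify, assess and prioritize, respond, monitor) can be exercised on a small risk register. The Python below is an added illustration and is not part of the slides: it encodes the 3x3 heat map from the assessment step exactly as printed, sorts a register by the resulting rating, records the response chosen for each risk, and compares the residual rating (the risk remaining after the response) with a tolerance level, which is what the monitoring step checks. The register entries (two reuse the payroll and pipeline examples from the slides; the rest are constructed), the tie-break rule used when two risks share a rating, and the "Moderate" tolerance are assumptions of this example.

```python
# Added example, not from the slides: a small risk register driven by the
# 3x3 heat map shown under "Risk Assessment and Prioritization".
# Assumptions (not stated on the slides): the tie-break order used when two
# risks share a rating, the "Moderate" tolerance, and the register entries
# other than the payroll and pipeline examples.
from dataclasses import dataclass

LEVELS = ("Low", "Moderate", "High")  # ordinal scale shared by impact, likelihood and rating

# Heat map from the slides: HEAT_MAP[impact][likelihood] -> overall rating
HEAT_MAP = {
    "High":     {"Low": "Moderate", "Moderate": "High",     "High": "High"},
    "Moderate": {"Low": "Low",      "Moderate": "Moderate", "High": "High"},
    "Low":      {"Low": "Low",      "Moderate": "Low",      "High": "Moderate"},
}


def rate(impact: str, likelihood: str) -> str:
    """Overall rating for one (impact, likelihood) pair, read off the heat map."""
    if impact not in LEVELS or likelihood not in LEVELS:
        raise ValueError(f"impact and likelihood must be one of {LEVELS}")
    return HEAT_MAP[impact][likelihood]


@dataclass
class Risk:
    statement: str                 # written as "what went wrong and what the impact is"
    impact: str                    # inherent impact, before any response
    likelihood: str                # inherent likelihood, before any response
    response: str = "Retention"    # Avoidance / Retention / Reduction / Sharing / Exploitation
    residual_impact: str = ""      # impact after the response; "" means unchanged
    residual_likelihood: str = ""  # likelihood after the response; "" means unchanged

    def __post_init__(self) -> None:
        # Retention leaves the risk untouched, so residual defaults to inherent.
        self.residual_impact = self.residual_impact or self.impact
        self.residual_likelihood = self.residual_likelihood or self.likelihood

    @property
    def inherent(self) -> str:
        return rate(self.impact, self.likelihood)

    @property
    def residual(self) -> str:
        return rate(self.residual_impact, self.residual_likelihood)


def prioritize(register: list[Risk]) -> list[Risk]:
    """Highest inherent rating first. Ties are broken on impact, then likelihood
    (an assumption of this example; the slides give no tie-break rule)."""
    def key(r: Risk):
        return (LEVELS.index(r.inherent), LEVELS.index(r.impact), LEVELS.index(r.likelihood))
    return sorted(register, key=key, reverse=True)


def exceeds_tolerance(risk: Risk, tolerance: str = "Moderate") -> bool:
    """True when the residual rating is above the stated tolerance level."""
    return LEVELS.index(risk.residual) > LEVELS.index(tolerance)


# Constructed register. The first two statements reuse examples from the slides.
REGISTER = [
    Risk("Unauthorized changes are made to payroll master data, resulting in payments to fictitious employees",
         impact="High", likelihood="Moderate",
         response="Reduction", residual_likelihood="Low"),          # change approval plus periodic review
    Risk("A pipeline is sabotaged, halting deliveries",
         impact="High", likelihood="Low",
         response="Avoidance", residual_impact="Low", residual_likelihood="Low"),  # pipeline sold
    Risk("A phishing email leads to theft of staff credentials",
         impact="Moderate", likelihood="High"),                      # retained: no response yet
    Risk("The office printer runs out of toner",
         impact="Low", likelihood="High"),
]


def report(register: list[Risk], tolerance: str = "Moderate") -> list[str]:
    """One line per risk in priority order, flagging residual risk above tolerance."""
    lines = []
    for r in prioritize(register):
        flag = "  <-- residual above tolerance" if exceeds_tolerance(r, tolerance) else ""
        lines.append(f"{r.inherent:<8} -> {r.residual:<8} {r.response:<10} {r.statement}{flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(REGISTER)))
```

Running the block prints the register in priority order with inherent and residual ratings side by side. The retained phishing risk is the one still above tolerance after responses are recorded, which is exactly the kind of item the monitoring step exists to surface; the reduction and avoidance responses bring the two higher-impact risks down to Moderate and Low respectively.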


Practice Question
Which of the following is the correct order of steps in the risk
management process?

1. Identify risks
2. Monitor risk responses
3. Formulate risk responses
4. Assess and prioritize risks
5. Identify context

A. 5, 1, 4, 3, 2.
B. 1, 4, 3, 2, 5.
C. 1, 3, 5, 4, 2.
D. 1, 5, 4, 3, 2.

The correct answer is..

Practice Question
A chief audit executive is reviewing the following enterprise-wide
risk map:

Which of the following is the correct prioritization of risks, considering limited resources in the internal audit activity?
A. Risk B, Risk C, Risk A, Risk D.
B. Risk C, Risk A, Risk D, Risk B.
C. Risk C, Risk A, Risk B, Risk D.
D. Risk A, Risk B, Risk C, Risk D.

The correct answer is..

Practice Question
Which risk response reflects a change from acceptance to sharing?
A. An insurance policy on a manufacturing plant was not renewed.
B. Management purchased insurance on previously uninsured
property.
C. Management sold a manufacturing plant.
D. After employees stole numerous inventory items, management
implemented mandatory background checks on all employees.

The correct answer is..

Practice Question
Many organizations use electronic funds transfer to pay their
supplier instead of issuing checks. Regarding the risk associated
with issuing checks, which of the following risk management
techniques does this represent?
A. Avoiding
B. Transferring
C. Controlling
D. Accepting

The correct answer is..

Practice Question
Inherent risk is:
A. The risk when management has not taken action to reduce the
impact or likelihood of an adverse event
B. The risk after management takes action to reduce the impact or
likelihood of an adverse event
C. A potential event that will adversely affect the organization
D. Risk response

The correct answer is..

Questions
Thank you
