2. What is Risk?
An event or action that causes a possible threat to the achievement of an organization’s/function’s objectives
Risk is just an expensive substitute for information
Unwarranted Business Exposures are not Risks….
3. Risk Assessment
Risk Assessment is a three-step process of risk analysis and evaluation involving the determination of:
1) Consequence: The level of impact or outcome of risk
2) Probability: The likelihood of risk getting realised
3) Inherent Risk: The nature of the risk
Management optimistic; Auditors quite sceptical
Resolving the differences in perception of risk is crucial for an effective control evaluation…
4. Risk Assessment
• Where do you devote considerable internal effort in order to control?
• What areas receive considerable management reporting?
• Where have you devoted significant resources?
• What are the analysts and rating agencies most interested in?
• What wouldn’t you want on the front page of the newspaper?
• What are key obstacles to taking advantage of opportunities?
• What is impeding growth?
• What do people complain about within the organization?
• If you could fix one thing at the company, what would it be?
• What do your competitors do better?
• What keeps you up at night?
A “WHAT CAN GO WRONG ANALYSIS” prior to field work will provide focus and judgement to the auditor on where to deploy his resources
5. Risk Assessment - Comprehensive
EXTERNAL RISKS
Capital Availability
Competitor
Customer Needs
Economy
Financial Markets
Industry
Legal
Natural Hazard/Catastrophe
Public Relations
Regulatory
Terrorism
Sovereign/Political
Technological Innovation
INTERNAL RISKS
Strategic
Operational
Financial
Process
Business Model
Business Portfolio
Delivery Channels
Intellectual Property
Marketing/Advertising
Alignment
Business Interruption
Capacity
Change Response
Compliance
Contract Commitment
Customer Satisfaction
Cycle Time
Efficiency
Environmental
Health & Safety
Knowledge
Management
Measurement
Partnering
Collateral
Physical Security
Product/Service Development
Product/Service Liability
Product/Service Failure
Product/Service Pricing
Relationship Management
Sourcing
Strategy Implementation
Supply Chain
Transaction Processing
Resource Allocation
Social Responsibility
Counterparty
Credit
Equity
Management
Information
Organization Structure
Product Life Cycle
Concentration
Default
Marketplace
Planning
Commodities
Comprehensive risk assessment is very crucial to prioritise controls evaluation across various risk categories
Accounting Information
Budgeting & Forecasting
Completeness/Accuracy
Investment Evaluation
Investor Relations
Pension Fund
Regulatory Reporting
Relevance
Taxation
Human Capital
Integrity
Technology
Financial Instruments
Foreign Exchange
Accountability
Change Readiness
Communications
Competencies/Skills
Empowerment
Hiring/Retention
Leadership
Outsourcing
Performance Incentives
Succession Planning
Training/Development
Conflict of Interest
Employee Fraud
Ethical Decisionmaking
Illegal Acts
Management Fraud
Third-Party Fraud
Unauthorized Acts
Access
Availability
Data Integrity
e-Commerce
Infrastructure
Reliability
Technological
Capacity
Interest Rate
Liquidity
Modeling
Opportunity Cost
Right description of risk is also crucial, e.g. Employee Overtime vs. Liquidated damages
7. Risk Evaluation and Quantification
Supplier concentration risk
ABC Ltd Overall
• Budgeted Sales: 2000 $ Mln
• Target EBIDTA: 300 $ Mln
Potential Impact (Supplier A)
• Sales Dependency: 200 $ Mln (10% of Budgeted Sales for FY 10-11)
• Margin of such sales: 40 $ Mln (13% of Target EBIDTA for FY 10-11)
Likelihood of failure: 50%
Impact X Likelihood = Value at Risk
• 100 $ Mln of sales i.e. 5% of sales
• 20 $ Mln of EBIDTA i.e. 6.5% of EBIDTA
Assessment of likelihood is dependent on the supplier's financial status, its exposure to economic factors, plant location, relations with supplier, competitors' activities, disruption at its premises, contractual agreements, previous default history among other factors.
Mitigation
• Adequate stock to support change over time
• Share manufacturing facility
• Alternative supplier development
• Outright market purchase of end product
Transfer
• BI and LOP Policy
• Supplier extension clause
To evaluate risks one needs to be fully aware of the impact of the risk, preferably in financial terms
8. Risk Management Strategies – Some tools
Organisation's Risks: Strategic, Operations, Financial, Compliance
Business is exposed to multiple risks
Risk Capacity / Appetite
Ability to manage risk depends on Risk Appetite / capacity
Risks - fully managed internally by the organisation
Risks - Partly managed internally by the organisation
Risks - Cannot be managed by Organisation and needs to be transferred
• Elimination / Termination
• Avoidance
• Tolerate / Acceptance
• Mitigation and Monitoring
• Transfer
Significant portion of risks can be transferred through contractual / insurance
9. Internal Control Framework
Governance / Oversight Control: Audit Committee, Risk Council
Administrative Controls: Policies, Guidelines, SOPs
Management Controls: Self Assessment, Questionnaire based
Monitoring Controls: MIS, KPIs, Reports, Risk Radar. Reviews
On Ground process controls: SOD, IT, Access
Internal Audit, SOX, Risk Management, Compliance
Predictive or Detective
Whistle Blower, Independent Forum
Extended Controls: Customer, Vendor, Regulator, Bank Controls
External Controls influencing internal controls
There is a world beyond Risk and Control Matrix (RCM)….
10. In our journey can we help Business to embrace Risk…… with greater understanding
Your greatest growth opportunities are your greatest risks reversed