Enterprise Risk Management Approach in Establishing the System of Internal Control.
Because risk can never be predicted with certainty, we must have a corporate-level strategy to address a possible event from both positive and unfavorable perspectives. This is the subject of enterprise risk management (ERM).
Enterprise Risk Management is a matter of preparation, experience, skills and personalities. Effective enterprise risk management is dependent on the availability and precision of real-time information as well as the speed in resolving issues.
To establish a risk-driven internal control system, one must be crystal clear about what the organization’s goals are. These can be short, medium or long-term. Ask what risks are linked with each of these aims. A control is risk-driven if it addresses the risks facing an enterprise in satisfying its goals. Hence, to establish a risk-driven system of internal control you will need to link the goal, risk and control.
Of course, controls are not fail-safe. Thus, no matter how good your control is, it will not be able to address human error, management overrides of control and poor judgment in decision-making.
We all face risk each day and we overcome it either consciously or unconsciously. Risk Management is a matter of preparation, experience, skill and personalities. Effective enterprise risk management and financial risk management depend on the accessibility and accuracy of real-time information plus the speed in resolving issues. Because risk is never predictable with certainty, we must have a strategy to address a possible event from both favourable and unfavourable perspectives.
To put our thoughts on risk management into a structured method, we can break it up into a series of activities.
Some of the critical issues in the risk management framework are discussed as follows:
Identifying & Measuring Risks
Identifying risks is one of the most crucial activities in enterprise risk management. Without understanding the risks, we would not know what steps to take.
There are a few common methods to identify risks. These methods are:
- SWOT analysis.
- PEST analysis.
- Reliance Model.
- Michael Porter’s five forces.
All these approaches can be combined and used simultaneously.
Measuring risk has never been simple, and scientific ways of measuring risks may involve actuarial science computation and calculation of the Beta factor.
However, there is a simple method of measuring risk based on two common-sense parameters, i.e. the likelihood and the impact of the consequences. The magnitude of these measurements can be profiled on a number of scales such as two by two, three by three, or even five by five. All of these scales are acceptable; the choice depends on the level of detail at which an individual wants to analyse his or her risks.
Enterprise Risk Management Approach.
1. Identifying Risks:
- Techniques, e.g. Strengths, Weaknesses, Threats, Opportunities, PEST, Dependency Model, 5 Forces.
- Modes: Workshop, interview, survey, management report, checklist.
2. Measurement & Prioritization of Risks
3. Strategy Choices: Accept, transfer, eliminate, insure, control & share.
Although we may be acquainted with these modes of on-going review and evaluation, the board of directors must assess:
- Has the on-going review and evaluation mechanism kept pace with the changes in its operations?
- Is the level of detail of the information essential for its decision-making and checking of risk and control applicable, sufficient, adequate and timely?
In this instance, the Chairman, with the support of the Chief Executive Officer, Company Secretary and Internal Auditor, would have a vital role to play in collating the information required for the Board to perform such evaluation at the Board level.
The Board of Directors (BOD) must receive information that is not just historical or bottom-line and financially oriented but information that goes beyond assessing the quantitative performance of the business. In this respect, the Chairman has primary responsibility for organizing the information required for the Board to address the agenda and for providing this information to directors on a timely basis.
Perform On-Going Reviews and Assessment of Risks and Effectiveness of the System of Internal Control
This is an area where most firms would already have a system in place. Common forms of on-going review and evaluation are reviews of budget and variance reports, ISO inspection reports, internal audit reports, and the external auditors’ management letter.
Making Risk Management and Control Part of Business Culture
Setting up internal control and enterprise risk management systems is purely a matter of form. But making risk management and control part of the business culture will change the form into substance.
There is no fixed order as to whether the organization ought first to put in place the enterprise risk management and internal control framework or to inculcate a suitable risk culture in the firm and in its people.
Making risk management and control part of the business process is definitely an on-going and long-term process. It is also a painful process, simply because it needs a transformation of mindset at all levels of management and staff, and it is best attained through the implementation of a strategic plan. Such a strategic plan cannot be limited to senior management only. Instead, it needs to involve all levels of employees and preferably to include external business associates, such as government, bankers, suppliers and buyers.
The critical factors the Board should take into account in using substitute means of obtaining assurance are:
- Whether such regular review and assurance it obtains are objective; and
- What are the stakeholders’ perceptions on the substitute means used by the BOD?
Some of the alternative means that can be used are peer reviews and control self-assessment.
There are benefits an internal audit function can bring to a corporation, and its roles in corporate governance, risk management and internal control are considerable. In making investment decisions, institutional investors need to look at the existence of an internal audit function in a company.
Internal Auditors have a great part to play in corporate governance, risk management and internal control. Some firms may prefer the internal auditor to remain in the main role of offering independent assurance, and others may want them to be more proactive and take part in risk management.
To summarize, enterprise risk management involves everybody in the enterprise and requires awareness of the methods and rules of risk management. In addition, the Board has these responsibilities:
- Board should acknowledge its responsibility for the system of internal control and reviewing the adequacy and integrity of such system.
- Whether there is a continuous process of enterprise risk management in place for the year under review.
- Whether the Board reviews the system of internal control routinely and such a review is in accordance with enterprise risk management (ERM) guidelines.
- Summarize the process it has applied in reviewing the system of internal control.
Filed under category by on Aug 19th, 2011.