
Risk Management

In document: June 2015 Second Edition (pages 94-97)

Risk Management Framework

7.1 Risk management, or enterprise risk management (ERM), should be considered as a key component of organisational strategy, as it reduces the likelihood of potential failures, increases the chances of success, and contributes to an organisation’s sustainable growth and long-term prosperity. Risk management forms part of the glue that holds corporate governance together.

7.2 Risk management helps to anticipate and manage future events by incorporating a decision-making process to determine the best way(s) to deal with potential losses and pursue potential opportunities. It is an on-going process to identify, evaluate and manage risks. All organisations must accept varying degrees of risks in order to accomplish their missions, and should determine whether the type and the degree of risks they face are maintained within tolerable levels.

Risk management cannot guarantee that risks would not materialise, but it can provide a reasonable basis for managing risk of failure to achieve business objectives.

Protecting Assets and Mitigating Impacts

7.3 The risk management system needs to be flexible enough to handle rapidly changing internal and external environments. To ensure continued effectiveness, it should be re-evaluated thoroughly on a regular basis.

7.4 Organisations may face litigation - even for frivolous reasons. Risk management can provide a series of processes and procedures to enable the organisation to demonstrate that it has followed the appropriate steps in its activities.

It can also serve to provide evidence that could help the organisation to prevail in a lawsuit.

7.5 Boards may consider purchasing insurance to mitigate certain risks.

Insurance can transfer some of the financial consequences of risk to another party, but it does not eliminate all negative impacts, particularly in non-financial areas.

Common Types of Organisational Risks

(1) Strategic Risk: Relating to high-level goals associated with the support of the organisation’s mission

(2) Operational Risk: Relating to the effective and efficient use of an organisation’s resources and the delivery of its services

(3) Reporting Risk: Relating to the reliability of the organisation’s reporting procedures

(4) Compliance Risk: Relating to the organisation’s compliance with applicable laws and regulations

Risk Management Programme

7.6 Developing a risk management programme involves:

• Determining the organisation’s risk-taking appetite so as to ascertain the nature of risks which the organisation is willing to take. Risk management is equally important irrespective of the organisation’s risk appetite. An organisation that is more of a risk-taker may put in less stringent controls but it should, however, undergo the same risk management practices as a risk-averse organisation.

• Risk identification considers and articulates any serious risks which the organisation faces. The organisation first has to identify risks by examining its functional areas, such as sourcing of funds, community service initiatives and administrative operations. The board should also perform a broader risk analysis based on understanding the

It can then identify what type of uncertainties would threaten the organisation’s mission and operational plan.

• Evaluating and prioritising risk helps the organisation to make appropriate decisions about when and where to invest its time and resources. The organisation should develop criteria to prioritise risks according to their impact on the organisation and the likelihood of their occurrence. Not every risk faced is material and critical. The goal is to create a workable and practical list of significant risks on which to focus risk management efforts.

• Selecting appropriate risk mitigation tools is the process of developing strategies to minimise the possibility of risks materialising and how to handle them if they do occur. When determining the approach, the organisation can choose to change, transfer, avoid or retain the risks.

• Monitoring and updating the risk programme allows the organisation to learn from experience. Management should be responsible for reporting risk events and the performance of controls to the board on a regular basis.

7.7 A checklist for a risk management framework is at Annex 5.

Internal Control and Audit

Internal Control

7.8 Internal control is a process, overseen by management, designed to provide reasonable assurance regarding the effectiveness and efficiency of operations in achieving objectives, reliability of financial reporting, and compliance with applicable laws and regulations.

7.9 Controls help to reduce certain risks to acceptable levels, and to enable management to identify any potential problems on a timely basis. A review should take place at least once a year, covering all key controls, including financial, operational and compliance controls and risk-management functions.

Internal Audit

7.10 Internal audit is a tool used by management to identify and assess on an independent basis potential risks to the organisation’s operations.

The primary functions of internal audits are to review the adequacy of internal controls that are established to ensure compliance with regulations, policies, plans, procedures and business objectives. Ensuring completeness, accuracy and reliability of financial reporting, safe custody of assets, appraising activities and utilisation of resources are equally important functions of internal audit.

All these internal audit functions help assist management in achieving the organisation’s objectives and ensuring the economical, efficient and effective use of resources.

Types of Internal Controls


Detective: Designed to detect errors or irregularities that may have occurred.

Corrective: Designed to correct errors or irregularities that have been detected.

Preventive: Designed to keep errors or irregularities from occurring in the first place.

7.11 Internal auditors provide independent and objective advice on risks and controls related to business operations, and should not assume any executive responsibilities such as preparing, installing or engaging in any transactional processes. The internal auditor should be free of any undue influence from the executive in identifying areas of audit and selecting audit methodologies. Except for specialist audits which require professional knowledge of other disciplines (e.g. quantity survey in construction projects), internal audit staff should be trained in accountancy and proficient in applying auditing methods, procedures and techniques.

7.14 Audit reports should have restricted circulation and should not normally be issued to others without the approval of the Head of Internal Audit and the knowledge of the auditee. Every year, the internal auditor should submit both an annual audit plan and a report setting out the conclusions and recommendations arising from the internal audit direct to the Audit Committee (or board if no Audit Committee exists) for information.

7.15 The US Institute of Internal Auditors’ best practice requires that the internal audit function itself should be reviewed at least once every five years.
