Risk Management and Control
1 Introduction to risk management
1.1 What is risk
“Risk is the effect of uncertainty on objectives”
- Links risk to objectives
- Effect may be negative, positive or a deviation from expectations
- Risk may be considered to be related to: a loss, an opportunity, the presence of an uncertainty for an
organization
ISO Guide 73 = risk classification system for analyzing/evaluating risks based on impact
Hazard or pure risks
- Only result in negative outcomes
- Associated with a source of potential harm of situation with the potential to undermine objectives
- Operational risk: normal efficient operations may be disrupted by loss, damage, breakdown, theft
- Often insurable
Examples:
- People: lack of skilled people and resources, unexpected absence of key personnel
- Premises: damage, insufficient premises
- Assets: theft of loss of physical assets
- Suppliers: delivery of defective goods
- IT: failure of systems, hacker
Hazard tolerance: manage risks to the lowest level that is cost-effective and in compliance with law
Control or uncertainty risks
- Give rise to uncertainty: difference between plans and real outcome
- Extremely difficult to quantify
- Often associated with project management: difficult to predict and control, unknown and unexpected
Control management = reducing the uncertainty and minimizing the potential consequences
> companies are averse to risk, but have to accept a level of uncertainty
Opportunity or speculative risks
- When companies deliberately take risks (market or commercial) in order to achieve a positive return
- Often financial, normal with development of new strategies
- Risk appetite: different for every company
2 kinds: associated with taking an opportunity & associated with not taking the opportunity
Opportunity management = maximize the benefits of taking entrepreneurial risks
> link between opportunity management and strategic planning: maximize the likelihood of a significant
positive outcome from investments in business opportunities
Examples: moving business to new location, diversifying into new products
There is no universal classification for risks (there is no right or wrong), choose one that is most suitable
o Impact: hazard, control, opportunity risks
o Time scale: impact in ST (operations), LT (strategy)
o COSO: strategic operations, reporting, compliance
o FIRM risk scorecard: Financial, Infrastructure, Reputational and Marketplace
Risk management and control – 2024 1
,1.2 What is control
Control mechanisms = all arrangements and procedures in place to ensure that business objectives may be met
Two important dimensions: formal vs. informal control
COSO Classification (in order of best to worst control):
- Preventive: limit the possibility of any undesirable outcome
- Corrective: limit the scope for loss and reduce any undesirable outcomes that have been realized
- Directive: designed to ensure that a particular outcome is achieved, giving directions to people on how
to ensure that losses do not occur: both prevents risks from occurring and detects risks when they occur
- Detective: designed to identify occasions of undesirable outcomes having been realized (after event)
Some traditional control mechanisms: authorization, supervision, segregation of duties, procedure manuals
1.3 Development of Enterprise Risk Management (ERM)
Historically, the term RM was used to describe an approach related to only hazard risks
Early 2000: ERM emerged as an attempt to manage enterprise risks in an integrated way
September 2014: COSO (Committee of Sponsoring Organizations of the Treadway Commission) defined ERM:
“ a process, effected by an entity’s board of directs, management and other personnel, applied in
strategy setting and across the enterprise, designed to identify potential events that may affect the
entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the
achievement of entity objectives “
ERM is constantly developing: 2009: ISO Guide 73: definitions of common terminology
1.4 Corporate governance en regulatory context
Corporate governance = the way organizations are directed and controlled, a set of codes, regulations, standards
- Facilitate accountability and responsibility for efficient and effective performance an ethical behavior
- Obligations placed on the board of an organization
- Protect executives and employees, ensure stakeholder confidence
RM is an integral part of CG, most countries have placed CG requirements: comply or explain of full compliance
CG in Belgian context: Code Lippens, Code 2009, Code Bysse
Almost all organizations use the Code as a framework, only 44% provides a description of the internal control
and risk management system => huge variation in details of description, quality of information
Sarbanes-Oxley Act (SOX) 2002: sets new or enhanced standard for all US companies as a reaction to a number
of accounting scandals
1.5 Control responsibilities
Internal control
= a process effected by the board, management and other personnel (at every level of the organization),
designed to provide reasonable assurance regarding the achievement of objectives in
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
Risk management and control – 2024 2
, Objectives of internal control (IIA)
- Accomplishment of objectives and goals
- Efficient use of resources
- Compliance with policies, plans, laws, regulations
- Safeguarding of assets and prevention of fraud
- Reliable financial and operational reporting
Internal audit
- Working independent for the board of directors
- Validation of the controls and procedures in place to manage risks > tries to give reasonable
assurance to the board that their control works
- Monitoring the effectiveness of the ERM processes (designed and implemented by management)
- Only responsible for reporting (internal control: responsible for activities and their execution)
- Focus on operational audit, continuous, future oriented
- Responsibilities:
o Giving assurance on the risk management processes
o Giving assurance that risks are correctly evaluated
o Evaluating the reporting of key risks
o Reviewing the management of key risks
External audit
- Performed by people independent of the company, works for the stakeholders (3rd party)
- Expert opinion on the financial statements
- Focus on financial audit, periodic, past oriented
Senior management
- Responsible for day-to-day management of risk and risk reporting to the board
- CFO or CRO
- Role of CRO: compliance champion, modeling expert, strategic controller, strategic advisor
Board of directors
- Not responsible for day-to-day management of risks
- Responsible for strategy, policies, values and risk appetite (willingness to take risk)
- Oversight responsibility that ERM processes are comprehensible, in line with strategy and functioning
The three lines of defence
Board
Audit committee
Senior management
Operational Management Risk management compliance Internal audit= 3rd line External
Internal controls = 1st line = 2nd line Audit
How is RM working?
Responsibility of CEO, CFO.. Risk manager, no direct link to
operational
Risk management and control – 2024 3
