Identifying and Assessing Risks: Risks and the risk management process

Risks
Definition: risks are the opportunities and dangers
associated with uncertain future events
Risks can have an adverse (downside exposure) or
favourable impact (upside potential) on the
organization's objectives

Why incur risks?
To generate higher returns a business may have to take
more risk in order to be competitive.
Conversely, not accepting risk tends to make a business
less dynamic, and implies a 'follow the leader' strategy.
Incurring risk also implies that the returns from different
activities will be higher, benefit being the return for
accepting risk.
Benefits can be financial (decreased costs) or intangible
(better quality information).
In both cases, these will lead to the business being able to
gain competitive advantage.
This is sometimes referred to as 'entrepreneurial risk'.

Threats to auditor independence
Self-interest: Auditor could benefit from financial
interests in client
Advocacy: Auditor promotes an audit client's
position or opinion
Intimidation: Auditor is subject to intimidation
Familiarity: Auditor becomes too friendly with client
by working for client for a number of years
Self-review: Auditor in position of reviewing work
they have been responsible for

Exercise
Which of the following are independence issues?
(1) Working as an audit junior on the statutory audit of a major bank with
whom you have your mortgage.
(2) Taking on a large new client whose fees will make up 90% of your
total revenue.
(3) Taking on a large new client whose fees will make up 10% of your
total revenue.
(4) Working as an audit partner and accepting a gold Rolex as a gift.
(5) Performing an internal audit review of controls that you put in place
in your previous role.
(6) Working as an external auditor at a company where you have a
close personal relationship with a person who has a junior role in the
marketing department.
(7) Taking on the audit for a company with which your firm has recently
been involved in a share issue.

Roles in risk management and internal control
Ensuring adequacy and effectiveness of internal control
system: BOD
Setting internal control policies and monitoring
effectiveness of internal control system: Senior executive
management
Establishing specific internal control policies and
procedures: Heads of business units
Operating and adhering to internal control: All employees

Protection of independence
The internal auditors should be independent of
executive management and should not have any
involvement in the activities or systems that they audit.
The head of internal audit should report directly to a
senior director or the audit committee. In addition,
however, the head of internal audit should have direct
access to the chairman of the board of directors, and to
the audit committee, and should be accountable to the
audit committee.
The audit committee should approve the appointment
and termination of appointment of the head of internal
audit.

Reporting on internal controls to shareholders
Shareholders, as owners of the company, are entitled
to know whether the internal control system is
sufficient to safeguard their investment.
To provide shareholders with the assurance they
require, the board should, at least annually, conduct a
review of the effectiveness of the group's system of
internal controls and report to shareholders that they
have done so.
Companies that are more open with their disclosures
regarding internal controls may benefit from
increased shareholder satisfaction as they know their
assets are being well looked after.

Reporting on internal controls to shareholders
By reporting on their internal controls, a company
opens itself to additional scrutiny by shareholders
(and other interested parties) which may improve
corporate governance.
The knowledge that their work will be reported on
externally may help regulate the work of the audit
committee.
By making the chair of the audit committee
available for questions at the AGM, the company
demonstrates that it has nothing to hide, therefore
increasing shareholder confidence.

Roles of audit committee
Key roles of the audit committee are oversight,
assessment and review of other functions and systems in
the company
Review of internal control systems
Oversee work of internal audit
Monitor integrity of financial statements
Review work of external audit

Responsibilities of audit committee
Responsibilities of audit committee in relation to internal
control:
review the company's internal financial controls
review all the company's internal control and risk
management systems, unless the task is taken on by a
separate risk committee or the full board
give its approval to the statements in the annual report
relating to internal control and risk management
receive reports from management about the effectiveness
of the control systems it operates
receive reports on the conclusions of any tests carried out
on the controls by the internal or external auditors.

Responsibilities of audit committee
Responsibilities of audit committee in relation to
internal audit:
Review and assess the annual internal audit work plan
Approve the appointment and termination of head of
internal audit
Preserve independence
Check efficiency of internal audit
Ensure recommendations are actioned
Ensure internal audit is accountable to the audit committee
Monitor and assess effectiveness of internal audit

Responsibilities of audit committee
Responsibilities of audit committee in relation to external
auditor:
have the primary responsibility for making a
recommendation to the board on the appointment,
reappointment or removal of the external auditors
oversee the selection process when new auditors are
being considered
approve (though not necessarily negotiate) the terms of
engagement of the external auditors and the
remuneration for their audit services
have annual procedures for ensuring the independence
and objectivity of the external auditors

Responsibilities of audit committee
review the scope of the audit with the auditor, and
satisfy itself that this is sufficient
make sure that appropriate plans are in place for
the audit at the start of each annual audit
carry out a post-completion audit review.

Responsibilities of audit committee
Define and explain risk in the context of corporate
governance
Define and describe management responsibilities in
risk management
Explain the dynamic nature of risk assessment
Explain the importance and nature of management
responses to changing risk assessments
Explain risk appetite and how this affects risk policy

Questions
Define and explain risk in the context of corporate
governance
Describe management responsibilities in risk
management
Explain the dynamic nature of risk assessment
Explain risk appetite and how this affects risk policy
Distinguish between strategic and operational risk
The importance and nature of business and financial
risks

Factors influencing strategic risks
The types of industries/markets within which the business operates.
The state of the economy.
The actions of the competitors and the possibility of mergers and
acquisitions.
The stage in the product's life cycle, with higher risks in the introductory and
declining stages.
The dependence upon inputs with fluctuating prices, such as oil.
The level of operating gearing: the proportion of fixed costs to total costs.
The flexibility of production processes to adapt to different specifications
or products.
The organization's research and development capacity and ability to
innovate.
The significance of new technology.
The quality of leadership at board level.
Relationships with suppliers.

Factors influencing operational risks
Losses from internal control system or audit
inadequacies.
Non-compliance with regulations or internal
procedures.
IT failures.
Loss of key personnel.
Fraud.
Business interruptions.

Importance and nature of business and financial risks
Business risks are strategic risks that threaten the survival of
the whole business, such as risk from competitor activity,
risk of low sales demand, economic risks, political and legal
risks and so on.
Strategic risks are risks that are related to the fundamental
decisions that the directors take about the future of the
organization, e.g. mergers and acquisitions, environmental
factors, product portfolio.
Financial risk is one of many types of business risks. The
ultimate risk that any company faces is the risk that it will
not continue as a going concern.
This includes capital structure risk (the risk that long-term (LT) sources
will not be available), overtrading, fraud, currency risk, interest
rate risk, market risk, credit risk and liquidity risk.

Impact upon stakeholders involved in business risks
Organizations' attitudes to risks will be influenced by the
priorities of their stakeholders and how much influence
the stakeholders have.
Stakeholders who have significant influence may try to
prevent an organization bearing certain risks.
Shareholders: want steady income from dividend vs.
concerned with LT capital gain. Difference in risk
tolerance.
Debt providers: 1) are concerned about threats to the
amount the organization owes 2) can take various actions
with potentially serious consequences
Employees: Are concerned about threats to their job
prospects and ultimately threats to the jobs themselves

Impact upon stakeholders involved in business risks
Suppliers: Suppliers can provide short-term financing.
Need to build LT relationship
Customers: are concerned with threats to their
getting the goods or services that they have been
promised. Need to build LT relationship
Wider community: Governments, regulatory and other
bodies are particularly concerned with risks that the
organization does not act as a good corporate citizen.
Governments can impose tax increases or regulation
or take legal action.
Pressure groups' tactics can include publicity, direct
action, sabotage or pressure on governments.

Severity and probability of risk events
Risk management is about identifying and assessing
levels of risk.
Risks can be measured as quantified amounts,
although sometimes they are assessed in
qualitative terms (judgment).
For each identified risk, an assessment should
consider the probability or frequency of the risk
event and its likely impact (severity) if it occurs.

Severity and probability of risk events
Risk map and risk dashboard: graphic means of assisting
management with the understanding and assessment of
risks.
The risk map is a simple 2x2 matrix, where one side of the
matrix represents probability and the other side represents
impact.
Based on the assessment of risk
It can be useful for management to prioritize risk
A dashboard can also be used to indicate the current
exposures to the risk (residual risk) and risk appetite of the
company for accepting exposures to the risk.
Residual risk should never be greater than the company's
risk appetite for that risk.

External reporting on internal control
Because of the corporate accounting scandals over
the past ten years, there are stricter requirements on
external reporting.
These requirements are meant to address the concerns
of shareholders and other stakeholders that
management has exercised proper control.
The board should disclose as a minimum in the
accounts,
the existence of a process for managing risks,
how the board has reviewed the effectiveness of the
process and
that the process accords with requirements

Sources of risk information
The organization's code of conduct.
The internal auditors' assessment of risks.
The audit committee's assessment of the
effectiveness of internal control.
External auditors' report on weaknesses in the
accounting and internal controls.
The results of a control self-assessment process by
line management and staff.

As low as reasonably possible (ALARP)
Business is risky, therefore, businesses try to reduce most of
the significant risks, rather than eliminate them.
The general principle is that the higher the level of risk, the
less acceptable it is.
However, there are many risks which cannot be avoided
completely, for example, hazardous activities where there is a
risk of injury or loss of life (e.g. an oil rig, or factory or farm).
Risks like these need to be reduced ALARP. For example, by
installing protective shielding, issuing safety equipment like
hats or protective glasses.
The level of risk mitigation is a trade-off between the cost and
the assessment derived from the risk's likelihood and impact.

Related and correlated risk factors
This has to do with the correlation coefficient between
two risks
If positive correlation, the risks will increase or
decrease together
E.g. There is a strong correlation between reputation
risk and business risk (risks of serious fault found in
the products)
Correlation of risks is important in considering the
costs and benefits of risk management
E.g. major expenditure on controls may reduce risk but
would increase financial risks. How?
Example of negative correlation?
