
Internal Audit & Corporate Risk Management

Risk management has come to be regarded as an essential element of good governance, and as an integral part of internal control.

Definition of risk
Risk can be defined as either: a threat to achieving corporate objectives or outcomes, or an opportunity to enhance or accelerate the achievement of corporate objectives. "The chance of something happening that will have an impact on business objectives." "Risk arises as much from failing to capture business opportunities as it does from a threat that something bad will happen."

Definition of risk management


It is about making the most of opportunities and about achieving objectives once those decisions are made.

- Controlling Risks
- Transferring Risks
- Living with Risks

The Turnbull report


Turnbull stated that a sound system of internal control:

- Includes both financial and operational controls;
- Helps to safeguard stakeholder and company assets;
- Contributes to the management of risks which impact on the achievement of business objectives;
- Helps to ensure reliability of reports to stakeholders;
- Is dependent on a regular evaluation of the risks to which a company is exposed.

General Principles of Risk Management & Internal Audit


In some organisations internal audit is directly involved in the risk management function of the business. In other organisations internal audit is involved in reviewing this function.

Risk Management Cycle


- establish a business framework
- identify all risks
- measure risks
- deal with risks
- monitor arrangements.

Risks may be identified from a series of risk categories


- political/policy
- financial
- health and safety
- legal/regularity
- corporate issues
- commercial
- operational
- reputational.

Two key aspects of risk:

- cause - who or what causes the exposure to happen. This can be a type of person (e.g. staff or public); an event (e.g. fire, flood); or it can be the absence of appropriate action;
- effect - the logical outcome of the potential risk turning into an actual exposure. This should be described qualitatively (e.g. additional cost, loss of income).

Measuring Risk

| Impact | Likelihood | Probability |
| --- | --- | --- |
| The organisation would not survive | Certain | More than 80% |
| Major impact on the achievement of the organisation's business plan and the quality of its overall services | Probable (likely to happen each year) | 50% - 80% |
| Significant impact on the success of the business and quality of its services | Possible (could happen in the next three years) | 25% - 50% |
| Some impact on the organisation's staff and minor effect on its clients | Unlikely (may happen in the next five years) | 5% - 25% |
| Insignificant impact on the organisation or its staff | Remote | Less than 5% |

Deal with risks


accept; reduce; avoid; transfer.

Example Format for Risk Matrix

| Operational & financial risks | Manager responsible | Method of dealing with risk | Action | Monitoring activity & outcome |

Role of Internal Audit


It is fundamental that internal audit addresses the organisation's most significant risks. Internal audit will be more effective if its view of the organisation's most significant risk exposures is aligned with that of the organisation's senior managers.

Risk management is a vital aspect or dimension of management and business planning

- bottom up risk identification of significant issues at departmental level to ensure that staff are extensively involved in the process and risk management becomes an accepted dimension of planning
- top down strategic review of risks from the Board's perspective to ensure that all risks to achievement of corporate objectives are identified and action on most significant risks is prioritised.

Benefits of adopting a formal approach to corporate risk management

- clearly identifying all the significant risks that the organisation faces
- setting the evaluation of these risks in the context of the organisation's corporate objectives
- prioritising risks to ensure that management and resources are focused on the critical areas
- developing a suitable level of risk awareness by managers and staff
- ensuring a positive attitude to risk management and knowledge of the organisation's policy towards risk.
