Risk Assessment
COSO Principles
The organisation:
• specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives;
• identifies risks to the achievement of its objectives across the entity and analyses risks as a basis for determining how the risks should be managed;
• considers the potential for fraud when assessing risks;
• identifies change that could significantly impact the system of internal control.
Risk & Risk Tolerance
Risks affect an entity's ability to succeed, compete within its industry, maintain its financial strength and positive reputation, and maintain the overall quality of its products, services and people.
You cannot reduce risk to ZERO. Management must determine what level of risk is acceptable (risk appetite) and understand how much tolerance it has for exceeding its risk levels (risk tolerance). See COSO p. 53.
Risk Identification
Considers entity, subsidiary, division, operating unit & functional level.
Internal & external factors.
Entity level risks (e.g. economic changes) – para 28, COSO p. 59. See example para 231, COSO p. 60.
Transaction level risks.
Identifying Risk
PEST analysis – Political, Economic, Social, Technological risks/factors
Five Forces – Threat from new entrants; Threat from substitute products or services; Bargaining power of customers and suppliers; Competitors; Intensity of rivalry within the industry
SWOT – Strengths, Weaknesses, Opportunities and Threats
Business Risk
Product-related
◦ Sales price variability
◦ Costs – input variability
◦ Demand variability – economic cycle – product replacement pipeline
◦ Elasticity of demand for product
◦ How can selling price be adjusted for changes in cost?
Operating leverage
◦ The extent to which costs are fixed
◦ The higher this level, the higher the business risk: the business cannot react efficiently to changes in circumstances
◦ Profitability and ultimately ROE (Return on Equity) is impacted
◦ Measured by the standard deviation of a firm's ROE
Financial Risk
The degree to which the Firm is leveraged or financed by debt.
Debt-holders are creditors of the Firm and so have priority in getting paid.
Profits must pay operating expenses followed by financial costs before any is available for either re-investment or distribution to equity shareholders.
This puts the risk of failure onto the equity shareholders, as the amounts due to debt holders are obligations of the Firm and take precedence.
Increased levels of debt generally lead to an increase in the ROE, as there is a demand for a higher return to compensate for the additional risk.
◦ This can have the short-term impact of reducing the share price.
◦ However, the standard deviation is greater, so that the distribution is flatter.
Audit Risk
Audit Risk – the risk that the auditors may give an inappropriate audit opinion on the financial statements.
Components shown:
• Engagement Risk
• Inherent Risk – at entity level, and at account balance and class of transactions level
• Control Risk
• Detection Risk
• Independence in fact risk
• Sampling Risk
• Quality Control Risk
Inherent Risk
Entity level:
• Mgt integrity
• Mgt experience & competence
• High key personnel turnover
• Unusual pressures on mgt
• Nature of entity's business (e.g. technological advancement)
• Nature of industry
• Complex computer system
• Qualified opinion in previous years
Account balance and class of transactions level:
• Susceptibility to misstatement or loss
• Complex transactions
• High degree of judgment
• Quality of accounting systems
• Complex transactions at or near year end
• Non-routine transactions
Control Risk
• Not directed to routine transactions
• Collusion
• Overriding of controls
• Controls changing in line with changes in procedures / business
• Changes in 3rd parties carrying out controls
• Complex computer systems
• Lack of segregation of duties
Trade-off between cost and benefit
Risk Response depends on Likelihood & Impact
How likely is the risk to happen? What is the potential size of the risk (will it be material)?
Then decide to:
1. Accept
2. Avoid – exit from the activity giving rise to the risk (FX contract)
3. Reduction – action to reduce (enter FX forward contract)
4. Sharing – insurance, hedging
Response will always consider cost / benefit.
Risk of Fraud
Fraud v Error
Fraud – intentional (has a motive, which is usually financial gain). Error – unintentional (mathematical / clerical error).
Directors: active role – prevention and detection.
Auditors:
• No prevention role
• Deterrent role
• Detection is based on “reasonable expectation”
Auditor & Director Responsibility with Respect to Fraud
Perception Gap – public belief that the auditor’s responsibility is to prevent and detect fraud and error.
Types of Fraud
Asset Misappropriation – stealing / misusing company assets
Fraudulent Reporting – misstating financial reports
Audit Approach to Fraud & Error
The auditor must consider the risk of material misstatement due to fraud or error.
Error is usually easier to identify, as if it is a genuine error there will be no attempt to hide it.
However, due to the intentional nature of fraud, efforts have usually been made by the perpetrator to cover their tracks.
Collusion involves two or more individuals working together to commit fraud and is even more difficult for the auditor to detect.
Auditor considers:
• Nature of business (susceptibility to misappropriation, e.g. cash business)
• Laws & regulations
• Indications of money laundering activity
• Internal controls environment
• Areas susceptible to management override
• Related party transactions
• Materiality & complexity of transactions
The Fraud Triangle
Conditions present which indicate fraud:
• Incentive / Pressure to create fraud
Employee – living beyond means, impossible targets, performance-related bonus / pay.
Company – performing badly, high market expectations.
• Opportunity for fraud to occur
Employee – ineffective/absent controls, management override, absence of internal audit.
Company – complex overseas transactions.
• Rationalisation of the individual / company
Tone at the top / no visible harm / no perceived repercussion.
The Fraud Triangle (Barclays)
Barclays – The Irish Times, July 16 2012 (Cormac Butler)
Conditions present which indicate fraud:
Delay revealing of large losses by “sale” of illiquid assets to an off-shore account.
• Incentive / Pressure to create fraud
Aggressive bonus structure
• Opportunity for fraud to occur
Offshore company (Protium) (creative accounting, control / accounting loophole)
• Rationalisation of the individual / company
Traders routinely took bets knowing they could eventually fix the rate they wanted (a form of insider trading and market manipulation) – “Everybody does it” and it will eventually “fix itself”, so no real harm done.
Fraud & CAATs
Computer Assisted Audit Techniques can help the auditor analyse increased volumes of material more easily via data manipulation / interrogation (e.g. Excel) – a powerful audit tool.
Examples include:
• Search for duplicate payments
• Match vendor address / bank details to employee address
• Identify large round-sum amounts
• Highlight creditors with debit balances
• Identify scrapped inventory followed by re-orders
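The five CAAT tests listed above, as an added Python example that is not from the original slides: each check runs over a small constructed payments ledger, vendor master, employee list, creditor balances and inventory log (all sample data constructed here; the cut-offs for "large" and "round" amounts are assumptions).

```python
from collections import Counter

# Constructed sample data (not from the original slides).
PAYMENTS = [
    {"id": 1, "vendor": "V100", "amount": 1250.00, "ref": "INV-77"},
    {"id": 2, "vendor": "V100", "amount": 1250.00, "ref": "INV-77"},  # duplicate
    {"id": 3, "vendor": "V200", "amount": 50000.00, "ref": "INV-12"},  # round sum
    {"id": 4, "vendor": "V300", "amount": 842.17, "ref": "INV-90"},
]
VENDORS = {
    "V100": {"address": "12 Elm St", "iban": "IE00BANK0001"},
    "V200": {"address": "9 Quay Rd", "iban": "IE00BANK0002"},
    "V300": {"address": "4 Oak Ave", "iban": "IE00BANK0003"},  # same as an employee
}
EMPLOYEES = [
    {"name": "A. Clerk", "address": "4 Oak Ave", "iban": "IE00BANK0003"},
    {"name": "B. Buyer", "address": "1 Main St", "iban": "IE00BANK0099"},
]
# Creditor ledger balances: credit balances positive, a debit balance negative.
CREDITOR_BALANCES = {"V100": -1250.00, "V200": 0.0, "V300": 842.17}
INVENTORY_LOG = [  # (item, event), in chronological order
    ("SKU-1", "scrap"), ("SKU-1", "reorder"), ("SKU-2", "reorder"), ("SKU-3", "scrap"),
]

def duplicate_payments(payments):
    """Same vendor, amount and invoice reference paid more than once."""
    seen = Counter((p["vendor"], p["amount"], p["ref"]) for p in payments)
    return sorted(key for key, n in seen.items() if n > 1)

def vendor_employee_matches(vendors, employees):
    """Vendors whose address or bank details equal an employee's."""
    return [(vid, e["name"]) for vid, v in vendors.items() for e in employees
            if v["address"] == e["address"] or v["iban"] == e["iban"]]

def large_round_sums(payments, threshold=10000.0, unit=1000.0):
    """Payment ids at or above threshold that are exact multiples of unit (assumed cut-offs)."""
    return [p["id"] for p in payments
            if p["amount"] >= threshold and p["amount"] % unit == 0]

def creditors_with_debit_balances(balances):
    """Creditors (suppliers) whose account sits in debit, i.e. possibly overpaid."""
    return sorted(v for v, b in balances.items() if b < 0)

def scrapped_then_reordered(log):
    """Items written off as scrap and later re-ordered."""
    scrapped, flagged = set(), []
    for item, event in log:
        if event == "scrap":
            scrapped.add(item)
        elif event == "reorder" and item in scrapped:
            flagged.append(item)
    return flagged
```

Each function returns the exceptions for follow-up rather than a verdict; on a real ledger the matching keys and cut-offs would be tuned to the entity and its materiality level.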
The Current Environment & Fraud
Recession & financial difficulty usually result in increased fraud as motivation and opportunity increase.
e.g. Profits are not what they were and management wants to hide this / wants to hide obsolete stocks.
• 50% of Irish corporate respondents have confirmed that they have experienced a significant instance of fraud in the past two years, compared to 16% of corporates globally and 21% in Western Europe.
• 85% of Irish respondents feel that their board members are increasingly concerned about their own personal liability in terms of fraud, bribery and corruption (in comparison to 76% globally). Ernst & Young 11th Global Fraud Survey.
Examples of lesser known frauds:
• Fictitious firm
• Inventory theft
• Tampering with employee records
• Identity theft
Section 6.13 indicates the steps to prevent corporate fraud.
Pay special attention to ..
• Changing external environment
• Changing physical environment
• Changing business model
• Significant acquisitions & divestitures
• Foreign operations
• Rapid growth
• New technology
• Significant personnel changes
Risk Appetite – Central Bank – Corporate Governance Code for Credit Institutions & Insurance Undertakings
Agenda
1. Regulatory environment
2. General definition of risk appetite and risk tolerance
3. Governance structure
4. Contributors to your risk appetite
5. Communication of your risk appetite
6. Principles for risk appetite and tolerance
7. How can you make it work in your environment?
Regulatory Environment
Central Bank Strategy 2010-2012
• Strengthen the prudential supervisory framework for financial institutions.
• Improve the domestic regulatory framework applying to financial institutions.
• Ensure that supervisory resources are allocated to areas of greatest risk.
• Ensure that new financial institutions entering the market are competently managed and have appropriate business models.
• Provide compliance assistance to financial institutions.
• Improve compliance through the application of enforcement powers.
• Ensure that market participants act in a fair and transparent manner.
• Focus on insurance firms with the biggest inherent risk profile due to their size, complexity or retail involvement to ensure they have the right level of supervisory cover and engagement. These firms and their management will be held accountable for their actions.
• Establish a dedicated Enforcement Division with special investigative units established for the first time and led by people at senior level.
General Definition of Risk Appetite
Qualitative statement
‘Risk appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of value.’ (COSO)
‘The amount of risk that an organisation is prepared to accept, tolerate, or be exposed to at any point in time.’ (‘The Orange Book: Management of Risk – Principles and Concepts’)
Quantitative statement
• The individual responsibility and assessment of the institution.
General Definition of Risk Appetite
Risk appetite is an expression of willingness or capacity to tolerate high or low levels of exposure and volatility in order to achieve strategic objectives.
Group Risk appetite is set by the Board; it reflects shareholder aspirations and takes policyholder and regulator requirements into consideration.
The articulation of Risk appetite provides clarity and sets constraints which support parameters for businesses to work within when setting and agreeing strategy and setting local Risk appetites. It also provides a reference to discuss risk-taking based on an assessment of associated risk and return.
General Definition of Risk Appetite
Clarity empowers acceptable risk-taking and maximises the potential for businesses to achieve their strategic objectives.
Constraints prevent businesses from taking unacceptable risks, thereby reducing the erosion of value (e.g. through operational losses).
Risk appetite is aligned to key value drivers for the business, but as these vary between businesses and regions it is necessary to define Risk appetite at the three levels of the group’s hierarchy, ensuring that these statements are aligned to the group Risk appetite statement.
Risk Tolerance
Risk tolerance is a description of the variance a business will tolerate in relation to deviations from a target or maximum level of risk exposure, and could be, for example, a limit (e.g. no more than £100m of exposure to AA-rated fixed income securities) or a threshold (e.g. invest a minimum of £100m of economic capital into insurance risk).
This definition contrasts with Risk appetite insofar as Risk appetite sets out statements of desired Risk positions, whereas Risk tolerance sets out the specific metrics to which these Risk positions will be managed.
Risk Tolerance
• Risk analysis – In conducting a risk analysis, the risks that the business is exposed to are identified and assessed. One of the outputs of this activity is the business’s Risk profile.
• Controls – Controls are put in place in order to mitigate potential liabilities and the exposure of the business to risks. Controls are a key mechanism for managing risk and are put in place to provide reasonable assurance that likely unexpected loss or volatility will remain within Risk tolerance. Risk tolerance will also aid assessment of where controls may be disproportionate relative to the underlying risk.
• Actions – Actions are put in place to reduce residual risk exposure to within Risk tolerance. Similarly to Planning/change, Risk tolerance provides the benchmark against which the benefit of such actions can be assessed.
• Line management and reporting – Line management provides insight to management on the risks facing the business, which assists in managing threats and opportunities to the business. These insights are essential to setting Risk appetite. Risk tolerance is key to the reporting and escalation processes in the business, linking reporting to Risk appetite through Risk tolerance.
• Planning/change – The Planning/change process requires that an explicit consideration of risk is incorporated into the strategic change and planning process. Risk appetite provides a benchmark for the acceptance of risk, risk management and risk mitigation across the business.
Governance Structure
Top Down – Bottom Up
• Board responsibility to set the Risk Appetite
• Cannot delegate responsibility
• Ensure risk is clearly embedded in policy and procedures
• Ensure that the business is managed in accordance with group policies
• Executive Management's responsibility to clearly communicate, manage and monitor this risk appetite.
• Risk/Credit and/or Control Committees to feed into the criteria for setting this appetite through regular reporting and monitoring.
• 2nd and 3rd Line of Defence to actively engage with the business on setting risk appetite and vice versa.
Governance Structure
Top Down – Bottom Up
• Implement a working communication plan around Risk Appetite through Risk Management, Compliance and, most importantly, the management of the business
• Ensuring there is awareness of the Loss Event process within your department
• Ensuring there are no outstanding risk actions
• Reporting any Loss / Near Miss Events as and when they arise
• Informing the Risk team of any Significant Events as and when they arise
• Supporting the identification of any new Risks
Monthly
• Have risk as a standing item at team meetings
• Report progress on outstanding Actions to Risk Team
Quarterly
• Monitor key controls through indicators and record scores and evidence
• Coordinate final quarterly assessment of current risks based on operating effectiveness of controls
• Report to Risk Team via RCT on current assessment of risk
3 Lines of Risk Mgt
1. Business Units
2. Compliance and Risk
3. Internal Audit
How do they feed into the setting of your risk appetite?
Communication of Risk Appetite
Good communication of your Risk Appetite will ensure the following:
1. Supporting and providing evidence of the decision-making processes.
2. Demonstrating how each element of the business contributes to the overall risk profile.
3. Showing how different resource allocation strategies can add to or lessen the burden of risk.
4. Supporting the approvals process.
5. Identifying specific areas where risks should be removed.
6. Transparency and consistency of business decisions.
7. Improved understanding of risk-based budgets.
Principles for Risk Appetite and Tolerance
The following principles are useful guides to developing Risk appetite and Risk tolerance statements:
• Risk appetite and Risk tolerance statements should be clear and concise;
• The distinction between Risk appetite and Risk tolerance should be made clear;
• When setting Risk appetite and Risk tolerance statements, part of this activity should involve consideration of the return the risk is expected to generate by way of earnings, cashflow, value creation and return on capital, the acceptable volatility of this return, and the potential the risk has for loss (earnings, capital, or brand value) by way of impact and probability. This should link to the Business’s value drivers and the KPIs which are established to monitor them through performance management processes.