By Ernest Owens,2014-11-30 12:43

Risk management? How to implement Turnbull's proposals and achieve sound internal control

by Andy Wynne

01 Nov 2000

The Turnbull report (issued in September 1999 and available from ...) located internal control clearly within the framework of risk management. It also recognised that: "profits are, in part, the reward for successful risk-taking in business, the purpose of internal control is to help manage and control risk appropriately rather than to eliminate it."

Risk management is a developing area and there is an increasing number of books, papers, periodicals and consultants willing to provide their spin on the topic. The aim of this article is to provide a general introduction to the topic and a framework which, it is hoped, can be used to understand more clearly the detailed guidance available from other sources. It should also be of assistance to students studying for the new syllabus, especially the proposed Paper 2.6 on Audit and Internal Review.

All managers have to make decisions in the face of uncertainty. Risk is the possibility that they will experience adverse consequences from these decisions, or not successfully exploit the opportunities that become available. The objective of risk management is to enable managers to take risks knowingly, reduce risks where appropriate and strive to prepare for a future that cannot be predicted with absolute certainty.

The risk management cycle

Risk management is a dimension of good management that requires the following steps:

- establish a business framework;
- identify all significant risks;
- measure risks;
- deal with the most important risks;
- monitor arrangements.

Establish a business framework

A clear business framework should be developed for risk management. This should be documented within a formal risk management policy. This should

- the corporate attitude to risk and its risk appetite, i.e. the types and levels of risk that are considered acceptable;
- responsibilities for risk management: risk should be considered during all management initiatives, but specific risk management aspects should be assigned to named managers;
- an outline of the formal risk management procedures, review and reporting timetables;
- procedures to ensure a suitable level of risk awareness and communication across the organisation.

The setting of clear, documented corporate and departmental objectives is a precondition for risk management. Responsibility for risk management rests ultimately with the board (or equivalent), who should retain responsibility for the major risks the organisation faces. However, all levels of managers and staff should be responsible, and actually feel they have responsibility, for the management of risk in their particular area.

Identify all significant risks

Effective managers should be aware of the risks in their area of responsibility. However, each organisation will benefit from ensuring that the identification and assessment of risks is conducted in a structured way at each level within its management hierarchy. This should include a top-down approach at corporate level; a bottom-up approach at departmental or section level; and an analysis of the links between these two approaches.

The senior management team and departmental managers should be responsible for conducting a detailed identification of the risks the organisation faces in achieving its corporate objectives. Meetings should be held with groups of managers at each level within the organisation to:

- brainstorm risks facing each activity undertaken;
- identify existing controls to mitigate risks and further action that is necessary;
- identify named managers responsible for each risk and associated control action;
- agree the monitoring action to be undertaken.

In some organisations, risk management has developed from the insurance function. However, risk management should be concerned with more than just the insurable risks. It includes all the uncertainties and opportunities that an organisation faces. These risks may be analysed as follows:

- political/policy;
- corporate issues;
- personnel issues;
- financial;
- commercial;
- legal/regulatory;
- health and safety;
- operational;
- reputational.

When identifying risks, many managers will identify the symptoms of risk. However, to enable risks to be effectively managed, the underlying reason for the risk exposure (its cause) will have to be identified.

Measure risks

There are two aspects or dimensions to measuring risk:

- the impact of the risk: what is the potential damage that the organisation faces?
- the likelihood of the risk: how likely is it that the damage will

One approach to measuring risks is by assigning monetary values and probabilities to each risk. However, it is more practical to assign ratings to each aspect, see Figure 1.

Figure 1: Impact and likelihood ratings

Level 1
  Impact: The organisation would not survive.
  Likelihood: Certain.

Level 2
  Impact: Major impact on the achievement of the organisation's business plan and the quality of its overall services.
  Likelihood: Probable (likely to happen each year).
  Probability: 50% - 80%.

Level 3
  Impact: Significant impact on the success of the business and quality of its services.
  Likelihood: Possible (could happen in the next three years).
  Probability: 25% - 50%.

Level 4
  Impact: Some impact on the organisation's staff and minor effect on its clients.
  Likelihood: Unlikely (may happen in the next five years).

Level 5
  Impact: Insignificant impact on the organisation or its staff.
  Likelihood: Remote.
  Probability: less than 5%.

The degree of sophistication that is necessary when considering the significance of risks should be carefully considered. The approach adopted should be kept as simple as possible. At one extreme, risks could just be assigned to one of the four quadrants in a risk evaluation matrix such as the one included opposite. As a compromise, the impact and likelihood of a risk could be identified as being high, medium or low.

A number of organisations have found that control self-assessment type workshops are a useful means of identifying and assessing the significance of the risks that the organisation faces. In this case a facilitator can help a group of managers to brainstorm the full range of risks that exist. They will then collectively determine the significance of each of the individual risks.

Deal with the most important risks

The process of identifying and measuring risks may be referred to as risk profiling. Once the risks have been profiled, the most important (perhaps the top 20 at each level within the organisation) should be reviewed to ensure that they are being effectively managed. There are four main ways of dealing with risks:

- accept;
- reduce;
- avoid;
- transfer.

Risks may be accepted if they have a low impact or are not likely to occur. Risks with a high impact but low likelihood may be accepted, but plans should be developed to ensure the continuation of the smooth running of the organisation if they crystallise.

Risks may be reduced by improving internal controls by, for example, implementing internal audit recommendations. Risks need not, and often cannot, be eliminated, but they should be reduced to a level that is acceptable to the organisation.

If the risk is too great for the organisation and it is not practical to reduce the risk, then the risk should be avoided. For example, it may be better for a college to avoid the risk of establishing a new course if the demand cannot be assessed clearly.

Insurance is the usual way of transferring risks, especially high impact risks that cannot be accepted. As an alternative the risk may be transferred by contracting out certain functions or through joint
Monitor arrangements

Once the key risks of the organisation, department or section have been identified, assessed and appropriate action determined, this process should be monitored and kept under review. A full review of the risks that the organisation faces should be undertaken at least once every three years. In addition, each year the risk management process at each level within the organisation should be formally reviewed. The risks that have crystallised and any changes to the impact or likelihood of each significant risk should also be considered.

One way to achieve this is to combine this process with existing business planning routines such as revising the strategic plan or developing annual budgets. This could be achieved by requiring managers to complete and report risk matrices or maps for their area of responsibility. An example of a possible format for such a risk matrix is shown.

Where necessary, further action should be agreed to deal with unacceptable outstanding risks. Departments should report to senior management, and senior management should report to the Board on the results of this risk review process.


When an organisation has developed and implemented a comprehensive risk management process it should be in control and have a sound system of internal control. According to the Turnbull report: "A system of internal control is... sound to the extent that it provides reasonable assurance that a company will not be hindered in pursuing its business objectives or in the orderly and legitimate conduct of its business by reasonably foreseeable occurrences."
