Risk management: how to implement Turnbull's proposals and achieve sound internal control
by Andy Wynne
01 Nov 2000
The Turnbull report (issued in September 1999 and available from http://www.icaew.co.uk/internalcontrol) located internal control clearly within the framework of risk management. It also recognised that: "profits are, in part, the reward for successful risk-taking in business, the purpose of internal control is to help manage and control risk appropriately rather than to eliminate it."
Risk management is a developing area and there is an increasing number of books, papers, periodicals and consultants willing to provide their spin on the topic. The aim of this article is to provide a general introduction to the topic and a framework which, it is hoped, can be used to understand more clearly the detailed guidance available from other sources. It should also be of assistance to students studying for the new syllabus, especially the proposed Paper 2.6 on Audit and Internal Review.
All managers have to make decisions in the face of uncertainty. Risk is the possibility that they will experience adverse consequences from these decisions, or not successfully exploit the opportunities that become available. The objective of risk management is to enable managers to take risks knowingly, reduce risks where appropriate and strive to prepare
for a future that cannot be predicted with absolute certainty.
The risk management cycle
Risk management is a dimension of good management that requires the following steps:
- establish a business framework;
- identify all significant risks;
- measure risks;
- deal with the most important risks;
- monitor arrangements.
Establish a business framework
A clear business framework should be developed for risk management. This should be documented within a formal risk management policy. This should set out:
- the corporate attitude to risk and its risk appetite: the types and levels of risk that are considered acceptable;
- responsibilities for risk management: risk should be considered during all management initiatives, but specific risk management aspects should be assigned to named managers;
- an outline of the formal risk management procedures, review and
- procedures to ensure a suitable level of risk awareness and communication across the organisation.
The setting of clear, documented corporate and departmental objectives is a precondition for risk management. Responsibility for risk management rests ultimately with the board (or equivalent) who should retain responsibility for the major risks the organisation faces. However, all levels of managers and staff should be responsible and actually feel they
have responsibility for the management of risk in their particular area.
Identify all significant risks
Effective managers should be aware of the risks in their area of responsibility. However, each organisation will benefit from ensuring that the identification and assessment of risks is conducted in a structured way at each level within its management hierarchy. This should include a top-down approach at corporate level; a bottom-up approach at departmental or section level; and an analysis of the links between these.
The senior management team and departmental managers should be responsible for conducting a detailed identification of the risks the organisation faces in achieving its corporate objectives. Meetings should be held with groups of managers at each level within the organisation to:
- brainstorm risks facing each activity undertaken;
- identify existing controls to mitigate risks and further action that is necessary;
- identify named managers responsible for each risk and associated
- agree the monitoring action to be undertaken.
In some organisations, risk management has developed from the insurance function. However, risk management should be concerned with more than just the insurable risks. It includes all the uncertainties and opportunities that an organisation faces. These risks may be analysed as follows:
- corporate issues;
- personnel issues;
- health and safety;
When identifying risks many managers will identify the symptoms of risk. However, to enable risks to be effectively managed the underlying reason for the risk exposure (its cause) will have to be identified.
Measure risks
There are two aspects or dimensions to measuring risk:
- the impact of the risk: what is the potential damage that the
- the likelihood of the risk: how likely is it that the damage will
One approach to measuring risks is by assigning monetary values and probabilities to each risk. However, it is more practical to assign
ratings to each aspect, see Figure 1.
Figure 1: risk rating scale (Level / Impact / Likelihood / Probability)
Level 1
  Impact: The organisation would not survive.
  Likelihood: Certain.
Level 2
  Impact: Major impact on the achievement of the organisation's business plan and the quality of its overall services.
  Likelihood: Probable (likely to happen each year); probability 50% - 80%.
Level 3
  Impact: Significant impact on the success of the business and quality of its services.
  Likelihood: Possible (could happen in the next three years); probability 25% - 50%.
Level 4
  Impact: Some impact on the organisation's staff and minor effect on its clients.
  Likelihood: Unlikely (may happen in the next five years).
Level 5
  Impact: Insignificant impact on the organisation or its staff.
  Likelihood: Remote; probability less than 5%.
The degree of sophistication that is necessary when considering the significance of risks should be carefully considered. The approach adopted should be kept as simple as possible. At one extreme risks could just be assigned to one of the four quadrants in a risk evaluation matrix such as the one included opposite. As a compromise the impact and
likelihood of a risk could be identified as being high, medium or low.
A number of organisations have found that control self-assessment type
workshops are a useful means of identifying and assessing the significance of the risks that the organisation faces. In this case a facilitator can help a group of managers to brainstorm the full range of risks that exist. They will then collectively determine the significance of each of the individual risks.
Deal with the most important risks
The process of identifying and measuring risks may be referred to as risk profiling. Once the risks have been profiled the most important (perhaps the top 20 at each level within the organisation) should be reviewed to ensure that they are being effectively managed. There are four main ways
of dealing with risks:
Risks may be accepted if they have a low impact or are not likely to occur. Risks with a high impact but low likelihood may be accepted, but plans should be developed to ensure the continuation of the smooth running of
the organisation if they crystallise.
Risks may be reduced by improving internal controls by, for example implementing internal audit recommendations. Risks need not, and often cannot, be eliminated, but they should be reduced to a level that is
acceptable to the organisation.
If the risk is too great for the organisation and it is not practical to reduce the risk then the risk should be avoided. For example, it may be better for a college to avoid the risk of establishing a new course
if the demand cannot be assessed clearly.
Insurance is the usual way of transferring risks especially high impact risks that cannot be accepted. As an alternative the risk may be transferred by contracting out certain functions or through joint
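The rating scale of Figure 1 and the four responses above (accept, reduce, avoid, transfer), worked as a small risk register in Python. This is an added example, not part of the article: the cut-off that treats levels 1 and 2 as "high", the severity ranking, and the sample risks are assumptions made here.

```python
from dataclasses import dataclass

# Figure 1 rating scale: level 1 is the most severe impact and the most likely
# occurrence, level 5 the least.
IMPACT = {1: "would not survive", 2: "major", 3: "significant", 4: "some", 5: "insignificant"}
LIKELIHOOD = {1: "certain", 2: "probable", 3: "possible", 4: "unlikely", 5: "remote"}

@dataclass(frozen=True)
class Risk:
    name: str
    cause: str        # the underlying reason for the exposure, not its symptom
    impact: int       # Figure 1 impact level, 1 (worst) to 5
    likelihood: int   # Figure 1 likelihood level, 1 (certain) to 5 (remote)
    owner: str        # named manager responsible for the risk

def validate(risk):
    """Reject ratings outside the 1-5 scale before they distort the profile."""
    if risk.impact not in IMPACT or risk.likelihood not in LIKELIHOOD:
        raise ValueError(f"{risk.name}: impact and likelihood must be rated 1-5")

def quadrant(risk):
    """Place the risk in one of the four quadrants of a risk evaluation matrix.
    Assumption (not stated in the article): levels 1-2 are 'high', 3-5 'low'."""
    impact = "high" if risk.impact <= 2 else "low"
    like = "high" if risk.likelihood <= 2 else "low"
    return f"{impact} impact / {like} likelihood"

def treatment(risk):
    """Response for each quadrant, following the article's four options."""
    hi_impact, hi_like = risk.impact <= 2, risk.likelihood <= 2
    if not hi_impact:
        return "accept"  # low impact: accept whatever the likelihood
    if not hi_like:
        return "accept, but prepare continuity plans in case it crystallises"
    return "reduce (improve controls), avoid, or transfer (insure or contract out)"

def profile(risks, top=20):
    """Risk profiling: rank by severity (lower level sum is worse, impact breaks
    ties) and return the most important risks for management review."""
    for r in risks:
        validate(r)
    return sorted(risks, key=lambda r: (r.impact + r.likelihood, r.impact))[:top]

# Constructed sample register (illustrative values, not from the article).
REGISTER = [
    Risk("Key supplier fails", "single-source contract", 2, 3, "Head of Procurement"),
    Risk("Server room flood", "basement location", 1, 4, "Facilities Manager"),
    Risk("Late expense claims", "paper-based forms", 5, 1, "Finance Manager"),
    Risk("New course under-recruits", "demand not assessed", 2, 2, "Dean"),
]
```

Calling `profile(REGISTER)` returns the register ordered from the most to the least severe risk, and `quadrant` and `treatment` give the matrix position and the article's response for each entry.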
Monitor arrangements
Once the key risks of the organisation, department or section have been identified, assessed and appropriate action determined, this process should be monitored and kept under review. A full review of the risks that the organisation faces should be undertaken at least once every three years. In addition, each year the risk management process at each level within the organisation should be formally reviewed. The risks that have crystallised and any changes to the impact or likelihood of each significant risk should also be considered.
One way to achieve this is to combine this process with existing business planning routines such as revising the strategic plan or developing annual budgets. This could be achieved by requiring managers to complete and report risk matrices or maps for their area of responsibility. An example of a possible format for such a risk matrix is shown.
Where necessary further action should be agreed to deal with unacceptable outstanding risks. Departments should report to senior management and senior management should report to the Board on the results of this risk review process.
When an organisation has developed and implemented a comprehensive risk management process it should be in control and have a sound system of internal control. According to the Turnbull report: "A system of internal control is... sound to the extent that it provides reasonable assurance that a company will not be hindered in pursuing its business objectives or in the orderly and legitimate conduct of its business by reasonably foreseeable occurrences."