Simple Risk Management in Four Steps
Risk Management is nothing but Risk Assessment plus Risk Treatment. Risk Assessment exercises should be undertaken regularly (for example, quarterly) in order to check whether internal controls/safeguards are still fit for purpose.
The first question that you have to ask yourself is: Do the controls detect and prevent errors and problems in our existing operations environment? The second question would be: Will the controls help to reduce the impact of new risks? (Risk Mitigation)
The key point is that you should look at Risk Management as an ongoing process. It means that you must review exposure to new and emerging risks continually. So the risk management cycle would have these steps:
1. Risk Identification:
Regularly consider the nature & extent of internal & external risks.
2. Risk Evaluation:
Develop a process to evaluate identified risks, consider the impact that risks may have on operations, and then assess the probability of a risk materializing.
3. Managing the Risk:
Ensure controls are sufficient to detect and/or prevent the problems and understand that internal controls reduce risks.
4. Monitoring of Controls:
Make sure that you have proper procedures to monitor the effectiveness of internal control regularly and ensure controls are up to date and are capable of mitigating new risks.
Now we can walk through all the above-mentioned steps with an example:
1. Risk Identification
As an example, you may face such risks in an organization:
a. Delays in investment
b. Incorrect payment of invoices to suppliers
c. Loss of independent compliance audit
d. IT Failure
2. Risk Evaluation
We follow a quantitative approach to evaluating risk here. In the risk evaluation step you need to rank the impact of that risk on your business and also calculate the likelihood of that event.
Use this formula to calculate/score the risk:
Risk (R) = Likelihood (L) * Impact (I)
For example, for the items in section 1 we may have:
Score of risk a = likelihood of a * impact of a = 6 * 7 = 42
Score of risk b = likelihood of b * impact of b = 2 * 4 = 8
Score of risk c = likelihood of c * impact of c = 3 * 7 = 21
Score of risk d = likelihood of d * impact of d = 2 * 9 = 18
We choose a number between 0 and 9 for likelihood as well as for impact. You can adopt any range.
3. Managing the risk
Now you have to make sure that the risks are mitigated by using proper controls (Risk Mitigation). You have to check the existing safeguards and add more if needed.
These are the potential controls for risks a to d, which were already listed in section 1:
Controls for risk a:
- Director of investment should monitor the time from fund receipt to investment.
- Investment department should monitor investment protocols for delays in investing funds.
Controls for risk b:
- Accounting department should schedule weekly arrangements with the suppliers to check and authorize payments of invoices.
- Accounting department should review expenses against budget.
Control for risk c:
- Maintain separation of company and auditor.
Controls for risk d:
- Presence of up-to-date, certified and tested Disaster Recovery Plan.
- Presence of up-to-date, certified and tested Business Continuity Plan.
4. Monitoring of controls
You should monitor/audit your systems and test them on a regular basis at planned intervals. For example, you can choose the following timeline:
- Test risk a: Quarterly
- Test risk b: Semiannually
- Test risk c: Biannually
- Test risk d: Quarterly
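The scoring from step 2, the controls from step 3 and the test cadence from step 4 can be kept together in one small risk register. The following is an added example, not code from the original post: it applies R = L * I with the page's 0..9 scale, ranks the four risks, and flags controls whose planned test interval has lapsed. The day counts for each interval and the last-test dates are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Scoring scale from step 2: 0..9 for likelihood and impact (any range can be adopted).
SCALE_MIN, SCALE_MAX = 0, 9
# Test cadence from step 4, in days (assumed: quarterly=91, semiannually=182, biannually=730).
INTERVAL_DAYS = {"quarterly": 91, "semiannually": 182, "biannually": 730}


@dataclass
class Risk:
    rid: str            # "a".."d" as on the page
    description: str
    likelihood: int     # L
    impact: int         # I
    controls: list      # safeguards from step 3
    test_interval: str  # key into INTERVAL_DAYS
    last_tested: date   # constructed for the example

    def score(self) -> int:
        """R = L * I; rejects values outside the agreed scale so scores stay comparable."""
        for v in (self.likelihood, self.impact):
            if not SCALE_MIN <= v <= SCALE_MAX:
                raise ValueError(f"risk {self.rid}: {v} outside {SCALE_MIN}..{SCALE_MAX}")
        return self.likelihood * self.impact


def rank(register: list) -> list:
    """Risk ids, highest score first; ties broken by impact so a rare but severe risk is not buried."""
    return [r.rid for r in sorted(register, key=lambda r: (r.score(), r.impact), reverse=True)]


def overdue_tests(register: list, today: date) -> list:
    """Ids of risks whose controls have not been tested within their planned interval."""
    return [r.rid for r in register
            if today - r.last_tested > timedelta(days=INTERVAL_DAYS[r.test_interval])]


# The four risks from step 1 with the page's scores and cadences; last-test dates are constructed.
REGISTER = [
    Risk("a", "Delays in investment", 6, 7,
         ["monitor time from fund receipt to investment"], "quarterly", date(2024, 1, 10)),
    Risk("b", "Incorrect payment of invoices", 2, 4,
         ["weekly invoice authorization", "expenses vs. budget review"], "semiannually", date(2024, 3, 1)),
    Risk("c", "Loss of independent compliance audit", 3, 7,
         ["separation of company and auditor"], "biannually", date(2023, 1, 15)),
    Risk("d", "IT failure", 2, 9, ["tested DRP", "tested BCP"], "quarterly", date(2024, 4, 1)),
]

if __name__ == "__main__":
    print("scores:", {r.rid: r.score() for r in REGISTER})       # {'a': 42, 'b': 8, 'c': 21, 'd': 18}
    print("ranking:", rank(REGISTER))                             # ['a', 'c', 'd', 'b']
    print("overdue:", overdue_tests(REGISTER, date(2024, 6, 1)))  # ['a']
```

Re-running `overdue_tests` at each review date gives the step 4 check directly: any id it returns is a control whose effectiveness is no longer known within the cadence you committed to.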