P5 How organisations manage risk 2.3
means of managing risk using responses and controls
- Created by: mumuna
- Created on: 23-05-13 14:26
Risk responses - see annex
Risk responses are the means by which an organisation chooses to manage individual risks. The challenge is that risks are tolerated but the impact is not fully recognised.
- Treat - TAKE ACTION TO REDUCE IMPACT OR LIKELIHOOD: introduce a control such as a check by the manager, then a finance team check, of staff expense claims
- Transfer - TRANSFER RISK IN PART OR WHOLE TO ANOTHER ORG: contract out services (building and maintenance) or outsource (contract mgmt function/IAS)
- Terminate - STOP: end the activity, using an alternative or refusing to deliver goods to an area that is not pleasant
- Tolerate - CARRY OUT NO FURTHER CONTROLS, AS COST OF CONTROLS IS EXCESSIVE OR WHAT IS THERE IS SUFFICIENT, e.g. staff stationery theft (accept risk as low value) / shop tolerating a small amount of shoplifting
- Take Opportunity - AFTER CONSIDERING, E.G. FIXING MORTGAGE RATE OR ENERGY PRICE TARIFF, which may save the consumer money
SEE TABLE
*CONTROLS TO MANAGE RISKS INCL ACRES
CONTROL DEFINED AS
ANY ACTION BY MANAGEMENT, THE BOARD AND OTHER PARTIES TO ENHANCE RISK MANAGEMENT AND INCREASE THE LIKELIHOOD ESTABLISHED OBJECTIVES AND GOALS WILL BE DELIVERED
ACTION TAKEN BY MANAGEMENT TO PLAN, ORGANISE AND DIRECT PERFORMANCE OF SUFFICIENT ACTIONS TO PROVIDE REASONABLE ASSURANCE THAT THE FOLLOWING WILL BE ACHIEVED:
- ACCOMPLISHMENT OF OBJECTIVES AND GOALS
- COMPLIANCE WITH POLICIES, PLANS AND PROCEDURES
- RELIABILITY AND INTEGRITY OF INFORMATION
- ECONOMICAL AND EFFICIENT USE OF RESOURCES
- SAFEGUARDING OF ASSETS
CONTROL FRAMEWORKS - COSO
Individual risks require a range of responses to be managed effectively. Internal control is considered essential for good management as it helps organisations meet their objectives. The IIA defines control as 'any action taken by management, the board and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved'.
One of the most influential models is the so-called COSO (THE COMMISSION OF SPONSORING ORGANISATION OF THE TREADWAY COMMITTEE) Internal Control Framework, shown below. The framework consists of five inter-related components:
- control environment - ethical values, integrity, competence & sustainable structure e.g. policies and processes, reporting and learning environment. SETTING TONE AT TOP
- risk assessment - mechanism to identify, analyse and manage risks. ID & ANALYSE RELEVANT RISKS
- control activities - policies and procedures est by mgmt to ensure obj achieved. ACTIVITIES TO ADDRESS IDENTIFIED RISKS E.G. MOHICAN
- information and communication - system that enables mgmt to, ACTIVITIES TO COMMUNICATE IDENTIFIED RISK
- monitoring - REVIEWING AND MANAGING CONTROL SYSTEMS
A PRACTICAL TOOL TO EVALUATE ORG CONTROLS IS BASIS OF IA WORK PLACE
COSO PT 1
COSO Internal Control framework
COSO PT 2
COSO describes the control environment as setting 'the tone of an organisation, influencing the control consciousness of its people'. Whilst COSO does not use the term culture, its description of the control environment infers culture.
More precisely, the control environment consists of the high-level parameters that influence the organisation's culture.
The IIA defines the control environment as 'the attitude and actions of the board and management regarding the importance of control within the organisation' (emphasis added).
The parameters include integrity, ethical values, Management's philosophy and operating style, Organisational structure, and Human resource policies and practices.
Control processes
These are the daily routines, checks and balances that make the organisation function. The IIA definition is:
COSO PT 3
"The policies, procedures and activities that are part of a control framework, designed to ensure that risks are contained within the risk tolerances established by the risk management process".
CONTROLS IN PRACTICE - MODELS AND TYPES
The table illustrates two alternative ways of categorising controls, with some examples.
Conclusion - Why manage risk tbc
Categorisations are useful to help decide which control to put in place; some controls may fall into more than one category. Training is preventative as well as detective. Training is directive as well as corrective.
If the organisation is not satisfied, because the level of inherent risk exceeds or is higher than its risk appetite, then it should consider implementing risk responses to reduce this level of inherent risk to a residual risk level that equates to the org's appetite for that risk. The challenge for mgmt is to select the most appropriate response.
The overall purpose is to reduce inherent risk (those risks which occur before action is taken) to the organisation to a level equal with its risk appetite. Those controls are a mechanism for managing such risk. They are only effective if the people in an org take responsibility for its management, and if it is continually reviewed, monitored and maintained. This will help an organisation to ensure its processes are working effectively.