Ethics, Risk, Governance And Fraud Workshop - Fasset


Ethics, Risk, Governance and Fraud Workshop
November 2019
Delegate Workbook
Facilitated by Pro-Active College (Pty) Ltd

The views expressed in this workbook are not necessarily reflective of the official views of Fasset.

Contents

Chapter 1: Growing need for risk assessment . 6
1. Risk management principles . 6
2. Introduction . 7
3. Best practices . 7
4. Glossary of terms . 10
5. Background . 12
6. Why organizations need risk management . 14
7. Five lines of assurance . 17
Chapter 2: Control environment and tone at the top . 23
8. Introduction . 23
9. Applicability . 23
Chapter 3: The risk universe . 24
Chapter 4: Aligning risk management to strategic planning processes . 27
10. Introduction . 27
11. Defining risk management strategy . 27
12. Alignment between risk management and organizational objectives . 27
13. Strategic risk assessment (SRA) . 28
Table 1: Strategic risk register layout . 29
Chapter 5: Risk Management Policy . 30
14. Introduction . 30
15. Policy . 30
16. Focus areas of a risk management policy . 30
17. Risk categories . 31
Chapter 6: Risk identification and assessment . 35
18. Introduction . 35
19. The purpose of a risk assessment . 35
20. The risk assessment process . 36
21. Risk context . 38
22. Risk management context . 38
23. Risk criteria . 39
24. Risk Identification . 40
25. The risk identification process . 40
26. Risk workshops and interviews . 40
27. Focus points of risk identification . 41
28. How to perform risk identification . 42
29. Understand what to consider when identifying risks . 43
30. Gather information from different sources to identify risks . 43
31. Apply risk identification tools and techniques . 43
32. Document the risks identified . 44
33. Document your risk identification process . 44
34. The outputs of risk identification . 45
35. Risk Analysis . 46
36. Risk Analysis Methods . 46
37. Risk analysis techniques . 47
38. Risk assessment . 49
Table 2: Inherent risk ratings . 51
Table 3: Likelihood ratings . 51
39. Determine the inherent risk rating . 52
Table 4: Heatmap – risk rating . 53
40. Identify and evaluate existing control effectiveness . 53
Table 4: Effectiveness ratings . 56
41. Assessing of likelihood and consequence . 56
Table 5: Operational risk register . 57
42. Document risk assessment process . 57
43. Risk assessment considerations . 58
44. Outputs . 58
45. Risk evaluation . 58
Table 6: Risk index . 59
46. Treat the risk - risk response . 59
47. Developing a risk response strategy . 60
48. How to respond to risks? . 61
49. Opportunities versus threats . 63
Diagram 3: A Sample Value Map . 64
Chapter 7: Risk Appetite and Risk Tolerance . 65
50. Introduction . 65
51. Approach . 66
52. Calculating risk appetite . 68
Table 7: Risk tolerance . 69
53. Risk tolerance statements . 70
54. Graphical depiction of risk appetite . 70
Table 14: Risk rating parameters . 71
55. Communication of risk appetite . 71
56. Risk targets . 72
Chapter 8: The role of internal audit in combined assurance . 73
57. Role of internal audit . 73
58. Ways of coordinating combined assurance . 73
59. IIA and 3 lines of defense . 74
60. COSO recommendations . 74
Chapter 9: Communication and Reporting . 76
61. Introduction . 76
62. Implementing an efficient and effective risk management reporting system . 76
63. Types of risk management reports . 77
Table 15: Types of reports to be generated . 82

Risk management – delegate handbook

Chapter 1: Growing need for risk assessment

1. Risk management principles

During the last five years several public and private sector enterprises failed. The question that can be asked is whether risk management could have prevented such failures. Why is it that some enterprises can survive tough economic decisions and others fail? This training would attempt to answer some of the questions. Some examples of failures are included below:

A set of guiding principles is indispensable for risk management to be effective in an organization. According to the ISO 31000 Standards for Risk Management, these principles would include:

Risk management creates and protects value
Risk management contributes to the demonstrable achievement of objectives and improvement of performance at all levels in the organization, and across all functions and processes, for example, human health and safety, security, legal and regulatory compliance, environmental protection, product quality, project management, efficiency in operations, governance and reputation.

Risk management is an integral part of all organizational processes
Risk management is not a stand-alone activity that is separate from the main activities and processes of the organization. Risk management is part of the responsibilities of, not only management, but of all organizational personnel, and an integral part of all organizational processes, including strategic planning and all project and change management processes.

Risk management is part of decision making
Risk management helps decision makers make informed choices, prioritize actions and distinguish among alternative courses of action, especially where there is a level of uncertainty associated with the achievement of objectives and projected outcomes, and the risk reward ratios vary for the different decision options.

Risk management explicitly addresses uncertainty
Risk management explicitly takes account of uncertainty, the nature of that uncertainty, and how it can best be addressed to either optimise value creation or minimise value destruction.

Risk management is systematic, structured and timely
A systematic, timely and structured approach to risk management contributes to efficiency and to consistent, comparable and reliable results.

Risk management facilitates continual improvement of the organization
Organizations should develop and implement strategies to improve their risk management maturity alongside all other growth and performance activities of their organization.

2. Introduction

Risk management is a management discipline with its own set of techniques and principles. It is a recognised management science and has been formalised by international and national codes of practice, standards, regulations and legislation. Risk management forms part of management's core responsibilities and is an integral part of the internal processes of an organization. Worldwide, managers are simplifying the processes and practices of risk management to optimise the cost-benefit thereof, with a greater shift away from compliance for the sake of compliance, to a greater focus on the pursuit of value creation opportunities, the achievement of objectives, and the mitigation of potential value destruction.

3. Best practices

Risk management is a systematic process to identify, evaluate and address risks pro-actively and continuously before such risks can impact negatively on the organization's service delivery.

When properly executed, risk management provides reasonable, although not absolute, assurance that the organization will be successful in achieving its goals and objectives.

The ISO 31000 [1] standards and COSO [2] risk management frameworks are recognised as providing the best available practice guidance on risk management; this framework is based on many of the principles contained in these frameworks.

Locally, the South African King codes on corporate governance [3] have been breaking ground in this space and are observed as one of the leading governance codes, competing favourably with other international codes, also regarding their reference to risk management and how it should be dealt with within organizations.

[1] Risk Management Principles and Guidelines, SANS 31000:2009 Edition 1 / ISO 31000:2009 Edition 1, all pages.
[2] COSO Enterprise Risk Management – Integrated Framework, Executive Summary, September 2004.
[3] The King Code of Corporate Governance, chapter 6, Institute of Directors of Southern Africa, 2009.

Figure 1: Risk agenda

King III principles address the responsibility of risk, mostly as these pertain to the board and its subcommittees. Boards should:
a. Be responsible for the governance of risk;
b. Determine the levels of risk tolerance/appetite;
c. Establish a risk committee or audit committee to assist the board in carrying out its risk responsibilities; and
d. Delegate to management the responsibility to design, implement and monitor the risk management plan.

King III principles also address the management of risk, whereby the board should ensure that:
a. Risk assessments are performed on a continual basis;
b. Frameworks and methodologies are implemented to increase the probability of anticipating unpredictable risks; and
c. Management considers and implements appropriate risk responses.

King III principles address the monitoring, assurance and disclosure of risk, whereby the board should:
a. Ensure continuous risk monitoring by management;
b. Receive assurance regarding the effectiveness of risk management processes; and
c. Ensure that there are processes in place enabling complete, timely, relevant, accurate and accessible risk disclosure to stakeholders.

King IV recommends that the board should appreciate that the core purpose of the organization, its risks and opportunities, strategy, business model, performance and sustainable development are all inseparable elements of the value creation process. The board should:
a. Assume responsibility for organizational performance by steering and setting the direction for the realisation of the core purpose and values through its strategy;
b. Delegate the formulation and development of short, medium and long term strategy to management;
c. Approve the strategy by considering:
   i. The timelines and parameters of the short, medium and long term;
   ii. The risks and opportunities relating to the organizational environment; and
   iii. The various forms of capital supporting the strategy.
d. Oversee whether the organization frequently and continuously assesses the negative consequences of its activities and outputs; and
e. Be alert to the general viability of the organization with regard to its capital resources, its solvency and liquidity and its status as a going concern.

4. Glossary of terms

Audit Committee
An independent committee constituted to review the effectiveness of control, governance and risk management within the organization.

Chief Audit Executive
A senior official within the organization responsible for internal audit activities.

Chief Risk Officer
A senior official who is the head of the risk management unit.

Combined assurance
Integrating and optimising all assurance services and functions, so that, taken as a whole, these enable an effective control environment, support the integrity of the information used for decision-making by management, the business and its committees to maximise risk and governance oversight and control efficiencies, and optimise overall assurance to the audit and risk committee, within the organization's risk appetite.

Compliance risks
Compliance risks include the risk that laws, regulations, policies, procedures and contractual obligations will be breached. This would typically include risks associated with legal and regulatory obligations.

External risks
External risks are related to requirements or forces imposed on an organization from outside. The organization cannot control the likelihood they will occur; it can only prepare for and respond to them. They include legal/regulatory, natural hazard, economic, technological, social and demographic risks.

Financial risks
Financial risks include the risk of loss of revenue and/or earnings as a result of price volatility, the inability to secure funding capital, an increase in bad debts, etc. This would typically include risks associated with the market, credit, liquidity, solvency and capital availability.

Governance
The act of directing, controlling and evaluating the culture, policies, processes, laws, and mechanisms that define the structure by which organizations are directed and managed.

Inherent Risk
The exposure arising from risk factors in the absence of deliberate management intervention(s) to exercise control over such factors.

Integrated risk management
A continuous, pro-active and systematic process to understand, manage and communicate risk from an organization-wide perspective in a cohesive and consistent manner. It requires an ongoing assessment at every level and in every sector of the organization, aggregating these results at the executive level, communicating them and ensuring adequate monitoring and review.

Internal Audit
An independent, objective assurance and advisory activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

King IV report
King 4 report on corporate governance in South Africa, 2016, and specifically part 6.2: Supplement for organizations.

Operational risks
Operational risks could include the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. This would typically include risks associated with business continuity, fraud, people, processes and systems.

Residual Risk
The remaining exposure after the mitigating effects of deliberate management intervention(s) to control such exposure (the remaining risk after management has put in place measures to control the inherent risk). However, risk can also be reduced by transferring (outsourcing, sharing) the management of that risk. This is extremely important in the business environment where outsourcing is a viable alternative to poor service delivery.

Risk
Risk is about the uncertainty of events, including the likelihood of such events occurring and their effects, both positive and negative, on the achievement of the organization's objectives. Risks include uncertain events with a potential positive effect on the organization (i.e. a value creation opportunity) not being captured or not materialising.

Risk Appetite
Risk appetite can be defined as the amount and type of risk that an organization is willing to take in order to meet its strategic objectives. Organizations will have different risk appetites depending on their maturity, location, culture and objectives. A range of appetites exists for different risks and these may change over time.

Risk Management
Systematic and formalised processes to identify, assess, manage and monitor risks.

Risk Policy
The statement of the overall intentions and direction of an organization related to risk management.

Risk Tolerance
The amount of risk the organization is capable of bearing (as opposed to the amount of risk it is willing to take).

Strategic risk
Strategic risks are those internal and external events and scenarios that can inhibit an organization's ability to achieve its strategic objectives. This would typically include risks associated with governance, the business model and the industry/economic environment.

Technology
Comprises the infrastructure, devices, systems and software that are used to record, analyse, report and maintain risk management information, to enable risk management decision making.

5. Background

Organizations are bound by their strategic mandate to provide services or products in the interest of the public good. No organization has the luxury of functioning in a risk-free environment and organizations are especially vulnerable to risks associated with fulfilling their mandates.

a. Risk management is a valuable management tool which increases an organization's prospects of success through minimising negative outcomes and optimising opportunities. Local and international trends confirm that risk management is a strategic imperative rather than an option within high performing organizations.
b. High performing organizations set clear and realistic objectives, develop appropriate strategies aligned to the objectives, understand the intrinsic risks associated therewith and direct resources towards managing such risks on the basis of cost-benefit principles.
c. Organizations should, in accordance with the previously mentioned prescripts under 6(a), implement and maintain effective, efficient and transparent systems of risk management and internal control.
d. The underlying intention of (d) above is that organizations should, through the risk management process, achieve, among other things, the following outcomes needed to underpin and enhance performance:
   - More sustainable and reliable delivery of services;
   - Informed decisions underpinned by appropriate rigour and analysis;
   - Innovation;
   - Reduced waste;
   - Prevention of fraud and corruption, unauthorised, fruitless and irregular expenditure;
   - Better value for money through more efficient and effective use of resources; and
   - Better outputs and outcomes through improved project and program management.
e. Risk management enables an organization to:
   - Increase the likelihood of achieving service delivery objectives;
   - Encourage proactive management;
   - Be continuously aware of the need to identify and treat risk throughout the organization;
   - Improve the identification of both opportunities and threats;
   - Comply with relevant legislative and regulatory requirements;
   - Improve stakeholder confidence and trust;
   - Improve governance on business, organizational manager and senior management level by:
     i. Establishing a reliable basis for strategic and operational decision making and planning;
     ii. Efficiently allocating and using resources for risk treatment;
     iii. Improving operational effectiveness and efficiency;
   - Enhance health and safety performance, as well as environmental protection;
   - Improve controls and loss prevention and incident management; and
   - Improve organizational learning.

6. Why organizations need risk management

Risk management provides a dedicated focus on risk for the following reasons:

6.1 Corporate governance

Corporate governance codes such as King IV expect an organization to implement a risk management plan. As a result of organization failures in the past, stakeholders do not want to be caught unawares by risk events. They expect internal control and other risk mitigation mechanisms to be based on a thorough assessment of organization-wide risks.

Stakeholders require assurance that management has taken the necessary steps to protect their interests. Board members, managers and stakeholders now want to know more about the risks facing an organization. This is understandable in an environment of complex and challenging service delivery expectations.

Figure 2: Risk management and corporate governance

6.2 Planning and organisation

The value of risk management is best leveraged when its principles and techniques are applied during organizational planning processes and organisation. Given the increased levels of volatility and uncertainty, it is vital that plans, particularly multiple year plans, take into consideration a thorough assessment of risks and mitigation strategies. Hence, it becomes clear that planning and risk management are inter-dependent.

6.3 Continuous risk assessment

The risk profile of an organization is changing on an on-going basis. Some risks are created by changes initiated by the organization. An example would be where a new CFO has been appointed or where the supplier master-file has been centralised. Other risks are the result of changes in society, business, legislation or communities. An example is where the credit rating of the country deteriorates, which has a significant impact on the interest rates, and eventually on the cost of servicing debt. A once-a-year risk assessment will not elevate this to the decision-making level.

Even the best management teams will struggle to keep an accurate perspective of changing risks when risk management is approached on an informal basis.

The risk management plan must provide the organization with the ability to systematically identify new and emerging risks, and the assurance that existing risks are being addressed in the best possible way given current resource constraints and other challenges.

Change is often beyond the control of management; however, the risks it creates need to be managed as effectively as possible.

Figure 3 below illustrates continuous monitoring in the form of a robot, changing colours as risks materialise.

Figure 3: Continuous risk assessment and link to the risk based audit plan

6.4 Risk-based internal audit plans

Internal audit plans are now based on the outcomes of risk assessments. Internal auditors are increasingly basing their priorities on the risk management plan and give priority to high-risk assets and processes.

Internal audit is well-placed to independently evaluate the adequacy and effectiveness of key controls. The frameworks of internal control used by auditors are useful contributions to the risk management plan.

Internal audit is a key role player in providing assurance with regard to the effectiveness of risk management.

Figure 3 above illustrates the linkage between continuous risk assessment and the risk based audit plan.

6.5 Cultural adjustment

The essential behaviours of officials charged with responsibility for various activities of risk management must change. This requires a shift in the cultural dynamics insofar as it concerns risk management, which can be achieved through awareness and advocacy, communication, coaching, training and linking risk management to performance measures. Risk management must be a catalyst for change in the behaviour of managers. Managers need to develop competencies to ensure that they make conscious risk-based decisions. Rather than viewing risk management and its associated activities as mere bureaucracy, managers need to look at it as a powerful driver of service delivery excellence.

7. Five lines of assurance

Every organization has objectives it strives to achieve. In pursuit of these objectives, the organization will encounter events and circumstances which may threaten the achievement of these objectives. These potential events and circumstances create risks an organization must identify, analyse, assess, and treat. Some risks may be accepted (in whole or in part) and some may be fully or partially mitigated to a point where they are at a level acceptable to the organization.

The Five Lines of Assurance (5 LOA) [4], as illustrated below, addresses how specific duties related to risk and control could be assigned and coordinated within an organization, regardless of its size or complexity. Board members and management should understand the critical differences in roles and responsibilities of these duties and how they should be optimally assigned for the organization to have an increased likelihood of achieving its objectives. In particular, 5 LOA clarifies the difference and relationship between organizations' assurance and other monitoring activities - activities which can be misunderstood if not clearly defined.

Diagram 1: Layers of the five lines of assurance

5 LOA enhances the understanding of risk management and control by clarifying roles and duties. Its underlying premise is that, under the oversight and direction of the board and the organizational manager, three separate groups (or lines of assurance) within the organization are necessary for effective management of risk and control. The responsibilities o
