Information guidance - basics of risk management

Internal auditors interact with risk management processes in all organisations. IIA guidance uses a particular version of the language and principles of risk management. This guide gives you an overview of the terminology used.

Responsibility for risk management
Start with objectives
Identify risk events
Assess risks
Risk appetite
Responses to risks
Considerations for responses 
Inherent and residual risks
Action plans
Management monitoring of responses
The risk register
Communication and reporting
Assurance and internal audit's value 
Role of internal audit in risk management 


Responsibility for risk management

An organisation's management team is responsible for running the business. This includes identifying anything that might affect the success of the organisation and taking action to mitigate threats and to exploit opportunities: the stuff of risk management.

Ideally, all the actions and decisions described below as part of risk management will become embedded in the normal direction and management of the organisation and will not be a separate process. However, it is easier to explain the essentials by considering them separately for the moment.

Internal audit is not responsible for the organisation's risk management. The internal auditor should never assume any management responsibility for risk and should avoid being involved in any risk management activities that might compromise their independence or objectivity. 


Start with objectives

The objectives of the organisation provide the starting point for any management of risk.

Managers should not think about risk in the abstract but about events that might affect the organisation's achievement of its objectives. These can be problems to avoid or opportunities to grasp.

Managers should also include all the objectives of the organisation, for example, maintaining financial propriety and standards of financial reporting is as important as meeting this year's strategic objectives.


Identify risk events

Organisations use many different methods to identify risk events, including facilitated workshops, and will often use quite sophisticated tools and techniques to find the root cause of events. These techniques are beyond the scope of this guidance.


Assess risks

Once the events are identified, management must evaluate the risk that each event represents. Again, organisations use different methods but the principles are common: risks are assessed in terms of the expected impact if the event materialises combined with the likelihood that the event will materialise. 

The impact and the likelihood can each be expressed either qualitatively or by a score, eg:

  • high, medium or low
  • a score, say, from 1 to 5

It is helpful to provide guidelines to managers in different parts of the organisation so that they assess risks in a comparable way.

However, there is no reason why risks cannot be assessed on a different basis at different levels of an organisation.

Overseas subsidiaries may assess the impact of the risk events affecting them in relation to their own value as well as in relation to the organisation as a whole.

For example, for an event likely to cause the catastrophic failure of the subsidiary the impact may score 5 out of 5 in the subsidiary's risk register, but only 3 out of 5 in the corporate risk register. 

Risks can be plotted on a chart with impact and likelihood axes as in the diagram below. This allows further analysis and comparison to take place.
 

If an organisation uses a numerical scoring system, the risk can be assigned a combined impact-likelihood score by multiplying the two separate scores (so two 1 to 5 scales give a combined score between 1 and 25).

Some organisations use much more sophisticated methods of assessing risks. These include risk modelling and Value at Risk. These methods may depend upon having data on the consequences and frequency of risk events. 


Risk appetite

It is easy when discussing risk management to give the impression that risk is a bad thing and that all risk must be reduced. However, risk is a part of everyday life and is also the source of success, if managed properly.

For this reason, one of the essential responsibilities of management is to decide whether or not a particular risk is acceptable in their organisation. This is known as comparing the risk to the risk appetite of the organisation.

The risk appetite of the organisation should be discussed and approved at board level. Risk management methodologies sometimes talk about setting the risk appetite as one of the first steps.

This is logical. However, in practice, it can be difficult to set risk appetite until there are some identified risks to discuss. The understanding of the organisation's appetite for risk will evolve as the risk management framework is implemented.

However the risk appetite is determined, comparing the risks to it will help management to decide whether or not the level of risk is acceptable to the organisation. If it is not, then the risk must be managed. 


Responses to risks

The different ways to manage risk may be summarised under four categories: terminate, tolerate, transfer or treat. These are all responses to risks.

  • Terminate: terminate the activity or circumstance that gives rise to the risk.
  • Tolerate: do nothing, or rather, consciously accept the level of risk.
  • Transfer: pass the risk to another party, for example by insurance, hedging or contracting it out.
  • Treat: take action to reduce either the impact or the likelihood that the risk event will materialise.

Sometimes, a fifth kind of response is added:

  • Take: as in 'take the opportunity'. This is important if your risk management framework is to include risk events with favourable impacts as well as those with adverse impacts. 

In practice, the organisation will probably use a mixture of the different kinds of responses to address each risk.


Considerations for responses

Whatever response is chosen, the decision should be explicit and should be taken at the appropriate level of authority. For example, the board should formally accept any risk that will be tolerated.

To decide between responses, the board will need to understand:

  • The size of the risk
  • Nature of the risk ie whether its size is due to its potential impact or to the likelihood that it will crystallise
  • Cost and likely efficacy of the proposed response. For example, if transferring or treating a risk is not possible or will cost too much, perhaps more than the risk, the organisation may decide to tolerate the risk.

However, if the risk is particularly large or if the underlying activity is in fact not particularly important to the organisation, a better decision might be to terminate the underlying activity.

When deciding to transfer a risk, it is important to consider carefully what is being done and if, in fact, the risk is being transferred.

Taking the example of outsourcing, it may not necessarily transfer the risk: it may merely change the person responsible for managing it, so that the risk still needs to be treated in some way. Similarly, insurance does not transfer all the risk; it transfers only some or most of the financial cost of the impact, not the impact itself.

Operational and accounting controls are the treatments with which most internal auditors are most familiar. Contingency and disaster recovery plans can also be seen as a form of treatment, since they seek to reduce the impact on the organisation if the risk event materialises.


Inherent and residual risks

A complete risk management framework should assess a risk as both an inherent risk and a residual risk.

An inherent risk represents the impact and likelihood of a risk event if no responses have been applied to manage the risk.

Residual risk, meanwhile, is the impact and likelihood of a risk event after responses have been applied.

The difference between the inherent risk and the residual risk is the effect of the response. Where quantitative methods are used to assess the risk, this effect can be stated as a number, and can be known as the 'response score' or 'control score'.

[Diagram, not reproduced here: response manages inherent risk to within risk appetite]

In a green-field situation, such as a new enterprise or a new project, it may be relatively easy to focus on the inherent risk because there are no existing responses in place.

However, in a continuing organisation introducing risk management for the first time, it can be difficult to disregard existing responses and to focus on the underlying risk.

For example, an inherent risk facing every economic entity is that the invoices it receives are wrong in some way - they could be for goods or services not received or wrongly priced - but most continuing organisations have some existing accounting procedures that are in effect responses to those risks.

Similarly, manufacturing operations face the inherent risk that products will be produced that are the wrong size or shape, but they will have production control processes to respond to those risks. Therefore, it is not easy to focus on the inherent risk.


Action plans

When discussing managing risks in a new venture, it is often implied that responses will be taken to bring the residual risk within the risk appetite. In a continuing operation, it may be clearer to talk about this happening in two stages:

  1. What is the response score of existing responses?
  2. If these do not bring the risk within the risk appetite, what new actions need to be taken to respond to the risk?

Until these actions are successfully implemented, the organisation is still running a risk that lies outside its risk appetite.


Management monitoring of responses

An essential part of the risk management framework is for management to monitor the framework's operation in order to provide assurance throughout the management organisation and to those responsible for governance that it is operating effectively.

Management will need to have processes for ensuring that the risk management stages such as event identification, risk assessment, selection of responses and risk reporting are working.

In particular, since risks change over time, managers also need to have processes for ensuring that risk registers are being updated for new or changing risks and that internal controls are being adapted and developed where necessary.

Managers also need processes for ensuring that existing risk responses are working to manage the risks as expected and that any agreed actions are being implemented. Given that the Turnbull guidance described a sound system of internal control in terms of a risk management framework, this is the same as that guidance's statement that:

'Management is accountable to the board for monitoring the system of internal control and for providing assurance to the board that it has done so'.

Monitoring controls related to treatment responses may include:

  • A monthly checklist of key controls, signed by the staff responsible, as evidence that important checks have been carried out
  • Management approval of bank reconciliations to check for old, or unusual, items
  • Management checks of outstanding debtor lists, to ensure credit controls are operating effectively


The risk register

The results of all the risk management work will be recorded in some way. There are many ways of doing this and many software solutions to help. The essentials are:

  • A description of the risk event
  • An owner
  • The inherent risk assessment: impact and likelihood using the organisation's measurement method, with an inherent risk score if quantitative
  • Information on the responses currently applied to the risk
  • The residual risk assessment, using the same method as for the inherent risk
  • A conclusion whether or not this is acceptable
  • Information on any actions to be taken
  • Monitoring controls to be applied 

Risk registers may be compiled and held in different parts of the organisation.
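The scoring described above (impact multiplied by likelihood, response score as the difference between inherent and residual score, comparison of the residual risk with the appetite, and the two-stage action plan) can be worked through on a small register. The following is an added example, not part of the IIA guidance: the risk events, owners, scores and actions are constructed for illustration, and expressing the risk appetite as a single maximum acceptable residual score is a simplifying assumption the guide itself does not make.

```python
"""Worked risk register on a 1..5 impact and likelihood scale.

Scoring follows the guide: inherent score = impact x likelihood,
response (control) score = inherent score - residual score, and a risk is
acceptable when its residual score is within appetite. The register entries
below are constructed sample data, not a real organisation's register, and
the numeric appetite threshold is an assumption made for this example.
"""

from dataclasses import dataclass, field
from typing import Optional

SCALE = range(1, 6)  # 1..5 for both impact and likelihood


@dataclass
class Risk:
    event: str
    owner: str
    inherent_impact: int
    inherent_likelihood: int
    responses: list = field(default_factory=list)   # responses currently applied
    residual_impact: Optional[int] = None            # None: no response assessed yet
    residual_likelihood: Optional[int] = None
    actions: list = field(default_factory=list)      # agreed but not yet implemented
    monitoring: list = field(default_factory=list)   # monitoring controls to be applied

    def __post_init__(self) -> None:
        # Guidelines for comparable scoring: every score must sit on the scale.
        for name in ("inherent_impact", "inherent_likelihood",
                     "residual_impact", "residual_likelihood"):
            value = getattr(self, name)
            if value is not None and value not in SCALE:
                raise ValueError(f"{name} must be in 1..5, got {value}")
        # With no responses in place the residual risk equals the inherent risk.
        if self.residual_impact is None:
            self.residual_impact = self.inherent_impact
        if self.residual_likelihood is None:
            self.residual_likelihood = self.inherent_likelihood
        # A response can only reduce impact or likelihood, never raise them.
        if (self.residual_impact > self.inherent_impact
                or self.residual_likelihood > self.inherent_likelihood):
            raise ValueError("residual risk cannot exceed inherent risk")

    @property
    def inherent_score(self) -> int:
        return self.inherent_impact * self.inherent_likelihood

    @property
    def residual_score(self) -> int:
        return self.residual_impact * self.residual_likelihood

    @property
    def response_score(self) -> int:
        """Effect of the existing responses (the 'control score')."""
        return self.inherent_score - self.residual_score

    def acceptable(self, appetite: int) -> bool:
        """Stage 1: do existing responses bring the risk within appetite?"""
        return self.residual_score <= appetite


def register_summary(risks: list, appetite: int) -> dict:
    """Consolidate a register for reporting upwards.

    Risks outside appetite are listed largest residual score first. Those with
    no agreed actions need stage 2 (new actions); those with agreed actions
    remain outside appetite until the actions are implemented.
    """
    outside = sorted((r for r in risks if not r.acceptable(appetite)),
                     key=lambda r: -r.residual_score)
    return {
        "outside_appetite": [r.event for r in outside],
        "needing_new_actions": [r.event for r in outside if not r.actions],
        "actions_outstanding": [r.event for r in outside if r.actions],
    }


# Constructed sample register (illustrative only).
SAMPLE_REGISTER = [
    Risk("Supplier invoices for goods not received or wrongly priced",
         "Finance manager", 4, 4,
         responses=["Three-way match of order, receipt and invoice"],
         residual_impact=2, residual_likelihood=2,
         monitoring=["Monthly key-control checklist signed by the AP supervisor"]),
    Risk("Products manufactured to the wrong size or shape",
         "Production manager", 4, 3,
         responses=["In-line production control checks"],
         residual_impact=3, residual_likelihood=2),
    Risk("Loss of the main data centre", "Head of IT", 5, 2,
         responses=["Disaster recovery plan, not yet tested"],
         residual_impact=5, residual_likelihood=2,
         actions=["Test DR failover before year end"]),
    Risk("New market entry fails", "Commercial director", 4, 3),  # no responses yet
]

SAMPLE_APPETITE = 6  # assumed maximum acceptable residual score

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(f"{r.event}: inherent {r.inherent_score}, residual {r.residual_score}, "
              f"response {r.response_score}, acceptable={r.acceptable(SAMPLE_APPETITE)}")
    print(register_summary(SAMPLE_REGISTER, SAMPLE_APPETITE))
```

The validation in `__post_init__` is the code equivalent of the guideline that scores must be comparable across the organisation: an out-of-scale score, or a residual score higher than the inherent one, is rejected rather than silently consolidated into the corporate register.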


Communication and reporting

With all of this activity going on in different parts of the organisation, there will need to be a way of consolidating and summarising the information consistently at the different levels of management.  

The communication and reporting processes need to capture and deliver information about the risks and the responses to them and about the results of the monitoring work. The format, frequency and content of reports will differ depending on the nature and culture of the organisation.

The whole process of risk management is complete only when this information arrives at the level of senior management and the board.


Assurance and internal audit's value

Management's responsibilities include monitoring the framework and providing assurance to the board. Such management assurance is an essential part of an effective risk management system.

However, the board is likely to want several types of assurance, including objective assurance, for which internal audit is a key source. Other sources include external audit and independent specialist reviews.

Internal audit will normally provide assurances on three areas:

  1. Risk management processes, both their design and how well they are working
  2. Management of those risks classified as 'key', including the effectiveness of the controls and other responses to them
  3. Complete, accurate and appropriate reporting and classification of risks 

Research has shown that board directors and internal auditors agree on the two most important ways in which internal audit provides value to the organisation: providing objective assurance that the major business risks are being managed appropriately, and providing assurance that the risk management and internal control framework is operating effectively.

The IIA believes that risk-based internal auditing (RBIA) is the only way for internal auditors to provide such assurances. RBIA is an approach to internal auditing, not a methodology for managing risks.

Read our guide to risk based internal auditing


Role of internal audit in risk management

Managers are responsible for managing risks. Internal auditors are responsible for providing assurance on the effectiveness of risk management.

Internal auditors concentrate on providing assurance. They may also help managers to implement or to improve risk management frameworks, processes or behaviours. Internal auditors can coach managers or facilitate a solution. Internal auditors may not take responsibility for deciding the organisation's risk appetite.