What is Risk Management?
Risk management is the process of risk identification, risk assessment, risk responses, control testing, information & communication & control monitoring that form part of the life of a business.
Effective risk management process includes implementation of adequate controls to mitigate the identified risk in the business process. It promotes the potential to reduce risk occurrence and its potential impact. The Internal Audit activity must include evaluate the effectiveness and contribute to the improvement of risk management processes.
COSO Risk Management Framework can be defined in the following steps:
- Risk identification
- Risk assessment
- Risk responses
- Control testing
- Information & communication
- Control monitoring
Key Consideration for Risk Management
Enterprise risk management (COSO ERM framework consists of 5 key components)
- Governance & Culture
- Information, Communication & Reporting
- Strategy & Objective Setting
- Review & Revision
Types of Risks Categories
- Strategic Risk (External Risks)
- Strategic Risk (Internal Risks)
- Financial Risk
- Operational Risk
- Market Risk
- Credit Risk
- Competition Risk
- Reputational Risk
- Information Technology Risk
- People Management Risk
- Regulatory Compliance Risk
Key benefits of Risk Management:
- Promotes a safe and secure work environment within the company for all stakeholders.
- Enhance the business operations stability , regulatory compliance & also decreasing legal liability.
- Provides security to business environment from external threats.
- Protects organisations from financial loss, incorrect financial reporting or management frauds.
- Promotes good corporate governance process.
Risk Management Strategies
Following are the step for risk management process:
- Identification of context – Business environment needs to be understood in the following context:
- Laws & regulations
- Capital project
- Business Processes
- Market risks
- Risk identification – Risk identification process includes the following steps:
- Event inventory
- Questionnaires & Surveys
- Leading events indicators & escalation triggers
- Facilitated workshops & interviews
- Process flow analysis
- Loss event data methodologies
- SWOT Analysis
- What if Analysis
- Risk analysis – Risk analysis is to understand the risk impact & its likelihood rating and consequences in case of occurrence. Business objectives should be determined after conducting risk analysis.
- Risk assessment and evaluation – It includes the following steps:
- Assessing the significance of the events
- Assessing the risk ranking
- Understand the risk map
- Risk prioritization
- Risk Modeling
- Risk impact
- Risk mitigation – Organization assess their risk ranking and risk mitigation steps by implementing the adequate controls. Controls are further tested for its adequacy and effectiveness to mitigate the identified risks.
- Risk Responses – Risk response is the process to manage the risk within the organization. It includes risk acceptance, risk reduction, risk avoidance & risk transfer due to which risk is addressed accordingly.
- Risk monitoring – Under this step the following activities are considered:
- Tracks identified risks,
- Evaluate current risk plans,
- Monitors residual risks,
- Identifies new risks
- Communicate – Risk identification methodology, risk response treatment, risk monitoring activities & overall risk management activities should be communicated among staff, stakeholders & employees.