INTOSAI GOV 9130 (transcript, 8/13/2019, 39 pages)

INTOSAI GOV 9130. The International Standards of Supreme Audit Institutions, ISSAI, are issued by the International Organization of Supreme Audit Institutions, INTOSAI. For more information visit www.issai.org
Guidelines for Internal Control Standards for the Public Sector
Further Information on Entity Risk Management
INTOSAI
INTOSAI Professional Standards Committee, PSC Secretariat
Rigsrevisionen, Landgreven 4, P.O. Box 9009, 1022 Copenhagen K, Denmark
Tel.: +45 3392 8400 Fax: +45 3311 0415 E-mail: [email protected]
INTOSAI
EXPERIENTIA MUTUA OMNIBUS PRODEST
INTOSAI General Secretariat - RECHNUNGSHOF (Austrian Court of Audit)
Dampfschiffstrasse 2, A-1033 Vienna, Austria
Tel.: ++43 (1) 711 71 Fax: ++43 (1) 718 09 69
E-mail: [email protected]; World Wide Web: http://www.intosai.org
INTOSAI Internal Control Standards Subcommittee
F. VANSTAPEL, Senior President of the Belgian Court of Audit
Regentschapsstraat 2 / Rue de la Régence 2, B-1000 BRUSSELS, BELGIUM
Tel: +32 2 551 8111 Fax: +32 2 551 8629
E-mail: [email protected]
Guidelines for Internal Control Standards for the Public Sector
Further Information on Entity Risk Management
Preface
The 1992 INTOSAI Guidelines for Internal Control Standards were conceived as a living document reflecting the vision that standards should be promoted for the design, implementation, and evaluation of internal control. This vision involves a continuing effort to keep these guidelines up-to-date.

The 17th INCOSAI (Seoul, 2001) recognized a strong need for updating the 1992 guidelines and agreed that the Committee of Sponsoring Organizations of the Treadway Commission (COSO) integrated framework for internal control should be relied upon. Subsequent consultation resulted in a further expansion to address ethical values and provide more information on the general principles of control activities related to information processing.

The updated Internal Control Guidelines were issued in 2004 and should also be viewed as a living document which over time will need to be further developed and refined to embrace the impact of new developments such as COSO's Enterprise Risk Management framework [1]. Accordingly, this addition to the Guidelines has been produced to cover current thinking on risk management, as set out in COSO's ERM framework. As this paper is intended primarily for public sector readers, the term "entity" is used in place of "Enterprise", which has a particular private sector association.

The additional information provided here is the result of the joint effort of the members of the INTOSAI Internal Control Standards Subcommittee. This update has been coordinated by a Task Force set up among the subcommittee members with representatives of the SAIs of France, Hungary, Bangladesh, Lithuania, the Netherlands, Oman, the Ukraine, Romania, the United Kingdom, the United States of America and Belgium (chair).

Franki VANSTAPEL
Senior President of the Belgian Court of Audit
Chairman of the INTOSAI Internal Control Standards Subcommittee

[1] Enterprise Risk Management - Integrated Framework (COSO - September 2004)
Introduction
The underlying premise of the COSO Entity Risk Management framework is that every entity exists to provide value for its stakeholders. In the public sector, general expectations are that public servants should serve the public interest with fairness and manage public resources properly. Effectively the stakeholders are the public and their elected representatives.

All entities face uncertainty and the challenge for management is to determine how much uncertainty to accept as it strives to obtain best value for stakeholders. It is also important to note that uncertainty presents both risk and opportunity, with the potential to erode or enhance value or, in public sector terms, to serve the public interest more or less well. The aim of entity risk management is to enable management to deal effectively with uncertainty and its associated risk and opportunity, enhancing the capacity to build value, to deliver more effective services more efficiently and economically, and to target them whilst taking into account values such as equity and justice.

The INTOSAI Guidelines for Internal Control Standards for the Public Sector present internal control as providing an overarching conceptual framework through which an entity can be managed to achieve its objectives. The COSO ERM framework and other similar models take this a stage further in that the entity can be directed on the basis of identifying future risks and opportunities, to refine objectives and design internal controls to minimise risk and maximise opportunity.

As well as extending the definition of functions covered by the corporate governance regime, entity risk management requires a change in the way organisations think about achieving their objectives. This is because, to be effective, entity risk management is an ongoing process applied in strategy setting, effective across and affected by all levels and every business unit of an entity, and designed to identify all events that will affect the organisation's ability to achieve its objectives.

This document outlines a recommended framework for applying the principles of entity risk management in the public sector and provides a basis against which entity risk management can be evaluated. However, it is not intended to replace or supplant the Guidelines for Internal Control Standards for the Public Sector but rather is designed to provide complementary additional information to be used alongside those standards where member states consider it to be appropriate to do so. Nor is it intended to limit or interfere with duly granted authority related to developing legislation, rule-making or other discretionary policy-making in an organisation.

In conclusion, it should be clearly stated that this document includes additional guidelines for corporate governance standards. The guidelines do not provide detailed policies, procedures and practices for implementing a best practice corporate governance regime, nor are they expected to be suitable for all organisations in all regulatory environments. However, the addendum provides an addition to the broad framework within which entities can develop regimes to best help them maximise the services provided to stakeholders.
How is this document structured?

The supplement is structured in a similar manner to the INTOSAI Guidelines for Internal Control Standards for the Public Sector. In the first chapter the concept of Entity risk management is defined and its scope is delineated. In the second chapter the components of Entity risk management are presented and the extensions to the internal control standards highlighted.
Chapter 1: What is Entity Risk Management

1.1 Definition

1.1.1 COSO's Entity Risk Management: Integrated Framework states that Entity risk management deals with risks and opportunities affecting value creation or value preservation, defined as follows:

"Entity risk management is a process effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the Entity, designed to identify potential events that may affect the entity and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." (COSO ERM model 2004)

1.1.2 In the public sector the terms value creation and value preservation do not have as much direct relevance as in the private sector. However, the definition is purposefully broad to cover as many sectors and types of organisations as feasible. As such it is possible to substitute service creation and preservation for value creation and preservation for the definition to be fully applicable to public sector entities.
1.2 Identifying the Mission

1.2.1 The starting point for Entity risk management is the entity's established mission or vision. Within the context of this mission, management should establish strategic objectives, select strategies to achieve these objectives and set supporting aligned objectives that are cascaded throughout the organisation.

1.3 Setting Objectives

1.3.1 The INTOSAI Guidelines on Internal Control Standards state that objectives can be sub-divided into four categories (although most objectives will fall into more than one category). These are:

Strategic - high level goals, aligned with and supporting the entity's mission
Operational - executing orderly, ethical, economical, efficient and effective operations; and safeguarding resources against loss, misuse and damage
Reporting - reliability of reporting, including fulfilling accountability obligations
Compliance - compliance with applicable laws and regulations and being able to act in accordance with Government policy

1.3.2 Objectives in the first two categories are not entirely within an entity's control, so any risk management system can only provide reasonable assurance that these risks are being managed satisfactorily, but it should enable management to be aware in a timely fashion of the extent to which these objectives are being met. However, objectives relating to reliability of reporting and compliance are within an entity's control, so effective Entity risk management will usually give management assurance that these objectives are being met.
1.4 Identifying Events - Risks and Opportunities

1.4.1 Once objectives have been set, Entity risk management requires an organisation to identify events that might have an impact on the achievement of those objectives. Events can have a negative impact, a positive impact or both. Events with a negative impact represent risks, which can hinder the entity's ability to achieve its objectives. These risks can arise due to internal and external factors. Figure 1, below, sets out many of the risks which government entities face; there may well be other risks relevant to particular entities.

1.4.2 Events with a positive impact may offset negative impacts or represent opportunities. Opportunities are the possibility that an event will occur that will enhance the entity's ability to achieve its objectives or enable the entity to achieve objectives more efficiently. As well as seeking to mitigate risks, management should formulate plans to seize opportunities.
1.5 Communication and Learning

1.5.1 Determining whether an entity's Entity risk management is "effective" is a fundamental part of the process. Management need to make a judgement on whether the components of Entity risk management are present and operating effectively; namely that there are no material weaknesses and that all risks have been brought within acceptable parameters given the entity's risk appetite. Where Entity risk management is effective, management will understand the extent to which objectives in all four categories are aligned with the mission and are being achieved. Effective top down and bottom up communication throughout the entity is essential to facilitate this process.

1.6 Limitations

1.6.1 No matter how well designed and operated the system is, Entity risk management cannot provide management with absolute assurance regarding the achievement of general objectives. Instead, this supplement recognises that only a reasonable level of assurance is obtainable.

1.6.2 Reasonable assurance equates to a satisfactory level of confidence that objectives will be achieved, or that management will be made aware in a timely fashion if objectives are unlikely to be achieved. Determining how much assurance is required to reach a satisfactory level of confidence is a matter of judgement. In exercising that judgement management will need to consider the entity's risk appetite and events that may impact on achievement of objectives.

1.6.3 Reasonable assurance reflects the notion that uncertainty and risk relate to the future, which no-one can predict with certainty. In addition, factors outside an entity's control or its influence, such as political factors, can impact on its ability to achieve its objectives. In the public sector, factors outside an entity's control can even change core objectives at quite short notice. Limitations also result from the following realities: that human judgement in decision making can be faulty; that breakdowns can occur because of human failures such as simple errors or mistakes; that decisions on responding to risk and establishing controls need to consider the relevant costs and benefits; and that controls can be circumvented by collusion between two or more people and management can override the control system. These limitations preclude management from having absolute assurance that objectives will be achieved. Figure 1 sets out some of the risks government entities might typically face. It is intended to be illustrative rather than exhaustive.
Figure 1: Some Typical Risks that Government Entities Face

(Diagram in the original, centred on "Achieving Service Delivery". Several labels are cut off in this transcript and are given here only as far as they survive.)

- Economic changes such as lower economic growth reduce tax revenue and opportunities to provide a wider range of services or
- Failure to innovate leading to
- Loss or misappropriation of funds through fraud or
- Environmental damage caused by failure of regulations or
- Inconsistent policy objectives resulting in
- Project delays, cost overruns and inadequate
- Inadequate skills or resources to deliver services as
- Failure of contractors, partners or other government agencies to provide
- Failure to evaluate properly pilot projects before a new service is introduced may result in problems
- Failure to measure performance
- Technical risk: failure to keep pace with technical developments, or investment in inappropriate or
- Inadequate service plans to maintain continuity of
- Failure to monitor implementation
1.7 Link between Internal Control and Entity Risk Management

1.7.1 In many respects entity risk management may be regarded as a natural evolution of the internal control model. Most organisations will seek to fully apply the internal control model before implementing the concepts inherent within Entity risk management. Internal control is an integral part of entity risk management. The entity risk management framework encompasses internal control but, in addition, forms a more robust conceptualisation of how an entity's business decisions should fall out of its core mission and associated objectives, and provides a tool for management to help them determine what the correct response to a particular event should be. The ERM model goes further than the INTOSAI Internal Control Guidelines in a number of areas, in particular:

- the categories of objectives are broader, and also include more complete reporting, non-financial information and strategic objectives;
- it expands the risk assessment component and introduces different risk concepts, such as risk appetite, risk tolerance and risk response; and
- it emphasises the importance of independent directors on the board and elaborates on their roles and responsibilities.
Chapter 2: Components of Entity Risk Management

Entity risk management consists of eight interrelated components. These are derived from the way that management runs a business and are integrated with the management process. The components are:

- Internal environment
- Objective setting
- Event identification
- Assessing risks
- Risk response
- Control activities
- Information and communication
- Monitoring

In applying the components of Entity risk management, an entity should consider the entire scope of its activities at all levels of the organisation. Management should also consider new initiatives and projects using the Entity risk management framework.
Applying Entity Risk Management across the Entity

Management is required to take a portfolio view of risk. In effect all levels of management will need to consider the events that may impact on their areas of activity and feed them up to senior management. This assessment can be qualitative or quantitative. Senior management should use these assessments, running through all levels and business areas of the entity, to build up an entity level assessment of the overall risk portfolio of the organisation.

Importance of People

Entity risk management is implemented and made to work effectively by an entity's management and other personnel. It is accomplished by what individuals within an organisation do and say. Similarly, Entity risk management affects people's actions. Each employee is an individual with different competencies and understanding. Entity risk management seeks to provide the mechanisms to enable members of staff to understand risk in the context of the entity's objectives.

Members of staff should know their responsibilities and the limits of their authority. Accordingly a clear and concise linkage needs to exist between an individual's duties and the way that they are carried out. Senior management primarily provide oversight. However, they also provide direction, approve strategies and approve certain transactions and policies, thereby playing a vital role in enforcing organisational culture.
2.1 Risk Environment/Context

2.1.1 The risk environment/context encompasses the tone of an organisation, influencing the risk consciousness of all of its people, and is the basis for all other components of Entity risk management, providing discipline and structure. Internal environment factors include an entity's risk management philosophy; its risk appetite; oversight by the management board; integrity and ethical values; competence of staff; and the way management assigns authority and responsibility and organises and develops staff.

2.1.2 An entity's risk management philosophy is the set of shared beliefs and attitudes which set out how the entity considers risk in everything it does, from strategy setting to day to day operational activities. It influences culture and operating style, including how risks are identified, the kind of risks accepted and how they are managed. An entity's risk management philosophy should be captured in policy statements, oral and written communications to stakeholders and staff, and in decision making. Irrespective of the method of communication it is of critical importance that senior management reinforce the philosophy, not only through communicating policies, but through everyday actions.

2.1.3 Risk appetite is the amount of risk, on a broad level, that an entity is willing to accept in seeking to achieve its objectives. It reflects the risk management philosophy and in turn influences the entity's culture and operating style. Risk appetite can be considered quantitatively or qualitatively. It should be considered in strategy setting, where the desired return from a strategy should be aligned with the risk appetite, that is the willingness to accept or tolerate risk.

2.1.4 In addition, when identifying the risk environment and selecting an appropriate risk appetite, public sector entities need to consider the "extended Entity". The opinions and expectations of sponsoring and sponsored organisations, be they other government bodies or legislation setters, and the opinions of partner organisations can give a clear steer as to a suitable risk management philosophy and risk appetite.

2.1.5 An entity's senior management is a critical part of the internal environment and significantly influences its elements. It is a truism that organisational culture can be set or be fatally undermined by the "tone at the top". The senior management's independence from executive management, the experience and stature of its members, the extent of its involvement and scrutiny, and the appropriateness of its activities all play a role. Members of top executive management can be part of senior management, but for the internal environment to be effective it is advisable that the senior management team contain some independent outside members. This is because senior management must be prepared to hold executive management to account by questioning and scrutinising activities and being prepared to present alternative views.

2.1.6 Management's integrity and ethical values influence the way strategy and objectives are implemented. Because an entity's good reputation is so valuable, the standards of behaviour must go beyond mere compliance with minimum legal standards. Ethical behaviour and management integrity are by-products of corporate culture, which includes ethical and behavioural standards and how these are communicated and enforced. Top management plays a key role in determining the corporate culture. An undue emphasis on short term results as opposed to achieving the overall mission can foster an inappropriate internal environment.

2.1.7 Formal codes of conduct are important to, and the foundation of, the promotion of an appropriate ethical tone. Upward communication channels (or formal whistleblowing procedures) where employees feel comfortable bringing relevant information to the board are also important. However, a written code of conduct does not by itself ensure that procedures are being followed, even if all employees have to evidence that they are aware of the behaviours expected of them. Equally important to compliance are the resulting penalties to employees who violate the code. Messages sent by senior management quickly become embodied in corporate culture, so "doing the right thing" when faced with tough business decisions quickly becomes embodied throughout the entity.

2.1.8 Competence reflects the knowledge and skills needed to perform assigned tasks. It needs to be supported by human resources practices pertaining to employing and promoting appropriate individuals, induction, training and dealing with poor performance. Management needs to specify competency levels for particular tasks and translate those into appropriate job descriptions for specific posts. It is important to recognise that a trade-off can exist between competence and cost.

2.1.9 An entity's organisational structure provides the framework to plan, execute, control and monitor its activities. The organisational structure adopted should be suitable to business needs. Some are centralised, others decentralised, some organised by geographical location and others by function. Whatever the structure, an entity should be organised to enable effective risk management and to carry out its activities so as to achieve its objectives.

2.1.10 Assignment of authority and responsibility involves the degree to which individuals and teams are authorised and encouraged to use initiative to address issues and solve problems, as well as the limits to their authority. The key challenges are to ensure that all personnel understand the entity's objectives and how their actions contribute to the achievement of those objectives, and to delegate only to the extent required to achieve objectives. Responsibility is as important as authority. The internal environment is greatly influenced by the extent to which individuals recognise they will be held accountable. This holds true all the way to the chief executive.
2.2 Objective Setting

2.2.1 Objectives are set at a strategic level, establishing a basis for lower level operations, reporting and compliance objectives. Every entity faces a variety of risks from external and internal sources, and a precondition to effective event identification, risk assessment and risk response is the establishment of objectives. Objectives must be established before management can identify and assess risks to their achievement and take the necessary actions to mitigate those risks. Objectives are aligned with an entity's risk appetite, which drives risk tolerance levels for the entity.

2.2.2 An entity's mission sets out in broad terms what the entity aspires to achieve. Management sets strategic objectives, formulates strategy and establishes related operations. Strategic objectives are high-level goals aligned with and supporting the entity's mission. The strategy implemented to achieve the mission and the related objectives tend to be more dynamic than the mission and will be adjusted to take account of changing conditions.

2.2.3 Despite the diversity of objectives across entities, there are certain broad categories that can be applied. All objectives will fall into one or more of the following:

Operations objectives - These pertain to the effectiveness and efficiency of the entity's operations, including performance goals and safeguarding resources against loss. When used in conjunction with public reporting, an expanded definition of "safeguarding of resources/assets" can be used: dealing with preventing, or detecting and correcting, the misappropriation of public funds. The operations objectives need to reflect the particular environment in which the entity functions. As operations objectives are the focal point for directing allocated resources, if they are not clear or not well conceived, resources may be misdirected.

Reporting objectives - These pertain to the reliability of reporting and may involve both financial and non-financial data. Although reporting objectives also relate to information prepared for external parties, the key objective of reliable reporting is to provide management accurate and complete information appropriate for its intended purpose. Without accurate and complete information it is very difficult for management to make good decisions.

Compliance objectives - These pertain to adherence to relevant laws and regulations. The requirements may relate to markets, the environment, employee welfare etc. Some entities will also need to comply with international compliance objectives.

2.2.4 Effective entity risk management provides reasonable assurance that an entity's operational, reporting and compliance objectives are being achieved.

2.2.5 Risk appetite, established by management and the board of directors, is a guidepost in setting strategy and assessing the relative importance of objectives. Effectively, risk appetite is the level of risk an entity is prepared to accept in providing value (in the form of public services) to stakeholders. Usually any of a number of different strategies can be designed to achieve the desired mission, each having different risks. Management should select the strategy and associated objectives that best fit in with the risk appetite.

2.2.6 Risk tolerances are the acceptable levels of variation relative to the achievement of objectives. They can be measured through performance targets. Often performance targets are best measured in the same units as the related objectives. Operating within risk tolerances provides management greater assurance that the entity remains within its risk appetite and will achieve its objectives.
2.3 Event Identification

2.3.1 Management identifies potential events that, if they occur, will affect the entity. Events need to be classed as to whether they represent opportunities or whether they might adversely affect the entity's ability to successfully implement strategy and achieve objectives (risks). When identifying events, management considers a variety of internal and external factors that could give rise to risks and opportunities, in the context of the full scope of the entity.

2.3.2 An event is an incident or occurrence emanating from internal or external sources that affects implementation of strategy or the achievement of objectives. Events may have a positive or negative impact or both. Events range from the obvious to the obscure and their effects from the inconsequential to the highly significant. However, to avoid overlooking events, event identification is best made apart from the assessment of the likelihood of the event occurring and its impact.

2.3.3 Management needs to understand the key classes of internal and external factors driving the events. External factors can include, but are not limited to, those arising from changes in the political environment, the social and technological environment and economic issues affecting either the entity itself or its suppliers. Internal factors stem from choices that management makes about the way it will function. This can include the infrastructure of the entity, how many locations it operates in, the skills and competence of personnel and how business information systems operate.

2.3.4 Event identification techniques look both to the past and to the future. Techniques that focus on past events can consider matters such as annual reports and accounts, payment default histories and internal reports. Techniques that focus on future events can consider factors such as shifting demographics, new market conditions and expected changes in the political environment. Techniques vary widely in their level of sophistication and automation and can be focused on a top down or bottom up view of events.

2.3.5 Events do not often occur in isolation. One event can trigger another and events can occur concurrently. Management should understand how events relate to one another. By assessing the relationships, it may be possible to determine where risk management efforts are best directed.

2.3.6 It may also be useful to group potential events into categories. By aggregating events horizontally across the entity and vertically within operating units, management can gain an understanding of relationships between events. Grouping events can also give some guidance as to what the most cost effective responses could be. Although each entity will develop its own method of grouping events, there are standard tools such as PEST Market Analysis [2] that can serve as a basis.
2.4 Assessing Risks

2.4.1 Assessing risks allows an entity to consider the extent to which potential events have an impact on the achievement of objectives. Management should assess events from two perspectives - impact and likelihood - using a combination of quantitative and qualitative techniques. The positive and negative impacts of events can be assessed either individually or by category for their impact across the entity. Risks should be assessed on both an inherent and a residual basis.

2.4.2 Although the term "risk assessment" sometimes has been used in conjunction with a one-time activity, in the context of Entity risk management the risk assessment component is a continuous and iterative interplay of actions that take place throughout the entity. The objective of assessing risks is to identify which events are important enough and significant enough to be the focus of management attention.

[2] PEST analysis is a useful tool for understanding and assessing the impact of external factors on the achievement of entity objectives. PEST is an acronym for Political, Economic, Social and Technological factors.

2.4.3 Uncertainty of potential events needs to be evaluated from the perspectives of likelihood and impact. Likelihood represents the possibility that an event will occur in a given period of time, whilst impact represents the scale of the effect that the event will have on the entity's ability to achieve its objectives. The period of time over which management assesses likelihood should be consistent with the time horizon of the related strategy and objectives. The most important risks are those with a high likelihood of occurrence and high impact. Conversely the least important risks are those with a low likelihood of occurrence and low impact. The balance of management focus should be on the high probability, high impact risks (see Figure 2 below). The end result of the process will be to assign each risk a rating for both likelihood and impact. Some entities use a high-low rating, others a "traffic light" system of red, amber and green, and others a quantitative measure such as a percentage score.
Figure 2: Simple Risk Assessment and Response Matrix

                                  Probability (likelihood)
    Significance (impact)     Low likelihood        High likelihood
    High impact               Contingency Plan      Control Procedures
    Low impact                Tolerate              Control Procedures
2.4.4 Risk assessment methodology can be quantitative or qualitative. It can be based on objective or subjective methods. An entity need not employ common assessment techniques across all business areas. However, management needs to be aware of human bias when assessing risks and needs to ensure that all relevant members of staff have a common understanding of what the rating terminology for assessing risk means. If this is not done it will be difficult for senior management to assess the relative importance of different risks.
2.4.5 Once risks have been assessed the risk priorities for the entity should emerge. If the risk exposure is unacceptable given the risk appetite of the entity, the risk should be classed as high priority or "key risk". The key risks should be given regular attention at the highest level of the entity. Specific risk priorities will change over time as the objectives of the entity change, the risk environment changes and key risks are addressed.
2.4.6 Risk assessment as outlined above pertains to inherent risk. Inherent risk is the risk to an entity in the absence of any actions that management may take to alter the event's likelihood or impact. Residual risk is the risk that remains after considering management's risk response, which is outlined in the next paragraph. The advantage of this method is that it allows entities to identify risks that are taking up management time that could be better spent on other issues (e.g. because the inherent risk has a low probability of occurring).

2.5 Risk Response

2.5.1 Having assessed the relevant risk, management decides how it will respond. Ways to address identified risk include risk transfer, risk treatment, terminating activities and tolerating the risk. In considering its response, management assesses the effect on likelihood and impact, as well as the costs and benefits of each response, with the aim of selecting a response that brings the residual risk within the desired risk tolerance. Management should also identify any opportunities that are available and take an entity wide, portfolio view of risk.

2.5.2 Risk responses fall within the following categories:

- Sharing/Risk Transfer - Reducing the risk likelihood or impact by transferring or otherwise sharing a portion of the risk. This might be done by conventional insurance or by paying a third party to take the risk in another way. This option is particularly useful when mitigating financial risks, risks to assets and for outsourcing activities. However, most risks will not be fully transferable. In particular, it is generally not possible to transfer reputational risk even if the delivery of a service is contracted out.

- Reduction/Risk Treatment - By far the greatest number of risks will be addressed in this way. Action is taken to reduce the risk likelihood or impact or both. This typically involves a myriad of everyday business decisions including control procedures discussed in more detail in section 2.6 and in Internal Controls - Integrated Framework.

- Avoidance/Terminating the Activity - Exiting the activities giving rise to the risk. Whilst public sector entities are rarely likely to be able to avoid delivering a core programme element, avoidance may be a useful response when considering whether a new method of service delivery is appropriate or considering whether to continue with a specific project.

- Acceptance/Tolerate - No action is taken to mitigate risk likelihood or impact. This response suggests that no cost effective response was identified that would reduce the impact and likelihood to an acceptable level or that the inherent risk is already within risk tolerances. Tolerating the risk can of course be supplemented by contingency planning to handle the impacts that will arise if the risk is realised.
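The assessment steps described in 2.4.3 to 2.5.2 (rating each risk for likelihood and impact, reading a response off the Figure 2 matrix, separating inherent from residual risk, and checking whether the chosen response brings the residual risk within tolerance) can be carried through in a small risk register. The Python below is an added illustration written for this edition; it is not part of the INTOSAI guideline and is not taken from any INTOSAI or COSO tool. The 1-5 rating scale, the threshold of 3 for "high", the expression of risk tolerance as a single likelihood x impact score, the response category names and the four sample risks are all assumptions of the example.

```python
"""Worked risk-register example (added illustration, not INTOSAI's own tooling).

Implements the steps of 2.4.3 (rate likelihood and impact), Figure 2 (map the
ratings to a response), 2.4.6 (inherent versus residual risk) and 2.5.1/2.5.2
(choose a response category that brings residual risk within tolerance).

Assumptions not taken from the guideline: ratings are integers on a 1-5 scale,
a rating of 3 or more counts as "high", tolerance is a single likelihood x
impact score, and the sample register is constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HIGH_THRESHOLD = 3  # assumption: 3..5 is "high", 1..2 is "low" on a 1-5 scale

# Figure 2: (impact band, likelihood band) -> response. The response labels
# are the figure's own; the band split is this example's assumption.
RESPONSE_MATRIX = {
    ("high", "low"): "Contingency Plan",
    ("high", "high"): "Control Procedures",
    ("low", "low"): "Tolerate",
    ("low", "high"): "Control Procedures",
}

# Short names for the four categories of section 2.5.2 (assumed spelling)
RESPONSE_CATEGORIES = ("transfer", "treatment", "avoid", "tolerate")


def band(rating: int) -> str:
    """Collapse a 1-5 rating into the two bands used by Figure 2."""
    if not 1 <= rating <= 5:
        raise ValueError(f"rating must be 1..5, got {rating}")
    return "high" if rating >= HIGH_THRESHOLD else "low"


@dataclass(frozen=True)
class Response:
    """A chosen response plus management's estimate of the ratings after it."""
    category: str
    likelihood_after: int
    impact_after: int

    def __post_init__(self) -> None:
        if self.category not in RESPONSE_CATEGORIES:
            raise ValueError(f"unknown response category {self.category!r}")
        band(self.likelihood_after)  # range check only
        band(self.impact_after)


@dataclass
class Risk:
    name: str
    likelihood: int  # inherent likelihood: before any management action (2.4.6)
    impact: int      # inherent impact
    response: Optional[Response] = None

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_ratings(self) -> Tuple[int, int]:
        """Residual risk is what remains after the chosen response (2.4.6)."""
        if self.response is None:
            return self.likelihood, self.impact
        return self.response.likelihood_after, self.response.impact_after

    def residual_score(self) -> int:
        lik, imp = self.residual_ratings()
        return lik * imp

    def suggested_response(self) -> str:
        """Look up the Figure 2 quadrant for the inherent ratings."""
        return RESPONSE_MATRIX[(band(self.impact), band(self.likelihood))]


def assess(register: List[Risk], tolerance: int) -> Dict[str, str]:
    """Classify each risk following 2.4.5, 2.4.6 and 2.5.1.

    "inherently tolerable": inherent score already within tolerance, so the
        risk should not absorb management time (2.4.6);
    "key risk": residual score still exceeds tolerance, so the response or
        the tolerance has to be reconsidered;
    "within tolerance": the chosen response brings the risk inside tolerance.
    """
    result: Dict[str, str] = {}
    for risk in register:
        if risk.inherent_score() <= tolerance:
            result[risk.name] = "inherently tolerable"
        elif risk.residual_score() > tolerance:
            result[risk.name] = "key risk"
        else:
            result[risk.name] = "within tolerance"
    return result


def prioritise(register: List[Risk]) -> List[str]:
    """Order risks for management attention: highest residual score first (2.4.3)."""
    return [r.name for r in sorted(register, key=lambda r: (-r.residual_score(), r.name))]


# Constructed sample register (not from the guideline).
SAMPLE_REGISTER = [
    Risk("Internet-facing server missing security patches", 4, 5,
         Response("treatment", likelihood_after=2, impact_after=4)),
    Risk("Flooding of the records archive", 1, 5,
         Response("transfer", likelihood_after=1, impact_after=3)),
    Risk("Shared printer outage", 4, 1),
    Risk("Formatting errors in internal reports", 2, 1),
]
SAMPLE_TOLERANCE = 4  # assumption: a residual score above 4 is unacceptable

if __name__ == "__main__":
    for risk in SAMPLE_REGISTER:
        print(f"{risk.name}: Figure 2 says {risk.suggested_response()}; "
              f"inherent={risk.inherent_score()}, residual={risk.residual_score()}")
    print(assess(SAMPLE_REGISTER, SAMPLE_TOLERANCE))
    print(prioritise(SAMPLE_REGISTER))
```

Running the sample shows the point of 2.4.6: the archive flood is high impact but low likelihood, so Figure 2 points to a contingency plan rather than control procedures, and after the transfer response it sits within tolerance; the unpatched server remains a key risk because its residual score still exceeds the tolerance, which is the case in which management must revisit either the response or the tolerance. Using one shared `band` function is the example's way of giving all staff the common rating terminology that 2.4.4 asks for.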
2.5.3 The ERM model stresses not just anticipating and managing risks but also, within the same approach, identifying opportunity. In any situation management should look to consider opportunities or events with a positive impact, not just consider risk or events with a negative impact. There are two aspects to this: firstly, whether or not at the same time as mitigating threats an opportunity arises to exploit a positive impact; and secondly, considering whether or not circumstances have arisen that, whilst not generating threats, offer positive opportunities.

2.5.4 Management should evaluate the effects of various methods of addressing the risk, then decide how best to manage the risk, selecting a response or combination of responses designed to bring both risk likelihood and impact within risk tolerances. The selected response need not necessarily result in the least amount of residual risk, but if the response would result in a residual risk that still exceeds risk tolerances, management will need either to reconsider the response or to reconsider risk tolerances.

2.5.5 Evaluating alternative responses to inherent risk requires consideration of additional risks that might result from a response. Here it is helpful for senior management to consider responses from a portfolio perspective as this gives them an overview of the overall risk response profile and enables them to consider whether the nature and types of residual risks remaining are those that fit with the overall mission and risk appetite.

2.5.6 Once management selects the preferred method of addressing the risk it needs to develop an implementation plan. A critical part of every implementation plan is control activities to ensure that the risk response is carried out effectively.

2.6 Control Activities
2.6.1 Control activities are the policies and procedures that help ensure that management's risk responses are carried out. Control activities occur throughout the organisation, at all levels and in all functions. As the Guidelines for Internal Control Standards for the Public Sector contains detailed information on setting up effective controls, this addendum does not intend to do anything more than put internal controls into the context of Entity risk management.

2.6.2 Entity risk management sees control activities as an important part of the process by which an entity seeks to achieve its business objectives. Control activities are not performed simply for their own sake or because it seems the "right thing to do", but rather serve as mechanisms for managing the achievement of business objectives.

2.6.3 Whilst control activities generally are established to ensure that risk responses are carried out appropriately, in respect to certain objectives, control activities themselves are the risk response. The selection or review of control activities needs to include consideration of their relevance and appropriateness to risk responses and the related objectives.

2.6.4 Because each entity has its own set of objectives and implementation approach, there will be differences in risk responses and related control activities. Even if two entities had the same objectives and made similar decisions on how they should be achieved, the resulting control activities would be likely to be different. This is because different management teams will have different risk appetites and risk tolerances.

2.6.5 However, in the context of risk management all control procedures fit into four broad categories:

- Preventive controls are designed to limit the possibility of a risk maturing and an undesirable outcome being realised. The greater the impact of the risk on the ability to achieve the entity's objectives, the more important it becomes to implement appropriate preventative controls.

- Directive controls are designed to ensure a particular outcome is achieved. These are particularly important when it is critical that an undesirable event (such as a security breach) is avoided, so are often used to support the achievement of compliance objectives.

- Detective controls are designed to identify whether undesirable outcomes have occurred "after the event". However, the presence of appropriate detective controls can also mitigate the risk of undesirable outcomes occurring by creating a deterrence effect.

- Corrective controls are designed to correct undesirable outcomes that have been realised. They could also act as a contingency to achieve some recovery either of funds or serviceability against loss or damage.
2.7 Information and Communication

2.7.1 There is little difference between the quality requirements of data used to support internal control objectives and the quality requirements of data used to support Entity risk management. As the Guidelines for Internal Control Standards for the Public Sector contains detailed information on information and communication requirements, this addendum does not intend to do anything more than put these requirements into the context of Entity risk management.

2.7.2 Entity risk management specifically requires that an entity capture a greater range of information than is necessary to achieve internal control objectives; for example, the focus on strategic objectives requires more output and outcome information. In addition the use to which this data is put is slightly different. Historical data allows the entity to track actual performance against targets, plans and expectations and can provide early warnings of potential events that require management attention. Present data allows management to take a real-time view of existing risks within a business unit/process and identify variations from expectations. This can allow the entity to determine whether it is operating within risk tolerances.

2.7.3 Pertinent information should be identified, captured and communicated in a form and timeframe that enable staff to carry out their responsibilities. Effective communication also occurs, flowing down, across and up the entity. All personnel should receive a clear message from senior management that Entity risk management responsibilities must be taken seriously. They need to understand their own role in the Entity risk management process as well as how this relates to the work of others. Personnel must have means of communicating significant information to an appropriate level of management. There also needs to be effective communication with external stakeholders.

2.7.4 Having the right people with the right information, on time and at the right place, is essential to effecting entity risk management.

Communication

2.7.5 Communication is inherent in information systems. As well as providing information to enable appropriate personnel to carry out their duties, communication must take place in a broader sense, disseminating corporate culture, dealing with expectations, covering the responsibilities of individuals and groups, and other relevant matters.

2.7.6 Management provides specific and directed internal communication that addresses behavioural expectations and the responsibilities of personnel. This should include a clear statement of the entity's risk management philosophy and approach. Communication about processes and procedures should align with and underpin the desired culture. Communication should convey:

- The importance and relevance of Entity risk management
- The entity's objectives
- The entity's risk appetite and risk tolerances
- A common language for identifying and assessing risks
- The roles and responsibilities of personnel in effecting and supporting the components of risk management.

2.7.7 There also needs to be methods for employees to communicate risk based information to their line management and across the organisation. Front-line employees who deal with critical operating issues every day are often best placed to recognise problems as they arise. For such information to be reported there must be open channels of communication and a clear-cut willingness to listen. If the corporate culture is one of "shooting the messenger", members of staff will not communicate problems to their superiors and risks may not be identified in a timely fashion.

2.7.8 In most cases normal reporting lines are the appropriate channels of upward communication. However, there are some circumstances where alternative channels of communication (such as some form of whistleblowing hotline) are necessary. Because of its importance, effective Entity risk management requires the existence of an alternative communication channel direct to senior management and available for all staff to use without fear of repercussion.

2.7.9 There needs to be appropriate communication not only within the entity, but with the outside as well. It is important to externally communicate with stakeholders about the way in which the entity is managing risk to give them assurance that the entity will deliver what is expected and to manage expectations of what can be delivered. This is particularly important in relation to risks that affect the public and where the public depend on their government to manage the risk for them. The seriousness with which communication with external parties is taken and the honesty of such communication also sends important messages throughout the entity and can have a significant impact on organisational culture.

2.8 Monitoring

2.8.1 Entity risk management should be monitored to assess the functioning of its components over time. This can be accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Deficiencies in the Entity risk management system need to be reported to an appropriate level of management, with serious matters reported to senior management or the board in order for the entity to improve its processes.

2.8.2 The objectives of an entity may change over time. The portfolio of risks faced and their relative importance is also likely to change over time. Risk responses that were once effective may become irrelevant or impossible to implement, and control activities may become less effective or lapse altogether. Management needs to constantly monitor the effectiveness of their risk management system in order to determine whether it is still appropriate and effective.
2.8.3 Evaluations of the effectiveness of risk management will vary in scope and frequency, depending on the significance of groups of risks and the importance of risk responses and related controls in managing those risks. When management makes the decision to undertake a comprehensive evaluation of the risk management framework, attention should be directed to addressing every aspect of the process including strategy setting. However, regular management activities such as updating risk registers and organisational or functional "health checks" also form part of monitoring the risk management process.
Bibliography
Australian Standard for risk management (Standards Australia, 2004)
Entity Risk Management - Integrated Framework (COSO, 2004)
Integrated Risk Management Framework (Treasury Board of Canada Secretariat, 2001)
Internal Control - Integrated Framework (COSO, 1992)
Risk Management Standard (ARMIC, IRM & ALARM, 2002)
The Orange Book: Management of Risk - Principles and Concepts (HM Treasury, 2004)