Definition
By definition, business risk is any threat to achieving an organization's business objectives. It is the likelihood that an event or action may negatively affect the entity.
Types of Risks
The risk most often thought of is financial risk, but there are many other types of threats, including short-sighted goals, ineffective business processes, and a tarnished business reputation.
Specific types of risks include:
- Reputational: public image
- Financial: protecting monetary funds
- Strategic: goals of the organization
- Operational: processes that operationalize goals
- Compliance: laws and regulations
Effects of Risks
Consider the following effects to gain an appreciation of how risks may impact your organization if appropriate actions are not taken:
- Flawed decisions that were based on incorrect, untimely, incomplete, or unreliable information
- Incorrect record keeping
- Inaccurate accounting
- Fraudulent financial transactions
- Financial loss and exposure
- Negative publicity
- Noncompliance with relevant laws and regulations
- Inefficient or ineffective use of resources
Where to Look for Risk
Integrated Internal Control Framework Key Risks

| | TYPES OF RISK | | | | |
|---|---|---|---|---|---|
| | Financial | Operational | Strategic | Compliance | Reputational |
| CONTROL ENVIRONMENT | | | | | |
| Integrity, ethics and trust | X | X | X | X | X |
| Competence, knowledge, skills, determination, training, feedback | | X | X | X | X |
| | | X | | | |
| | | X | X | | |
| | | | | X | |
| RISK ASSESSMENT | | | | | |
| | | X | X | | |
| Risk identification, prioritization, strategies | X | | X | X | |
| | | X | X | | |
| CONTROL ACTIVITIES | | | | | |
| Security (people, data, equipment) | X | | X | | X |
| Guidelines, transaction approval, verification | X | X | | X | |
| Disaster recovery/business resumption | X | X | | | X |
| | X | X | | | X |
| INFORMATION AND COMMUNICATION | | | | | |
| Operational information sufficiency, usefulness and timeliness | | X | | X | |
| New legislation and regulations | | | | X | |
| | X | X | | | X |
| Channel to report improprieties | | | | X | X |
| Staff suggestions for improvement | | X | | | |
| Emerging information needs | | X | X | X | |
| MONITORING | | | | | |
| | | | X | X | X |
| Review of financial and operating reports and reconciliations (budget) | X | X | | X | |
| Risk assessment methodology | | | X | X | |
| | X | X | | X | |
| Information and communication systems | X | X | X | X | |

X denotes the type of risk that may be applicable to the particular business objective. It is important to note that if the control objectives are not addressed appropriately and in a timely manner, additional risks may occur.
Handling Risks
Eliminating all types of risks is most probably impossible, and actually not desirable, because the cost would be extraordinary and unjustifiable. Therefore, alternatives for addressing risks, such as transferring, accepting or mitigating the risk, should be sought. A cost-benefit analysis must be performed to determine which approach should be taken.
It is important to understand that the process of addressing risks is not static. Business risks increase and change as the operational environment changes. New technologies, fierce competition, decentralized accountability, external scrutiny, and cost reductions all present new risks and continually challenge already implemented solutions.
Controls
Definition
A control is any action taken by management to enhance the likelihood that established objectives and goals will be achieved.
Types of Controls
Many types of controls can help management direct their activities, such as:
- Preventative Controls are intended to deter inappropriate events from happening. These are the best types of controls, but they are typically the most expensive to implement.
- Detective Controls are actions taken to detect and correct undesirable events that have already occurred.
- Directive Controls are intended to trigger or encourage a desired event.
Oftentimes, the best strategy is a combination of all types of controls, used together to enable an organization to achieve its goals and objectives.
Control Environment
The control environment is the structure and basis for all operational activities, based on the attitudes and actions of upper management regarding the significance of control within the organization.
Integrated Internal Control Framework (IICF)