April 25, 2020

AUD 1201 Internal Audit & Entity’s Control Environment
Learning Objectives
ISO 31000 Standard
Risk Management: Principles and Guidelines
Outline
• Overview of ISO 31000 Standard
• Components of the Standard
Overview
ISO 31000 is an international standard that provides principles and guidelines for effective risk management.
• Published in 2009 (revised in 2018)

Generic approach:
• not specific to any industry or sector
• can be applied to any type of risk (financial, technological, natural, project)
• can be applied to any type of organization
Overview
Provides foundations for discussing risk management and undertaking a critical review of an organization’s risk management process.
Overview
In scope:
1. Definitions and terms relevant to risk management
2. A set of principles that inform effective risk management
3. Recommendations for establishing a risk management framework
4. Recommendations for establishing a risk management process
Overview
Does not include:
1. Detailed instructions / guidance on how to manage specific risks
2. Advice relevant to any specific domain
3. Any elements related to certification
• Provides guidance rather than requirements, so it is “not intended for the purpose of certification”
Components of the Standard
The standard comprises three main elements:
1. Risk management process
• How are risks identified, analyzed and treated?
2. Risk management framework
• the overall structure and operation of risk management across the organization
• Similar to the plan/do/check/act (PDCA) cycle
3. A set of Principles which guide risk management activities
DEFINITION OF RISKS
The Standard provides a new definition of risk as the effect of uncertainty on the possibility of achieving the organization’s objectives, highlighting the importance of defining objectives before attempting to control risks, and emphasizing the role of uncertainty.
• An effect is a deviation from what was expected, which can be positive or negative.
• Uncertainty is a lack of information or knowledge concerning an event, its consequences or its likelihood.
DEFINITION OF RISK
• Makes the role of objectives explicit: an activity is only undertaken to reach some goal. Objectives can be financial, health and safety, or environmental goals. They can apply at a strategic level, or per project, per product, per site.
• This definition leads to more transparency in discussion with stakeholders because objectives (possibly competing) are made explicit.
ILLUSTRATION OF RISK
[Figure: illustration of risk. Labels: Start (t0), Objective (t1), Unexpected perturbations, Corrective actions]
ILLUSTRATION OF RISK
• The organization establishes its objectives; at time (t) it wants to be at position (O – objectives).
• It establishes an action plan to move from its current position to position (O).
• The presence of uncertainty means that unexpected perturbations can cause deviations from the plan defined at time t0. If unchecked, these would mean that the organization does not achieve its objective of reaching position (O).
• This is risk: the effect of uncertainty on the possibility of reaching your objectives.
ILLUSTRATION OF RISK
• The risk management activity consists of anticipating and looking out for deviations from the plan, and implementing corrective actions so that the organization’s objectives are reached despite the unexpected perturbations.
TYPE OF BUSINESS RISKS
Assessment of all potentially serious risks inherent in the strategies and business processes is part of internal control and is essential for evaluating the relevance and reliability of information and its context.

Business risks can be classified in many ways:
1. External Environment Risks
2. Business Process and Asset Loss Risks
3. Information Risks
TYPE OF BUSINESS RISKS
Business risks exist throughout an enterprise and must be managed individually and in the aggregate.

1. External Environment Risks
threats from broad factors external to the business including substitute products, catastrophic hazard loss, and changes in customers’ tastes and preferences, competitors, political environment, laws/regulations, and capital and labor availability.

2. Business Process and Asset Loss Risks
threats from ineffective or inefficient business processes for acquiring, financing, transforming, and marketing goods and services, and threats of loss of firm assets including its reputation.
TYPE OF BUSINESS RISKS
3. Information Risks
threats from poor-quality information for decision-making within the business (i.e., the risk of being misinformed about real-world conditions due to using measurement methods that are not relevant, from careless or biased application of measurement methods or their display, or from incomplete information).
New Notions: ISO 31000 Standard
RISK APPETITE
CONCEPT OF RISK APPETITE
The Standard introduces the (sometimes controversial) notion of risk appetite, or the level of risk which the organization accepts to take on in return for expected value.
RISK APPETITE
CONCEPT OF RISK APPETITE
• Risk appetite: the amount and type of risks that an organization is prepared to pursue, retain or take in pursuit of its objectives.
• Represents a balance between the potential benefits of innovation (and risk) and the threats that change inevitably brings.
• Helps to guide people within the organization on the level of risk permitted and encourages consistency of approach across an organization.
• Generally expressed (for a company) by a broad statement of approach which is written by the board.
RISK MANAGEMENT FRAMEWORK
The Standard defines a risk management framework with different organizational procedures, roles and responsibilities in the management of risks.
RISK MANAGEMENT FRAMEWORK
The Risk Management Framework determines how risk management is integrated with the organization’s management system.
RISK MANAGEMENT FRAMEWORK
• Should include:
a. Risk architecture – roles and responsibilities of individuals and committees that support the risk management process (who “owns” different risks?)
b. Strategy – objectives of the risk management activity in the organization.
c. Protocols – how the strategy will be implemented and risk managed (procedures, indicators, risk reporting and escalation procedures)
RISK MANAGEMENT
ENTERPRISE RISK MANAGEMENT (ERM)
ERM is defined by COSO (2002) as a process, effected by an entity’s board of directors, management, and other personnel, comprising internal control and applied in strategy and across the enterprise, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
RISK MANAGEMENT
ENTERPRISE RISK MANAGEMENT (ERM)
According to COSO (2002), ERM provides risk information to the Board of Directors about the most important entity risks and how well risk is being managed, including risk-adjusted measures of performance.
• Board of Directors: responsible for overseeing management’s design and operation of ERM.
• Management: responsible for the design and operation of an entity’s enterprise risk management; all personnel have some responsibility for successful execution of ERM.
• Internal Audit Function: responsible for evaluation of the effectiveness of the ERM.
RISK MANAGEMENT PROCESS
Risk Assessment includes identification, analysis and evaluation.
RISK MANAGEMENT PROCESS
1. Establishing the context / environment
consists of defining the scope for the risk management process, defining the organization’s objectives, and establishing the risk evaluation criteria.

Includes:
• external elements: regulatory environment, market conditions, stakeholder expectations
• internal elements: organization’s governance, culture, standards and rules, capabilities, existing contracts, worker expectations, information systems
RISK MANAGEMENT PROCESS
The following steps are collectively called Risk Assessment.

2. Risk Identification
identifying what could prevent us from achieving our objectives.

3. Risk Analysis
understanding the sources and causes of the identified risks; studying probabilities and consequences given the existing controls, to identify the level of residual risk.

4. Risk Evaluation
comparing risk analysis results with risk criteria to determine whether the residual risk is tolerable.
RISK MANAGEMENT PROCESS
5. Risk Treatment
• changing the magnitude and likelihood of consequences, both positive and negative, to achieve a net increase in benefit.
• It is an action that is taken to manage a risk.
• Risk treatment, depending on the trade-off, can be:
i. Avoiding
ii. Accepting
iii. Mitigating, which includes sharing, transferring or reducing (including control activities)
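The following worked example is added here for illustration and is not part of the ISO 31000 text or of these slides. It runs steps 3 to 5 above (risk analysis, risk evaluation against risk criteria, and the choice of a treatment option) over a small constructed risk register. The 1–5 likelihood and consequence scales, the per-area risk appetite thresholds, the control-effectiveness factor and the rule that maps an intolerable residual risk to "avoid" or "mitigate" are all assumptions chosen for the example, not values from the Standard.

```python
"""Added worked example: risk analysis, evaluation and treatment choice.

Not part of ISO 31000 or the lecture slides. All scales, thresholds and
register entries below are constructed assumptions for illustration.
"""
from dataclasses import dataclass

# Assumed 1-5 ordinal scales (1 = lowest).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed risk criteria derived from the board's risk appetite statement:
# a residual score at or below the threshold for that objective area is tolerable.
RISK_APPETITE = {"financial": 8, "safety": 4, "information": 6}


@dataclass
class Risk:
    name: str
    objective_area: str        # which category of objective the risk threatens
    likelihood: str            # key into LIKELIHOOD (inherent, before controls)
    consequence: str           # key into CONSEQUENCE
    control_effectiveness: float  # assumed fraction (0..1) by which existing controls cut likelihood


def inherent_score(risk: Risk) -> int:
    """Likelihood x consequence before any existing control is credited."""
    return LIKELIHOOD[risk.likelihood] * CONSEQUENCE[risk.consequence]


def residual_score(risk: Risk) -> int:
    """Risk analysis: level of risk given the existing controls (step 3)."""
    if not 0.0 <= risk.control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be between 0 and 1")
    residual_likelihood = LIKELIHOOD[risk.likelihood] * (1 - risk.control_effectiveness)
    # Keep the ordinal scale: round to a whole step and never drop below 1.
    residual_likelihood = max(1, round(residual_likelihood))
    return residual_likelihood * CONSEQUENCE[risk.consequence]


def is_tolerable(risk: Risk) -> bool:
    """Risk evaluation: compare residual risk with the criteria for its area (step 4)."""
    return residual_score(risk) <= RISK_APPETITE[risk.objective_area]


def recommend_treatment(risk: Risk) -> str:
    """Map the evaluation outcome to one of the treatment options (step 5).

    Assumed decision rule: tolerable -> accept; intolerable with the most severe
    consequence -> avoid the activity; otherwise mitigate (share, transfer or reduce).
    """
    if is_tolerable(risk):
        return "accept"
    if CONSEQUENCE[risk.consequence] >= 5:
        return "avoid"
    return "mitigate"


# Constructed register: three risks, one per objective area.
REGISTER = [
    Risk("Supplier payment fraud", "financial", "likely", "major", 0.5),
    Risk("Unpatched server compromise", "information", "likely", "moderate", 0.25),
    Risk("Chemical spill at plant", "safety", "possible", "severe", 0.4),
]


def assess_register(register=REGISTER):
    """Return one summary row per risk, the way a risk register would record it."""
    return [
        {
            "risk": r.name,
            "inherent": inherent_score(r),
            "residual": residual_score(r),
            "threshold": RISK_APPETITE[r.objective_area],
            "tolerable": is_tolerable(r),
            "treatment": recommend_treatment(r),
        }
        for r in register
    ]


if __name__ == "__main__":
    for row in assess_register():
        print(row)
```

The residual score is what step 4 compares with the risk criteria; the same inherent risk can be tolerable in one objective area and intolerable in another because the appetite threshold differs, which is the practical effect of the board expressing appetite per category rather than as a single number.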
RISK MANAGEMENT PROCESS
5. Risk Treatment
a. Avoiding
You can choose not to take on the risk by avoiding the actions that cause the risk.

For example, if you feel that swimming is too dangerous you can avoid the risk by not swimming.

b. Accepting
Risk acceptance, also known as risk retention, is choosing to face a risk. In general, it is impossible to profit in business or enjoy an active life without choosing to take on risk.

For example, an investor may accept the risk that a company will go bankrupt when they purchase its bonds.
RISK MANAGEMENT PROCESS
5. Risk Treatment
c. Mitigating
c.1. Sharing
Risk sharing is the distribution of risk to multiple organizations or individuals. This is done for a variety of reasons, including insurance products and self-insurance strategies.

c.2. Transferring
You can transfer all or part of the risk to a third party. The two main types of transfer are insurance and outsourcing.

For example, a company may choose to transfer a collection of project risks by outsourcing the project.
RISK MANAGEMENT PROCESS
5. Risk Treatment
c. Mitigating
c.3. Reducing
This can be addressed by the implementation of control activities applied throughout the organization such as approvals, authorizations, cancellation, confirmations, observations, verifications, reconciliations, review of operating performance, physical security of assets, and segregation of duties.

Internal auditors are familiar with control activities for financial reporting, and ERM extends the concept to responding to all risks.
RISK MANAGEMENT PROCESS
6. Monitoring and Review
• Measure risk management performance against indicators, which are periodically reviewed for appropriateness.
• Check for deviation from the risk management plan.
• Check whether the risk management framework, policy and plan are still appropriate, given the organization’s external and internal context.
• Report on risk, progress with the risk management plan and how well the risk management policy is being followed.
• Review the effectiveness of the risk management framework.
RISK MANAGEMENT PROCESS
6. Monitoring and Review
As with internal control, an entity monitors the effectiveness of enterprise risk management and its components through:

a. Day-to-day monitoring activities (or ongoing monitoring)
Occurs in the normal course of business as events and transactions take place. It includes ordinary management and supervisory activities in conducting transactions.

b. Separate evaluation
May be based on either planned periodic examinations or follow-up of exceptions arising in operations or day-to-day monitoring. The Internal Audit Function is often the preferred provider for separate evaluations of ERM because of internal auditors’ competencies, skills, and experience with independent investigation, risk assessment, and reporting.
RISK MANAGEMENT PROCESS
7. Communication and consultation
This task helps understand stakeholders’ interests and concerns, to
check that the risk management process is focusing on the right
elements, and also helps explain the rationale for decisions and for
particular risk treatment options.
RISK MANAGEMENT PROCESS
7. Communication and consultation
Effective communication involves:
• Downward flows – communicating management’s plans and known risks to employees
• Parallel flows – personnel communicating production and distribution risks across departments
• Upward flows – employees informing top management of surprises
RISK MANAGEMENT PROCESS
7. Communication and consultation
Part of an effective ERM environment regarding communication
is recognition by employees that risk management is to be taken
seriously and the employees are expected to communicate
significant risks upstream.
RISK MANAGEMENT PROCESS
The importance of effective risk management for safety risks is evident.

For financial risks, evidence shows that the financial markets value good risk management, and better ratings of risk management performance lead to lower capital costs for firms.
PRINCIPLES
The Standard outlines a management philosophy where risk management is seen as an integral part of strategic decision-making and the management of change.
It includes a number of Principles (enumerated in the next slides) that should influence the design and implementation of the organization’s risk management framework and process.
PRINCIPLES
Risk management:
• Creates and protects value
• Is based on the best available information
• Is an integral part of organizational processes
• Is tailored
• Is part of decision-making
• Takes human and cultural factors into account
• Explicitly addresses uncertainty
• Is transparent and inclusive
• Is systematic, structured and timely
• Is dynamic, iterative and responsive to change
• Facilitates continual improvement of the organization
How do the components fit together?
• Principles guide the creation of the framework.
• The framework defines the risk management process.
• Feedback on the performance of the process is used for monitoring and review.