Summary

Internal Control and Risk management (18/20) 2024 - volledige samenvatting Prof Ottevanger

Sold: 17
Pages: 21
Published on: 21-06-2024
Written in: 2023/2024

Complete summary to pass the course Risk Management! Includes the ERM section (Jeffrey Ottevanger) of the course Internal Control and Risk Management. Covers everything from the slides and lectures.
Content preview

Risk Management and Control
1 Introduction to risk management
1.1 What is risk

“Risk is the effect of uncertainty on objectives”
- Links risk to objectives
- Effect may be negative, positive or a deviation from expectations
- Risk may be considered to be related to: a loss, an opportunity, or the presence of an uncertainty for an organization
ISO Guide 73 = risk classification system for analyzing/evaluating risks based on impact
Hazard or pure risks
- Only result in negative outcomes
- Associated with a source of potential harm or a situation with the potential to undermine objectives
- Operational risk: normal efficient operations may be disrupted by loss, damage, breakdown, theft
- Often insurable
Examples:
- People: lack of skilled people and resources, unexpected absence of key personnel
- Premises: damage, insufficient premises
- Assets: theft or loss of physical assets
- Suppliers: delivery of defective goods
- IT: failure of systems, hacking

Hazard tolerance: manage risks to the lowest level that is cost-effective and in compliance with law
Control or uncertainty risks
- Give rise to uncertainty: difference between plans and real outcome
- Extremely difficult to quantify
- Often associated with project management: difficult to predict and control, unknown and unexpected
Control management = reducing the uncertainty and minimizing the potential consequences
> companies are averse to risk, but have to accept a level of uncertainty
Opportunity or speculative risks
- When companies deliberately take risks (market or commercial) in order to achieve a positive return
- Often financial, normal with development of new strategies
- Risk appetite: different for every company
2 kinds: associated with taking an opportunity & associated with not taking the opportunity
Opportunity management = maximize the benefits of taking entrepreneurial risks
> link between opportunity management and strategic planning: maximize the likelihood of a significant positive outcome from investments in business opportunities
Examples: moving business to new location, diversifying into new products

There is no universal classification for risks (there is no right or wrong), choose one that is most suitable
o Impact: hazard, control, opportunity risks
o Time scale: impact in ST (operations), LT (strategy)
o COSO: strategic operations, reporting, compliance
o FIRM risk scorecard: Financial, Infrastructure, Reputational and Marketplace



Risk management and control – 2024 1

1.2 What is control
Control mechanisms = all arrangements and procedures in place to ensure that business objectives may be met
Two important dimensions: formal vs. informal control
COSO Classification (in order of best to worst control):

- Preventive: limit the possibility of any undesirable outcome
- Corrective: limit the scope for loss and reduce any undesirable outcomes that have been realized
- Directive: designed to ensure that a particular outcome is achieved, giving directions to people on how
to ensure that losses do not occur: both prevents risks from occurring and detects risks when they occur
- Detective: designed to identify occasions of undesirable outcomes having been realized (after event)
Some traditional control mechanisms: authorization, supervision, segregation of duties, procedure manuals
1.3 Development of Enterprise Risk Management (ERM)
Historically, the term RM was used to describe an approach related to only hazard risks
Early 2000: ERM emerged as an attempt to manage enterprise risks in an integrated way
September 2014: COSO (Committee of Sponsoring Organizations of the Treadway Commission) defined ERM:
“a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives”

ERM is constantly developing: 2009: ISO Guide 73: definitions of common terminology
1.4 Corporate governance and regulatory context
Corporate governance = the way organizations are directed and controlled, a set of codes, regulations, standards
- Facilitate accountability and responsibility for efficient and effective performance and ethical behavior
- Obligations placed on the board of an organization
- Protect executives and employees, ensure stakeholder confidence
RM is an integral part of CG; most countries have placed CG requirements: comply or explain, or full compliance
CG in Belgian context: Code Lippens, Code 2009, Code Buysse

Almost all organizations use the Code as a framework, but only 44% provide a description of the internal control and risk management system => huge variation in the level of detail of the description and the quality of the information

Sarbanes-Oxley Act (SOX) 2002: sets new or enhanced standards for all US companies as a reaction to a number of accounting scandals
1.5 Control responsibilities
Internal control

= a process effected by the board, management and other personnel (at every level of the organization),
designed to provide reasonable assurance regarding the achievement of objectives in

- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations





Objectives of internal control (IIA)
- Accomplishment of objectives and goals
- Efficient use of resources
- Compliance with policies, plans, laws, regulations
- Safeguarding of assets and prevention of fraud
- Reliable financial and operational reporting
Internal audit
- Works independently, for the board of directors
- Validation of the controls and procedures in place to manage risks > tries to give reasonable assurance to the board that their controls work
- Monitoring the effectiveness of the ERM processes (designed and implemented by management)
- Only responsible for reporting (internal control: responsible for activities and their execution)
- Focus on operational audit, continuous, future oriented
- Responsibilities:
o Giving assurance on the risk management processes
o Giving assurance that risks are correctly evaluated
o Evaluating the reporting of key risks
o Reviewing the management of key risks

External audit
- Performed by people independent of the company, works for the stakeholders (3rd party)
- Expert opinion on the financial statements
- Focus on financial audit, periodic, past oriented

Senior management
- Responsible for day-to-day management of risk and risk reporting to the board
- CFO or CRO
- Role of CRO: compliance champion, modeling expert, strategic controller, strategic advisor
Board of directors
- Not responsible for day-to-day management of risks
- Responsible for strategy, policies, values and risk appetite (willingness to take risk)
- Oversight responsibility that ERM processes are comprehensible, in line with strategy and functioning
The three lines of defence
Oversight: board, audit committee, senior management
- 1st line: operational management and internal controls (responsibility of the CEO, CFO, ...)
- 2nd line: risk management and compliance (risk manager, no direct link to operational activities)
- 3rd line: internal audit
- External audit sits outside the three lines
How is RM working?





2 A closer look at ERM
2.1 Major drivers of ERM development
- Corporate scandals
- Economic crisis > we want to predict what’s going on
- Corporate governance requirements and legal developments
- ERM standards, frameworks, best practices
- Regulatory pressure including credit rating agencies
- Management and board of directors increasingly accountable for risks
- Rising volume and complexities of risks affecting firms
- Internal drivers as ERM can increase value: greater understanding of business, competitive advantage
2.2 Major benefits of ERM
Financial: reduced cost of capital, better control of CAPEX, increased profitability, accurate financial risk reporting
Infrastructure: efficiency and competitive advantage, improved supplier and staff morale, reduced operating costs
Reputational: regulators satisfied, good reputation and publicity, enhanced shareholder value
Marketplace: better marketplace presence, commercial opportunities maximized, higher ratio of business success, increased customer spend and satisfaction

2.3 Risk Management Standards
Risk standard (COSO, ISO 31000) = document that produces information on both:
- Risk management framework (RASP)
o Risk architecture: define roles, communications and reporting structure
o Strategy: overall RM strategy that is set by the organization
o Protocols: set of guidelines and procedures
- Risk management process (8R 4T)

- Recognition of risk: recognition or identification of the nature of the risk and the circumstances in which it could materialize
- Rating of risks: magnitude (impact) and likelihood, to produce the risk profile for the risk register
- Ranking of risks: current risk against risk criteria or risk appetite
- Responding to risks: decisions on the appropriate action (4T):
o Tolerate: accept
o Treat: do something about it
o Transfer: insurance, 3rd party
o Terminate
- Resourcing controls: for example to find the risk
- Reaction (and event) planning: for hazard risks, disaster recovery or business continuity planning
- Reporting and monitoring risk performance: actions and events, and communicating on risk issues via the risk architecture
- Reviewing the RM system: internal audit procedures and arrangements for the review and updating of the risk architecture, strategy and protocols




COSO ERM Cube = widely used standard
- Internal environment: tone of the organization, formal and informal, how risk is viewed = most important
- Objective setting: what are we aiming at?
- Event identification: internal and external events affecting the achievement of objectives: risks and opportunities
- Risk assessment: risks are analyzed (impact and likelihood) for determining how they should be managed
- Risk response: avoiding, accepting, reducing or sharing
- Control activities: policies and procedures to ensure risks are effectively handled
- Information and communication: so that people can fulfil their responsibility
- Monitoring: of risk management, and modifications made if necessary
ISO 31000 standard
- ERM should have net value for its stakeholders, be part of all processes, transparent, dynamic, continuous improvement
- Underlying concept of quality management: Deming paradigm of Plan-Do-Check-Act (PDCA)
- Principle based (rather than prescriptive): adapt to the situation
ERM frameworks: RISK MANAGEMENT PROCESS (RMP)
Context
Defines the risk management environment and formulates organization-wide risk appetite
> external, internal and risk management context
needs to be practical: checklists, best practices, industry norms
Risk assessment

- Risk identification
o In risk register or risk log
o Categorization with clear names, room to add new risks
- Risk analysis
o Develop an understanding of the risks: likelihood, impact and consequences
o Understanding of existing controls
- Risk evaluation
o By comparing residual risks against risk criteria
o Risk prioritization and cost benefit analysis of risk treatment
Risk treatment
Includes identification, selection and implementation of different controls