Presented by Straton Makundi, Partner, Auditax International (MBA) - PowerPoint PPT Presentation


SLIDE 1

Presented by Straton Makundi, Partner, Auditax International (MBA, ACCA, B.Com). Email: straton@auditaxinternational.com

Transcending Business Confidence

SLIDE 2

Contents

• Introduction
• Risk Management in Tanzania
• Standards / Principles on Risk Management
• Embedding Risk Management in Organizational Activities
• Developing A Risk Management Framework
• The role of Accountants in Risk Management
• Challenges and Way Forward
• Discussion, Questions

SLIDE 3

Introduction

Why was the recent global financial crisis not spotted in time by auditors, accountants, regulators, professional bodies, bankers etc.?

SLIDE 4

Introduction

Various organizations in Tanzania and elsewhere (both private and public) are exposed to a number of risks which, if not properly managed, may hinder the achievement of their objectives. This presentation focuses on providing an understanding of risk and risk management, and attempts to emphasize and remind us of the importance and benefits of managing risks, the most common risk management frameworks, our role as accountants in risk management, and the challenges of risk management in Tanzania.

The Institute of Internal Auditors defines risk as “the uncertainty/possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood”. ISO defines risk as “effect of uncertainty on objectives. Note that an effect may be positive, negative, or a deviation from the expected. Also, risk is often described by an event, a change in circumstances or a consequence.”

SLIDE 5

Introduction

The Institute of Risk Management (IRM) defines risk as “the combination of the probability of an event and its consequence. Consequences can range from positive to negative”. Thus, from the definitions above, we can conclude that:

• Risks result from pursuing objectives
• Risks have impacts on objectives
• Risks can be an event, situation or circumstances which are uncertain.

Some people confuse a risk with a problem. Risks are uncertain (future events which may or may not happen) and should be managed, while problems are certain (they have happened or are certain to happen) and thus require solutions.

SLIDE 6

Introduction

Risks can be categorized according to their nature and effect. The most common types and categories of risks are:

i) Strategic risks: Risks pertaining to the entity’s direction, external environment and the achievement of its plans, e.g. changes in government policies, political changes etc.

ii) Compliance risks: Risks of contractual relationships/meeting regulatory obligations, e.g. non-compliance with tax laws, contractual obligations or environmental regulations.

iii) Operational risks: These emanate from operational activities, e.g. inadequate human resources, low quality of services, physical damage to assets or security risk.

SLIDE 7

Introduction

iv) Technical risks: Risks of managing assets, such as machine failure and IT risks like virus incidents or computer crashes.

v) Financial and systems risks: Risks resulting from financial controls and systems, e.g. fraud, theft or misappropriation of funds, lack of funding, delayed procurements etc.

SLIDE 8

Introduction

What is Risk Management? The Institute of Internal Auditors (IIA) defines risk management as “a process for identifying, assessing, managing, and controlling potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives”.

Why Risk Management? The potential benefits of managing risks are:

• Provision of a reliable basis for decision making, i.e. it facilitates strategic and operational planning because of the comfort that objectives and performance targets will be achieved, as management becomes aware of events which may hinder their achievement.
• Stakeholders’ confidence and trust is increased
• Improved communication across the organisation
• Effective use of resources, as surprises and shocks are reduced
• Enables compliance with legal and regulatory requirements
• Improved health and safety as well as environmental protection

SLIDE 9

Risk Management in Tanzania

• The Government of Tanzania (via the Internal Auditor General’s Office) has mandated all public sector organizations to adopt and implement risk management practices.
• Treasury Circular No. 12 of 2013 requires all Accounting Officers to establish and implement risk management processes in their organizations.
• The Public Finances Act (2001), amended in 2010, established the Internal Auditor General’s Unit under the Ministry of Finance. The Unit is responsible for issuing guidelines and conducting reviews and assessments of the quality and effectiveness of risk management practices across MDAs and LGAs.
• In December 2012, the Internal Auditor General issued the Guidelines for Developing and Implementing Institutional Risk Management Framework in the Public Sector. This document provides step-by-step guidelines on how to implement risk management.

SLIDE 10

Risk Management in Tanzania

Implementation Requirements for the 2012 Guidelines

Specifically, the IAG Division’s 2012 Guidelines on Risk Management require each government entity, including Parastatal Organizations, to develop, implement and enhance a risk management framework which ensures that:

• There is a policy, culture and structure that facilitates how the organisation will identify, record and monitor risks, including procedures for reporting risk information to the Accounting Officers and other oversight organs;
• There is a risk management process which is in line with international standards for risk management (e.g. ISO 31000 or COSO);
• The risk management process is part of the strategic, operational and annual business planning activities of the organisation;
• There is a risk register that is used to record, rate, monitor and report risks;
• There is an established process for monitoring, reviewing and enhancing risk management and governance systems.

SLIDE 11

Risk Management in Tanzania

In 2010 the Bank of Tanzania issued Risk Management Guidelines for Banks and Financial Institutions. Its Risk Management Framework, for instance, requires banks and financial institutions to have:

• Active Board and Senior Management Oversight
• Adequate Policies, Procedures and Limits
• Risk measurement, monitoring and management information systems
• Adequate Internal Controls
• Independent Review etc.

The guidelines also prescribe Credit, Liquidity, Market and Operational Risk, Strategic and Compliance Management Guidelines. The guidelines were updated to include some risks such as strategic and compliance risks and to merge some risks into market risks.

SLIDE 12

Standards/Principles on Risk Management

• Risk management relies on established principles and international standards. Common standards and models for risk management proposed by different institutions are:
• ISO 31000:2009 Risk Management – Practice and Guidelines
• BS 31000:2008 Code of Practice for Risk Management – British Code
• COSO:2004 Enterprise Risk Management – Integrated Framework
• FERMA:2002 A Risk Management Standard – Federation of European Risk Management Association
• Solvency II:2012 Risk Management for the Insurance Industry
• Basel I and II Guidelines for financial institutions
• The most common models are ISO 31000 of 2009 and COSO of 2004.
• The Tanzanian Government Risk Management Guidelines allow Government entities to decide on any of the internationally recognized standards on which to base their risk management architecture.

SLIDE 13

Standards/Principles on Risk Management

COSO

The Committee of Sponsoring Organisations (COSO) was established in the mid-1980s to sponsor research into the causes of fraudulent financial reporting. Its mission now is to: “provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations”. COSO has been influential because it provides frameworks against which risk management and internal control systems can be assessed and improved, especially after corporate scandals occurred in companies where risk management and internal control were deficient. It has been providing best practice on Risk Management and Internal Control.

SLIDE 14

Standards/Principles on Risk Management

COSO Enterprise Risk Management Model

SLIDE 15

Standards/Principles on Risk Management

COSO’s guidance portrays the ERM model in the form of a cube. COSO’s intention was to illustrate the links between objectives (shown on the top) and the eight components (shown on the front), which are the requirements to achieve the objectives. The third dimension shows the organization's units, which illustrates the model’s ability to focus on parts of the organisation as well as the whole.

i) Internal environment

The internal environment establishes the tone of the organisation, which in turn determines the risk appetite, attitudes towards risk management and ethical values. This tone is set by the board. So an unbalanced board, lacking appropriate technical knowledge and experience, diversity and strong independent voices, is unlikely to set the right tone. Further, the work directors do in board committees can contribute significantly to the tone. Thus having effective and efficient board audit and risk committees is critical.

SLIDE 16

Standards/Principles on Risk Management

However, having appropriate boards is not enough, as they may be undermined by a failure of management in divisions or business units. Systems and processes to control line management may not be sufficient or may not be operated correctly. Unit managers may not be aware of their responsibilities or may fail to exercise them properly, e.g. by tolerating staff who take controls for granted or who put more emphasis on the achievement of results than on the responsible handling of risks.

The COSO ERM model has been criticized in the sense that it starts at the wrong place, i.e. by ignoring the external environment. By doing this, it does not adequately reflect the impact of the competitive environment, regulation and external stakeholders on risk appetite, management and culture.

SLIDE 17

Standards/Principles on Risk Management

ii) Objective setting

The board must set objectives which support the organization's mission and are also consistent with its risk appetite. Thus, for the board to set objectives effectively, it must be aware of the various risks which may occur as a result of pursuing the objectives. The board should also consider its risk appetite and strategically decide how much risk it is willing to accept, avoid or reduce.

iii) Event identification

The model requires organizations to identify internal and external events that affect the achievement of their objectives. The guidance distinguishes between events with a negative impact (representing risks) and events with a positive impact (representing opportunities), which should be an input to strategy setting. In some organizations there may not be a process for event identification in important areas, and a culture of no one expecting anything to go wrong may have taken root.

SLIDE 18

Standards/Principles on Risk Management

Organisations should also distinguish between strategic and operational risks. Care should be taken to avoid excessive focus on internal factors, which is one of the weaknesses of the model, as it may result in a concentration on operational risks and a failure to analyze strategic dangers sufficiently. Processes should also be put in place to identify the risks arising from one-off events as well as the more gradual trends that could result in changes in risk.

The model has been criticized for discussing risks primarily in terms of events, especially sudden events with major consequences. It is argued that the framework does not adequately address slow changes that can give rise to important risks, e.g. changes in internal culture or market sentiment. Thus it is critical for entities to carry out analysis to identify potential events, as well as identifying and responding to signs of danger as soon as they arise, e.g. quick responses to product failure may be important to minimize or eliminate lost sales and threats to reputation.

SLIDE 19

Standards/Principles on Risk Management

iv) Risk assessment

This involves assessing the likelihood and impact of risks and forms a basis for determining how to manage them. A consideration of how individual risks interrelate should also be made. The COSO framework emphasizes the importance of employing a combination of qualitative and quantitative risk assessment methodologies.

The COSO framework has been criticized for encouraging an over-simplified approach to risk assessment. Critics claim that it encourages an approach that views the materialization of a risk as a single outcome. This outcome could be an expected outcome or it could be a worst-case result, while in practice many risks have a range of possible outcomes on materialization, e.g. extreme weather.

SLIDE 20

Standards/Principles on Risk Management

v) Risk response

• This is the stage where management selects appropriate actions to align risks with risk tolerance and risk appetite. The four main responses to risks are: reduce, accept, transfer or avoid. Risks should not be treated in isolation without considering the picture for the organisation as a whole.
• The COSO guidance emphasizes the importance of taking a portfolio view of risk.
• Further, the risk responses chosen must be realistic, taking into consideration the costs of responding as well as the impact on risk.

Risk responses will be affected by the organization's environment. Highly regulated organizations, for instance, will have more complex risk responses and controls than less regulated organizations.

SLIDE 21

Standards/Principles on Risk Management

vi) Control activities

• This involves instituting policies and procedures so as to ensure that risk responses are effective. The designed controls should operate properly. COSO has supplemented the ERM model with guidance in ‘Internal Control – Integrated Framework’, which stipulates that: ‘It is not merely about policy manuals, systems and forms but people at every level of an organisation that impact on internal control.’
• The reason why controls fail is problems with how managers and staff utilize controls. This emphasizes the importance of the human factor, e.g. failure to operate controls because they are not taken seriously, mistakes, collusion between staff, or management telling staff to override controls.
• Thus COSO guidance emphasizes the importance of segregation of duties, i.e. to reduce the possibility of a single person being able to act fraudulently and to increase the possibility of errors being found. Likewise, the framework emphasizes the need for controls to be performed across all levels of the organisation, at different stages within business processes and over the technology environment.

SLIDE 22

Standards/Principles on Risk Management

The control activities include the following:

i) Authorisation and approval procedures: ensuring that the process of authorising and executing transactions and events is only done by persons acting within the scope of their authority.

ii) Segregation of duties (authorising, processing, recording, reviewing): This is aimed at reducing the risk of error, waste or wrongful acts, as well as the risk of not detecting such problems, by ensuring that no single individual or team controls all key stages of a transaction or event.

iii) Controls over access to resources and records: This control ensures that access to resources and records is limited to authorised individuals who are accountable for the custody and/or use of the resources.

iv) Verifications: Verification ensures transactions and significant events are verified before and after processing.

SLIDE 23

Standards/Principles on Risk Management

v) Reconciliations: This involves reconciliation of records with appropriate documents on a regular basis.

vi) Reviews of operating performance: This involves the review of operating performance against a set of standards on a regular basis, assessing effectiveness and efficiency.

vii) Reviews of operations, processes and activities: Operations, processes and activities should be periodically reviewed to ensure that they comply with current regulations, policies, procedures or other requirements.

viii) Supervision (assigning, reviewing and approving, guidance and training): The process of assigning, reviewing and approving an employee’s work encompasses: clear communication of the duties, responsibilities and accountabilities assigned to each staff member; systematically reviewing each member’s work to the extent necessary; approving work at critical points to ensure that it flows as intended.

ix) IT Controls: General and application controls.

SLIDE 24

Standards/Principles on Risk Management

vii) Information and communication

• Organisations should put in place information systems which ensure that data is identified, captured and communicated in a format and timeframe that facilitates managers and staff in carrying out their responsibilities.
• Management should be furnished with relevant and appropriate quality information covering all the objectives shown on the top of the cube.
• There must also be communication with staff. When this is done in risk areas relevant to what staff do, it strengthens the internal environment by embedding risk awareness in staff’s thinking.
• Similar to other controls, a failure to take information and communication seriously can have adverse consequences. For instance, management may not insist on a business unit providing the required information if that business unit appears to be performing well. Likewise, a system of reporting by exception may leave important information to the judgment of managers, thus limiting the ability of top management to learn about potential problems in time.

SLIDE 25

Standards/Principles on Risk Management

viii) Monitoring

• The management system should be monitored and modified if necessary, as ‘unmonitored controls tend to deteriorate over time’ (COSO).
• A distinction should be drawn between regular review (ongoing monitoring) and periodic review (separate evaluation). The model requires that weaknesses be reported, assessed and their root causes corrected.
• The key players when performing separate evaluation are the audit committee and the internal audit department. When the size and level of complexity increase, an internal audit function will be required.

SLIDE 26

Standards/Principles on Risk Management

ISO 31000

SLIDE 27

Standards/Principles on Risk Management

As per ISO 31000:2009, the risk management process should consist of 6 components. These are:

i) Establish the context: This can be external (political, legal, technological, economic, social and environmental) and in terms of the internal environment of the entity.

ii) Identify risks: This is the process of identifying what, why and how events arise so as to perform further analysis.

iii) Analyze and evaluate risks: This process looks at existing controls and the analysis of risks in the context of consequence and likelihood in relation to the controls.

iv) Treat risk: This involves the development and implementation of risk management plans, taking into account cost and benefit analysis.

SLIDE 28

Standards/Principles on Risk Management

v) Monitor and Review: This is the oversight and review of the risk management system and of changes which may affect it.

vi) Communication and Consultation: There must be appropriate communication and consultation with internal and external stakeholders at each stage of the risk management process.

When an entity is choosing an international standard for risk management it should base its decision on:

• The compatibility or adoptability of the standard with its environmental settings;
• Whether the standard is popular among similar organizations.

SLIDE 29

Embedding Risk Management in Organizational Activities

Risk management requires a careful approach to integrating it within the existing cultures, systems and activities of organizations. When adopting risk management, it is important to avoid the mistake of letting risk management be seen as a separate activity, which may lead to mismatch and possible conflict or resistance from stakeholders. Thus risk management should be part and parcel of the daily activities of an entity. This involves the creation of an environment which demonstrates:

• Leadership from senior management and the board;
• The involvement of staff at all levels;
• Inculcating a culture of learning from experience;
• Ensuring appropriate accountability for actions (but avoiding a blame culture);
• Proper communication on risk issues.

SLIDE 30

Embedding Risk Management in Organizational Activities

To build a culture of risk awareness an organisation should ensure:

• The existence of an appropriate risk management framework (i.e. risk architecture, strategy and protocols, which are the main components);
• Conducting awareness and capacity building campaigns for key stakeholders within the entity.

SLIDE 31

Developing A Risk Management Framework

Before an entity starts to implement the risk management process, best practice requires the development of a risk management framework, which is defined below and forms the foundation for the risk management process.

“A framework is defined as an essential supporting or underlying structure.” (Concise Oxford Dictionary)

Risk management framework? “A risk management framework is a set of components that provides a structure that will facilitate the use of a consistent risk management process.” (IRM, 2010)

Risk management process? “A risk management process is a process for identifying, assessing, managing, and controlling potential events or situations to provide reasonable assurance regarding the achievement of organization's objectives.” (Institute of Internal Auditors)

SLIDE 32

Developing A Risk Management Framework

Thus, from the two definitions above, the following should be noted: the risk management framework supports the risk management process. Thus, a risk management framework must first be established before starting to conduct the risk management process.

Components of a risk management framework (Source: Hopkin, 2010)

i) Risk Strategy / Policy: It describes risk appetite, attitudes and philosophy.

ii) Risk Architecture/Governance Structure: This defines roles, responsibilities, communication and the risk reporting structure.

iii) Risk Protocols/Procedures: These are the risk guidelines for an entity. They include the rules and procedures as well as the risk management methodologies, tools and techniques that should be used in implementing the risk management process.

Note: Sometimes risk management framework and risk management policy are used interchangeably. There are cases where the risk management policy may include all the components of a risk management framework.

SLIDE 33

Developing A Risk Management Framework

i) Risk Management Policy

“A risk management policy is a statement of the overall intentions and direction of an organization related to risk management.” (ISO 31000:2009)

The objectives of a Risk Policy Statement: It defines the policy of the organisation, shows how the policy will be implemented, defines the particulars of the policy and protects the organization from misunderstandings that might lead to unauthorized behavior. It also sets the entity’s risk management objective and the strategy to achieve this objective. It also covers the overall philosophy, commitment, appetite, attitudes, intentions and direction related to risk management. The policy must be customised to the needs of the entity, approved by the top management and board of the entity, and communicated to all staff and key stakeholders.

SLIDE 34

Developing A Risk Management Framework

A risk management policy may have the following sections:

i) The purpose for implementing risk management in the entity;

ii) Policy statements to show the entity’s philosophy, attitudes and commitment towards risk management;

iii) Risk management principles adopted: these are the standards and models which the entity adopts in implementing risk management (e.g. ISO 31000:2009).

SLIDE 35

Developing A Risk Management Framework

ii) Risk Architecture

This is the structure of how officials and organs in the organisation relate to each other on risk management activities. This document assigns risk management roles and responsibilities to organs, officials and all staff, and establishes the communication and risk reporting culture. The risk architecture enables the operation of risk management activities by establishing clear reporting lines and risk information transfer, as well as the avoidance of conflicts.

SLIDE 36

Developing A Risk Management Framework

The Guideline for Developing and Implementing Risk Management Framework has provided some indicative roles and responsibilities for LGAs. These are detailed below (Position: Risk Management Responsibilities).

The Council: Responsible for setting the overall direction and oversight of risk management across the LGA.

Executive Director: He/she is responsible for setting the tone and promoting a strong risk management culture through ensuring firm and visible support and ensuring that risk management processes are implemented at lower levels.

Audit Committee: The audit/risk committee should assist the Executive Director in discharging his/her responsibilities regarding risk management by making risk management a standing agenda item.

SLIDE 37

Developing A Risk Management Framework

Risk Management Coordinator: This is the Chief Risk Officer, responsible for coordination of the development, enhancement, implementation and monitoring of risk management policies, procedures and systems at the LGA.

Internal Audit: They provide comfort that the risk management framework is effective as intended, through evaluating the risk management process and focusing their audit activities on key risks. In some cases, internal audit acts as the risk coordinator, especially in the initial stages of developing the LGA’s risk management framework. Care must be taken to avoid conflict of interest.

Heads of Units and Departments: The heads of units and departments are “risk owners”. They assume responsibility for designing, implementation etc.

SLIDE 38

Developing A Risk Management Framework

iii) Risk Protocols/Procedures/Processes

a) Risk Assessment

The risk management process involves the identification, analysis and evaluation of risks, among other things. Risk assessment is an important step in the implementation of an entity’s risk management process. As per the ISO 31000:2009 model of risk management, the risk assessment exercise covers three main activities:

• The identification of risks: Consideration of events or circumstances that may happen to impact the objectives.
• The analysis of risks: Establishing the impact and likelihood of the risk happening.
• The evaluation of risks: Identifying controls that exist against the risks.

Small differences could occur when risk assessment is done using the COSO ERM (2004) model of the risk management process.

SLIDE 39

Developing A Risk Management Framework

Approach to Conduct the Risk Assessment Exercise

There are various approaches or methods for conducting the risk assessment exercise, such as:

• Desk-top review of documentation;
• Survey using a specific questionnaire;
• One-to-one interviews with employees in the organisation;
• Group interviews (e.g. in a group of 5 staff);
• A workshop approach.

For instance, in Tanzania LGAs surveys and workshops have been more widely used.

Workshop approach (self risk assessment):

• Assemble all heads of units/departments for two to five days;
• These are divided according to common objectives or departmental targets in order to brainstorm potential risks (a special risk assessment form is used); later, each group is given an opportunity to present before the whole plenary;
• Then all participants discuss and deliberate on the risks identified by the group.

slide-40
SLIDE 40

Developing A Risk Management Framework

Survey Approach (Commissioning a risk review)

 A task force or team is formed and mandated to develop the tools for risk

assessment (normally special questionnaires or a forms to capture all information

  • n risk);

 The questionnaires/forms are distributed to all members of staff (particularly

heads of department/units/sections) based on the entity’s objectives and targets. The task force/team then collects the completed questionnaires, summaries them and prepare the risk register. Note: Once the approach is chosen, a decision should be made on the level on which to base the risk assessment (strategic or operational level).

 Strategic level implies that the risk assessment exercise will mainly focus on

risks against the entity’s strategic objectives (as indicated in the strategic plan).

 Departmental/unit/operational level implies that the risk assessment exercise

mainly focus on risks against departmental/units targets (normally they have links to the strategic objectives).

SLIDE 41

Developing A Risk Management Framework

Sources of Risks

When identifying risks, the groups should consider the following possible sources of risks, both external and internal:

• Outsourcing to external service providers
• Commercial/legal changes
• Changes in the economic conditions
• Socio-political changes, e.g. elections
• National and international events
• Behaviour of contractors/private suppliers
• Financial/market conditions
• Natural events
• Misinformation
• New activities
• Disposal or cessation of current activities

SLIDE 42

Developing A Risk Management Framework

Sources of Risks (continued):

• Personnel/human behaviour
• Management activities and controls
• Operational (the activity itself) changes
• Department interruption
• Occupational health and safety
• Technology/technical changes, i.e. new hardware and software implementations, new systems
• Property/assets
• Security (including theft and fraud)
• Public/professional/product liability

SLIDE 43

Developing A Risk Management Framework

Risk analysis

This is the analysis by the team of the causes and consequences of risks, i.e. the situations that may lead a risk to happen and its ultimate effect on the objective/organisation.

SLIDE 44

Developing A Risk Management Framework

Assessment of the Likelihood and Impact of Each Risk

Risks are defined as events that might or might not occur, their occurrence being outside the control of the entity. The organisation must thus assess two factors for each risk:

i) The risk's LIKELIHOOD, or probability of happening/occurring;
ii) The risk's IMPACT on the objective.

Sources of Information on Likelihood and Impact

The most relevant sources of information used in analysing impact and likelihood include:

• Past records;
• Practical and relevant experience;
• Relevant published literature;
• Market research;
• Results of public consultation; or
• Expert judgement.

SLIDE 45

Developing A Risk Management Framework

Rating of Risks

Risks are rated using various classification band-levels:

• 5-band level: Very High = 5, High = 4, Medium = 3, Low = 2, Very Low = 1
• 4-band level: Very High = 4, High = 3, Medium = 2, Low = 1
• 3-band level: High = 3, Medium = 2, Low = 1

In this session, a 5-band level for both likelihood and impact is presented, as this scheme has been adopted in the Government's Risk Management Guideline.

SLIDE 46

Developing A Risk Management Framework

Meaning of rates on impact and likelihood of risks

Number   Impact                              Likelihood
5        Very High (VH), also Catastrophic   Very High (VH), also Almost Certain
4        High (H), also Major                High (H), also Likely
3        Medium (M), also Moderate           Medium (M), also Possible
2        Low (L), also Minor                 Low (L), also Unlikely
1        Very Low (VL), also Insignificant   Very Low (VL), also Rare

The rating is then made by multiplying likelihood and impact: the highest level of a risk is the one with a product of 25 (i.e. 5 x 5); the lowest level is 1 (i.e. 1 x 1). Note: the result (product) is called the total risk.

The total risk indicates the priority of the risk; very high risks especially have to be dealt with.

SLIDE 47

Developing A Risk Management Framework

Assigning Risk Owners

• Similar to objectives, risks fall under different areas of responsibility. Thus responsibility for risk treatment should be assigned to the responsible official under whom the risk functionally falls, i.e. the Department or Unit. Usually, the risk owner is assigned responsibility for the risk by the CEO/MD/Executive Director.
• Risk owners are people with the ability to carry out the proposed treatment options. They are responsible and accountable for the risk.

Risk Evaluation

After the inherent risk rating, the team evaluates how the entity is controlling each of the risks, i.e. by assessing the EXISTING CONTROLS (and their weaknesses) in order to determine the RESIDUAL RISK, i.e.:

SLIDE 48

Developing A Risk Management Framework

• The risk remaining even after being controlled;
• The remaining risk due to some existing weaknesses in the controls.

Questions to be addressed when assessing the current controls against each risk include:

• What are the existing controls for a particular risk?
• Are those controls capable of adequately treating the risk so that it is controlled to a level that is tolerable?
• In practice, are the controls operating in the manner intended, and can they be demonstrated to be effective when required?

Assess the Residual Risk and Propose Mitigation Controls

The residual risk (i.e. the risk after the existing controls) needs to be re-assessed to see whether it is within the entity's TOLERABLE LEVEL.

• The tolerable level of the risk is the extent up to which the entity is ready to bear the risk, after it has been treated, in order to achieve the objectives.
• The tolerable level of risk is determined by management and may be stipulated in the risk policy.

SLIDE 49

Developing A Risk Management Framework

Again, as in the inherent risk assessment, the risk is rated in terms of LIKELIHOOD (of happening) and IMPACT (on the objective), this time given the current controls. It is expected that the residual risk will be lower than the inherent risk; this will be the case only if the existing controls are effective. If the residual risk remains above the entity's acceptable level, more mitigation controls need to be put in place to reduce the risk. The proposed mitigation controls should be guided by the total residual risk (i.e. IMPACT x LIKELIHOOD). The last column of Table 8 below gives guidance on how to respond to each level of the total risk.

SLIDE 50

Developing A Risk Management Framework

Table 8: Total risk bands and responses

Total Risk / Risk Status   Description         Expression in Colour   Meaning and Responses
(Impact x Likelihood)
15-25                      Extreme or severe   Red                    Very serious concern; highest priority. Take immediate action and review regularly.
10-14                      High                Light brown            Serious concern; higher priority. Take immediate action and review at least three times a year.
5-9                        Moderate            Yellow                 Moderate concern; steady improvement needed. Possibly review biannually.
1-4                        Low                 Green                  Low concern; occasional monitoring. Tolerate/Accept. Continue with existing measures and review annually.

Need for a Special Form to Record the Assessment of Each Risk

All of this information must be captured in the Risk Identification and Analysis Sheet.

SLIDE 51

Developing A Risk Management Framework

The Risk Management Process: Risk Register and Treatment Plans

The risk assessment process ends up with the entity's Risk Register and Risk Treatment Action Plans.

Developing the entity's Risk Register

The objective of the risk register is to form an agreed record of the significant risks that have been identified, and to serve as a record of the control activities that are currently being undertaken. The risk register will also be a record of the additional actions that are proposed to improve the control of each particular risk. To prepare the risk register, all the information collected during the risk assessment process is summarised.

SLIDE 52

Developing A Risk Management Framework

Key information from the Risk Identification and Analysis Form is selected to prepare the register. This includes:

i) The objective that is affected by the risk;
ii) The risk title and category (e.g. strategic, operational etc.);
iii) The risk identification code (each risk should be given a unique ID that connects it with the objective it affects);
iv) The residual risk assessment (i.e. the risk by likelihood and impact, with the appropriate colour);
v) The principal risk owner;
vi) The page number linking the summary to the detailed risk assessment form attached to the register.

All of this information must be captured in the Risk Register Template, which cuts across departments.
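Worked example, added here as an illustration and not a tool from the presentation or from any Government template: a short Python script that implements the rating scheme described on the slides above (5-band impact and likelihood scale, total risk = impact x likelihood, inherent rating followed by the residual rating given existing controls, colour band and response from the total-risk table) and then builds the risk register rows (unique ID tied to the objective, category, owner, residual rating with colour) sorted with the highest residual total first. The function names (`total_risk`, `band`, `assess`, `build_register`), the sample risks for a fictional LGA and the tolerable level of 4 (the top of the Low band) are all my own assumptions; the slides say the tolerable level is set by management in the risk policy but give no figure.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Rating scale used for both impact and likelihood (5-band level from the slides).
SCALE = {1: "Very Low", 2: "Low", 3: "Medium", 4: "High", 5: "Very High"}

# Total-risk bands from the response table: (low, high, status, colour, response).
BANDS = (
    (15, 25, "Extreme or severe", "Red",
     "Very serious concern; highest priority. Take immediate action and review regularly."),
    (10, 14, "High", "Light brown",
     "Serious concern; higher priority. Take immediate action and review at least three times a year."),
    (5, 9, "Moderate", "Yellow",
     "Moderate concern; steady improvement needed. Review biannually."),
    (1, 4, "Low", "Green",
     "Low concern; occasional monitoring. Tolerate/accept, continue existing measures, review annually."),
)

# Assumed tolerable level (the slides leave this to management): anything in the Low band.
DEFAULT_TOLERABLE = 4


def total_risk(impact: int, likelihood: int) -> int:
    """Total risk = impact x likelihood; both ratings must be on the 1..5 scale."""
    for name, value in (("impact", impact), ("likelihood", likelihood)):
        if value not in SCALE:
            raise ValueError(f"{name} must be an integer 1..5, got {value!r}")
    return impact * likelihood


def band(total: int) -> Tuple[str, str, str]:
    """Map a total risk (1..25) to (status, colour, response) from the table."""
    for low, high, status, colour, response in BANDS:
        if low <= total <= high:
            return status, colour, response
    raise ValueError(f"total risk {total} is outside 1..25")


@dataclass
class Risk:
    risk_id: str                 # unique ID that ties the risk to the objective it affects
    objective: str
    title: str
    category: str                # e.g. strategic, operational
    owner: str                   # official under whom the risk functionally falls
    inherent: Tuple[int, int]    # (impact, likelihood) before any controls
    residual: Tuple[int, int]    # (impact, likelihood) given the existing controls
    existing_controls: List[str] = field(default_factory=list)


def assess(risk: Risk, tolerable: int = DEFAULT_TOLERABLE) -> Dict:
    """Inherent and residual rating for one risk, plus the required response."""
    inherent_total = total_risk(*risk.inherent)
    residual_total = total_risk(*risk.residual)
    # Controls can only reduce risk: a residual above the inherent rating is a
    # data-entry error on the assessment sheet, so refuse it rather than register it.
    if residual_total > inherent_total:
        raise ValueError(f"{risk.risk_id}: residual {residual_total} exceeds inherent {inherent_total}")
    status, colour, response = band(residual_total)
    return {
        "risk_id": risk.risk_id,
        "objective": risk.objective,
        "title": risk.title,
        "category": risk.category,
        "owner": risk.owner,
        "inherent_total": inherent_total,
        "residual_total": residual_total,
        "status": status,
        "colour": colour,
        "response": response,
        "controls_effective": residual_total < inherent_total,
        "within_tolerance": residual_total <= tolerable,
    }


def build_register(risks: List[Risk], tolerable: int = DEFAULT_TOLERABLE) -> List[Dict]:
    """Risk register rows sorted highest residual total first; IDs must be unique."""
    ids = [r.risk_id for r in risks]
    if len(ids) != len(set(ids)):
        raise ValueError("risk IDs must be unique")
    rows = [assess(r, tolerable) for r in risks]
    rows.sort(key=lambda row: (-row["residual_total"], row["risk_id"]))
    return rows


# Constructed sample data for a fictional local government authority (not real findings).
SAMPLE_RISKS = [
    Risk("OBJ1-R01", "Collect 100% of budgeted own-source revenue",
         "Revenue leakage through unrecorded cash collections", "operational",
         "Head of Finance", inherent=(5, 4), residual=(4, 2),
         existing_controls=["Pre-numbered receipt books", "Daily banking reconciliation"]),
    Risk("OBJ1-R02", "Collect 100% of budgeted own-source revenue",
         "Loss of accounting records after server failure", "operational",
         "Head of ICT", inherent=(4, 3), residual=(2, 2),
         existing_controls=["Weekly off-site backup", "Tested restore procedure"]),
    Risk("OBJ2-R01", "Pay only bona fide employees",
         "Ghost workers added to payroll through collusion", "strategic",
         "Director of Administration", inherent=(5, 3), residual=(5, 3),
         existing_controls=["Payroll sign-off by a single officer (no segregation of duties)"]),
]


if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        flag = "" if row["within_tolerance"] else "  <- treatment action plan required"
        print(f'{row["risk_id"]}  inherent={row["inherent_total"]:2d}  '
              f'residual={row["residual_total"]:2d}  {row["status"]} ({row["colour"]})  '
              f'owner={row["owner"]}{flag}')
```

Two checks are worth keeping in any spreadsheet or tool built for this: a residual rating higher than the inherent one is rejected (controls can only reduce risk, so the sheet has been filled in wrongly), and duplicate risk IDs are rejected so every register row links back to exactly one objective. Rows whose `within_tolerance` is false are the ones whose owners must prepare a treatment action plan; in the sample data the payroll risk keeps its inherent rating of 15 because the only existing control lacks segregation of duties, so it lands in the Red band.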

SLIDE 53

Developing A Risk Management Framework

Review of the Risk Register

• The risk register should be treated as a dynamic element and considered to be the risk action plan for a unit or the organisation as a whole.
• Best practice is to review the risk register every year. The register is revised through the same risk assessment process.

Preparing the Risk Treatment Action Plans

• When the risk register is completed, risk treatment action plans should be prepared by each of the risk owners, committing them to implement the proposed risk mitigation actions.
• The timetable for implementation and the key indicators for risk treatment are the most important items.

SLIDE 54

The role of Accountants in Risk Management

ACCA's report Rules for risk management: culture, behavior and the role of accountants, issued in January 2012, concludes that the accountants' role in providing decision support is an approach to risk management and places accountants in a very important position. The report notes that most 'risky' decisions in companies have some sort of financial aspect, and it is most often accountants who are asked to estimate the financial implications of alternative courses of action. Further, in most organisations accountants outnumber formally designated risk managers. Thus the work of accountants is important to managing risk and ensuring an integrated risk management approach. The report quotes one survey respondent who concluded that 'although not always appreciated, the contribution of the finance section to risk management is huge and necessary in any organisation.' The survey identified 39 practices which accountants can carry out to facilitate risk management in their organisations.

SLIDE 55

The role of Accountants in Risk Management

1. The production of management accounts shows the organisation's desire to support decision-making based on evidence rather than assumption. Thus the preparation of both management accounts and financial forecasts, done with a range of possible outcomes, can be a crucial part of risk management. Elements used in management accounts are:

• Comparison against budgets, and reporting on the liquidity of the organisation;
• Analysis of past trends, and the proportion of costs that are fixed, or a breakeven analysis relating volume and profit;
• Graphs showing results for past time periods (e.g. last six months, last year superimposed on this year);
• Analysis of the sensitivity of results (e.g. to interest rates, currency exchange rates, credit risk);
• Capital gearing ratio, or similar, relating debt to equity, or interest to earnings;
• Information about the limitations of figures that rely on estimates, samples, or non-financial data captured in unreliable ways;
• Risk-adjusted performance measures.

SLIDE 56

The role of Accountants in Risk Management

Items in financial forecasts are:

• Documented assumptions;
• The possible impacts of external factors such as the economy and competition;
• Notes of risks and uncertainties;
• A clearly stated plan of action on which each forecast is based;
• Sensitivity analysis for variables in the forecast, considered one by one;
• Forecasts for alternative scenarios;
• The possible impacts of/on non-financial factors, such as volume constraints, safety, error rates, or public reactions;
• Analysis of past forecasting errors;
• Ranges (i.e. prediction intervals showing a range within which results are likely to fall).

SLIDE 57

The role of Accountants in Risk Management

2. Support decision-making: Effective decision-making hinges on careful contemplation of the possible consequences of a series of actions. Thus accountants should support decision-making by guiding people to understand the alternative possible futures that exist, instead of just detailing the most likely outcome. This should be done through:

• Analysis of past actual results;
• Analysis of the implications of different future scenarios;
• Sensitivity analysis for forecasts or decisions;
• Identification of potential knock-on effects of actions that may not have immediate financial effects;
• Facilitation of planning, process design, or decision-making workshops;
• Checklists of 'risks';
• Weights or limits for 'risk';
• Other limits or weights intended to discourage excessive risk taking.

SLIDE 58

The role of Accountants in Risk Management

3. Provide control against unethical and illegal behaviour: This involves the use of financial compliance controls. Examples of controls against financial non-compliance include:

• Asking for explanations of variances against budget;
• Designing financial procedures and controls;
• Personally scrutinising expense claims for items that should not have been claimed;
• Searching for and examining patterns of transactions that may indicate other types of fraud;
• Personally scrutinising expenditures for amounts that might be bribes;
• Searching for and examining patterns of transactions that may indicate money laundering.

SLIDE 59

The role of Accountants in Risk Management

Examples of controls against unethical behaviour include:

• A disciplinary process for dealing with unethical behaviour;
• Corporate culture evaluation to help ensure appropriate behaviour and avoid unethical or dysfunctional actions;
• Training on how to act when unethical or illegal behaviour is detected or suspected;
• An official listener and advisor for staff with ethical concerns;
• Establishing a confidential whistle-blowing hotline.

Experience has shown many instances of accountants being involved in the more reactive control activities. However, the accountant's role in the more proactive activities, such as delivering elements of ethics programmes, is less widespread. This is an area in which we can do better.

SLIDE 60

The role of Accountants in Risk Management

Overall, the ACCA study found that non-executive directors were most positive about the impact of accountants on supporting decision-making, while accountants and auditors were most appreciative of the reporting of quality issues. Accounting information facilitates decision-making by:

• Making people more aware of the uncertainties involved;
• Helping people think more widely about the possible consequences of the decision;
• Encouraging decisions that reflect the interests of all relevant stakeholders.

Thus, good accounting practices are an important part of integrated risk management. Accountants should make more use of the 39 practices looked at.

SLIDE 61

Challenges and Way Forward

• Increasing incidence of fraud in banks due to collusion.
• Security: cyber crimes. Do we have adequate knowledge and appropriate laws and regulations, e.g. on ATM skimming and the physical security of banks? Incidence is decreasing, but are any additional measures needed?
• Too many banks? Can the BOT properly supervise all of them? A need to increase capital requirements?
• Is the regulator (BOT) performing its duties properly, e.g. FBME?
• Compliance challenges: compliance with the BOT Risk Management Guidelines at the expense of profit maximisation?
• Integrity of the society? A culture of getting rich quick, unemployment, etc.?

SLIDE 62

Challenges and Way Forward

The CAG 2013 reports, issued in March 2014, indicate the following weaknesses in risk management:

i) Inadequate risk management process for some MDAs/RS entities. The review of MDAs/RS noted that 11 MDAs and 14 RS had no documented Risk Management Policy. Further, these entities had not recently conducted a formal risk assessment to identify existing risks and those emerging as a result of the changing environment and methods of service delivery. The report recommends more effort on conducting risk analysis at entity level and on establishing a risk management policy and risk register.

ii) LGAs do not periodically assess and update their risk management frameworks. The CAG noted that, despite his previous year's recommendation, in the 55 LGAs sampled there was still no formally documented Risk Management Framework and no recent risk assessment conducted to identify existing and emerging risks.

SLIDE 63

Challenges and Way Forward

No documentation of risk assessment processes, including maintaining a risk register which serves as a

The report notes that the lack of a documented risk management framework and plan would imply that "LGAs are not in a position to respond in a timely manner to risks which may have an adverse effect on their current and future operations". The CAG recommends that LGA management and PMO-RALG should design, document and institute adequate mechanisms for risk identification, assessment, grading and analysis of the impact of risks, as well as control activities for monitoring and mitigating such risks, for better provision of the required services.

SLIDE 64

Challenges and Way Forward

MDAs found to lack a Risk Management Policy:

• Registrar of Political Parties
• Ethics Secretariat
• Ministry of Water
• Ministry of Defense
• Planning Commission
• Public Service Recruitment Secretariat
• Ministry of Communication, Science and Technology
• Ministry of Information, Youth, Culture, and Sports
• Ministry of East African Cooperation
• Ministry of Works
• President's Office, Public Service Commission

SLIDE 65

Challenges and Way Forward

• Recent scandals, e.g. EPA and Escrow: did the auditors and accountants perform their duties thoroughly? The question of whether the funds were public or not?
• Strengthening of regulatory bodies: the Internal Auditor General (a move in the right direction); independence of the CAG Office, e.g. on budget allocations?
• Collapse of buildings? General security in the country? Are these risks properly managed?
• Political risk? Elections? Unemployment? Panya Road?
• Do we have active and effective Boards of Directors? Are they independent?
• Strong control environment? Implementation of issues raised in CAG reports?
• Should we consider mandatory risk management reporting, including internal controls?

SLIDE 66

References

COSO (2004), Enterprise Risk Management - Integrated Framework, available online at http://www.cpa2biz.com/AST/Main/CPA2BIZ_Primary/InternalControls/COSO/PRDOVR~PC-990015/PC-990015.jsp

Bank of Tanzania (2010), Risk Management Guidelines for Banks and Financial Institutions.

ACCA (2012), Rules for risk management: culture, behavior and the role of accountants.

Hopkin, P. (2010), Fundamentals of Risk Management: Understanding, Evaluating and Implementing Effective Risk Management, Kogan Page, London.

Internal Auditor General Division, Ministry of Finance (2012), Guidelines for Developing and Implementing Institutional Risk Management Framework in the Public Sector, Dar es Salaam.

Ministry of Finance (2012), Treasury Circular No. 12 of 2012/13, Dar es Salaam.

International Organization for Standardization (2009), ISO 31000:2009, Risk Management - Principles and Guidelines, Geneva.

Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH (2014), Risk Management Participants' Handbook, April 2014.

International Organization for Standardization (2009), ISO Guide 73:2009, Risk Management - Vocabulary, Geneva.

Controller and Auditor General (2014), Reports for Central Government and Local Government Authorities for the year ended June 2013, issued March 2014.

SLIDE 67

Thank you

Auditax International

Audit. Tax. Consulting. Accounting Services

PPF Tower, 7th Floor Garden Avenue / Ohio Street P.O.Box 77949 Dar es Salaam

Website : www.auditaxinternational.com
