Intosai Gov 9130 e


  • 8/13/2019 Intosai Gov 9130 e

    1/39

INTOSAI GOV 9130

The International Standards of Supreme Audit Institutions, ISSAI, are issued by the International Organization of Supreme Audit Institutions, INTOSAI. For more information visit www.issai.org

Guidelines for Internal Control Standards for the Public Sector: Further Information on Entity Risk Management

INTOSAI


INTOSAI Professional Standards Committee
PSC Secretariat
Rigsrevisionen, Landgreven 4, P.O. Box 9009, 1022 Copenhagen K, Denmark
Tel.: +45 3392 8400  Fax: +45 3311 0415  E-mail: [email protected]

INTOSAI
EXPERIENTIA MUTUA OMNIBUS PRODEST

INTOSAI General Secretariat - RECHNUNGSHOF (Austrian Court of Audit)
Dampfschiffstrasse 2, A-1033 Vienna, Austria
Tel.: ++43 (1) 711 71  Fax: ++43 (1) 718 09 69
E-mail: [email protected]; World Wide Web: http://www.intosai.org

INTOSAI Internal Control Standards Subcommittee
F. VANSTAPEL, Senior President of the Belgian Court of Audit
Regentschapsstraat 2 / Rue de la Régence 2, B-1000 Brussels, Belgium
Tel: +32 2 551 8111  Fax: +32 2 551 8629
E-mail: [email protected]


Guidelines for Internal Control Standards for the Public Sector

Further Information on Entity Risk Management

    Preface

The 1992 INTOSAI Guidelines for Internal Control Standards were conceived as a living document reflecting the vision that standards should be promoted for the design, implementation, and evaluation of internal control. This vision involves a continuing effort to keep these guidelines up to date.

The 17th INCOSAI (Seoul, 2001) recognised a strong need for updating the 1992 guidelines and agreed that the Committee of Sponsoring Organizations of the Treadway Commission (COSO) integrated framework for internal control should be relied upon. Subsequent consultation resulted in a further expansion to address ethical values and provide more information on the general principles of control activities related to information processing.

The updated Internal Control Guidelines were issued in 2004 and should also be viewed as a living document which over time will need to be further developed and refined to embrace the impact of new developments such as COSO's Enterprise Risk Management framework¹. Accordingly, this addition to the Guidelines has been produced to cover current thinking on risk management, as set out in COSO's ERM framework. As this paper is intended primarily for public sector readers, the term "entity" is used in place of "enterprise", which has a particular private sector association.

The additional information provided here is the result of the joint effort of the members of the INTOSAI Internal Control Standards Subcommittee. This update has been coordinated by a Task Force set up among the subcommittee members with representatives of the SAIs of France, Hungary, Bangladesh, Lithuania, the Netherlands, Oman, Ukraine, Romania, the United Kingdom, the United States of America and Belgium (chair).

Franki VANSTAPEL
Senior President of the Belgian Court of Audit
Chairman of the INTOSAI Internal Control Standards Subcommittee

¹ Enterprise Risk Management - Integrated Framework (COSO, September 2004)


    Introduction

The underlying premise of the COSO Entity Risk Management framework is that every entity exists to provide value for its stakeholders. In the public sector, the general expectation is that public servants should serve the public interest with fairness and manage public resources properly. Effectively the stakeholders are the public and their elected representatives.

All entities face uncertainty, and the challenge for management is to determine how much uncertainty to accept as it strives to obtain best value for stakeholders. It is also important to note that uncertainty presents both risk and opportunity, with the potential to erode or enhance value or, in public sector terms, to serve the public interest more or less well. The aim of entity risk management is to enable management to deal effectively with uncertainty and its associated risk and opportunity, enhancing the capacity to build value, to deliver more effective services more efficiently and economically, and to target them whilst taking into account values such as equity and justice.

The INTOSAI Guidelines for Internal Control Standards for the Public Sector see internal control as providing an overarching conceptual framework through which an entity can be managed to achieve its objectives. The COSO ERM framework and other similar models take this a stage further, in that the entity can be directed on the basis of identifying future risks and opportunities, refining objectives and designing internal controls to minimise risk and maximise opportunity.

As well as extending the range of functions covered by the corporate governance regime, entity risk management requires a change in the way organisations think about achieving their objectives. This is because, to be effective, entity risk management is an ongoing process applied in strategy setting, effective across and affected by all levels and every business unit of an entity, and designed to identify all events that will affect the organisation's ability to achieve its objectives.

This document outlines a recommended framework for applying the principles of entity risk management in the public sector and provides a basis against which entity risk management can be evaluated. However, it is not intended to replace or supplant the Guidelines for Internal Control Standards for the Public Sector, but rather is designed to provide complementary additional information to be used alongside those standards where member states consider it appropriate to do so. Nor is it intended to limit or interfere with duly granted authority related to developing legislation, rule-making or other discretionary policy-making in an organisation.

In conclusion, it should be clearly stated that this document includes additional guidelines for corporate governance standards. The guidelines do not provide detailed policies, procedures and practices for implementing a best practice corporate governance regime, nor are they expected to be suitable for all organisations in all regulatory environments. However, the addendum provides an addition to the broad framework within which entities can develop regimes to best help them maximise the services provided to stakeholders.


    How is this document structured?

The supplement is structured in a similar manner to the INTOSAI Guidelines for Internal Control Standards for the Public Sector. In the first chapter the concept of entity risk management is defined and its scope is delineated. In the second chapter the components of entity risk management are presented and the extensions to the internal control standards highlighted.


Chapter 1: What is Entity Risk Management?

1.1 Definition

1.1.1 COSO's Entity Risk Management: Integrated Framework states that entity risk management deals with risks and opportunities affecting value creation or value preservation, defined as follows:

"Entity risk management is a process effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the entity, designed to identify potential events that may affect the entity and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." (COSO ERM model 2004)

1.1.2 In the public sector the terms value creation and value preservation do not have as much direct relevance as in the private sector. However, the definition is purposefully broad to cover as many sectors and types of organisation as feasible. As such it is possible to substitute service creation and preservation for value creation and preservation for the definition to be fully applicable to public sector entities.


1.2 Identifying the Mission

1.2.1 The starting point for entity risk management is the entity's established mission or vision. Within the context of this mission, management should establish strategic objectives, select strategies to achieve these objectives and set supporting aligned objectives that are cascaded throughout the organisation.

1.3 Setting Objectives

1.3.1 The INTOSAI Guidelines on Internal Control Standards state that objectives can be sub-divided into four categories (although most objectives will fall into more than one category). These are:

- Strategic: high level goals, aligned with and supporting the entity's mission
- Operational: executing orderly, ethical, economical, efficient and effective operations; and safeguarding resources against loss, misuse and damage
- Reporting: reliability of reporting, including fulfilling accountability obligations
- Compliance: compliance with applicable laws and regulations, and being able to act in accordance with Government policy

1.3.2 Objectives in the first two categories are not entirely within an entity's control, so any risk management system can only provide reasonable assurance that these risks are being managed satisfactorily, but it should enable management to be aware in a timely fashion of the extent to which these objectives are being met. However, objectives relating to reliability of reporting and compliance are within an entity's control, so effective entity risk management will usually give management assurance that these objectives are being met.

1.4 Identifying Events: Risks and Opportunities

1.4.1 Once objectives have been set, entity risk management requires an organisation to identify events that might have an impact on the achievement of those objectives. Events can have a negative impact, a positive impact or both. Events with a negative impact represent risks, which can hinder the entity's ability to achieve its objectives. These risks can arise due to internal and external factors. Figure 1, below, sets out many of the risks which government entities face; there may well be other risks relevant to particular entities.

1.4.2 Events with a positive impact may offset negative impacts or represent opportunities. Opportunities are the possibility that an event will occur that will enhance the entity's ability to achieve its objectives or enable the entity to achieve objectives more efficiently. As well as seeking to mitigate risks, management should formulate plans to seize opportunities.


1.5 Communication and Learning

1.5.1 Determining whether an entity's entity risk management is "effective" is a fundamental part of the process. Management needs to make a judgement on whether the components of entity risk management are present and operating effectively; namely that there are no material weaknesses and that all risks have been brought within acceptable parameters given the entity's risk appetite. Where entity risk management is effective, management will understand the extent to which objectives in all four categories are aligned with the mission and are being achieved. Effective top-down and bottom-up communication throughout the entity is essential to facilitate this process.

1.6 Limitations

1.6.1 No matter how well designed and operated the system is, entity risk management cannot provide management with absolute assurance regarding the achievement of general objectives. Instead, this supplement recognises that only a reasonable level of assurance is obtainable.

1.6.2 Reasonable assurance equates to a satisfactory level of confidence that objectives will be achieved, or that management will be made aware in a timely fashion if objectives are unlikely to be achieved. Determining how much assurance is required to reach a satisfactory level of confidence is a matter of judgement. In exercising that judgement management will need to consider the entity's risk appetite and events that may impact on achievement of objectives.


1.6.3 Reasonable assurance reflects the notion that uncertainty and risk relate to the future, which no one can predict with certainty. In addition, factors outside an entity's control or its influence, such as political factors, can impact on its ability to achieve its objectives. In the public sector, factors outside an entity's control can even change core objectives at quite short notice. Limitations also result from the following realities: that human judgement in decision making can be faulty; that breakdowns can occur because of human failures such as simple errors or mistakes; that decisions on responding to risk and establishing controls need to consider the relevant costs and benefits; and that controls can be circumvented by collusion between two or more people and management can override the control system. These limitations preclude management from having absolute assurance that objectives will be achieved. Figure 1 sets out some of the risks that government entities might typically face. It is intended to be illustrative rather than exhaustive.

Figure 1: Some Typical Risks that Government Entities Face

[Diagram: risk boxes arranged around the central goal "Achieving Service Delivery". The text of several boxes is cut off in this transcript.]

- Economic changes such as lower economic growth reduce tax revenue and opportunities to provide a wider range of services or [cut off]
- Failure to innovate leading to [cut off]
- Loss or misappropriation of funds through fraud or [cut off]
- Environmental damage caused by failure of regulations or [cut off]
- Inconsistent policy objectives resulting in [cut off]
- Project delays, cost overruns and inadequate [cut off]
- Inadequate skills or resources to deliver services as [cut off]
- Failure of contractors, partners or other government agencies to provide [cut off]
- Failure to evaluate properly pilot projects before a new service is introduced may result in problems
- Failure to measure performance
- Technical risk: failure to keep pace with technical developments, or investment in inappropriate or [cut off]
- Inadequate service plans to maintain continuity of [cut off]
- Failure to monitor implementation


1.7 Link between Internal Control and Entity Risk Management

1.7.1 In many respects entity risk management may be regarded as a natural evolution of the internal control model. Most organisations will seek to fully apply the internal control model before implementing the concepts inherent within entity risk management. Internal control is an integral part of entity risk management. The entity risk management framework encompasses internal control but, in addition, forms a more robust conceptualisation of how an entity's business decisions should fall out of its core mission and associated objectives, and provides a tool to help management determine what the correct response to a particular event should be. The ERM model goes further than the INTOSAI Internal Control Guidelines in a number of areas, in particular:

- the categories of objectives are broader, and also include more complete reporting, non-financial information and strategic objectives;
- it expands the risk assessment component and introduces different risk concepts, such as risk appetite, risk tolerance and risk response; and
- it emphasises the importance of independent directors on the board and elaborates on their roles and responsibilities.


Chapter 2: Components of Entity Risk Management

Entity risk management consists of eight interrelated components. These are derived from the way that management runs a business and are integrated with the management process. The components are:

- Internal environment
- Objective setting
- Event identification
- Assessing risks
- Risk response
- Control activities
- Information and communication
- Monitoring

In applying the components of entity risk management, an entity should consider the entire scope of its activities at all levels of the organisation. Management should also consider new initiatives and projects using the entity risk management framework.


Applying Entity Risk Management across the Entity

Management is required to take a portfolio view of risk. In effect, all levels of management will need to consider the events that may impact on their areas of activity and feed them up to senior management. This assessment can be qualitative or quantitative. Senior management should use these assessments, running through all levels and business areas of the entity, to build up an entity-level assessment of the overall risk portfolio of the organisation.

Importance of People

Entity risk management is implemented and made to work effectively by an entity's management and other personnel. It is accomplished by what individuals within an organisation do and say. Similarly, entity risk management affects people's actions. Each employee is an individual with different competencies and understanding. Entity risk management seeks to provide the mechanisms to enable members of staff to understand risk in the context of the entity's objectives.

Members of staff should know their responsibilities and the limits of their authority. Accordingly a clear and concise linkage needs to exist between an individual's duties and the way that they are carried out. Senior management primarily provides oversight. However, it also provides direction, approves strategies and approves certain transactions and policies, thereby playing a vital role in enforcing organisational culture.


2.1 Risk Environment/Context

2.1.1 The risk environment/context encompasses the tone of an organisation, influencing the risk consciousness of all of its people, and is the basis for all other components of entity risk management, providing discipline and structure. Internal environment factors include an entity's risk management philosophy; its risk appetite; oversight by the management board; integrity and ethical values; competence of staff; and the way management assigns authority and responsibility and organises and develops staff.

2.1.2 An entity's risk management philosophy is the set of shared beliefs and attitudes which set out how the entity considers risk in everything it does, from strategy setting to day-to-day operational activities. It influences culture and operating style, including how risks are identified, the kind of risks accepted and how they are managed. An entity's risk management philosophy should be captured in policy statements, in oral and written communications to stakeholders and staff, and in decision making. Irrespective of the method of communication, it is of critical importance that senior management reinforce the philosophy, not only through communicating policies, but through everyday actions.

2.1.3 Risk appetite is the amount of risk, on a broad level, that an entity is willing to accept in seeking to achieve its objectives. It reflects the risk management philosophy and in turn influences the entity's culture and operating style. Risk appetite can be considered quantitatively or qualitatively. It should be considered in strategy setting, where the desired return from a strategy should be aligned with the risk appetite, that is the willingness to accept or tolerate risk.

2.1.4 In addition, when identifying the risk environment and selecting an appropriate risk appetite, public sector entities need to consider the "extended entity". The opinions and expectations of sponsoring and sponsored organisations, be they other government bodies or legislation setters, and the opinions of partner organisations can give a clear steer as to a suitable risk management philosophy and risk appetite.

2.1.5 An entity's senior management is a critical part of the internal environment and significantly influences its elements. It is a truism that organisational culture can be set, or fatally undermined, by the "tone at the top". Senior management's independence from executive management, the experience and stature of its members, the extent of their involvement and scrutiny, and the appropriateness of its activities all play a role. Members of top executive management can be part of senior management, but for the internal environment to be effective it is advisable that the senior management team contain some independent outside members. This is because senior management must be prepared to hold executive management to account by questioning and scrutinising activities and being prepared to present alternative views.

2.1.6 Management's integrity and ethical values influence the way strategy and objectives are implemented. Because an entity's good reputation is so valuable, the standards of behaviour must go beyond mere compliance with minimum legal standards. Ethical behaviour and management integrity are by-products of corporate culture, which includes ethical and behavioural standards and how they are communicated and enforced. Top management plays a key role in determining the corporate culture. An undue emphasis on short-term results, as opposed to achieving the overall mission, can foster an inappropriate internal environment.

2.1.7 Formal codes of conduct are important to, and the foundation of, the promotion of an appropriate ethical tone. Upward communication channels (or formal whistleblowing procedures) where employees feel comfortable bringing relevant information to the board are also important. However, a written code of conduct does not by itself ensure that procedures are being followed, even if all employees have to evidence that they are aware of the behaviours expected of them. Equally important to compliance are the resulting penalties for employees who violate the code. Messages sent by senior management quickly become embodied in corporate culture, so "doing the right thing" when faced with tough business decisions quickly becomes the norm throughout the entity.

2.1.8 Competence reflects the knowledge and skills needed to perform assigned tasks. It needs to be supported by human resources practices pertaining to employing and promoting appropriate individuals, induction, training and dealing with poor performance. Management needs to specify competency levels for particular tasks and translate those into appropriate job descriptions for specific posts. It is important to recognise that a trade-off can exist between competence and cost.

2.1.9 An entity's organisational structure provides the framework to plan, execute, control and monitor its activities. The organisational structure adopted should be suitable to business needs. Some are centralised, others decentralised; some are organised by geographical location and others by function. Whatever the structure, an entity should be organised to enable effective risk management and to carry out its activities so as to achieve its objectives.

2.1.10 Assignment of authority and responsibility involves the degree to which individuals and teams are authorised and encouraged to use initiative to address issues and solve problems, as well as the limits to their authority. The key challenges are to ensure that all personnel understand the entity's objectives and how their actions contribute to the achievement of those objectives, and to delegate only to the extent required to achieve objectives. Responsibility is as important as authority. The internal environment is greatly influenced by the extent to which individuals recognise that they will be held accountable. This holds true all the way to the chief executive.

    2.2 Objective Setting

2.2.1 Objectives are set at a strategic level, establishing a basis for lower-level operations, reporting and compliance objectives. Every entity faces a variety of risks from external and internal sources, and a precondition to effective event identification, risk assessment and risk response is the establishment of objectives. Objectives must be established before management can identify and assess risks to their achievement and take the necessary actions to mitigate those risks. Objectives are aligned with an entity's risk appetite, which drives risk tolerance levels for the entity.

2.2.2 An entity's mission sets out in broad terms what the entity aspires to achieve. Management sets strategic objectives, formulates strategy and establishes related operations. Strategic objectives are high-level goals aligned with and supporting the entity's mission. The strategy implemented to achieve the mission and the related objectives tend to be more dynamic than the mission and will be adjusted to take account of changing conditions.

2.2.3 Despite the diversity of objectives across entities, there are certain broad categories that can be applied. All objectives will fall into one or more of the following:

- Operations objectives. These pertain to the effectiveness and efficiency of the entity's operations, including performance goals and safeguarding resources against loss. When used in conjunction with public reporting, an expanded definition of "safeguarding of resources/assets" can be used: dealing with preventing, or detecting and correcting, the misappropriation of public funds. The operations objectives need to reflect the particular environment in which the entity functions. As operations objectives are the focal point for directing allocated resources, if they are not clear or not well conceived, resources may be misdirected.

- Reporting objectives. These pertain to the reliability of reporting and may involve both financial and non-financial data. Although reporting objectives also relate to information prepared for external parties, the key objective of reliable reporting is to provide management with accurate and complete information appropriate for its intended purpose. Without accurate and complete information it is very difficult for management to make good decisions.

- Compliance objectives. These pertain to adherence to relevant laws and regulations. The requirements may relate to markets, the environment, employee welfare etc. Some entities will also need to comply with international compliance objectives.

2.2.4 Effective entity risk management provides reasonable assurance that an entity's operational, reporting and compliance objectives are being achieved.

2.2.5 Risk appetite, established by management and the board of directors, is a guidepost in setting strategy and assessing the relative importance of objectives. Effectively, risk appetite is the level of risk an entity is prepared to accept in providing value (in the form of public services) to stakeholders. Usually any of a number of different strategies can be designed to achieve the desired mission, each having different risks. Management should select the strategy and associated objectives that best fit in with the risk appetite.

2.2.6 Risk tolerances are the acceptable levels of variation relative to the achievement of objectives. They can be measured through performance targets. Often performance targets are best measured in the same units as the related objectives. Operating within risk tolerances provides management with greater assurance that the entity remains within its risk appetite and will achieve its objectives.

    2.3 Event Identification

2.3.1 Management identifies potential events that, if they occur, will affect the entity. Events need to be classed as to whether they represent opportunities or whether they might adversely affect the entity's ability to successfully implement strategy and achieve objectives (risks). When identifying events, management considers a variety of internal and external factors that could give rise to risks and opportunities, in the context of the full scope of the entity.

2.3.2 An event is an incident or occurrence emanating from internal or external sources that affects implementation of strategy or the achievement of objectives. Events may have a positive or negative impact or both. Events range from the obvious to the obscure, and their effects from the inconsequential to the highly significant. However, to avoid overlooking events, event identification is best made apart from the assessment of the likelihood of the event occurring and its impact.

2.3.3 Management needs to understand the key classes of internal and external factors driving the events. External factors can include, but are not limited to, those arising from changes in the political environment, the social and technological environment, and economic issues affecting either the entity itself or its suppliers. Internal factors stem from choices that management makes about the way it will function. This can include the infrastructure of the entity, how many locations it operates in, the skills and competence of personnel, and how business information systems operate.

2.3.4 Event identification techniques look both to the past and to the future. Techniques that focus on past events can consider matters such as annual reports and accounts, payment default histories and internal reports. Techniques that focus on future events can consider factors such as shifting demographics, new market conditions and expected changes in the political environment. Techniques vary widely in their level of sophistication and automation and can be focused on a top-down or bottom-up view of events.

2.3.5 Events do not often occur in isolation. One event can trigger another, and events can occur concurrently. Management should understand how events relate to one another. By assessing the relationships, it may be possible to determine where risk management efforts are best directed.

2.3.6 It may also be useful to group potential events into categories. By aggregating events horizontally across the entity and vertically within operating units, management can gain an understanding of relationships between events. Grouping events can also give some guidance as to what the most cost-effective responses could be. Although each entity will develop its own method of grouping events, there are standard tools such as PEST analysis² that can serve as a basis.

    2.4 Assessing Risks

2.4.1 Assessing risks allows an entity to consider the extent to which potential events have an impact on the achievement of objectives. Management should assess events from two perspectives, impact and likelihood, using a combination of quantitative and qualitative techniques. The positive and negative impacts of events can be assessed either individually or by category for their impact across the entity. Risks should be assessed on both an inherent and a residual basis.

    2.4.2 Although the term "risk assessment" sometimes has been used in conjunction with a one-time activity, in the context of Entity risk management, the risk assessment component is a continuous and iterative interplay of actions that take place throughout the entity. The objective of assessing risks is to identify which events are important enough and significant enough to be the focus of management attention.

    [2] PEST analysis is a useful tool for understanding and assessing the impact of external factors on the achievement of entity objectives. PEST is an acronym for Political, Economic, Social and Technological factors.

    2.4.3 Uncertainty of potential events needs to be evaluated from the perspectives of likelihood and impact. Likelihood represents the possibility that an event will occur in a given period of time, whilst impact represents the scale of the effect that the event will have on the entity's ability to achieve its objectives. The period of time over which management assesses likelihood should be consistent with the time horizon of the related strategy and objectives. The most important risks are those with a high likelihood of occurrence and high impact. Conversely the least important risks are those with a low likelihood of occurrence and low impact. The balance of management focus should be on the high probability, high impact risks (see Figure 2 below). The end result of the process will be to assign each risk a rating for both likelihood and impact. Some entities use a high-low rating, others a "traffic light" system of red, amber and green and others a quantitative measure such as a percentage score.

    Figure 2: Simple Risk Assessment and Response Matrix

    Vertical axis: Significance (impact); horizontal axis: Probability (likelihood)

    High Impact / Low likelihood:   Contingency Plan
    High Impact / High likelihood:  Control Procedures
    Low Impact / Low likelihood:    Tolerate
    Low Impact / High likelihood:   Control Procedures

    2.4.4 Risk assessment methodology can be quantitative or qualitative. It can be based on objective or subjective methods. Nor does an entity need to employ common assessment techniques across all business areas. However, management needs to be aware of human bias when assessing risks and needs to ensure that all relevant members of staff have a common understanding of what the rating terminology for assessing risk means. If this is not done it will be difficult for senior management to assess the relative importance of different risks.

    2.4.5 Once risks have been assessed the risk priorities for the entity should emerge. If the risk exposure is unacceptable given the risk appetite of the entity, the risk should be classed as high priority or "key risk". The key risks should be given regular attention at the highest level of the entity. Specific risk priorities will change over time as the objectives of the entity change, the risk environment changes and key risks are addressed.

    2.4.6 Risk assessment as outlined above pertains to inherent risk. Inherent risk is the risk to an entity in the absence of any actions that management may take to alter the event's likelihood or impact. Residual risk is the risk that remains after considering management's risk response, which is outlined in the next paragraph. The advantage of this method is that it allows entities to identify risks that are taking up management time that could be better spent on other issues (e.g. because the inherent risk has a low probability of occurring).

    2.5 Risk Response

    2.5.1 Having assessed the relevant risk, management decides how it will respond. Ways to address identified risk include risk transfer, risk treatment, terminating activities and tolerating the risk. In considering its response, management assesses the effect on likelihood and impact, as well as the costs and benefits of each response, with the aim of selecting a response that brings the residual risk within the desired risk tolerance. Management should also identify any opportunities that are available and take an entity-wide, portfolio view of risk.

    2.5.2 Risk responses fall within the following categories:

    - Sharing/Risk Transfer - Reducing the risk likelihood or impact by transferring or otherwise sharing a portion of the risk. This might be done by conventional insurance or by paying a third party to take the risk in another way. This option is particularly useful when mitigating financial risks, risks to assets and for outsourcing activities. However, most risks will not be fully transferable. In particular, it is generally not possible to transfer reputational risk even if the delivery of a service is contracted out.

    - Reduction/Risk Treatment - By far the greatest number of risks will be addressed in this way. Action is taken to reduce the risk likelihood or impact or both. This typically involves a myriad of everyday business decisions including control procedures discussed in more detail in section 2.6 and in Internal Controls - Integrated Framework.

    - Avoidance/Terminating the Activity - Exiting the activities giving rise to the risk. Whilst public sector entities are rarely likely to be able to avoid delivering a core programme element, avoidance may be a useful response when considering whether a new method of service delivery is appropriate or considering whether to continue with a specific project.

    - Acceptance/Tolerate - No action is taken to mitigate risk likelihood or impact. This response suggests that no cost effective response was identified that would reduce the impact and likelihood to an acceptable level or that the inherent risk is already within risk tolerances. Tolerating the risk can of course be supplemented by contingency planning to handle the impacts that will arise if the risk is realised.
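The rating, matrix and response logic of sections 2.4.3 to 2.5.5 worked through as a small risk register. This is an added illustration written for this page, not code from INTOSAI or COSO; the 1-5 scoring scales, the exposure formula (likelihood x impact), the tolerance value and the sample register entries are all assumptions made for the example.

```python
"""Worked risk-register example (added illustration, not INTOSAI's own code).

Each risk is scored for likelihood and impact, mapped to its Figure 2
quadrant, and re-scored after the chosen response so that residual risk
can be compared with the entity's tolerance and key risks identified.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

HIGH = 3  # assumption: scores >= HIGH count as "high" on the two-level scale

# Figure 2: (impact rating, likelihood rating) -> suggested response
RESPONSE_MATRIX = {
    ("high", "low"): "Contingency Plan",
    ("high", "high"): "Control Procedures",
    ("low", "low"): "Tolerate",
    ("low", "high"): "Control Procedures",
}

RESPONSE_TYPES = {"transfer", "treat", "terminate", "tolerate"}  # 2.5.2 categories


@dataclass
class Risk:
    name: str
    likelihood: int          # inherent, 1 (rare) .. 5 (almost certain); assumed scale
    impact: int              # inherent, 1 (negligible) .. 5 (severe); assumed scale
    response: str = "tolerate"
    likelihood_cut: int = 0  # expected reduction in likelihood from the response
    impact_cut: int = 0      # expected reduction in impact from the response


def rate(score: int) -> str:
    """Collapse a 1-5 score to the high/low rating used in Figure 2."""
    if not 1 <= score <= 5:
        raise ValueError(f"score out of range: {score}")
    return "high" if score >= HIGH else "low"


def quadrant(risk: Risk) -> str:
    """Suggested response for the inherent ratings, read off Figure 2."""
    return RESPONSE_MATRIX[(rate(risk.impact), rate(risk.likelihood))]


def residual(risk: Risk) -> Tuple[int, int]:
    """Residual (likelihood, impact) after the response (section 2.4.6).

    'terminate' removes the exposure entirely, 'tolerate' leaves it unchanged,
    'transfer' and 'treat' reduce the scores by the stated cuts, never below 1.
    """
    if risk.response not in RESPONSE_TYPES:
        raise ValueError(f"unknown response: {risk.response}")
    if risk.response == "terminate":
        return (0, 0)
    if risk.response == "tolerate":
        return (risk.likelihood, risk.impact)
    return (max(1, risk.likelihood - risk.likelihood_cut),
            max(1, risk.impact - risk.impact_cut))


def exposure(likelihood: int, impact: int) -> int:
    """Assumed quantitative score (2.4.3): likelihood x impact, range 0..25."""
    return likelihood * impact


def assess(register: List[Risk], tolerance: int) -> List[Dict]:
    """Per-risk summary, highest residual exposure first.

    'key' flags a residual exposure above tolerance (2.4.5, 2.5.4): management
    must then reconsider the response or the tolerance.
    """
    rows = []
    for r in register:
        res_l, res_i = residual(r)
        rows.append({
            "name": r.name,
            "quadrant": quadrant(r),
            "inherent": exposure(r.likelihood, r.impact),
            "residual": exposure(res_l, res_i),
            "response": r.response,
            "key": exposure(res_l, res_i) > tolerance,
        })
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


def portfolio(rows: List[Dict]) -> Dict[str, int]:
    """Portfolio view (2.5.5): residual exposure summed per response type."""
    totals: Dict[str, int] = {}
    for row in rows:
        totals[row["response"]] = totals.get(row["response"], 0) + row["residual"]
    return totals


# Constructed sample register for a hypothetical entity; values are illustrative
SAMPLE_REGISTER = [
    Risk("Benefit payment system outage", likelihood=4, impact=5,
         response="treat", likelihood_cut=2, impact_cut=1),
    Risk("Flood at records archive", likelihood=1, impact=5,
         response="transfer", impact_cut=3),
    Risk("Stationery supplier late delivery", likelihood=4, impact=1,
         response="tolerate"),
    Risk("Pilot of unproven e-service platform", likelihood=3, impact=4,
         response="terminate"),
]

if __name__ == "__main__":
    rows = assess(SAMPLE_REGISTER, tolerance=6)
    for row in rows:
        flag = "KEY RISK" if row["key"] else ""
        print(f"{row['name']:<40} {row['quadrant']:<19} "
              f"inherent={row['inherent']:>2} residual={row['residual']:>2} {flag}")
    print(portfolio(rows))
```

Run as a script, the register lists the payment-system outage first: its inherent exposure of 20 drops to 8 after treatment, which still exceeds the assumed tolerance of 6, so it is flagged as a key risk and management must either strengthen the response or revisit the tolerance, exactly the choice section 2.5.4 describes. The tolerated supplier risk stays at its inherent exposure, illustrating why acceptance is only appropriate when the inherent risk already lies within tolerance.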

    2.5.3 The ERM model stresses not just anticipating and managing risks but also, within the same approach, identifying opportunity. In any situation management should look to consider opportunities or events with a positive impact, not just risk or events with a negative impact. There are two aspects to this: firstly, whether or not, at the same time as mitigating threats, an opportunity arises to exploit a positive impact; and secondly, considering whether or not circumstances have arisen that, whilst not generating threats, offer positive opportunities.

    2.5.4 Management should evaluate the effects of various methods of addressing the risk, then decide how best to manage the risk, selecting a response or combination of responses designed to bring both risk likelihood and impact within risk tolerances. The selected response need not necessarily result in the least amount of residual risk, but if the response would result in a residual risk that still exceeds risk tolerances, management will need either to reconsider the response or to reconsider risk tolerances.

    2.5.5 Evaluating alternative responses to inherent risk requires consideration of additional risks that might result from a response. Here it is helpful for senior management to consider responses from a portfolio perspective, as this gives them an overview of the overall risk response profile and enables them to consider whether the nature and types of residual risks remaining are those that fit with the overall mission and risk appetite.

    2.5.6 Once management selects the preferred method of addressing the risk it needs to develop an implementation plan. A critical part of every implementation plan is control activities to ensure that the risk response is carried out effectively.

    2.6 Control Activities

    2.6.1 Control activities are the policies and procedures that help ensure that management's risk responses are carried out. Control activities occur throughout the organisation, at all levels and in all functions. As the Guidelines for Internal Control Standards for the Public Sector contains detailed information on setting up effective controls, this addendum does not intend to do anything more than put internal controls into the context of Entity risk management.

    2.6.2 Entity risk management sees control activities as an important part of the process by which an entity seeks to achieve its business objectives. Control activities are not performed simply for their own sake or because it seems the "right thing to do", but rather serve as mechanisms for managing the achievement of business objectives.

    2.6.3 Whilst control activities generally are established to ensure that risk responses are carried out appropriately, in respect to certain objectives, control activities themselves are the risk response. The selection or review of control activities needs to include consideration of their relevance and appropriateness to risk response and the related objectives.

    2.6.4 Because each entity has its own set of objectives and implementation approach, there will be differences in risk responses and related control activities. Even if two entities had the same

    objectives and made similar decisions on how they should be achieved the resulting control activities would be likely to be different. This is because different management teams will have different risk appetites and risk tolerances.

    2.6.5 However, in the context of risk management all control procedures fit into four broad categories:

    - Preventive controls are designed to limit the possibility of a risk maturing and an undesirable outcome being realised. The greater the impact of the risk on the ability to achieve the entity's objectives, the more important it becomes to implement appropriate preventative controls.

    - Directive controls are designed to ensure that a particular outcome is achieved. These are particularly important when it is critical that an undesirable event (such as a security breach) is avoided, so are often used to support the achievement of compliance objectives.

    - Detective controls are designed to identify whether undesirable outcomes have occurred "after the event". However, the presence of appropriate detective controls can also mitigate the risk of undesirable outcomes occurring by creating a deterrence effect.

    - Corrective controls are designed to correct undesirable outcomes that have been realised. They could also act as a contingency to achieve some recovery either of funds or serviceability against loss or damage.

    2.7 Information and Communication

    Information

    2.7.1 There is little difference between the quality requirements of data used to support internal control objectives and the quality requirements of data used to support Entity risk management. As the Guidelines for Internal Control Standards for the Public Sector contains detailed information on information and communication requirements, this addendum does not intend to do anything more than put these requirements into the context of Entity risk management.

    2.7.2 Entity risk management specifically requires that an entity capture a greater range of information than is necessary to achieve internal control objectives; for example, the focus on strategic objectives requires more output and outcome information. In addition the use to which this data is put is slightly different. Historical data allows the entity to track actual performance against targets, plans and expectations and can provide early warnings of potential events that require management attention. Present data allows management to take a real-time view of existing risks within a business unit/process and identify variations from expectations. This can allow the entity to determine whether it is operating within risk tolerances.

    2.7.3 Pertinent information should be identified, captured and communicated in a form and timeframe that enable staff to carry out their responsibilities. Effective communication also occurs, flowing down, across and up the entity.

    All personnel should receive a clear message from senior management that Entity risk management responsibilities must be taken seriously. They need to understand their own role in the Entity risk management process as well as how this relates to the work of others. Personnel must have means of communicating significant information to an appropriate level of management. There also needs to be effective communication with external stakeholders. Having the right people with the right information, on time and at the right place, is essential to effecting entity risk management.

    Communication

    2.7.4 Communication is inherent in information systems. As well as providing information to enable appropriate personnel to carry out their duties, communication must take place in a broader sense, disseminating corporate culture, dealing with expectations, covering the responsibilities of individuals and groups, and other relevant matters.

    2.7.5 Management provides specific and directed internal communication that addresses behavioural expectations and the responsibilities of personnel. This should include a clear statement of the entity's risk management philosophy and approach.

    2.7.6 Communication about processes and procedures should align with and underpin the desired culture. Communication should convey:

    - The importance and relevance of Entity risk management

    - The entity's objectives

    - The entity's risk appetite and risk tolerances

    - A common language for identifying and assessing risks

    - The roles and responsibilities of personnel in effecting and supporting the components of risk management.

    2.7.7 There also needs to be methods for employees to communicate risk-based information to their line management and across the organisation. Front-line employees who deal with critical operating issues every day are often best placed to recognise problems as they arise. For such information to be reported there must be open channels of communication and a clear-cut willingness to listen. If the corporate culture is one of "shooting the messenger", members of staff will not communicate problems to their superiors and risks may not be identified in a timely fashion.

    2.7.8 In most cases normal reporting lines are the appropriate channels of upward communication. However, there are some circumstances where alternative channels of communication (such as some form of whistleblowing hotline) are necessary. Because of its importance, effective Entity risk management requires the existence of an alternative communication channel direct to senior management and available for all staff to use without fear of repercussion.

    2.7.9 There needs to be appropriate communication not only within the entity, but with the outside as well. It is important to externally communicate with stakeholders about the way in which the

    entity is managing risk to give them assurance that the entity will deliver what is expected and to manage expectations of what can be delivered. This is particularly important in relation to risks that affect the public and where the public depend on their government to manage the risk for them. The seriousness with which communication with external parties is taken and the honesty of such communication also sends important messages throughout the entity and can have a significant impact on organisational culture.

    2.8 Monitoring

    2.8.1 Entity risk management should be monitored to assess the functioning of its components over time. This can be accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Deficiencies in the Entity risk management system need to be reported to an appropriate level of management, with serious matters reported to senior management or the board in order for the entity to improve its processes.

    2.8.2 The objectives of an entity may change over time. The portfolio of risks faced and their relative importance is also likely to change over time. Risk responses that were once effective may become irrelevant or impossible to implement, and control activities may become less effective or lapse altogether. Management needs to constantly monitor the effectiveness of their risk management system in order to determine whether it is still appropriate and effective.

    2.8.3 Evaluations of the effectiveness of risk management will vary in scope and frequency, depending on the significance of groups of risks and the importance of risk responses and related controls in managing those risks. When management makes the decision to undertake a comprehensive evaluation of the risk management framework, attention should be directed to addressing every aspect of the process including strategy setting. However, regular management activities such as updating risk registers and organisational or functional "health checks", also form part of monitoring the risk management process.


    Bibliography

    Australian Standard for risk management (Standards Australia, 2004)

    Entity Risk Management - Integrated Framework (COSO, 2004)

    Integrated Risk Management Framework (Treasury Board of Canada Secretariat, 2001)

    Internal Control - Integrated Framework (COSO, 1992)

    Risk Management Standard (ARMIC, IRM & ALARM, 2002)

    The Orange Book: Management of Risk - Principles and Concepts (HM Treasury, 2004)