P5 How Organisation's manage risk 2.3

Risk responses are means by which organisation chooses to manager individual risk: Challenge is risk are tolerated but impact note fully recognised Treat - TAKE ACTION TO REDUCE IMPACT OR LIKELIHOOD introduce control such as checking by manager then finance team check staff expense claims Transfer - TRANSFERE RISK IN PART OR WHOLE TO OTHER ORG -contract out services (building and maintenance) or outsource (contract mgmt function/IAS)  Terminate - STOP end activity using alternative or refusing to deliver good to area not pleasant Tolerate - CARRY OUT NO FURTHER CONTROLS, AS COST OF CONTROLS ARE EXCESSIVE OR WHAT IS THERE IS SUFFICENT e.g. staff stationary theft accept risk as low value/ shop tolerating small amount of shoplifting Take Opportunity - AFTER CONSIDERING E.G. FIXING MORTAGE RATE ON ENERGY PRICE TARIFF - which may save consumer money SEE TABLE  

CONTROL DEFINE AS 

ANY ACTION BY MANAGEMENT, THE BOARD AND OTHER PARTIES TO ENHANCE RISK MANAGEMENT AND INCREASE THE LIKELIHOOD ESTABLISHED OBJECTIVES AND GOALS WILL  BE DELIVERED 

ACTION TAKEN BY MANAGEMENT TO PLAN,ORGANISE AND DIRECT PERFOMANCE OF SUFFICIENT ACTIONS TO PROVIDE REASONABLE ASSURANCE THAT FOLLOWING WILL BE ACHIEVED

ACCOMPLISHMENT OF OBJECTIVES AND GOALS

COMPLIANCE WITH POLICIES PLANS AND PROCEDURED 

RELIABILITY AND INTEGRITY OF INFORMATION

ECONOMICAL AND EFFICIENT USE OF RESOURCES

SAFEGUARDING OF ASSETS

Individual risk require a range of response to be managed effectively.  Internal control is considered essential for good management as it helps organisations meet their objectives. The IIA defines control as 'any action taken by management, the board and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved'. 

One of the most influential models is the so-called COSO- THE COMMISSION OF SPONZORING ORGANISATION OF THE TREADWAY COMMITTEE)  Internal Control Framework, shown below. The framework consists of five inter-related components:

• control environment - ethical value, integrity, competence & sustainable strucure e.g. policies and processes, reporting and learning environment SETTING TONE AT TOP
• risk assessment - mechanism to identify, analyse and manage risks ID & ANALYSE RELEVANT RISKS
• control activities - policies and procedures est by mgmt to ensure obj achieved ACTIVITIES TO ADDRESS IDENTIFIED RISKS E.G MOHICAN
• information and communication - system that enables mgmt to ,ACTVITIES TO COMMUNICATE IDENTIFIED RISK
• Monitoring. REVIEWING AND MANAGING CONTROL SYSTEMS

A PRACTICAL TOOL TO EVALUATE ORG CONTROLS IS BASIS OF IA WORK PLACE

COSO Internal Control framework  

COSO describes the control environment as setting 'the tone of an organisation, influencing the control consciousness of its people'. Whilst COSO does not use the term culture, its description of the control environment infers culture. 

More precisely, the control environment consists of the high-level parameters that influence the organisation's culture. 

The IIA defines the control environment as 'the attitude and actions of the board and management regarding the importance of control within the organisation' (emphasis added). 

The parameters include integrity, ethical values, Management's philosophy and operating style, Organisational structure, and Human resource policies and practices.  

Control processes 

These are the daily routines, checks and balances that make the organisation function. The IIA definition is: 

"The policies, procedures and activities that are part of a control framework, designed to ensure that risks are contained within the risk tolerances established by the risk management process". 

Control processes 

These are the daily routines, checks and balances that make the organisation function. The IIA definition is: 

"The policies, procedures and activities that are part of a control framework, designed to ensure that risks are contained within the risk tolerances established by the risk management process". 

The table illustrates two alternative ways of categorising controls, with some examples. 

Catergorisations useful to help decide control to put in place, some may fall in more than one category Training is preventative as well as detective.  Training is directive as well as corrective

If not satisfied level of inherent risk exceeds or higher than risk appetite than it should consider implementing risk responses to redeude this level of inherent risk to a residual risk level that equates to Org's appetite for that risk. Challenge for mgmt to select most appropriate response

Overall purpose is to reduce inherent risk (those risk which occur before action is taken) to organisaton to leve equal with its risk appetite.  Those controls are a mechanism for managing such risk.  They are only effective is the people in an org take responsiblity for it management, and that it is continually reviewed, monitored and maintained.  This will help an organisation to ensure it process are working effectively.