P5 Principles of Risk Management 2.1

Risk management in relation to corporate governance

  • Created by: mumuna
  • Created on: 23-05-13 12:09

Definition of risk, causes, and reason for controls

The possibility of an event occurring that will have an impact (positive or negative) on the achievement of objectives. Risk is measured in terms of impact and likelihood.

Causes - vary; they include the Board, market forces and unnatural events

Impact - on the organisation's ability to

  • survive as a going concern
  • compete successfully / maintain quality staff, products and services
  • maintain financial strength and public image

Controls are put in place to deal with risk; if they are inadequate or fail, exposure to risk increases.

Risk - being burgled

Control - lock doors

Control failure - failure to lock door

Exposure - open to being burgled


Writing a risk

Write a risk as a combination of cause and consequence.

e.g. not setting the alarm leads to waking up late, which affects the ability to get to work on time and productivity in that working day

e.g. not locking the door may increase the chances of being burgled and reduce the ability to protect the home from unauthorised entry

e.g. lack of regular checks at senior level increases the risk of issuing incorrect payments to benefit claimants

e.g. lack of internal resource to manage an IT contract may put the organisation at a competitive disadvantage due to inefficient contract management arrangements

e.g. lack of competent transmission methods increases the risk of customer data loss when data is transported on CD


Define risk appetite / public sector consequences

Defined as the amount of risk an organisation will tolerate in its operations before taking action to reduce it to an acceptable level. e.g. financial losses may fall within an organisation's risk appetite, while reputational damage, or death or injury of an employee, will fall outside the appetite of all organisations except the armed forces.

Appetite may vary between the public and private sectors:

  • Risk/reward link. Private sector: driven towards profit, implying risk taking to achieve a level of reward. Public sector: wary of being accused of failing to achieve value for money (VFM); need to avoid wasting public money.
  • Public sector: senior management may perceive little to gain from taking unnecessarily high risks.
  • Public sector: funds are so tight that managers are forced to select options with a low level of risk and a high chance of problem-free delivery.
  • Consequence for the public sector: not adopting leading technology due to the level of associated risk; inefficient solutions as they become outdated.
  • Lower risk leads to reduced success and an inability to engage efficiently, owing to a mismatch of practices.
  • Promotes an outdated perception, causing reputational risk and negative perceptions.
  • Solutions for the public sector: Treat - introduce controls such as checking by a supervisor; Transfer - outsource the contract management function; Terminate - end the activity, using an alternative; Tolerate - accept the risk of staff stationery theft as low value.

Relationship of RM to CG, including professional standards

The purpose of the UK Corporate Governance (UKCG) Code is to ensure that boards manage companies well.

It promotes discussion of key risks: it requires a process to identify and quantify key risks and to monitor the extent to which they are operating and controlling the level of risk.

UKCG requires:

  • RM as an ongoing, regular feature of company life, embedded in the culture

Primary Related Standard

2120 - Risk Management

The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.


RM - general steps

Set objectives

Identify risks to achieving the objectives

Assess likelihood and impact

Determine appetite; decide the need for, nature and implementation of response and action

Monitor and report on the effectiveness of the response/action

Take corrective action and learn lessons


RM standards (tbc)

International Standards Organisation (ISO) 9000 series  

A framework to manage key processes, ensuring consistency and minimising defects. Organisations or parts of organisations can be certified against this standard when they meet its requirements, which may help to win or retain business. Some internal audit functions have attained ISO 9000 accreditation to demonstrate 'quality' to their stakeholders and in some cases ISO 9000 is regarded as a prerequisite for tender submissions. The BSI website has more detail on ISO 9000. 

ISO 31000

ISO 31000:2009 provides principles and generic guidelines on risk management. Although ISO 31000:2009 provides generic guidelines, it is not intended to promote uniformity of risk management across organizations. The design and implementation of risk management plans and frameworks will need to take into account the varying needs of a specific organization, its particular objectives, context, structure, operations, processes, functions, projects, products, services, or assets and specific practices employed. It is intended that ISO 31000:2009 be utilized to harmonize risk management processes in existing and future standards. It provides a common approach in support of standards dealing with specific risks and/or sectors, and does not replace those standards.
