Risk management is the identification, assessment, and prioritization of risks, followed by the coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events, or to maximize the realization of opportunities. ISO 31000 defines risk itself as the effect of uncertainty on objectives, and that effect may be positive or negative. In everyday usage, managing a risk usually means avoiding it; in a corporate setting it does not, because some risk must be taken to pursue the company's objectives.
A company therefore focuses on achieving growth and profitability within appropriate risk and control boundaries. Those charged with governance must ensure that adequate controls are in place for monitoring risks, while the unit tasked with risk management must probe and analyse risks, take steps to mitigate negative impact, and accept residual risk only within the agreed risk appetite and the boundaries that have been set.
Senior management, recruited to develop plans that execute the strategy set by the board, must also put in place a process to manage the risks arising from that execution. Oversight of senior management's activities rests with the board. To fulfil this responsibility the board should select competent board members, establish guidelines that govern the board itself, recruit competent senior management, approve the company's overall risk appetite, and approve the plans that senior management prepares. Governance and risk management converge when the board performs these tasks.
The COSO enterprise risk management framework is made up of eight components, listed below, and may be followed to build an effective risk management function:
* Internal Environment – the risk management philosophy and risk appetite, ethical values, and the tone set by leadership
* Objective Setting – management must have a process for setting objectives that align with the entity's mission and are consistent with its risk appetite
* Event Identification – internal and external events affecting the achievement of objectives must be identified, distinguishing between risks and opportunities
* Risk Assessment – risks are analysed by considering likelihood and impact, as the basis for deciding how they are managed
* Risk Response – a set of actions is developed in line with the risk appetite: avoid, accept, reduce, or share each risk
* Control Activities – policies and procedures that ensure the chosen risk responses are effectively carried out
* Information and Communication – relevant information is identified and communicated in time for people to carry out their responsibilities
* Monitoring – the entirety of enterprise risk management is monitored regularly and modified as appropriate