
Date: 2nd March 2010

Compiled by: M Sathya Kumar


Enterprise risk management

Background :

The top management of a writing and printing paper company, with Rs.400 crores turnover, is extremely happy with its internal audit department, especially with the cost saving measures recommended by the department. The company has two plants in Thane (Mumbai) and Vapi (Gujarat), with its corporate headquarters at Mumbai. Being a public limited company, it needs to comply with the listing agreements and regulations of SEBI. Clause 49 of the listing agreement has laid down several risk management and internal control requirements for a public limited company.

Clause 49 of the listing agreement requires among other matters, the following mandatory compliances :

(a) "The company shall lay down procedures to inform Board Members about the risk assessment and minimisation procedures. These procedures shall be periodically reviewed to ensure that executive management controls risk through means of a properly defined framework."

(b) CEO/CFO certification that "They accept responsibility for establishing and maintaining internal controls and that they have evaluated the effectiveness of the internal control systems of the company and they have disclosed to the auditors and the Audit Committee, deficiencies in the design or operation of Internal Controls, if any, of which they are aware and the steps they have taken or propose to take to rectify these deficiencies."

The Audit Committee directs the internal audit department to help the company comply with these requirements and work with the CFO to ensure that a proper risk management framework is in place along with required procedures.

Methodology :

Against this background, the CIA meets his peers in industry and benchmarks against several organisations that have gone through this process. The company outlines the following objectives and adopts the following methodology.

Specific objectives to be achieved :

1. ‘Sensitise’ the entire organisation to Risk in decision making and to a structured approach to Risk Management.

2. Establish a risk model for identifying risks, prioritising risks and monitoring or treating the risks for a selected area, activity or process.

3. Establish an enterprise-wide risk model for identifying risks, prioritising risks and monitoring or treating the risks.

Standards to be used :

The COSO (Committee of Sponsoring Organisations of the Treadway Commission) Internal Control Framework is adopted as the basis of the review and establishment of the internal control system. The Australia and New Zealand Risk Management Standard is adopted as the Risk Management Framework for the organisation.

Enterprise risk management process :

Risk management serves the following purposes :

·         To support the organisation’s efforts to identify and pro-actively manage external conditions and internal developments that could influence its success;

·         To assist with the organisation’s strategic and operational planning;

·         To protect and enhance the company’s people, resources, physical assets, environment and neighbouring communities; and

·         To support efficient resource allocation.

The enterprise risk management framework must ensure that this activity is conducted cost-effectively. A significant component of the effectiveness of the process will be its assurance of traceability and demonstration of the use of best practice.

To achieve these ends, the process will ensure that :

·         All significant risks to the success of the company are identified;

·         Identified risks are understood, with both the range of potential outcomes they represent and the likelihood of values in that range being determined as far as is necessary for decision making;

·         Assessments of individual risks are directly comparable to support priority setting;

·         Strategies for treating risks take account of opportunities to address more than one risk with a particular strategy, and integrate related strategies where this is found to be worthwhile;

·         The process itself and the risk treatment strategies are all implemented cost-effectively; and

·         Where uncertainties give rise to opportunities, these opportunities are identified and exploited as appropriate.

As mentioned earlier, the CIA’s approach to identification, assessment and evaluation of risks and opportunities is based on the Australian and New Zealand Standard for Risk Management, AS/NZS 4360 : 2004.

The process generates a list of potential risks and opportunities, with associated priorities. This list can be used to highlight major risks, and decide on the appropriate allocation of attention and resources to manage them. The assessment of risk can also be used to develop action plans to treat major risks and develop strategy to capitalise on opportunities.

The risk management process has several important features :

·         It is a generic process, applicable across a wide spectrum of organisational activities;

·         It is internationally accepted as world’s best practice, and is being used by public and private sector organisations around the world;

·         It is compatible with more recent and specific processes like COSO;

·         It supports the identification and assessment of opportunities as well as risks;

·         It supports both qualitative and quantitative assessment approaches.

The process is illustrated below :

The same general approach can be used at any organisational level for identifying the risks facing the company across all its activities. It is as applicable to operational and support activities as it is to strategic management.

Roles and responsibilities are clearly identified by the CIA (in his capacity as the catalyst for Risk Management process) as given in Annexure ‘A’.

A few illustrative strategic risks identified during the exercise were :

·         More players were concentrating in western sector of the country and could lead to high competitive pressures in two years’ time.

·         Waste paper, which is the basic raw material, could be in short supply in a few years, and high-cost virgin pulp would have to be used, making the units unviable.

·         Government norms on pollution were getting stricter and the company would have to modernise the effluent treatment plants or face closure in the next few years.

·         Availability of skilled personnel, especially technically competent personnel at plant level, is an issue, as new companies which are being set up are enticing them to join at any cost. Retaining these technically competent personnel would be a tough issue.

·         Cost of manpower would go up substantially in the coming years, with no corresponding increase in final product prices.

·         Retaining one’s dealer network would be an issue over the years as a result of new players coming in.

·         Information Technology is outdated and an ERP system needs to be implemented for integration and information for better decision making.

Numerous operational risks were also identified in each process, which led to several action plans for treating these risks by the process owners, and a few major ones were escalated to the Audit Committee and Board. In all, around 245 risks were identified and the top 50 were placed before the Audit Committee in the first round of rollout of the risk management exercise.

Conclusion :

The positive attitude of the CIA and the process owners made the entire risk management exercise a value-adding one with quite a few benefits, especially better decision making at all levels. It was not merely an exercise in fulfilling the regulations. The Managing Director appreciated the efforts of the CIA and the entire team.

It led the internal auditing function to be elevated to deliver business solutions.

Annexure ‘A’

Roles and responsibilities, with the action plan, are clearly identified by the CIA —

Statement of activities

| Process | Activity | Deliverable | Role of CIA | Role of other company officials |
|---|---|---|---|---|
| Risk management training | Awareness workshops — 3 hours each. | Risk management training materials; improved understanding of risk and control | Organise training materials. Conduct workshops. | Participation by top management, senior management and middle management team (Function heads, heads of departments, process owners, managers). |
| Establish an interim risk management administration structure | Identify the risk management process owner. Document the process adopted. Create a document of risk management vocabulary. Document the overall risk management framework in company and circulate to all in the organisation. Establish a risk management communication system. | Process documentation; Risk management system information booklet including RM vocabulary; Established visible structure of risk management | Define the risk management process owner profile. Draft the write up for the information booklet. Define the parameters of risk management communication system. | Commit somebody adequately experienced to be the assignment coordinator who can later on be identified as the risk management system owner. Printing and circulation of the information booklet. Establish the communication channels — separate, if required. |
| Develop an operational risk management model | Document contexts and rating scales. | Draft contexts and scales | Establish the strategic, organisational and risk management context and define the criteria. Establish consequence and likelihood rating scales. | Provide additional inputs to finalise and sign off. |
|  | Risk and control identification and assessment and prioritising process with all members in the senior management | Risk register | Conduct meetings and help in documenting risks, controls and assessments | Senior management participation. |
|  | Risk treatment process. | Treatments and proposed action plan | Conduct meetings and compile treatments and proposed action plans | Participation of same senior management. Commit resources for shortlisting action plan. Schedule implementation of action plan. |
| Risk management roll out | Identify the risk management champion within the organisation. Establish the overall plan for the roll out. Establish Monitoring mechanisms. Establish risk assessment and reporting cycles. | Rollout plan; Established monitoring mechanisms; Risk assessment and reporting cycle schedules | Document overall roll out plan. Identify the monitoring mechanisms and assist in establishing the same. Document the assessment and reporting cycle. | Execute the rollout plan. Implement the monitoring mechanisms. Implement the cycles. |

Article by Deepak and Manish, renowned chartered accountants in the field of internal audit

 

 



Prime Academy - In Pursuit of excellence

 
