Risk Governance Tool

The board ultimately has responsibility for effective risk governance even if it delegates certain aspects of risk to committees, typically the audit committee. In the light of the financial crisis, it is becoming more common for companies to either establish separate risk committees to consider the more forward-looking risks or to rename the audit committee as the audit and risk committee. However as companies re-organise their risk governance activities, one issue remains clear – the need for the board to take an increasing role in risk.

The following tool is an abridged and modified version of a checklist from the AICPA Audit Committee Toolkit [1] to highlight the questions that boards should be addressing on risk. It is based on the COSO [2] publication, Enterprise risk management – integrated framework [3] which is a globally recognised framework for managing risk. The COSO ERM framework is geared to achieving an entity’s objectives, set out in four categories:

- Strategic - high-level goals, aligned with and supporting its mission.
- Operations - effective and efficient use of its resources.
- Reporting - reliability of reporting.
- Compliance - compliance with applicable laws and regulations.

The COSO framework consists of eight interrelated components, around which the tool has been developed:

- internal environment
- objective setting
- event identification
- risk assessment
- risk response
- control activities
- information and communication
- monitoring.

When each of the eight components is determined to be effective in each of the four categories of objectives, the board and management have reasonable assurance that they understand the extent to which the entity’s strategic and operational objectives are being achieved and that the entity’s reporting is reliable and applicable laws and regulations are being complied with.

It should be noted that evaluation of risk management is not a one-time, but a continuous event for both the board and its committees.

HOW TO IMPROVE YOUR BOARD’S EFFECTIVENESS: Tool three - Risk governance, a tool for strategic oversight

Internal environment

1. Is the organisation’s philosophy for managing risk articulated in a comprehensive code of conduct?

2. Is the risk appetite for the organisation formally articulated in qualitative or quantitative terms?

3. Is the risk appetite consistent with the risk management philosophy and aligned with business strategy?

Objective setting

1. Has the board established high-level objectives that are consistent with the strategic direction, key strategic options and risk appetite for the organisation?

2. Have we identified critical success factors, relevant performance measures, milestones and risk tolerances for the achievement of the organisation’s strategic objectives?

3. Have we identified breakpoints and/or risk tolerances that will trigger broad discussion of potential need for intervention or modification of strategy?

4. Has management established operations, reporting and compliance objectives that are aligned with the overall strategic objectives?

Event identification

1. Has management employed a systematic approach in the identification of potential events that will affect the entity?

2. Is the categorisation of events across the organisation appropriate to the organisation and consistent with the risk philosophy and appetite of the organisation?

Risk assessment

1. Has management conducted a systematic assessment of all events with the potential for significant impact on the entity?

2. Has management sufficiently considered the interdependency of potentially related events in its event identification and risk assessment process?

Risk response

1. Has management adopted an appropriate and cost effective array of risk responses at the activity level of the organisation to reduce inherent risks to levels in line with established risk tolerances?

2. Has management taken a portfolio view to assure that the selected risk responses have reduced the entity’s overall residual risk to a level within the identified risk appetite for the organisation?

Control activities

1. Has management implemented adequate control activities throughout the organisation to assure that its risk responses are carried out properly and in a timely manner?

Information and communication

1. Do the organisation’s management information systems capture and provide reliable, timely and relevant information sufficient to support effective enterprise risk management?

Monitoring

1. Are sufficient ongoing monitoring activities built into the organisation’s operating activities and performed on a real-time basis to allow for appropriate reaction to dynamically changing risk conditions?

2. Have all deficiencies and recommendations for improvement in risk management processes been addressed and appropriate corrective actions taken?

Footnotes

[1] The AICPA Audit Committee Toolkit, AICPA, 2008 – available through the AICPA store at www.cpa2biz.com

[2] COSO is The Committee of Sponsoring Organizations. It consists of the AICPA, the Institute of Management Accountants (IMA), the Institute of Internal Auditors (IIA), Financial Executive International (FEI) and the American Accounting Association (AAA)

[3] The AICPA Toolkit includes a primer on the COSO framework as well as the tool. The COSO publication can also be published through the AICPA store at www.cpa2biz.com. The proceeds from the sale of the framework are used to support the continuing of COSO

© 2012, Chartered Institute of Management Accountants. All rights reserved.

Distribution of this material via the internet does not constitute consent to the redistribution of it in any form. No part of this material may be otherwise reproduced, stored in third party platforms and databases, or transmitted in any form or by any printed, electronic, mechanical, digital or other means without the written permission of the owner of the copyright as set forth above. For information about the procedure for requesting permission to reuse this content please email [email protected]

The information and any opinions expressed in this material do not represent official pronouncements of or on behalf of AICPA, CIMA, the CGMA credential or the Association of International Certified Professional Accountants. This material is offered with the understanding that it does not constitute legal, accounting, or other professional services or advice. If legal advice or other expert assistance is required, the services of a competent professional should be sought. The information contained herein is provided to assist the reader in developing a general understanding of the topics discussed but no attempt has been made to cover the subjects or issues exhaustively. While every attempt to verify the timeliness and accuracy of the information herein as of the date of issuance has been made, no guarantee is or can be given regarding the applicability of the information found within to any given set of facts and circumstances.

American Institute of CPAs 1211 Avenue of the Americas New York, NY 10036-8775 T. +1 2125966200 F. +1 2125966213

Chartered Institute of Management Accountants 26 Chapter Street London SW1P 4NP United Kingdom T. +44 (0)20 7663 5441 F. +44 (0)20 7663 5442 www.cgma.org

March 2012

CIMA has offices in the following locations: Australia, Bangladesh, Botswana, China, Ghana, Hong Kong SAR, India, Ireland, Malaysia, Nigeria, Pakistan, Poland, Russia, Singapore, South Africa, Sri Lanka, UAE, UK, Zambia, Zimbabwe
