We hear about risks as a fashionable topic: financial, operational, liquidity… risks of every kind. Internal Auditors and Compliance Officers should know them and should apply business risk administration (“BRA”). But…
What is a risk? What is a control?
For someone who is not a specialist, let’s explain them in a simple and easy way:
A risk is something that may or may not happen. In business it has acquired a negative connotation: something that could jeopardize obtaining or achieving the expected results. In business, a risk is mitigated but never eliminated, and it is mitigated with a control.
Controls, like risks, come in several types, but let’s keep it simple. There are 4 types of them: manual (performed by a person), electronic (performed by a system), preventive and detective.
Depending on the size of the company, its business lines, processes, resources, etc., controls should be designed to minimize risks. But how can that be done if the risks have not been identified? Here are the steps to deploy the BRA:
1. Analyze the company externally and internally. Start with an inventory of potential events that could affect it, beginning with the external threats. These depend on where the company is established and/or operates. For example: is it a high-risk jurisdiction for corruption, money laundering or tax evasion? What economic factors could affect us? How are the financial markets? What is the employment rate? Who is our competition (direct and indirect)? Which regulations must we comply with? What is the political environment? Which natural catastrophes could affect us? How do our customers behave? Which emerging technologies affect us? Etc.
Afterwards, think about the inventory of events that could affect the company internally, such as: what is our relationship with shareholders? How are the processes designed? What is our staff capacity? How often are they trained? Do we depend on technology? How are we protecting our core business (confidential information such as formulas, plans, data, etc.)? Do we cover our operating costs? How often is the equipment maintained? How leveraged are we? What kind of accidents could happen in our facilities? How is surveillance handled? Which areas manage cash or important information? Which are our most important products or services? Do we have an alternative provider in case the main one fails? Have we established a mission, vision and values? Do our employees know them? Where does the company keep its money? Who has access to it? Do we handle a considerable amount of money? Etc.
2. Now that you have the list, evaluate each event with these two questions:
a) If this event happens, what will be its impact on our business?
b) What is its probability of occurrence?
Design a table in Excel with 3 columns: events, impact and probability of occurrence. Evaluate impact and likelihood on a scale of 0 to 10. The first time this is done, it is recommended that someone in charge (either Internal Audit or Compliance) prepares the list and then sends it to the other Area Directors so they can evaluate it individually. Establish a deadline and a date for a meeting to share the results. The same person in charge of the list should moderate between the Directors. The purpose of the meeting is for everybody to explain their point of view and to reach a consensus answer. It sounds easy, but it can be quite exhausting, especially the first time. The key is that everybody participates, so you obtain two things: an evaluation of the risks, and awareness among the people who run the company of what the company could face.
3. Once you have the evaluation, divide the scale into three. Classify both the impact and the probability of occurrence as high, medium or low. Start by prioritizing the ones with the highest scores. Which risks could easily happen and would impact us most? Those are the high risks. Then come the ones with medium probability and impact, and then the low ones.
4. Place the risks on a graph such as the following (you can use either the X or the Y axis for impact, and the other for likelihood):
This is a “risk map” or “heat map”. It is a very useful tool to get an idea of how a company, process or area stands today; it is like a “photo” of its vulnerabilities. As you can see, events can lead to threats and therefore become risks. What was a low risk yesterday can be a high risk today or a medium one tomorrow. Risks change; they are dynamic. External factors change and are out of the company’s hands (who would have imagined that we would have drones?). Internal factors, of course, depend more on the company.
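As an added illustration (not part of the original article), the following Python script applies steps 2 to 4 to a constructed CSV export of the Excel table described above. Each Director’s individual impact and likelihood scores are combined by taking the median (an assumption; the article leaves the consensus to the meeting), events on which the Directors disagree strongly are flagged as agenda items for that meeting, the 0 to 10 scale is split into three bands (the cut-offs at 3 and 6 and the 3x3 priority rule are assumptions), and the result is printed as a text risk map. Event names, Director names and scores are invented for the example.

```python
import csv
import io
import statistics
from collections import defaultdict

SCALE_MAX = 10               # impact and likelihood are scored 0..10, as in the article
LOW_MAX, MEDIUM_MAX = 3, 6   # assumption: 0-3 low, 4-6 medium, 7-10 high
DISAGREEMENT = 4             # assumption: a spread this wide goes on the meeting agenda
RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed sample: the Excel sheet exported as CSV, one row per Director and event.
RATINGS_CSV = """event,director,impact,likelihood
Cash theft at branch,Finance,8,5
Cash theft at branch,Operations,7,6
Cash theft at branch,Compliance,9,4
Key supplier fails,Finance,6,3
Key supplier fails,Operations,7,7
Key supplier fails,Compliance,5,2
Flood at main warehouse,Finance,9,1
Flood at main warehouse,Operations,8,2
Flood at main warehouse,Compliance,9,1
Staff untrained on new system,Finance,3,6
Staff untrained on new system,Operations,4,8
Staff untrained on new system,Compliance,2,5
"""


def band(score):
    """Map a 0..10 score to low / medium / high by dividing the scale into three."""
    if not 0 <= score <= SCALE_MAX:
        raise ValueError(f"score {score} is outside 0..{SCALE_MAX}")
    if score <= LOW_MAX:
        return "low"
    if score <= MEDIUM_MAX:
        return "medium"
    return "high"


def level(impact_band, likelihood_band):
    """Overall priority from the two bands (assumption: high+high, high+medium
    and medium+high are high; low+low, low+medium and medium+low are low)."""
    total = RANK[impact_band] + RANK[likelihood_band]
    return "high" if total >= 3 else "low" if total <= 1 else "medium"


def build_register(csv_text):
    """Return (register, to_discuss): the consensus risk register sorted by
    priority, and the events whose scores spread by DISAGREEMENT or more."""
    scores = defaultdict(lambda: {"impact": [], "likelihood": []})
    for row in csv.DictReader(io.StringIO(csv_text)):
        scores[row["event"]]["impact"].append(int(row["impact"]))
        scores[row["event"]]["likelihood"].append(int(row["likelihood"]))
    register, to_discuss = [], []
    for event, s in scores.items():
        imp, lik = statistics.median(s["impact"]), statistics.median(s["likelihood"])
        if any(max(v) - min(v) >= DISAGREEMENT for v in s.values()):
            to_discuss.append(event)
        ib, lb = band(imp), band(lik)
        register.append({"event": event, "impact": imp, "likelihood": lik,
                         "impact_band": ib, "likelihood_band": lb,
                         "level": level(ib, lb), "score": imp * lik})
    register.sort(key=lambda r: (-RANK[r["level"]], -r["score"], r["event"]))
    return register, to_discuss


def heat_map(register):
    """Text 3x3 risk map: rows are impact bands (high on top), columns likelihood bands."""
    cells = {(i, l): [] for i in RANK for l in RANK}
    for r in register:
        cells[(r["impact_band"], r["likelihood_band"])].append(r["event"])
    lines = ["impact \\ likelihood | low | medium | high"]
    for i in ("high", "medium", "low"):
        row = [", ".join(cells[(i, l)]) or "-" for l in ("low", "medium", "high")]
        lines.append(f"{i:<19} | " + " | ".join(row))
    return "\n".join(lines)


if __name__ == "__main__":
    reg, discuss = build_register(RATINGS_CSV)
    for r in reg:
        print(f"{r['level']:<6} {r['event']:<30} impact={r['impact']} likelihood={r['likelihood']}")
    print("\nTo settle in the Directors' meeting:", ", ".join(discuss) or "none")
    print("\n" + heat_map(reg))
```

The register is sorted so that the high cell of the map comes first, matching the article’s advice to start with the events that score highest; the flagged events are where the moderator will need to spend the meeting time.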
The importance of the BRA is to know the company in detail: to evaluate how vulnerable we are and to know whether we are prepared to minimize what could become a reality. Therefore it is recommended to update it at least once a year, or whenever:
-an event occurs,
-a new event appears,
-a new system is bought,
-a new service or product will be launched, etc.
In those cases it should be evaluated again.
Next step: if you have already diagrammed the company’s processes (if you haven’t, please refer to the article “Let’s draw! The importance of the flowchart”), that information will be helpful. Where will the risks from the list be placed? (It depends on whether the flowchart was done by area or by process.) We’ll continue in the next article…
By Mónica Ramírez Chimal, México
Partner of her own consultancy firm, Asserto RSC: www.TheAssertoRSC.com
Author of the books “Don´t let them wash, Nor dry!” and “Make life yours!”, published in Spanish and English. She has written several articles about risks, data protection, virtual currencies and money laundering. Mónica is an international lecturer and instructor and has been Internal Audit and Compliance Director for an international company.