Page 26 - The Insurance Times September 2022
changes that can give rise to important risks - for example, changes in internal culture or market sentiment.

Organisations should carry out analysis to identify potential events, but it will also be important to identify and respond to signs of danger as soon as they arise. For example, quick responses to product failure may be vital in ensuring that lost sales and threats to reputation are minimised.

Risk assessment

The likelihood and impact of risks are assessed, as a basis for determining how to manage them.

As well as mapping the likelihood and impact of individual risks, managers also need to consider how individual risks interrelate. The COSO guidance stresses the importance of employing a combination of qualitative and quantitative risk assessment methodologies. As well as assessing inherent risk levels, the organisation should also assess the residual risks left after risk management actions have been taken.

The ERM model has, though, been criticised for encouraging an over-simplified approach to risk assessment. It is claimed that it encourages an approach that views the materialisation of a risk as a single outcome. This outcome could be an expected outcome or it could be a worst-case result. Many risks will have a range of possible outcomes if they materialise - for example, extreme weather - and risk assessment needs to consider this range.

Risk response

Management selects appropriate actions to align risks with risk tolerance and risk appetite.

This stage can be seen in terms of the four main responses - reduce, accept, transfer or avoid. However, risks may end up being treated in isolation without considering the picture for the organisation as a whole. Portfolio management and diversification will be best implemented at the organisational level, and the COSO guidance stresses the importance of taking a portfolio view of risk.

The risk responses chosen must be realistic, taking into account the costs of responding as well as the impact on risk. An organisation's environment will affect its risk responses. Highly regulated organisations, for example, will have more complex risk responses and controls than less regulated organisations. The ALARP principle - as low as reasonably practicable - has become important here, particularly in sectors where health or safety risks are potentially serious but unavoidable.

Part of the risk response stage will be designing a sound system of internal controls. COSO guidance suggests that a mix of controls will be appropriate, including prevention and detection controls and manual and automated controls.

Control activities

Policies and procedures should operate to ensure that risk responses are effective.

Once designed, the controls in place need to operate properly. COSO has supplemented the ERM model with guidance in 'Internal Control - Integrated Framework'. The latest draft of this framework was published in December 2011. It stresses that control activities are a means to an end and are effected by people. The guidance states: 'It is not merely about policy manuals, systems and forms but people at every level of an organisation that impact on internal control.'

Because the human element is so important, it follows that many of the reasons why controls fail are problems with how managers and staff use controls. These include failing to operate controls because they are not taken seriously, mistakes, collusion between staff, or management telling staff to override controls. The COSO guidance therefore stresses the importance of segregation of duties, to reduce the possibility of a single person being able to act fraudulently and to increase the possibility of errors being found.

The guidance also stresses the need for controls to be performed across all levels of the organisation, at different stages within business processes and over the technology environment.

Information and communication

Information systems should ensure that data is identified, captured and communicated in a format and timeframe that enables managers and staff to carry out their responsibilities. The information provided to management needs to be relevant and of appropriate quality. It also must cover all the objectives shown on the top of the cube.

There needs to be communication with staff. Communication of the risk areas that are relevant to what staff do is an important means of strengthening the internal environment by embedding risk awareness in staff's thinking.
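The risk assessment and risk response sections above can be made concrete with a small worked model. The following Python is an added illustration, not code from the article or from COSO: it scores each risk both qualitatively (1 to 5 likelihood and impact bands) and quantitatively (annualised loss expectancy), keeps a range of outcomes per risk rather than a single expected or worst-case figure, applies one of the four responses to derive residual from inherent risk, and aggregates a portfolio view that can be compared with a risk appetite. The risks, probabilities, loss figures and control effectiveness values are constructed sample data, and the thresholds in `priority` are assumptions chosen for the example.

```python
"""Worked risk-assessment model (added example; sample data is constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Qualitative bands used for likelihood and impact, 1 (lowest) to 5 (highest).
BANDS = {1: "very low", 2: "low", 3: "medium", 4: "high", 5: "very high"}

RESPONSES = {"reduce", "accept", "transfer", "avoid"}


@dataclass
class Risk:
    name: str
    likelihood: int                       # qualitative band 1-5
    impact: int                           # qualitative band 1-5
    probability: float                    # annual probability the risk materialises
    outcomes: List[Tuple[float, float]]   # (loss, conditional probability) pairs: the range of outcomes
    response: str = "accept"              # one of RESPONSES
    control_effect: float = 0.0           # fraction of expected loss removed by the response (assumed)

    def qualitative_score(self) -> int:
        """Likelihood x impact heat-map score, 1 to 25."""
        return self.likelihood * self.impact

    def priority(self) -> str:
        """Assumed banding of the heat-map score for reporting."""
        score = self.qualitative_score()
        return "high" if score >= 12 else "medium" if score >= 6 else "low"

    def expected_loss_if_materialised(self) -> float:
        """Probability-weighted loss across the whole range of outcomes."""
        total_p = sum(p for _, p in self.outcomes)
        assert abs(total_p - 1.0) < 1e-9, "outcome probabilities must sum to 1"
        return sum(loss * p for loss, p in self.outcomes)

    def worst_case(self) -> float:
        """The single worst outcome, reported alongside the expectation, not instead of it."""
        return max(loss for loss, _ in self.outcomes)

    def inherent_ale(self) -> float:
        """Annualised loss expectancy before any response is applied."""
        return self.probability * self.expected_loss_if_materialised()

    def residual_ale(self) -> float:
        """Annualised loss expectancy after the chosen response."""
        assert self.response in RESPONSES, f"unknown response {self.response}"
        if self.response == "avoid":
            return 0.0          # the activity giving rise to the risk is not undertaken
        if self.response == "accept":
            return self.inherent_ale()
        return self.inherent_ale() * (1.0 - self.control_effect)


def portfolio_view(risks: List[Risk]) -> Dict[str, float]:
    """Aggregate inherent and residual exposure across the organisation."""
    inherent = sum(r.inherent_ale() for r in risks)
    residual = sum(r.residual_ale() for r in risks)
    return {"inherent_ale": inherent, "residual_ale": residual, "reduction": inherent - residual}


def within_appetite(risks: List[Risk], appetite: float) -> bool:
    """True when residual portfolio exposure is within the stated risk appetite."""
    return portfolio_view(risks)["residual_ale"] <= appetite


# Constructed sample register: three risks with a range of outcomes each.
SAMPLE_RISKS = [
    Risk("extreme weather at warehouse", 2, 4, 0.10,
         [(50_000, 0.70), (400_000, 0.25), (2_000_000, 0.05)], "transfer", 0.8),
    Risk("product failure / recall", 3, 4, 0.20,
         [(100_000, 0.60), (600_000, 0.40)], "reduce", 0.5),
    Risk("market sentiment shift", 3, 2, 0.30,
         [(20_000, 0.50), (80_000, 0.50)], "accept"),
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.name}: {r.priority()} (score {r.qualitative_score()}), "
              f"inherent ALE {r.inherent_ale():,.0f}, residual ALE {r.residual_ale():,.0f}, "
              f"worst case {r.worst_case():,.0f}")
    print(portfolio_view(SAMPLE_RISKS))
    print("within appetite of 50,000:", within_appetite(SAMPLE_RISKS, 50_000))
```

The point the model makes is the one the text raises against the single-outcome view: the weather risk has a modest expected loss but a worst case an order of magnitude larger, and only the portfolio figure, not the individual residual values, tells management whether the organisation as a whole sits within its appetite.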
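The control activities section above describes segregation of duties and the ways controls fail in practice (not operated, overridden, self-approved). As an added illustration, not code from the article, the following Python shows two checks a control owner can run: a static check that no single person holds a pair of duties the control design treats as conflicting, and a transaction-level check that a maker/checker control was actually operated, flagging records where the initiator approved their own transaction or where no approver was recorded at all. The duty names, the conflict pairs, the users and the transaction records are all constructed sample data.

```python
"""Segregation-of-duties and maker/checker checks (added example; sample data is constructed)."""
from itertools import combinations
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Pairs of duties that the (assumed) control design says must not sit with one person.
CONFLICTING_DUTIES: Set[frozenset] = {
    frozenset({"create_supplier", "approve_payment"}),
    frozenset({"raise_purchase_order", "approve_purchase_order"}),
    frozenset({"change_system_config", "review_change_log"}),
}


def sod_violations(assignments: Dict[str, Iterable[str]]) -> List[Tuple[str, str, str]]:
    """Static check: return (user, duty_a, duty_b) for every conflicting pair a user holds."""
    findings = []
    for user, duties in assignments.items():
        # Sorted so each finding is reported in a stable order.
        for a, b in combinations(sorted(set(duties)), 2):
            if frozenset({a, b}) in CONFLICTING_DUTIES:
                findings.append((user, a, b))
    return findings


def maker_checker_breaches(records: Iterable[dict]) -> List[str]:
    """Operating check: flag transactions where the second-person control was not applied."""
    breaches = []
    for rec in records:
        approver: Optional[str] = rec.get("approved_by")
        if not approver:
            breaches.append(f"{rec['id']}: no approver recorded")
        elif approver == rec["initiated_by"]:
            breaches.append(f"{rec['id']}: {approver} approved own transaction")
    return breaches


# Constructed sample entitlements: who currently holds which duties.
SAMPLE_ASSIGNMENTS = {
    "alice": ["create_supplier", "raise_purchase_order"],
    "bob": ["approve_payment", "create_supplier"],                                   # conflict
    "carol": ["change_system_config", "review_change_log", "approve_purchase_order"],  # conflict
    "dave": ["approve_purchase_order"],
}

# Constructed sample transaction log for the maker/checker control.
SAMPLE_RECORDS = [
    {"id": "PO-1001", "initiated_by": "alice", "approved_by": "dave"},   # control operated
    {"id": "PO-1002", "initiated_by": "carol", "approved_by": "carol"},  # self-approval
    {"id": "PO-1003", "initiated_by": "alice", "approved_by": None},     # control skipped
]

if __name__ == "__main__":
    for user, a, b in sod_violations(SAMPLE_ASSIGNMENTS):
        print(f"SoD conflict: {user} holds both {a} and {b}")
    for line in maker_checker_breaches(SAMPLE_RECORDS):
        print("control breach:", line)
```

The static check is preventive (run it before an entitlement is granted); the transaction check is detective, and its second branch is what catches the failure mode the text describes where a control exists on paper but is skipped or overridden in practice.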