“Life itself is a risk”
The management of any organization, whether in the public or the private sector, aims, in order to achieve its objectives, to monitor and reduce risks. Risk control is achieved by managing risks effectively, namely by implementing an adequate risk management system.
Risk management is an important concept related to the safety and financial integrity of an organization, and risk assessment is an important part of its strategic development.
An organization’s risk management strategy should ensure that all the risks it faces are identified, assessed, monitored and managed so that they are kept within limits accepted by the entity’s management.
2. Risk management – Defining function within the organization
Risk management is the process of identifying, analyzing and responding to the risks the organization faces and is exposed to. The costs of implementing this system depend on the methods used to manage unexpected events.
The risk management process is an ongoing one, and its results are embodied in the decisions taken on accepting, reducing or eliminating the risks that affect the achievement of objectives. The aim is to optimize the organization’s exposure to risk in order to prevent losses, avoid threats and exploit opportunities.
2.1. Conceptual approaches for risk
In general terms, risk is part of any human effort. From the moment we leave home until we return, we are exposed to risks of different levels and degrees. It is significant that some new risks are entirely voluntary, and some are created by us through the nature of our activities.
The word “risk” derives from the Italian word “risicare”, which means “to dare”. In this sense, risk is a choice, not fate [1]. From this definition it follows that risk is not optional: we are permanently exposed to risk in everyday life, and what really matters is to gain control over it each time.
Nowadays there is no definition of the concept of risk that is unanimously accepted by all specialists in the field. Among the most commonly used definitions, we present the following:
“Risk is the possibility of obtaining favorable or unfavorable results in a future action, expressed in terms of probabilities.” or
“Risk is a possible future event whose occurrence could cause some losses.” or
“Risk is the threat that an event or action will affect in a negative manner the capacity of an organization to achieve its planned goals.” [2]
The analysis of these definitions of risk gives rise to the following conclusions:
Probability versus consequences. While some definitions given to risk focus only on the probability of the occurrence of an event, other definitions are more comprehensive, including both the probability of risk manifestation and the consequences of the event.
Risk and threat. In defining the concept, some experts have equated risk with threat. We specify that a threat is an event with a low probability of manifestation but with high negative consequences, the probability of manifestation being difficult to assess in these cases. A risk is an event with a higher probability of occurrence, for which there is sufficient information to rate both the probability and the consequences.
Comparing only negative results. Some concepts of risk focus only on negative events, while others take into account all variables, both threats and opportunities.
Risk is related to profitability and loss. The achievement of the expected result of an activity is influenced by random factors that accompany it at all stages of its development, regardless of the domain of activity.
In conclusion, risk can be defined as a problem (situation, event, etc.) which has not yet occurred but may occur in the future, threatening the achievement of agreed outcomes. Viewed in this context, risk is the uncertainty of obtaining the expected results and should be treated as a combination of probability and impact.
The probability of risk occurrence is the possibility that the risk materializes; it can be estimated or determined by measurement when the nature of the risk and the available information permit such an evaluation.
The risk impact is the consequence for the results (objectives) when the risk materializes. If the risk represents a threat, the consequence for the results is negative; if the risk represents an opportunity, the consequence is positive.
The probability of risk occurrence and its impact on the results together establish the risk value.
Based on the concepts presented above, in our opinion risk is a permanent reality, an inherent phenomenon that accompanies all the activities and actions of an organization and that materializes or not depending on the conditions created for it. It can cause negative effects by deteriorating the quality of management decisions, reducing profit and affecting the organization’s functionality, even to the point of blocking the implementation of activities.
In the literature, and also in practice, other concepts are used alongside the concept of risk, namely:
Inherent risk is the risk that exists naturally in any activity and is defined as “the risk existing before the implementation of internal control measures to reduce it” or “all risks that threaten the entity/organization, which may be internal or external, measurable or immeasurable”.
Residual risk is the risk remaining after the implementation of internal control measures. Applying these measures should limit the inherent risk to a level accepted by the organization. The residual risk should be monitored in order to keep it at the accepted levels.
Risk appetite is the level of exposure that the organization is prepared to accept, namely the risk tolerated by the organization.
Practitioners recommend that the organization’s management bear in mind that risks cannot be avoided; under these conditions, management should be concerned with evaluating risks so as to keep them “under control” at levels considered acceptable and tolerated by the organization, and should not seek their total elimination, as this can lead to other unexpected and uncontrolled risks.
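The notions introduced above (risk value as a combination of probability and impact, the sign of the consequence for threats versus opportunities, inherent versus residual risk, and risk appetite) can be made concrete as a small risk register. The following is an added example written for this page; it is not code from the paper or from any framework it cites. It assumes five-point ordinal scales for probability and impact and takes their product as the risk value, models each internal control device as a reduction in scale points, floors each factor at the scale minimum so that residual risk is reduced but never eliminated, and uses a constructed sample register and an assumed appetite value.

```python
"""Risk register: probability x impact, inherent vs residual risk, risk appetite.
Added example; scales, scoring rule and sample data are assumptions, not the paper's."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Five-point ordinal scales (1 = very low .. 5 = very high); an assumption of this example.
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass
class Control:
    """An internal control device and how many scale points it removes from each factor."""
    name: str
    probability_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    rid: str
    description: str
    kind: str                 # "threat" (negative consequence) or "opportunity" (positive)
    probability: int          # inherent probability, before controls
    impact: int               # inherent impact magnitude, before controls
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.kind not in ("threat", "opportunity"):
            raise ValueError(f"{self.rid}: kind must be 'threat' or 'opportunity'")
        for name, value in (("probability", self.probability), ("impact", self.impact)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.rid}: {name} {value} outside {SCALE_MIN}..{SCALE_MAX}")


def risk_value(probability: int, impact: int) -> int:
    """Risk value as the combination of probability and impact (here their product)."""
    return probability * impact


def inherent_value(risk: Risk) -> int:
    """Risk value before any internal control measures are applied."""
    return risk_value(risk.probability, risk.impact)


def residual_factors(risk: Risk) -> Tuple[int, int]:
    """Probability and impact after the controls. A control never drives a factor
    below the scale minimum, so residual risk is limited but never zero."""
    p, i = risk.probability, risk.impact
    for c in risk.controls:
        p = max(SCALE_MIN, p - c.probability_reduction)
        i = max(SCALE_MIN, i - c.impact_reduction)
    return p, i


def residual_value(risk: Risk) -> int:
    """Risk value remaining after implementation of internal control measures."""
    return risk_value(*residual_factors(risk))


def signed_consequence(risk: Risk) -> int:
    """Residual value with its direction: negative for a threat, positive for an opportunity."""
    value = residual_value(risk)
    return -value if risk.kind == "threat" else value


def threats_exceeding_appetite(register: List[Risk], appetite: int) -> List[str]:
    """IDs of threats whose residual value is still above the accepted exposure,
    i.e. those needing further treatment rather than monitoring alone."""
    return [r.rid for r in register if r.kind == "threat" and residual_value(r) > appetite]


def ranked(register: List[Risk]) -> List[Tuple[str, int, int]]:
    """(id, inherent value, residual value) ordered by residual value, highest first."""
    rows = [(r.rid, inherent_value(r), residual_value(r)) for r in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def sample_register() -> List[Risk]:
    """Constructed sample register; the entries are illustrative, not data from the paper."""
    return [
        Risk("R1", "Unauthorized access to the customer database", "threat", 4, 5,
             [Control("multi-factor authentication", probability_reduction=2),
              Control("encryption of stored data", impact_reduction=2)]),
        Risk("R2", "Key supplier fails to deliver on time", "threat", 3, 3,
             [Control("qualified second supplier", probability_reduction=1)]),
        Risk("R3", "Early entry into a new regional market", "opportunity", 2, 4),
        Risk("R4", "Regulatory fine for late statutory reporting", "threat", 2, 5),
    ]


if __name__ == "__main__":
    APPETITE = 8  # assumed accepted exposure on the 1..25 value scale
    register = sample_register()
    for rid, inherent, residual in ranked(register):
        print(f"{rid}: inherent={inherent:2d} residual={residual:2d}")
    print("further treatment needed:", threats_exceeding_appetite(register, APPETITE))
```

In the sample, R1 has the highest inherent value (20) but its two controls bring it to a residual of 6, within the assumed appetite, so it moves to monitoring; R4 has no controls, stays at 10 and is the only entry flagged for further treatment. The floor at the scale minimum is deliberate: it mirrors the text’s point that controls limit residual risk to an accepted level rather than eliminating it.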
2.2. Risk – Threat and opportunity
The internal and external environment in which the organization operates generates risks. In these circumstances the organization should identify its weaknesses and the threats it faces, in order to manage and minimize them. It must also capitalize on its strengths and exploit opportunities.
In this respect, designing and implementing a risk management process at corporate level is appropriate and necessary, given the uncertainty of the threats to the achievement of organizational goals.
The implementation of this concept leads to certain changes within the organization, whose effects should materialize in a better use of available funds and the attainment of the planned levels of profitability, namely:
risk management requires changes in leadership style: besides measures to treat the consequences of events that have already occurred, the organization’s management is obliged to devise and implement adequate internal control devices to limit or eliminate the possibility of risks materializing. Implementing these control devices should enable the organization to master risks within acceptable limits and to achieve its objectives.
risk management ensures the efficient and effective achievement of objectives and the mastering of the threats the organization deals with; it allows risks to be ranked according to their probability of materialization, the magnitude of their impact and the costs of mitigating or limiting unwanted effects.
risk management requires a healthy internal control system; designing and implementing adequate internal controls and ensuring their operation provide reasonable assurance that objectives will be achieved. Enhancing and strengthening the internal/management control system cannot be achieved without designing and implementing appropriate risk management.
Risk management is characterized by the establishment and implementation of concrete activities and actions for identifying and assessing risks, leading to the determination of the risk level, and on that basis by the implementation of adequate internal control devices to limit the probability of the risk occurring or its consequences if it materializes. The process must be coherent and integrated with the objectives, activities and operations carried out within the organization.
Staff within the organization, regardless of hierarchical level, should be aware of the importance of risk management for achieving planned results and should form the skills necessary to perform monitoring and control based on principles of efficiency and effectiveness.
Those responsible for the functional structures within the organization have the task of regularly identifying and analyzing the risks related to their activities, proposing and substantiating appropriate measures to limit the possible consequences of risks, and obtaining approval from the organization’s decision makers.
Practice [3] shows that any organization needs to manage its risks, because in many cases the occurrence of risks can have serious consequences for its activities, sometimes jeopardizing the very existence of the organization [4].
The growing complexity and number of risks has led organizations’ management to understand that it is better to manage a risk than to cover a loss. Based on this requirement, many organizations have proceeded to implement risk management, developing specific strategies that define the organization’s behavior towards risk and its risk management arrangements.
2.3. The importance of risk management in the organization
Risk management is a preventive attitude aimed at eliminating or limiting damages whenever there is a possibility of a risk materializing, namely a process of identifying, analyzing and responding to the potential risks of an organization.
In these conditions, the role of risk management is to help understand the risks the organization is exposed to, so that they can be managed. This role varies depending on when the analysis is done, as follows:
if the risk assessment is conducted before the risk materializes, the goal is to avoid the occurrence of this event;
if the risk assessment is carried out after the risk has materialized, the goal is to ensure the development of the activities and the continuity of the organization’s activities.
The advantage of implementing the risk management system within the organization is ensuring economic efficiency. To achieve this, the organization’s management has the responsibility to know the risks it faces and to manage them properly, in order to avoid the consequences of their materialization.
2.4. Responsibility for risk management
Risk management is the responsibility of the organization’s management, and the central objective of this process is to manage risks so that resources are used efficiently and effectively in order to maximize profit and minimize threats, while safeguarding the interests of employees and customers.
In this respect, the entity’s management must act in the following directions:
establishing a definition of risk, and of the types of risk, that is widely accepted and understood across the organization;
assessing current risks and monitoring potential sources of internal and external risks;
establishing clear responsibilities on each hierarchical level and per employee concerning the implementation of risk management process;
developing an adequate information system for management on risks and a risk assessment system;
setting the tolerance for taking risks and the limits of exposure in accordance with it;
permanently analyzing achievements and poor results in risk management and continuously improving the risk management process;
ensuring an adequate level of knowledge and skills among employees, in accordance with the requirements of implementing the risk management process.
To ensure efficient risk management it is necessary to create organizational structures appropriate to the policies and strategies of the organization. In this respect, the organization should adopt appropriate policies regarding its organizational plan, in order to monitor effectively each risk or category of risk and, in an integrated manner, the whole system of risks accompanying its activities.
The policies and strategies that may be adopted regarding the organizational plan relate to:
establishing and developing its own system of rules and procedures which, once implemented, ensure that risks are avoided or minimized;
establishing an appropriate functional structure based on a clear concept, which should provide suitable departments to contribute to identifying and monitoring risks.
Given that risk can be identified, evaluated and limited, but never completely eliminated, the organization must develop both general and specific policies to limit exposure.
2.5. Effectiveness of risk management
The activity of an organization is characterized by all its processes, procedures, inputs, outputs, resources (financial, material, human and informational) and technical means for recording, processing, transmitting and storing data and information about its activities and the environment in which the system operates.
Through the internal/management control programs it prepares, each functional structure should identify the risks it faces and, by using risk management procedures and policies, ensure that they are maintained at acceptable levels.
Risk management is an ongoing, structured process that allows identifying and assessing risks and reporting on the opportunities and threats affecting the achievement of the organization’s objectives. The benefits of implementing the risk management process include:
a higher probability of achieving the entity’s goals;
an improved understanding of risks and their implications;
increased attention to major issues;
limitation of consequences by implementing adequate internal controls;
acknowledging that a certain tolerance to risk is acceptable;
broader information for adequate decision making with regard to risks.
The organization’s management and staff perform risk management activities in order to identify, assess, manage and control all types of events or situations that may affect its activities.
In today’s world it has become increasingly imperative for corporate managers to monitor and manage risk [5] in all its aspects. Good risk management means avoiding or minimizing loss, and also treating opportunities favorably.
Risk management is necessary because organizations face uncertainty, and the biggest challenge for leadership is to determine what level of risk it is prepared to accept in achieving its mission, in order to add value to activities and achieve planned goals.
Risk management is an essential component of the organization’s success and must become an intrinsic part of its functioning. It must be closely related to corporate governance and internal control, but also connected with performance management [6].
3. Integrated approach to risk
The integrated risk management process is designed and set up by management and implemented by the whole staff of the organization. This process is not linear: managing one risk may also have an impact on other risks, and control devices identified as effective in limiting one risk and keeping it within acceptable limits may prove beneficial in controlling other risks.
Risk management is currently enjoying increasing appreciation and recognition, both in theory and in practice, reflected on the one hand in the growing number of specialists in the field and on the other hand in the interest of managers in designing and implementing effective risk management systems to meet their objectives.
Mastering risk drives organizational development and performance growth, both of the organization as a whole and of its individual activities.
3.1. COSO and integrated risk management
With regard to risk management, COSO presented an initial framework methodology for implementing internal controls, built into the policies, rules, procedures and regulations that various organizations have used to secure control over how the plan is carried out and objectives are met.
Later, after the appearance of major fraud scandals and the need to improve corporate governance processes, large corporations discussed and set up risk management departments to help implement procedures for the identification, assessment and control of risks.
Following the emergence of these needs, the Treadway Commission, the promoter of the COSO model, initiated a program to develop a general methodology that could be used by organizations’ management to improve risk management.
Risk management within organizations was built on the concept of internal controls, but the focus was particularly on managing risk. This was not intended to replace internal controls, but to incorporate the basic concepts of internal control into this process.
Thus, a strong connection was preserved between risk management and internal control, interrelated through common concepts and elements.
3.1.1. Risk management and internal control
The main objectives of the internal control/management system are to ensure the efficiency and effectiveness of activities, the reliability of reporting and compliance with the regulations in the field. The internal control/management system is developed, implemented and monitored by the organization’s management, which is responsible for designing adequate internal control devices that limit significant risks and keep them within acceptable limits, with the aim of providing assurance that the organization’s objectives will be met.
The risk management system was structured on the components of internal control/management as defined by the COSO model, namely five elements whose implementation ensures that the internal control tools/devices exist and function as intended.
These components were defined as:
the control environment specific to the organization sets the foundations of the internal control system, influences the control awareness of employees and represents the basis for the other components;
risk assessment is carried out by management at both corporate and activity level and includes identifying and analyzing the risks that affect the achievement of objectives. In general, risk assessment involves determining the importance of the risk, assessing the probability that the risk will occur and determining how to manage it;
control activities are the policies and procedures that ensure management’s directives are respected. Through them, it is ensured that all necessary measures are taken to manage risks and achieve the objectives set by management;
information and communication support the other components by properly communicating to employees their responsibilities with regard to internal control and by providing relevant, reliable, comparable and understandable information so that they can perform their duties and tasks;
monitoring implies verification by management of how the internal controls it has demanded are implemented, or by those responsible, who check whether the internal controls imposed work and whether they are sufficient for activities or actions to take place as planned.
3.1.2. Objective of risk management system
COSO defines integrated risk management as “the process conducted by the Board, management and others, applied in setting strategy and across the organization, designed to identify potential events that may affect the entity and to manage risk within the risk appetite to provide a reasonable assurance regarding the achievement of organizational objectives” [7].
From the content of this definition, some essential elements characteristic of integrated risk management follow:
the process is conducted permanently throughout the organization, embedded in its other activities;
the purpose is to manage the risks associated with objectives and to secure the expected results through their implementation;
the whole staff is involved in the process, regardless of hierarchical level;
the approach starts from the strategic goals rather than from operational objectives;
the process is applied to the entire organization, not to individual functional structures.
The general objective of integrated risk management is to manage uncertainties, risks and opportunities effectively. The need for risk management stems from the fact that uncertainty is a reality and the reaction to uncertainty is a constant concern.
Risk management involves establishing actions to respond to risk and implementing adequate internal control devices to limit the possibility of the risk occurring or its consequences if it materializes. In order to ensure efficiency in achieving objectives, the process must be coherent and convergent, integrated with the objectives, activities and operations carried out within the organization.
Also, staff at every hierarchical level should be aware of the importance of risk management for achieving their own objectives, and thus form the skills necessary to perform monitoring and control based on principles of efficiency and effectiveness.
In order to ensure the success of this approach and achieve effective risk management, the organization needs to create a risk culture, namely to develop a risk management philosophy specific to the organization and its management, and an awareness of the negative effects of risk at all levels of the organization.
From the above it follows that the need for internal control/management is determined by the existence of threats or opportunities in carrying out planned activities or actions, with negative consequences for the organization. This requires the establishment and implementation of internal control devices in order to prevent or limit risks.
Also, the need for risk management stems from the fact that risk is everywhere, in everything we want to achieve. It cannot be removed; any action to eliminate a risk can lead to the emergence of new, uncontrolled risks, which may affect the organization to a much greater extent. In these conditions, risk needs to be minimized, a process that can be achieved by establishing and implementing adequate internal controls.
3.2. The role of integrated risk management system
The risk management process is considered to be a set of activities and actions carried out in a certain manner and order to prevent or reduce the exposure to risk resulting from one or several operations.
In practice, the most commonly applied concept of risk management is that risks should be managed separately within independently organized departments of the organization’s functional structure. This method provides simplicity and efficiency in making decisions on risk management, but it leads to multiple actions and records for the same risk exposure and does not address the correlations between different exposures.
There are other practices too, which consider that each employee must be responsible for risk management, having the competence to identify risks and implement appropriate internal controls to mitigate the probability of their manifestation. This way of managing risks does not lead to results and does not guarantee that activities are conducted as planned, because it does not treat exposures arising from the same activities consistently, and the process depends on employees’ knowledge and understanding of the risk management system implemented within the organization.
These traditional risk management processes are usually fragmented, meaning that they are implemented at the operation or transaction level and aimed at preventing losses. Managing risks in these cases “does not consider the fact that risks are a source of competitive advantage”.
Recent research on risk management models and strategies focuses on the competitive advantages of risks when they are approached as a whole, at system level. In this case the system is considered to be composed of all the processes and activities necessary to achieve the objectives.
This approach requires that all relevant functions within the organization (personnel, finance and accounting, manufacturing, commercial, procurement, IT, legal, internal control, internal audit, strategic development, marketing, etc.) participate in the risk management process.
Implementing integrated risk management requires that the organization be viewed from a systems standpoint, both as a link in the industry in which it operates and as part of it, acting in accordance with certain principles, its features being: complexity, limited resources, the factors that influence its activity, the nature of events and the possibilities for development.
In this view, risks should be managed in an integrated way, to eliminate multiple records of the same risk exposure and to analyze the correlations between different exposures. This risk management approach is complex; it requires a large volume of information for decision making and higher administration costs. At the same time, a wrong decision can have a high impact on the business, or even on the organization.
The integrated risk management system based on this concept must be interdependent with the organization’s development needs and must include the processes of developing and establishing the elements of risk assessment, monitoring and management. At the same time, integrated risk management must also be approached in correlation with all the types of risk management of each functional structure of the organization.
The integrated risk management system operates with broad categories of risk (personnel risk, financial risk, legal risk, etc.), with the different risks attached to various activities, with the risks associated with different operations or transactions, and also with external risks that may affect the development of the organization as a whole (such as risks related to legislative changes) or the carrying out of one or more of its activities.
In these conditions, implementing the concept of integrated risk management within the organization is more than necessary, because the risk management process should address all the types of risk that are found in, and affect, all functional structures of the organization.
Approaching exposures in this unitary manner, namely as a proper and coherent system of exposures to various risks, with the connections and mutual conditioning between them, will enable the effective management of the risks that may affect the achievement of objectives and will contribute to improving activities and performance within the organization.
The integrated risk management system can identify all the risks that affect the implementation of the processes and activities attached to an organizational goal; it can assess the overall consequences and adopt measures depending on the level of uncertainty and the existing inherent risk that affects the achievement of the objectives set.
Also, integrated risk management allows decisions to be substantiated and made at the lower hierarchical levels of the organization as well as at the top level, and ensures the coordination of activities in order to solve current problems between functional structures. It also helps to increase efficiency within the organization through other administrative or managerial means, such as better allocation of resources.
Implementing integrated risk management within the organization will provide shareholders and potential investors with more concrete and reliable information on the risks to which it is exposed, allowing them to base their decisions on better conditions.
As the organization’s activities develop, old risk management systems become inadequate and risk exposures, especially the risk of fraud and error, increase significantly. Implementing the integrated risk management system involves designing evaluation criteria capable of measuring all activity-related risks, by considering the relationships and connections between them, and thus determining at any time the exposure of the organization, or of its functional structures, to any risk factor.
This risk management process, characterized by the development of an integrated risk management methodology, includes the following steps: establishing the organizational and risk management context; identifying, analyzing and assessing risk; risk treatment; risk control; communication; and monitoring the risk management plan.
The process should not be linear: managing one risk may have an impact on other risks, and measures identified as effective in limiting one risk and keeping it within acceptable limits may prove beneficial in controlling other risks.
3.3. Integrated risk management system functions
The effectiveness of implementing an integrated risk management system, compared with traditional risk management, lies in the fact that it integrates all activities related to risk and risk management into a single system. This system is operated and controlled from a single management level, thus eliminating the duplication and the disruptions of communication and action that can occur in a classical system.
The functions that the integrated risk management system fulfils within the organization’s management system can be classified as follows:
defining goals and setting the organization’s objectives on risk. Setting goals is a defining requirement for the identification and assessment of risks and for risk response planning. The organization must define its objectives properly, so that they are understood and carried out by the people to whom they are assigned.
The basic role of integrated risk management is to provide management and the organization’s board with reasonable assurance regarding the achievement of objectives. In this respect, COSO [8] states that, in order to identify the associated risks, the organization’s objectives should be established in advance and grouped into four categories, as follows:
strategic objectives, which define the mission and the long-term development directions;
operational objectives, which refer to the effective and efficient use of available resources;
reporting objectives, which refer to the reliability of reporting;
compliance objectives, which refer to compliance with the regulations, standards and rules applicable to the organization.
In defining objectives, the key is to define the strategic objectives first and then to derive the other types of goals from them: operational, reporting and compliance.
Also, for each goal it is necessary to establish the risk tolerance, namely the accepted materiality regarding the degree of achievement of the indicators attached to the objectives for them to be considered achieved.
determining courses of action to manage risk. To achieve risk management within the organization, the lines of action of integrated risk management are:
defining the organization’s strategy on risk;
setting activities to be achieved if the risk occurs;
evaluating results and measuring performance;
risk monitoring at corporate level;
reviewing corporate strategy on risk.
The risk strategy must be coherent, state how the losses caused by an adverse event are to be recovered, and integrate the risk response measures.
The activities to be carried out if the risk materializes cover the setting of measures to address the consequences of the risk, the recovery of losses, and the identification and implementation of appropriate control devices to eliminate the causes that led to the risk occurrence.
Applying the decisions taken rigorously, so that integrated risk management functions effectively, ensures continued operations and the achievement of the expected results.
Monitoring risk at corporate level means observing the functioning of the integrated risk management system and identifying and reporting existing weaknesses, so that the necessary remedial measures can be adopted.
The risk strategy needs to be updated whenever the organization changes its development strategy or its strategic objectives, and also whenever management’s risk policy changes.
The periodic review of risks also involves redistributing and concentrating resources in the areas of interest.
determining the relations between the integrated risk management system and the other subsystems of the organization. The organization’s management must permanently ensure the interdependence between the objectives of the organization, its functional departments and risk management.
The risk management process aims to identify and assess the risks that can affect the achievement of objectives and to establish risk response measures. It should “become part of the organization’s functioning as the base of management approaches9”.
Since objectives concern all levels of the organization (strategic, general and operational) and are defined at the level of the strategy, of the functional departments and even of the individual post, risk management must be aware of all the relationships that occur or develop between or within them.
Incomplete determination of the relationship between the risk management system and the other subsystems of the organization leads to inadequate identification and management of the risks associated with the objectives, with major negative consequences for the organization.
setting activities and responsibilities on risk. This seeks to identify all the activities carried out within the integrated risk management process and to establish responsibilities for implementing each of them. Since the process involves all functions and functional departments of the organization, the activities and responsibilities on risk, defined and agreed at their level, must be communicated to the employees involved in carrying out the activities.
defining performance indicators. For each strategic, operational, reporting or compliance objective defined at corporate level, performance indicators must be established by which the degree of achievement of the objective can be measured. Setting targets for each indicator also allows the performance resulting from the risk measures imposed within each objective to be established.
allocating the resources necessary to carry out the activities and training the staff involved. For each planned activity, the resources necessary for its achievement (financial, human, material and information resources) must be identified. The resources needed to accomplish the activities must be available and approved in the budgets.
communication and consultation on the results, and evaluation of the risk performance against the planned objectives. Communication involves the timely and clear transmission of the necessary information about risk, as follows:
those responsible for risk management communicate information about the content of the process and about the management decisions relating to any risk measure;
those responsible for risk within the functional structures communicate information on the risks associated with the established objectives and on how those risks are managed;
the entire staff reports information on the identified risks whose management needs to be ensured.
Consultation on the results aims to provide information on risk exposure after the risks have been evaluated and the control measures implemented. Its role is to establish the effectiveness of the control measures applied.
Risk performance evaluation aims to determine the performance obtained from the risk response, compared to the costs incurred for the control measures taken to reduce the risk and keep its level within the risk appetite.
monitoring effects and reviewing the formulated strategy. This involves evaluating the efficiency and effectiveness of the risk management process within the organization and, according to the results obtained, carrying out the appropriate review of the risk strategy, in order to minimize adverse events and integrate the risk response measures appropriately.
In our view, the implementation and operation of integrated risk management is necessary; it can be achieved through ongoing monitoring of risk and the integration of risk response measures, based on risk strategies that ensure the achievement of objectives and deliver the expected results even when an event causing loss occurs.
The firm implementation of the decisions taken, as an effect of the effective operation of the integrated risk management system, creates the premises for further activities and for obtaining performance across the organization.
Knowing the threats that affect the achievement of the goals allows them to be classified according to their level of materialization, the extent of their impact on the objectives and the costs of the measures necessary to minimize their effects. Establishing a hierarchy of threats leads to an order of priorities in resource allocation.
4. Integrating risk management into the management system
The conception, implementation and operation of an integrated risk management system must ensure the ongoing monitoring of risk and the integration of the risk response measures into a coherent risk strategy.
The risk strategy should contain clear objectives on the risk policy promoted and applied within the organization, and define the exposure levels and the response to risk in all the circumstances in which the risk is analyzed and evaluated. It should also set the terms and conditions for recovering losses whenever a risk materializes and has, or will have, financial consequences.
4.1. Integrated risk management system - Part of the organization’s management system
Implementing integrated risk management within the organization allows the organization’s management to focus its resources on those risks that affect the achievement of objectives, in order to protect assets, ensure the continuity of the organization’s activities and take effective decisions.
The risk management function must be a defining function within the organization and provide a complete and coherent set of activities and actions that define the organization’s decision-making if a risk materializes and guide the staff in managing risk.
An effective integrated risk management system must ensure the recovery of the organization in case of an interruption of activity, by maintaining its essential functions, at least at minimal levels, from the occurrence of the event until its remediation.
The decisive part in the functioning of an integrated risk management system is business continuity planning, because it contains the recovery measures for the activities affected by a risk event.
The approach, implementation and functioning of an integrated risk management system in the organization depend on the processes undertaken, the organization’s situation and the leadership style. However, to ensure the efficiency of the process, the following must be taken into account primarily:
the COSO10 principles on integrated risk management, compliance with which involves designing and implementing efficient risk management that contributes to the achievement of objectives and to the efficient use of resources;
approaching risks within integrated risk management by starting from the strategic risks and then moving to the operational, reporting and compliance risks;
analyzing and assessing risks in terms of the relevant factors: materiality, impact and probability;
preparing reports on risk management that have practical value and can be used by management in decision-making.
The role of the integrated risk management system is to ensure the implementation of the risk management function within the organization’s management system. Its functions are activated when the organization’s management system signals the existence of a threat to the achievement of its objectives and to the delivery of the expected results of its activities.
From the scheme presented above it can be seen that developing and implementing integrated risk management enables the entity’s management to focus its efforts on the risks affecting the achievement of the objectives.
The integrated risk management system also reflects the integration of all the activities and actions related to risk and risk management into a single system, so that they can be acted upon at one level. In this way the parallelism and dysfunction of action and communication that occur within organized systems operating independently of each other are eliminated.
Implementing an integrated risk management system within the organization leads to the following:
analysis of the strategic, operational, reporting and compliance risks that may affect the achievement of organizational objectives;
definition and prioritization, according to the risk level and the costs required, of the control devices needed to eliminate the consequences if the risk has materialized, or to limit the risk if it constitutes a threat to the organization;
identification and evaluation of the internal controls related to the activities and actions attached to the objectives, both those that exist and those expected to exist, and establishment of the areas that require implementing control measures, so that the targets set for the objectives are achieved under the planned conditions;
designing and implementing internal control measures to improve activities;
providing the conditions for the organization to comply in different situations;
establishing the critical data and information concerning the organization’s environment that may be used in strategic analysis and decision-making.
Exercising the risk management function, as a defining function within an organization, involves carrying out, through the integrated risk management system, a coherent set of processes, activities and operations by which effective risk management is ensured and the decision-making process to follow if a risk occurs is defined.
Depending on the types of risks identified, on the risk response determined according to the risk appetite, on the costs involved and on the levels at which risks may be maintained after their treatment, the integrated risk management system can guide the organization to improve its work according to the benefits of good risk management.
4.2. Assessing and measuring risks – Component of integrated risk management system
In the integrated risk management process, the risk assessment component is a major step, aiming to:
identify the significant risks within the organization, associated with the objectives;
assess the capacity of the internal control/management system to prevent and manage risk effectively;
determine the significant risks that are not adequately controlled by the organization and that are to be treated in order to reduce the exposure levels.
Risk assessment depends on the probability of occurrence and on the severity of the consequences if the risk materializes, i.e. the impact of the risk, and uses risk assessment criteria as its tools. These criteria should cover the purpose for which the risk was identified, in terms of compliance and performance.
Through prioritization, the medium and high risks for which risk responses will be decided are selected.
The risk assessment process includes the assessment of inherent risks, which exist before the implementation of control measures, and of residual risks, which remain after the implementation of control measures, and has two phases, namely:
Assessing probability is a qualitative element and is carried out by evaluating the potential for the risk to occur, considering the qualitative factors specific to the context in which the objectives are defined and achieved. It can be expressed on a three-level scale: low probability, medium probability and high probability. Illustration:
LOW: rare modifications in the regulatory framework (over 3 years); low complexity of activities and actions; experienced staff; objectives and targets are not changed; reliable, adequate and updated information; processes well designed, formal and conducted.
MEDIUM: legal framework relatively new or having experienced significant changes; average complexity of activities and actions; average level of employment and experience of staff; rare changes of objectives and targets; information existing from many sources but insufficient; processes related to practice.
HIGH: very frequent modifications in the regulatory framework; high complexity of activities and actions; inexperienced and newly employed staff; frequent changes of objectives and targets; poorly designed and led processes; insufficient and outdated information.
Assessing impact is a quantitative element and is carried out by evaluating the effects of the risk if it materialized, considering the quantitative factors specific to the financial nature of the context in which the objectives are achieved. It can be expressed on a three-level scale: low impact, moderate impact and high impact. Illustration:
LOW: low cost of implementing the activities/actions, under the planned level; no losses of financial assets, employees or materials; good image of the organization; competencies and responsibilities provided for in decision-making; good quality services; continuity of activities ensured.
MODERATE: costs of implementing the activities/actions equal to the planned level; reduced losses of financial assets, employees and materials; moderate image of the organization; decisions made without assuming responsibilities; moderate quality of the services provided; very rare interruptions in activity.
HIGH: high costs relative to the implementation planning of the activities/actions; poor image of the organization; decision-making without ensuring competence and responsibilities; poor quality of the services provided; significant break in activity.
The risk analysis criteria are the assessment of the probability of risk occurrence and the assessment of the impact level if the risk materialized, as follows:
the probability assessment is based on the analysis and evaluation of the qualitative factors specific to the context in which the objectives are defined and met;
the impact level assessment is based on the analysis and evaluation of the quantitative factors specific to the financial nature of the context in which the objectives are achieved.
Establishing the risk response, and checking whether the risk falls within the risk appetite agreed by the organization’s management, is carried out by multiplying the probability and the impact of the risk, using the formula:
PT = P × I
where: PT = total risk score
P = probability
I = impact
Depending on the outcome of the risk measurement process, applied to all the risks the organization faces that affect the achievement of objectives, risks are classified as high risk, medium risk or low risk, as follows:
for PT = 1 or 2, low risk;
for PT = 3 or 4, medium risk;
for PT = 6 or 9, high risk.
Assessing internal control
Internal control is assessed against the risks associated with the organization’s objectives that have been measured.
The internal control assessment process involves identifying and analyzing the expected and existing internal controls implemented by the entity to manage risks, and aims to establish the areas where internal control does not work or works improperly. It can be expressed on a three-level scale: compliant internal control, partially compliant internal control and non-compliant internal control. Illustration:
COMPLIANT: internal control system implemented and preventing risk materialization; regulatory framework of risk management and internal control known; positive attitude towards internal control/management and risks; internal control/management integrated into the organization’s activities and actions; risk management ensures the identification of significant risks, their assessment, the establishment of risk management measures and the monitoring of their effectiveness; systematic reporting on the development of activities; objectives met and appropriate remedies for violations.
PARTIALLY COMPLIANT: internal control system implemented, but not preventing risk materialization; neutral attitude towards internal control/management and risks; internal control/management partially integrated into the organization’s activities and actions; the risk management process ensures the identification and assessment of risks, but the risk management measures are not always adequate and effective; systematic reporting on the development of activities, but stating the objectives as met.
NON-COMPLIANT: internal control system not implemented; regulatory framework of internal control/management not known; uncooperative or indifferent attitude towards internal control/management; internal control/management perceived as a separate activity, conducted in parallel with the entity’s activities; risk management does not provide the identification of significant risks; systematic reporting on the development of activities, but the information is not reliable.
The risk response involves establishing and implementing the possible actions and selecting those appropriate to the risk appetite and to the costs required to implement the risk management measures, considering the following:
for objectives whose risks were classified as low risk and for which the internal controls were assessed as compliant, the risk is residual, so the organization’s exposure is below the accepted level. In these cases the organization accepts the risk as such, without intervening to treat it, but keeps it under permanent monitoring to ensure that the exposure level does not change.
for objectives whose risks were classified as medium risk or high risk and for which the internal controls were assessed as partially compliant or non-compliant, the risk is inherent, so the organization’s exposure is above the accepted level. In these cases the organization proceeds to treat, avoid or transfer the risks.
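The scoring and response rules of this section, worked through as an added example (not the paper’s own code): the numeric values 1..3 for the scale levels, the sample risk register and the PT-ordered prioritization are assumptions, and level/control combinations the text does not spell out are reported as None.

```python
"""Worked example of the risk scoring (PT = P x I), the PT thresholds
(1-2 low, 3-4 medium, 6-9 high) and the response rule that combines the
risk level with the internal-control assessment.  Added example; the
numeric scale values and the sample register are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Three-level scales; values 1..3 are an assumption chosen so that P x I
# yields exactly the scores 1, 2, 3, 4, 6, 9 that the thresholds refer to.
PROBABILITY = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "moderate": 2, "high": 3}
CONTROL = ("compliant", "partially compliant", "non-compliant")


@dataclass
class Risk:
    objective: str
    description: str
    probability: str  # key of PROBABILITY
    impact: str       # key of IMPACT
    control: str      # one of CONTROL (internal control assessment)


def total_risk_score(probability: str, impact: str) -> int:
    """PT = P x I."""
    return PROBABILITY[probability] * IMPACT[impact]


def risk_level(pt: int) -> str:
    """Map PT onto the three classes: 1-2 low, 3-4 medium, 6-9 high."""
    if pt in (1, 2):
        return "low"
    if pt in (3, 4):
        return "medium"
    if pt in (6, 9):
        return "high"
    # 5, 7 and 8 are not products of two numbers in 1..3, so they never occur.
    raise ValueError(f"PT={pt} is not reachable on a 3x3 scale")


def risk_response(level: str, control: str) -> Optional[tuple[str, str]]:
    """Combine the risk level with the internal-control assessment.

    Returns (risk kind, response) for the two cases the text spells out and
    None for combinations it does not cover (left to management's decision).
    """
    if control not in CONTROL:
        raise ValueError(f"unknown control assessment: {control}")
    if level == "low" and control == "compliant":
        return ("residual", "accept and keep under permanent monitoring")
    if level in ("medium", "high") and control in CONTROL[1:]:
        return ("inherent", "treat, avoid or transfer")
    return None


def assess(risk: Risk) -> dict:
    """Score, classify and decide the response for one register entry."""
    pt = total_risk_score(risk.probability, risk.impact)
    level = risk_level(pt)
    return {"objective": risk.objective, "pt": pt, "level": level,
            "response": risk_response(level, risk.control)}


def prioritize(register: list[Risk]) -> list[dict]:
    """Assessed risks, highest PT first, keeping only the medium and high
    risks that are selected for a risk response (the prioritization step)."""
    assessed = sorted((assess(r) for r in register),
                      key=lambda a: a["pt"], reverse=True)
    return [a for a in assessed if a["level"] != "low"]


# Constructed sample register (illustrative, not from the paper).
SAMPLE_REGISTER = [
    Risk("Reporting: quarterly statements", "new reporting rules, staff untrained",
         "high", "high", "non-compliant"),
    Risk("Operational: payroll processing", "single experienced operator, manual checks",
         "medium", "moderate", "partially compliant"),
    Risk("Compliance: data retention", "stable legal framework, documented procedure",
         "low", "low", "compliant"),
    Risk("Strategic: new service line", "market uncertainty, strong governance",
         "medium", "high", "compliant"),
]

if __name__ == "__main__":
    for entry in prioritize(SAMPLE_REGISTER):
        print(entry)
```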
5. The structure of integrated risk management
Achieving the objectives of integrated risk management within an organization presupposes carrying out, in a logical sequence, the following specific and required activities: setting the context, setting the objectives, risk identification, risk assessment, setting a risk response, implementing control measures, information and communication, and monitoring.
5.1. Integrated risk management process
Integrated risk management is structured on the component elements of the COSO model, noting that the control environment is defined by the internal environment, and that risk assessment consists of setting objectives, identifying events, assessing risks and responding to risk.
5.1.1. The internal environment
This is the theoretical and conceptual stage of the risk management process; it presupposes an organizational culture on risk and knowledge of the operating concepts of risk management, and examines whether these are implemented and known at all levels within the organization.
This stage involves carrying out specific activities to implement risk management within the organization, as follows:
establishing the organizational context, that is, the analysis of the objectives, the operating structure, the delineation of duties and responsibilities, and the main conditions in which the organization operates. The requirements for the organization’s future development and the key risk exposures, including their characteristics and consequences, are also set;
setting the risk management context, that is, the organization’s conception of the risks it faces and the level of acceptance in relation to the exposure to risk.
In relation to the means of establishing the context for implementing risk management, the risk management policy is established and designed, together with the objectives and tasks of its implementation and the methods and methodologies for identifying, evaluating, treating and controlling risk. At the same time, the structure responsible for risk management is determined, along with its powers and responsibilities, taking into account the fact that “management activity it means to commonly achieve the necessary objectives for the final of the organization11”.
What characterizes this work is the tone set by the organization on risk management, the methodology it uses in managing risk, the way the concepts of risk are communicated and the staff’s response to the risk management philosophy.
5.1.2. Objectives establishment
Implementing an integrated risk management system involves identifying and assessing the risks that threaten the accomplishment of objectives.
This includes risks related to the input activities and actions, risks of the actual processes undertaken within the organization, risks that prevent achieving the intended results, and risks concerning the impact of the activities carried out on organizational development.
Identifying the events that may affect the achievement of the expected results is only possible if the objectives are set in advance and, under each one, the activities necessary to ensure its implementation, and therefore the delivery of the expected results, have been defined.
If we consider the approach according to which performance is characterized as “achieving organizational objectives regardless of their nature and variety”12, we believe that objectives should be established so as to represent a challenge for management and employees.
Management by objectives has a beneficial effect on the organization: it facilitates the exercise of effective control over all activities, motivates employees to participate in the objectives and creates a coherent organizational framework that stimulates collaboration between all the structures within the institution.
Controlling the achievement of objectives is considered necessary for the management of the organization and requires each manager to have established controls for each activity and objective for which he is responsible. At the same time, the impact of the likely risks that may jeopardize the attainment of these objectives must be taken into account, so appropriate risk management systems need to be designed and implemented.
5.1.3. Identification of events
To ensure that activities are achieved as planned, management must identify all the internal and external events that positively or negatively affect the objectives; depending on the probability of the event and the type of consequences it can produce in the organization, events are divided into risks and opportunities.
Risk identification, depending on the time at which the process takes place, involves the following stages:
the initial risk identification, specific to newly established organizations and to those that have not previously identified risks;
the permanent identification of risk, specific to organizations that have implemented risk management and necessary for assessing risks that have not previously manifested, for changes in their circumstances, and for limiting their probability of manifesting13.
Effective risk management involves identifying risks at any level where there is a threat to the objectives and taking specific measures to limit the problems caused by these risks. Risks can be identified and defined only in relation to the objectives that are affected by their materialization.
Risk identification can be achieved in two ways:
self-evaluation of risks, carried out by each employee involved in the objectives and activities, regardless of the hierarchical level at which they perform their tasks, by monitoring the risks they face daily;
establishing a specialized department within the entity, with responsibilities for evaluating the operations and activities of the organization and, on this basis, identifying the risks that characterize the organization’s objectives and the individual goals set for the employees.
Applying either of the two ways of identifying risks on its own can have negative consequences for the entity. First, each employee has a certain culture and training, which leads to a different understanding of risk management, so that monitoring and risk identification differ from employee to employee. Also, some employees may be more involved in their current tasks and pay less attention to managing their risks.
Second, establishing a specialized department with responsibilities for risk identification does not always ensure effective risk management. However well prepared the staff of this department may be, it is very difficult for them to know in detail how the activities are carried out and therefore to identify all the threats that may affect the achievement of objectives.
Practical and effective risk identification combines the two forms presented. Thus, employees at all levels of the organization are responsible for identifying threats to the achievement of their objectives and reporting them to the specialized compartment, which is responsible for assessing each reported event and, if it finds that the reported event is a risk, for registering, evaluating and treating it.
In identifying and defining risks, the following rules should be considered14:
a risk must be an uncertainty, so it must be established whether it is a possibility or an existing situation, which is an existing problem and not a risk;
difficult issues identified should be assessed, as they can become repeated risk situations;
problems that do not occur are not risks; this means that the organization has control over them, and analyzing them may only consume resources;
problems that are guaranteed to arise are certainties, and measures are to be taken as such, with the certainty as a starting point;
a risk should not be defined by its impact on the objectives, as the impact is the result of the risk materializing;
risks are identified in correlation with the objectives; the aim is to identify the threats that could lead to the failure of objectives;
risks have a cause and an effect: the effect is the consequence of the materialization, and the cause is a circumstance that favors the appearance of the risk;
a distinction must be made between inherent and residual risk. Inherent risk is related to the objectives and exists before intervening with internal control measures. Residual risk is the risk that remains after the implementation of internal controls. The residual risk that results from the inherent risks cannot be controlled completely: whatever measures are taken, uncertainty remains.
As for identifying opportunities, this is done by employees within the organization regardless of their position, and exploiting them is the responsibility of management, so that they are used to increase the efficiency and effectiveness of activities.
5.1.4. Risk assessment
This step involves assessing the likelihood of risks materializing and the impact of the risk if it occurred, and classifying the risk on three levels (high, medium or low) based on a risk analysis matrix.
After the risk assessment process is completed, priorities are established so that the high risks are taken up by management for treatment.
The purpose of risk assessment is to establish a hierarchy of the risks within the organization and the most appropriate ways of dealing with them.
The risk assessment process involves considering the following:
the probability of the risk materializing stems from the fact that, at some point in the progress of activities, conditions may arise that favor the emergence of the risk. Under these conditions, analyzing the causes that favored the emergence of the risk can lead to an appreciation of its chances of materializing;
the impact of the risk on the objectives represents the consequence of the risk materializing, i.e. how the risk affected the achievement of the objective;
risk exposure represents the extent to which the risk could be accepted by the organization if it materialized;
determining the specific outcome involves assessing the risk after the controls have been deployed. The result may be a risk exposure exceeding the limits of acceptance, meaning that the risk is inherent and the existing internal control mechanisms must be reviewed, or an exposure below the limits of acceptance, meaning that the risk is residual.
Risk assessment is performed to identify the likelihood and impact of the risk and thus to determine how it can be managed.
Risk assessment must be an essential component and a constant concern of the organization’s management, as people change, regulations change, and objectives are reviewed or new ones established. All these contribute to the continuous change of the risk map, namely the emergence of new risks, the modification of existing risks and of the level at which the organization accepts them.
5.1.5. Reaction to risk
The information collected following the risk assessment is processed and measures to diminish the identified risk exposure are established. To limit exposure, the organization should identify opportunities to reduce the risk or the probability of the event or, if this is not possible, establish measures to eliminate the risk.
The organization should also develop appropriate risk management criteria to reduce the likelihood of the risk and its consequences. If risks are not well managed, or the costs are high relative to the benefits of the activities, the criteria should be directed to transferring or eliminating the risk.
Based on the risk assessment, the organization’s management will determine the response to risk, as follows:
accept the risks as they are, without mitigation measures and without establishing and implementing internal control devices. Acceptance or tolerance of risk as the risk response strategy is recommended for inherent risks with low exposure, below the risk tolerance.
After acceptance, the risk becomes residual and is monitored regularly, to ensure that its level of acceptance does not change.
Setting the risk tolerance limit is the responsibility of management and involves establishing the exposure that can be assumed, in conjunction with the costs and the control measures to be taken. If the risk exposure is a probabilistic measure on a sized scale (a combination of probability and impact), then the risk tolerance must respect the same features.
treat the risks, that is, identify and implement appropriate control devices to limit the probability of the risk manifesting and keep it within acceptable limits.
In practice, the following categories of control instruments are used for risk treatment:
preventive control tools are used when the intention is for an undesirable outcome not to materialize, or to limit the risks that may materialize;
corrective control tools are used when seeking to correct the undesirable results of a materialized risk, and are a way to recoup losses;
direct control tools are used when seeking to ensure a particular outcome, that is, when a particular risk that may materialize is intended to be oriented in a direction tolerable for the organization;
detective control tools are used when aiming to identify new situations arising from a materialized risk.
If risks materialize, the cause lies in the internal control that either was not implemented, or was implemented but did not function properly.
avoid the risks: risks that cannot be treated, or whose treatment costs are higher than the expected results, are eliminated or kept within reasonable limits by reducing or discontinuing the activities concerned.
transfer the risks: risks that cannot be controlled are transferred to other units or organizations. This option is especially beneficial for financial or economic risks. Risk transfer is a measure that helps reduce the exposure of a functional structure of the organization, while another functional structure or organization, capable of or specialized in managing such risks, takes on the risk exposure.
The internal control tools are diverse, covering all aspects of the activities, and can be classified as: objectives, resources, information systems, organization, procedures and supervision15.
Objectives - groups the internal control tools/devices implemented through measures aimed at: defining the objectives clearly, decomposing them in a pyramid down to the job level, convergence, measurability, associating measurable outcome indicators, and a monitoring information system.
Means (resources) - groups the internal control devices/tools implemented through measures for the adequacy of resources to the objectives.
Information system - groups the internal control devices/instruments operationalized to achieve a complete, reliable, comprehensive and appropriate information and steering system.
Organization - groups the internal control devices/instruments resulting from measures aimed at correcting the anomalies detected in the procedural and structural organization that are circumstances favoring the manifestation of risk.
Procedures - internal control tools/mechanisms that control the risks arising from the lack of processes and rules to be observed while activities are taking place.
Supervision - groups the internal control instruments/devices designed to control the risks arising from the abnormal exercise of hierarchical control. Such internal control tools target the management style of decision-makers at different levels.
5.1.6. Risk control
Risk control represents the policies, procedures, controls and other management practices established by the organization to manage risks prudently and to ensure that activities are carried out as intended. Controlling risks also means ensuring that objectives are met and that significant risks are properly managed.
To prevent conflicts, it is recommended that risk control be kept independent of the functional structures of the organization that run the activity carrying the identified risk. Any measure taken to control risks should be placed within the well-known “internal control system”, which is responsible for directing its implementation.
Risk control requires that the functional structure in which a risk exists monitor that risk continuously and take appropriate steps to reduce its probability of materializing or its impact. Otherwise the risk is uncontrollable and there are no means of intervention to limit its probability and impact.
5.1.7. Information and communication in the supervision of risk
These are the activities initiated by the entity's management to communicate to employees their responsibilities regarding the identification and monitoring of risks.
At the same time, for employees to monitor risks properly, in accordance with the requirements of the risk management process established within the organization, management must provide them with appropriate and timely information so that they can accomplish the tasks set.
5.1.8. Risk monitoring and supervision
Risk monitoring involves reviewing whether the risk profile changes following the implementation of internal controls. Review processes are implemented to assess whether risks persist, whether new risks have emerged, whether the impact and likelihood of risks have changed, whether internal controls are effectively put into practice, and whether risks should be redefined.
Risk monitoring involves keeping track of the strategies applied to risk management, of their implementation and of the evaluation of performance after implementation. Risk-sensitive areas are monitored continuously, and the results are fed back to the initial stage of the process for reconsideration, for the identification and implementation of adequate internal control tools, or for the application of other ways of reducing exposure to risk.
Maintaining the risk register, which contains the summary information and the decisions resulting from risk analysis, attests that the organization has introduced a risk management system and that it works.
The process of risk identification, assessment and treatment must ensure that risk analysis is carried out periodically and that mechanisms are established for informing management about new or emerging risks and about changes in risks already identified, so that these changes are addressed properly.
Risk monitoring is necessary to follow the evolution of risk profiles and to ensure that risk management remains appropriate; it is achieved by reviewing the risks.
Risk monitoring is done through internal control, which must be flexible: it must develop appropriate control tools in areas where risk is not sufficiently controlled and scale back those instruments where risk is controlled excessively.
Risk management must take into account the internal control system implemented in the organization, both the internal controls expected and those already existing; considering their sufficiency, it identifies the risks, subjects them to evaluation and, based on the results, establishes the internal controls that need to be implemented in order to limit exposure.
5.2. The internal and external environment and its influence on integrated risk management
Implementing a risk management system within the organization requires establishing relationships both within the organization and beyond it. Those responsible for implementing integrated risk management also maintain relationships with the entity's management and with the staff of the entity's functional structures.
The entity's management decides on the risk management strategy adopted in the organization and approves any measure relating to risks. To this end, it is regularly informed of the results of risk management and examines how risk management is being carried out.
Those responsible for risk management in the organization communicate to all employees, and put into practice, the risk strategy and policy promoted and any decision taken by management on risks. They receive from the functional structures any information on risks, analyze and process it, and make proposals to management on the appropriate measures to be taken and, depending on the nature of the managerial decision, implement these measures.
Communication of risks, and of how they are to be managed, flows from the management level down to the execution level and shall ensure that:
the risks related to the strategy and all risks associated with the objectives are known to all the staff involved in achieving the objectives;
staff in the organization are aware of the risks they assume and of the system for monitoring them.
The relationships established in the risk management process are functional in nature: those responsible for risks have the authority to transmit to the entity's functional structures information on the risk strategy and on the risk management process implemented. At the same time, they request from those structures information about the identification and management of risks.
Confidence in the risk management system promoted and implemented at organizational level is increased by:
developing a clear risk management strategy;
sufficient support at all levels to ensure risk management;
development of simple risk management systems;
communication with all parties involved in risk management;
communication, equal relations and cooperation between the different functional structures of the organization;
improving risk assessment.
The entity's activities are influenced by several external factors, which take the form of threats affecting the achievement of objectives. The integrated risk management system must identify the nature of the risks posed by these threats, analyze and evaluate them, and determine the response to risk. In some cases, establishing a risk response does not bring risk within the acceptable risk appetite, because risk reduction measures depend on the activities and objectives of the organization.
To ensure acceptable levels of risk, a system of relationships with the various external factors should be established which, once in place, reduces exposure.
Building and implementing an integrated risk management system helps direct resources to the risks that particularly affect activities, and supports the organization in achieving its objectives.
6. Impact of integrated risk management on the organization
To ensure good risk management it is important to make sure that each employee properly understands the risk management process within the organization and knows his or her role and responsibilities in it.
The risk management process does not only require identifying and eliminating the negative events that may affect activities if a risk occurs; it also aims to analyze and evaluate risk and, in line with the risk appetite, to design and implement control devices that limit the probability of risk. It provides management with a “framework approach to effective risk management and its possibilities”.
The objective of risk management is to identify risks and the causes that generated them, and to establish the appropriate control devices to reduce their level at the lowest cost.
Implementing an integrated risk management system ensures:
strategy development, objective setting and risk management mechanisms that take the risk appetite into account. The organization defines its development strategy in relation to the risks it faces and how they are to be managed, within the limit of the risk appetite to which it may be exposed. Objectives depend on the planned development requirements and the performance levels established, but the risks to those objectives and the costs necessary to manage them must also be considered.
development of a framework for the level of response to risk. This involves performing analysis and diagnostics to determine the level of risk to which the organization can be exposed and, considering the results obtained, proceeding with risk acceptance, treatment, avoidance or transfer.
improving the expertise to identify the events that threaten the organization and to make decisions efficiently and effectively. Applying an integrated risk management process allows risks to be evaluated by providing a link between the objectives, the functional departments of the organization and the components of risk assessment. Carrying out this process helps build expertise in knowing the events facing the organization, the nature of the risks threatening its objectives and the nature of its opportunities.
identifying and managing the risks that affect the achievement of objectives and planned results, rather than the risks of every single operation or activity. The integrated risk management system is not fragmented; it does not identify and assess risks in isolation, only at the level of the operation or action, but identifies and addresses risks to the objectives in an integrated way. This ensures that by implementing a single control measure several risks can be managed. It also gives knowledge of the risks affecting achievement, which ensures that decisions are well founded and take risk exposures into account.
identifying opportunities by monitoring events, and capitalizing on them to increase the efficiency and effectiveness of activities. The integrated risk management system takes into account, in its analysis and evaluation, the events that may affect the achievement of objectives. These can be negative events, which are risks, or positive events, which are opportunities.
appropriate use of capital. Knowing the risks the organization faces in achieving its objectives allows management to direct decisions towards those activities where the risks are well managed, thus ensuring better use of available resources.
The integrated risk management model has some limitations, due to errors, the circumvention of checks, and human judgment in making decisions, which can sometimes be wrong. These limitations make it impossible to provide assurance that objectives will be achieved.
At the same time, responsibility for designing and implementing appropriate risk management lies with the organization's management, while the other staff must support the risk management philosophy and apply the established risk management rules, each in their own area of responsibility.
The classic risk management process, adopted and implemented by most organizations, is a fragmented one, in the sense that each functional structure within an organization manages its own risks independently. Thus each compartment, according to the procedures and methodologies it has developed, identifies and manages the risks associated with its objectives on its own, without a coordinated approach and without taking into account the interdependencies between risks within the entity.
7. The advantages of implementing integrated risk management
Integrated risk management has mechanisms that help the organization recover in the event of a work stoppage, major incident or disaster, by maintaining minimum levels of business-critical functions.
The main feature of the integrated risk management system is that it integrates the risk monitoring mechanisms of the organization's functional departments with its culture, focusing on the risks associated with strategic objectives. The emphasis is on monitoring, controlling and minimizing risk.
The advantages of integrated risk management are as follows:
ensuring that the organization's strategy is correlated with its risk appetite. Risk appetite is the limit up to which risk can be accepted and to which the organization may be exposed. Management considers the options available for achieving its goals and selects the most advantageous one in the light of the risk profile;
helping to improve decisions about risk treatment. Management identifies the options for limiting risk, assesses their correlation with risk appetite and costs, and determines the appropriate risk management measures;
the integrated approach to risk allows a single internal control measure to handle several risks, or one risk that is found in several functional structures of the organization;
capitalizing on opportunities. Integrated risk management takes into consideration not only negative events, which are risks in nature, but also positive events, which are opportunities in nature;
improvement of management decisions. Knowing the risks the organization faces and its level of risk exposure contributes to a more realistic analysis and substantiation of managerial decisions. Well-founded decisions can be made by considering the following requirements: the existence of one or more objectives to be achieved; the existence of several alternatives; the inclusion of economic factors in the decision-making plan; making the decision; unity of decision and action; a clear and optimal fit between
There must be a direct relationship between the components of integrated risk management and the objectives of the organization. Risk analysis and assessment, following the eight components of integrated risk management, namely internal environment, identification, analysis and risk assessment, risk treatment, risk control, information and communication, and monitoring of risks, is carried out for each functional structure of the organization and for each objective.
Applying this method ensures that risks are assessed and treated for all the organization's objectives, regardless of their type (strategic, operational, reporting and compliance) and regardless of the compartment or structure in which they are defined.
At the same time, the integrated risk management process is an instrument that allows a coordinated approach across the organization to identifying and analyzing risk mechanisms, starting from the strategic dimension.
Integrated risk management is a powerful tool that gives the organization's management a picture of the risks affecting the achievement of strategic and operational objectives, and at the same time provides leverage for substantiating and making management decisions.
The process of identification, analysis and assessment takes into account the events affecting the organization, which can be negative, and are then associated with risks, or positive, and are then associated with opportunities.