Risk Assessment Methodology in Public Financial Institutions

This chapter classifies risk and the fundamental elements necessary to manage it. It presents the individual stages of the procedure and standards of conduct in risk management. In accordance with the EU accession agreement, Poland has developed and implemented a system of financial management and control standards in public finance sector units. This chapter presents the risk assessment tools that can be customized to the needs of a specific organization, including public sector entities. Information about how risk is managed in each EU country is made available because of the desire to show the stability and proper monitoring of the risks in order to fulfil the given tasks. This affects the perception of stability in the country, which has a direct impact on the economic effects.


Introduction
Risk management concerns both public and private organizations. Recent failures in companies from the public and private sector all around the world resulted in an increased interest in effective risk identification and, most importantly, risk management. In many companies there are regular processes related to risk management, including periodic (e.g. monthly) reports for regulatory bodies. However, it turns out that such periodic reports are not sufficient for management bodies to prevent risk effectively. This is of particular importance in the public finance sector, where there is a high degree of legislation and hierarchy. Now, given the changeability of the economic situation caused by globalization processes, among other reasons, this method is no longer sufficient [1]. This method of management can be applied only in units which do not undertake numerous activities or when such activities do not generate unacceptable risk which may significantly deteriorate the situation. This is why risk should be considered in the tasks performed by units from the public finance sector. The possibilities of a public finance unit in terms of risk management in the course of its activities should be defined. Knowledge of how to use risk management tools will contribute to effectiveness in achieving goals, i.e. higher and more secure financial results [2]. Positive effects (opportunities) of risk management, which citizens and the administration can enjoy, are perceived by the Polish government as an added value. Thus, efforts should be made so that all employees in a public administration unit can fully understand the idea of risk management, which is not fighting risk or using it to achieve better results but managing it in line with the policy pursued by the management. It is, therefore, necessary for managers of public administration units to learn appropriate risk management methodology.
The aim of the article is to analyse the process of risk management and the role of internal control in quick decision-making in public sector units. In order to achieve this aim, particular stages of risk identification and management were analysed, and the score-based risk assessment method was presented.

Notion of risk: definition and classification
Risk is an objectively existing possibility of failure, loss or damage as a result of an activity. As a consequence of making wrong economic decisions, there might be a decrease in potential profits, loss of financial liquidity, bankruptcy of an organization (an enterprise or a public institution) and even huge debt which entails legal liability. Risk cannot be eliminated; it can only be limited by appropriate economic, legal, organizational and HR-related prevention. The size of risk depends on numerous interrelated factors, the majority of which is independent of the activity of an organization. These include general economic, social, political, demographic and technical factors.
Financial institution risk is a danger which results from making a profit whose amount is different than expected. In terms of the main sources of risk, Jachowicz points to the following: "the lack of possibility to perfectly anticipate future states and the possibility of occurrence of unexpected states", i.e. the undisputed impossibility to predict all determinants of the future in a particular economic situation and consequences following a given activity [3]. Risk is, therefore, inherent to each and every economic activity. Moreover, risk is taken intentionally in order to make a higher profit because there is a close link between the level of income and risk [4]. A higher risk gives the possibility to achieve a higher return on investment. Taking risks, we expose ourselves to bigger losses, but at the same time, we have a chance to make a higher profit, so the spectrum of both advantages and disadvantages is wider. Risk is defined as a negative deviation of the achieved result from the previously planned figure [5]. Therefore, when striving to optimize profit, it is unavoidable to accept certain levels of risk, which are usually related to an increase in the volume of income. Each organization operates in a state of uncertainty of future events [6]. Information which is available when making a decision is usually incomplete and inaccurate, and predicting how events will unfold is not always possible.
In general terms, it is impossible to avoid risk. This results from the fact that within the general approach, the term risk refers to everything that is uncertain [7]. It is beyond any doubt that life was, is and will be unpredictable as far as future events are concerned, i.e. risky. This is why the aim of this chapter is to present new suggestions in terms of risk management and to identify deterministic activities, i.e. activities which enable determination of the consequences and scope of risk. Each activity involves risk, which is to a large extent undefined, is complex and undergoes dynamic changes. The term "risk" is ambiguous and defies a clear and synthetic definition. Risk itself follows from the very fact of making decisions concerning the future. This is because it refers to situations in which a company does not have a 100% certainty as to the course and final results of its activity. Phenomena which influence an entity's operating business activity but which are beyond the scope of its will are usually referred to as uncertainty. Risk, however, is defined as merely a possibility of failure, in particular a possibility of occurrence of events which are beyond the control of an entity and which are impossible to predict and prevent. As a consequence, a particular activity may turn out to be less effective or less beneficial. Both notions, i.e. "risk" and "uncertainty", are often treated as equivalent although they denote something entirely different. One could quote a number of definitions which define mutual relations between these categories. According to Willet "risk is the objectified uncertainty concerning the occurrence of an undesirable event. Risk changes together with uncertainty and not with the level of probability" [8]. Braig et al. define risk as a combination of elements of hazard and it is measured with probability, whereas uncertainty is measured with the level of faith. 
"Risk is a state of the world and uncertainty is a state of the mind" [9]. Being convinced of the result of an action, one can decide not to perform such action and not to take a risk. In order to specify a general and universal definition of risk, one can refer to the PWN dictionary of foreign terms, according to which risk is an undertaking whose result is unknown, the possibility that something either works or not as well as the decision to conduct such undertaking [10]. The meaning of the word "risk" is derived from the Italian word "risco", which means reef, which ships should stay away from. The notion of risk is frequently and incorrectly equated with danger. There is a significant difference between these two terms, which should be taken into consideration. Danger is rather a direct threat, whereas risk occurs in a situation when the consequences are uncertain. Within this meaning, a certain loss is not a risk. There are many other definitions of risk as well. The approach to the category of risk varies depending on the author, and it proves how complex a phenomenon it is and how difficult it is to define and measure it.
As is the case with defining risk, classifying it is also very problematic. Current categories are not unanimous and disjunctive, which means that one type of risk can be a specific example of another risk [11]. Generally, there are the following basic types of risk [12]:
1. Commercial risk: risk following directly from a commercial activity. It comprises:
a. Liquidity risk: manifests itself in the necessity to adjust maturities of assets and liabilities to make sure an entity is able to meet its obligations.
b. Credit risk: related to the failure on the part of a business partner to meet their liabilities towards a particular entity. Currently, over 80% of global trade is conducted with a deferred payment term. The term of trade credit depends on the type of goods. It is shortest for consumer goods (ca. 30 days), whereas investment goods are at the other end of the scale with payment terms of at least 1 year. Due to increasing competition and the need to fight for clients, companies will extend the terms even more.
There also exists a market risk, which exerts indirect impact on financial results, i.e. resource risk, price risk, business cycle risk and technological risk.
3. Operational risk: danger of failure to achieve objectives due to mistakes in an IT system or mistakes made by employees or inappropriate internal control of the enterprise.
4. Social risk: related to the way people in a particular country behave, religion, political regime, culture and tradition.
5. Risk of contingent events: e.g. natural disasters and calamities (flood, earthquake), accidents caused by social conflicts and prohibited acts (strike, arson).
6. Political risk: concerns the possibility of intervention on the part of state authorities in particular countries or on an international scale, both for the entire economy and in selected sectors.
7. Economic risk: related to the possibility of a change in a country's economic policy and legal regulations concerning, e.g. tax or foreign exchange law.
8. Risk of events: resulting from unexpected events which influence a particular entity or investment but without influence on the entire market.
9. Transfer risk: concerns situations in which there are obstacles in transferring funds abroad or changing the currency of such funds.
10. Legal risk: risk of loss due to a failure to conduct transactions due to a lack of legal regulations or insufficient documentation and lack of financial reliability of a partner.
More specific areas of risk are identified depending on the specific nature of a particular business activity. The following conclusions can be drawn from the general classification:
• Lack of a criterion which would unanimously identify risk.
• Strong and bidirectional relations among factors which cause risk.
• Strong relations among particular types of risk.
• Risk is determined by external and internal factors at the same time.
• Risk is inherent to the financial market.
The list of types of risk presented above is not an exhaustive one. Given the complexity of business activity, managers of public organizations are constantly exposed to various forms of this phenomenon [7]. Although not all of the risks enumerated above can be predicted or controlled, one should be aware of their existence and limit their occurrence and impact on organization to the greatest extent possible. Since there are so many factors causing risk, it is simply impossible to avoid it. Moreover, some of these factors are beyond the control of an enterprise. There are two main groups of factors which influence risk [13]

Internal control as an element of the risk management process
Risk management is one of the basic elements (processes) of managing a unit. Its primary aim is to increase the probability of achieving goals. In order to manage risk successfully, one should establish and adopt objectives which are to be achieved in a particular time and specific objectives of particular organizational departments. Defining objectives allows for identification of risk which can endanger the achievement of goals. In the process of risk management, it is important to take measures to reduce risk to an acceptable level. Risk management undertaken by the management of a unit is a continuous process. To emphasize the importance of risk management, three standards of financial control announced in a communication from the Minister of Finance in January 2003 [14] were introduced:
• The head of a unit conducts day-to-day assessment (monitoring) of the completion of tasks with the use of quantifiable indicators or precisely defined criteria.
• The head of a unit systematically identifies external and internal risk related to the achievement of the unit's objectives, concerning both the entire unit's operations and particular schemes, projects or tasks undertaken by the unit. In the event of a change of conditions in which a unit operates, identification of risk should be resumed.
• The head of a unit guarantees systematic analysis of the identified risk in order to define potential consequences and the probability of the occurrence of a particular risk. The head of a unit defines the acceptable level of risk and measures which are to be taken in order to reduce a particular risk to the acceptable level.
Effective risk management is one of the elements of effective management of a public administration unit [15]. The Act on public finance has been in force as of 1 January 2010, with the exception of regulations concerning the obligation to plan and implement budgets in a task-based manner, which are effective as of 1 January Standards of internal control drawn up by the Minister of Finance and currently subject to consultation constitute an attempt to arrange this type of control. It has been primarily emphasized that it is necessary to organize such control at two levels [17]. The basic level of internal control is a unit from the public finance sector (first level of internal control). It is the head of the unit who is responsible for the functioning of internal control. There should be internal control in government and self-government administration at the level of a government administration department as a whole (second level of internal control). Mayors of villages, towns and cities, province governors or marshals are responsible for the functioning of internal control at this level [18]. There is a project on standards of internal control which includes five areas:
1. Internal environment which constitutes the basis for the remaining elements of control because it concerns the management system of a unit and includes professional competences (level of expertise, skills and experience) of the management and employees and their scope of duties, authorization and responsibility in particular organizational departments.
2. Risk management whose aim is to increase the probability of achieving goals by defining objectives and monitoring completion of tasks, identifying and analysing risk and taking preventive measures.
3. Control mechanisms which constitute the answer to a particular risk that the unit wants to reduce by documentation, registration and confirmation (authorization) of commercial operations, division of key responsibilities, verification, supervision under company hierarchy, registration of deviations from procedures, maintenance of operational continuity, controlled access to financial, material and information resources (protection of resources) and IT system control mechanisms. Examples include control of access to IT resources and system software.
4. Information and communication standards provide employees with access to information which is necessary for the performance of their duties and maintain effectiveness of internal and external communication systems.

5. Monitoring and assessment of control system by ongoing assessment of the efficiency of the control system and its components and day-to-day problem-solving by all employees depending on their competences, including by self-assessment and internal audit.

Risk management in the public sector
Risk management is an implemented system of procedures and rules, which is used to identify, analyse, assess and monitor risk. It makes it possible not only to reduce risk but also to take advantage of any opportunities that may appear [19]. A correct system is supposed to improve results in the future and support decision-making on an ongoing basis. Therefore, it should comprise a planned, logical, comprehensive and documented strategy [20]. Such a strategy includes instructions, plans and procedures which will function in the everyday work of a particular office or its organizational units in order to manage risk. In local government units, risk can be considered in the following areas: finance (e.g. income from tax on real estate is lower than expected), human resources (e.g. mistakes made by employees when making various decisions), IT (e.g. faulty software) and other areas which influence the risk of failure to achieve established objectives and results. Therefore, risk management in local government units should be subject to a strictly defined process which comprises the following elements:
• Acceptance of risk (resulting from the fact that costs of prevention exceed potential losses related to the occurrence of a particular phenomenon)
• Withdrawing from certain activities
• Counteracting risk (creating and implementing action plans)
• Transfer of risk (e.g. taking out insurance policies, relying on guarantees of correct performance of contracts)
Governments and public services in European Union (EU) countries often make available information on the nature and scope of investment in risk management because stakeholders want to be sure that risk is adequately supervised and resources are adequately protected [21]. If Poland wants to be perceived as a country where investments pay off, it should implement a risk management system which will meet relevant standards established by the European Commission.
In the administrative system, senior management is responsible for risk management whose objectives are the following [22]:
• Achievement of goals
• Protection of assets
• Efficient, economical and effective use of resources
A risk management system is of particular importance in this process. Risk management in the public sector can be defined as a logical and systematic method of creating context; identifying, analysing and assessing risk, action and supervision and informing about risk in a way which enables an organization to minimize loss and maximize opportunities [23]. Thus, the process of risk management includes:
• Identifying risks related to operational activities as soon as possible
• Assessing the degree of influence of risk on a particular organization's results and objectives
• Implementing adequate risk control measures
• Risk management structures, including organizational plans, policies and procedures concerning risk management, data on all teams and individuals responsible for risk and documentation concerning risk
Risk management is one of the basic processes (elements of managing a unit), and its primary aim is to increase the probability of achieving objectives. In order to manage risk successfully, objectives of particular units should be established in order to identify risks which may prevent their achievement. Risk management is a continuous process. According to financial control standards, the head of a unit systematically identifies both internal and external risk related to the achievement of the unit's objectives, concerning the whole unit as well as particular programmes, projects or tasks separately [24]. When there is a change of conditions in which a unit operates, identification of risk should be performed again. Each identification of risk should be analysed in terms of potential consequences and the probability of their occurrence.
A manager will perform ongoing assessment of task completion with the use of qualitative and quantitative indicators or with the use of other established criteria. Each sector of public finance should develop and implement a method of identifying and analysing risk. The implemented programme must enable identification and understanding of all types of risk which a unit is exposed to when providing services and achieving its goals.

Score-based risk assessment in public financial institutions
Score-based risk assessment is one of the methods of internal control mechanisms which enable risk detection. It includes the definition of risk for various levels of impact and probabilities of occurrence. This method prioritizes risk (increases transparency) and enables assessment of the identified risk in terms of its impact on the achievement of goals (Tables 1-3). Of course, the number of probability levels for different risk events for an organization may vary. It will be adjusted depending on the state, ownership, sector and industry in which the organization operates. In the further methodology, it will translate into the level of economic effects having a certain impact on the functioning of the organization. This chapter deals with a public organization implementing budgetary tasks in Poland. In this method, the scores describing the impact and probability are multiplied to calculate a total score-based risk assessment. Tables presenting the assessment of impact and probability of risk are adjusted depending on the entity under analysis. This chapter presents an example of a matrix of risk management in public administration developed for the Ministry of Finance, which was an EU requirement. This makes it possible to identify risk early enough and take decisions to counteract negative consequences. Score-based risk analysis makes it possible to prioritize actions, and its aim is to reduce risk:

• Risks in the top right corner (almost certain, score above 16, catastrophic impact) require immediate actions to be taken.
• Risks in the middle of the matrix (score between 10 and 15) should be addressed and monitored; action should be taken in some cases.
• Risks in the bottom left corner (below nine points) pose the smallest threat to an organization and frequently do not require any reaction.
After ranking risks, an organization must agree on actions to take in order to control particular risks. How they proceed depends on the level of acceptance of risk and the possibility to control it as well as the relation between the cost of reducing or eliminating it and possible negative consequences of such risk.

Conclusions
An organization should have a process of supervising the probability of the occurrence of risk. The manager should receive reports from a register of risk to be able to react to various levels of risk. Reporting on risk should be integrated into currently existing processes of internal reporting. Frequency of reporting should be adjusted to the organization, and measures related to high risk should be monitored on an ongoing basis [26]. The importance of risk management in the public sector is due to the requirement of the European Union to implement risk management systems in units from the public finance sector. During talks on EU accession, one of the requirements was to develop and implement financial management systems and control in units from the public finance sector and develop standards of financial control in self-government units. Controls are performed by an internal auditor and concern risks involved in raising and using public funds. Risk management standards are based on the COSO (Committee of Sponsoring Organizations of the Treadway Commission) model. In this way the legislator obliged units from the public sector to analyse and manage risk pertaining to completing public tasks. This results from the intention to provide citizens with services they need because risk management can streamline processes of making reasonable decisions. It is not the aim of the process to avoid risk but to increase the probability of achieving success in particular areas of operation of the public sector. This also results from the intention to manifest stability and adequate supervision of risk in order to complete tasks assigned by the public sector. Strengthening the function of internal control and risk management in the new Act on public finance, the Polish government follows other European Union countries. Risk management helps to protect the population and ensure efficiency of public administration in the event of a financial crisis or other threats. 
Changes which are increasingly visible in many Polish institutions are the components of a bureaucratic change in administration towards an effectively managed organization. The aim of this change is to increase the effectiveness of the public sector. Thanks to such an approach, the system of procedures in an organization is adequate to its current needs. The article described the particular stages in risk identification and a score-based risk assessment method, which shows the importance of risk management in units from the public sector for ensuring the possibility to make management decisions early enough.