Compiled notes for ACCA Paper P1 Professional Accountant (NOTES) (9)
Risks impact on stakeholders
(1) Shareholders: Potential loss of value of investment (fall in share price) and loss of income (decrease in dividends).
(2) Directors: Loss of income (assuming remuneration is linked with company performance) and potential for poor reputation.
(3) Managers/Employees: Fall in remuneration or become demotivated.
(4) Customers: Mainly negative impact on the company because of poor product reputation.
(5) Suppliers: Loss of supply.
(6) Government: Less tax revenue raised.
(7) Banks: Loans and interest due to banks are not repaid.
Risk assessment
Risk map
(1) The map identifies whether a risk will have a significant impact on the organization and links that into the likelihood of the risk occurring.
(2) The approach can provide a framework for prioritizing risks in the business.
(3) Risks with a significant impact and a high likelihood of occurrence need more urgent attention than risks with a low impact and low likelihood of occurrence.
(4) The significance and impact of each risk will vary depending on the organization.
Board consideration of risk
(1) The board considers risk at strategic level and defines the organization’s attitude and approach to risk.
(2) The board is responsible for ensuring that risk management supports the strategic objectives of the organization.
(3) The board will determine the level of risk which the organization can accept in order to meet its strategic objectives, and which cannot be managed or is not cost-effective to manage.
(4) The board ensures that the risk management strategy is communicated to the rest of the organization and integrated with all the other activities.
(5) The board is responsible for driving the risk management process and ensuring that managers responsible for implementing risk management have adequate resources.
(6) The board reviews risks and identifies and monitors progress of the risk management plans.
Reporting on internal control and risk
(1)
(2)
(3)
(4)
(5)
Part D – Controlling Risk
Role of risk manager
(1) The risk manager is a member of the risk management committee, reporting directly to that committee and the board.
(2) The role of the risk manager focuses primarily on implementation of risk management policies.
(3) The risk manager is supported and monitored by the risk management committee.
(4) Policy is set by the board and the risk management committee and implemented by the risk manager; therefore the role is more operational than strategic.
(Risk manager is responsible for)
(1) Identifying and evaluating the risks affecting an organization.
(2) Implementing risk mitigation strategies including appropriate internal control to manage identified risks.
(3) Seeking opportunities to improve risk management methods and practices.
(4) Developing, implementing and managing risk management programs and initiatives.
(5) Maintaining good working relationships with the board and the risk management committee.
(6) Working with the external auditors to provide assurance and assistance in their work in appraising risks and controls of the organization.
(7) Reporting on risk management.
Role of internal/external auditing
(1) Risk is integral to the work of internal and external audit, both in terms of influencing how much work they do and also what work they actually do.
(2) Risk auditing assists the overall risk monitoring process by providing an independent view of risks and controls in an organization.
(3) With auditing, a fresh pair of eyes may identify errors or omissions in the original risk monitoring process.
(4) External auditors will be concerned with risks that impact most on the figures shown in the financial accounts.
(5) Internal auditors have a more flexible role and their approach depends on whether they focus on the control or the overall risk management process.
Risk awareness/attitude
(1) In general, a lack of risk awareness means that an organization has an inappropriate risk management strategy.
(2) Risks may not have been identified, meaning there will be a lack of control over those risks.
(3) A risk may occur while the control over that risk is not active due to lack of monitoring and awareness.
(4) Continued monitoring within the organization is therefore required to ensure that risk management strategies are updated as necessary.
(5) Risk awareness can be divided into three levels: strategic level, tactical level, and operational level.
(6) Risk attitude is influenced by many factors: (a) response to shareholder demand; (b) the size, structure and stage of development of the organization; (c) the pursuit of business opportunities, say entrepreneurial risk; (d) personal views and cultural influence.
Embedding risk
Organization’s systems/procedures
(1) Embedding risk means ensuring that risk management is included within the control systems of an organization.
(2) Embedding risk also means that risk assessment should evolve into a consistent, embedded activity within a company’s strategic, business, budget and audit planning process rather than be executed as a significant stand-alone/separate process.
(3) Embedding risk is a statutory requirement of a code of best practice. To be successful, embedding risk management needs approval and support from the board.
Organization’s culture/values
(1) Embedding risk into system/procedure may still fail unless all workers (board to employee) in a company accept the need for risk management.
(2) Embedding risk into culture and values implies that risk management is ‘normal’ for the organization.
(3) Embedding a risk management frame of mind into an organization’s culture requires top-down communications on what the risk philosophy is and what is expected of the organization’s people.
(4) Whether the culture is open or closed affects the success of embedding risk management within the culture and values of an organization.