Introduction : In a large engineering company operating in Western India having global operation, a new Chief Audit Executive (CAE) was appointed. The CAE had joined this organisation based on the public positioning of the group but felt disappointed within a few months of joining.
The organisation had grown organically and was largely family-owned with the senior management being hands on with the operations of the company. The Internal Audit culture had not yet matured and was largely focussed on ‘compliance’. The budget was not sufficient as the management had very low level of expectations from the internal audit function which was mainly compliance-driven.
The organisation processes had not been mapped out. The audit team composition had an average age of 37 years with people moving in by rotation and hence there was no continuity. Control environment, management style, the internal reporting and the audit scope were inadequate.
However, taking up the challenge, a mix of training and re-staffing was undertaken. Efforts were initiated towards mapping out all the organisation’s processes using COSO — Internal Control Framework. All this was accelerated because of a fire in the key facility leading to massive losses of equipment and parts.
Hitherto, risk management had been taken lightly. This incident made the management realise the need for managing ‘risk’. As the Internal Auditor had been playing a key role in identifying risks in processes, he was also involved in the Risk Management Committee which was formed after the incident.
The Committee started a programme for identifying risks in the organisation and establishing mitigating controls including a Business Contingency Plan. The mandate to Internal Audit was to lead the entire programme and then report to the Risk Management Committee which was accountable to the Board.
Team formation :
The Internal Auditor took the lead in facilitating the implementation of a strong risk management system in the organisation. A core team was established of senior members who were familiar with the activities.
Using COSO — Internal Control Framework as the basis, the control activities were sought to be reviewed.
Brainstorming sessions conducted to identify the reasons for the failure of the earlier internal control procedures identified especially those which resulted in the loss. Alternative procedures were discussed.
A need for an external consultant was felt but the contribution was sought to be limited to a pilot/illustrative case to control ‘costs’.
Risk management standard :
The CAE felt a certain need to ensure that in the organisation everyone considered risk and control uniformly. Options were available in terms of various Standards on Risk Management around the world — COSO RM standard, AIRMIC from the UK, Australia, New Zealand 4360 and other Risk Management approaches worldwide. The group did a quick desk research for a week reviewing all of these. They were swamped with the material available and could not easily reach a conclusion.
On one hand they had a Risk Management Standard that was in line with the COSO — Internal Control Framework (refer Exhibit — ERM Cube) with reference to the business objectives and several other components.
Exhibit — COSO ERM CUBE :
On the other hand, they had Risk Management Standards which were developed by Core Risk Management specialists or representatives of interest groups who were involved with Risk Management activities on a daily basis like the AIRMIC, IRM and ALARM from the UK or the Standards of Australia/New Zealand (refer Exhibits for their approaches).
The accountants in the team favoured continuity in thoughts and preferred the COSO ERM adoption, while some other team members thought that the AIRMIC/ Aus/NZ standard was preferable. Given the predominance of accountants/auditors and the familiarity with COSO, it was preferred.
Pilot implementation :
A consultant was hired who was a known authority in the field of RM. He was given a brief of implementing a pilot RM project starting with selection of the project area to the identification of risks, their assessments and identification of procedures for mitigating steps.
As an initial stage, the consultant sought to identify the risk appetite of the organisation and had elaborate discussions with the senior management and with the CAE on the subject matter. The risk appetite was sought to be categorised in different terms using financial scales, quantitative loss/ gain scales, qualitative in terms of human life and reputation. These were identified in a range of 5 points to keep it simple, although the first recommendation was a scale of 10 which allowed greater flexibility in terms of assessing the risk events. An illustrative scale for financial terms is given in Exhibit.
Having established the scale, the next phase was identification and assessment of risk. Alternative approaches available were, the ‘workshop’ approach where all concerned could be involved in the process, or a cumulative approach where separate meetings would be held with each business head/ department/process/project-head and risks assessed. While the workshop approach was thought to be more effectiv
e and efficient, as it was the initial introduction of a formalised risk management system and the risk of failure or limited success was sought to be managed, the ‘one-to-one’ interaction was preferred. In this way, although the time taken for the assessment was more, the process was better managed with one stakeholder at a time and the process could be geared well.
Selection of the project was the next stage and since the business had recently suffered a huge loss, the area of ‘business continuity’ was selected. Business continuity (a mitigating control) was taken as the key point of review for the business. Adequacy of controls to ensure business continuity, hence, was the pilot project. The project was defined as Managing Risks in Organisation Infrastructure.
A completed inventory of all infrastructural facilities was made. The likely hazards — fire, flood, earthquake, hurricane, technical failure, etc. faced by each element of the infrastructure were identified with its likely impact and a collection of such incidents in the organisation and in similar organisations in India and worldwide. The existing controls were also evaluated with reference to the control checklists maintained by Internal Audit. Meetings were then initiated with all concerned stakeholders on the subject.
An inventory of all risks was collated in Risk Register. A list of additional mitigating measures was also identified in a Treatment Register with specified Action Plans. One of the key treatments identified was to have extensive insurance coverage to protect against the consequential losses. The other key treatment identified was to have a fully-operational Business Continuity Plan to be prepared and implemented.
Establishing the Risk Management Infrastructure :
Having been successful with the pilot implementation, the CAE was given the responsibility to establish a Risk Management Group in the organisation, independent of the Internal Audit activity. He was asked to head the function along with Internal Audit.
As an initial step, one audit manager was transferred to the Risk Management Group. The CAE also advertised for 2 risk managers in this group with requisite risk analysis and reporting experience.
A process of risk assessment and reporting on a continuous basis (at least once a quarter) was established. Risk champions were identified in the organisation from the middle-management cadre who had at least 3 years’ experience in the organisation and at least one year in the relevant function. These ‘risk champions’ were made responsible for collating the risk events and identifying adequacy of mitigation of these risk events. They were to be assisted by Risk Managers from the Risk Management Group. The ‘risk champions’ were to review the Risk Register and also scan the business environment for any changes in risk patterns, which alter the adequacy of mitigation measures within the organisation and trigger an immediate corrective action course to be taken. In any case, a comprehensive review of the complete Risk Register was to be done every quarter.
A reporting format was also finalised for presentation to the Risk Management Committee and the Board on a quarterly basis highlighting the top 10 risks in the organisation in the form of a heat map and also a list of the risks, control and treatments for these top 10 risks (refer Exhibit for a sample report).
Conclusion : Based on the pilot implementation and the first cycle of reporting from the newly established Risk Management Group, the CAE and his team’s contribution was well appreciated and a special bonus was also approved for the team.
Exhibit — Risk Management Process — AZ/NZS 4360 — 2004 :
Exhibit — AIRMIC RM Standard — UK :
Exhibit : Risk Appetite :
|Consequences||ABC Ltd.’s Financial Risk Appetite Indicators|
|5. Severe||Results in extreme financial loss of revenue, expenses or assets, i.e., >USD 100m|
|4. Major||Results in very significant financial loss of revenue, expenses or assets, i.e., from USD 10-100m|
|3. Moderate||Results in significant financial loss of revenue, expenses or assets, i.e., from USD 1-10m|
|2. Minor||Results in minor financial loss of revenue, expenses or assets, i.e., from USD 0.1-1.0m|
|1. Insignificant||Results in some financial loss of revenue, expenses or assets, i.e.,|
Exhibit : Summary Risk Report
Summary of Risks Ranking
The graph points represent the current level of risk after considering the effectiveness of existing control systems, as assessed by a selected group comprised of Departmental Heads.
Only one Risk — Ageing facilities is in the ‘Extreme Zone’ . Many risks are in the High Zone and most of these are being addressed by specific actions and projects to treat the current level of risk, which is not acceptable. If and when that treatment is effective, the Risks can be re-assessed and are expected to be in the (acceptable) Moderate Zone.
|Poor co-operation between business and support units||2|
|Transition to MBO status||3|
|Reliance on experienced staff||4|
|Unexpected downtime affects production||5|
|Loss and/or misappropriation of resources||6|
|Integration not reaching expectations||7|
|Conflict of interest.||8|
|Electronic control system’s failure rates expected to increase||9|
|High Salt Content (SU) affects (all) material quality||10|
|Factors limiting production potential||11|
|Inappropriate investment decisions||12|
|Less than optimum recovery from utility plant||14|
|Unpredicted water production||16|
|Factors contributing to production shortfall||17|
|Over-specification of requirements||18|
|Shortage of quality technical graduates||19|
|Inadequate material quality||20|
|Vehicle loses cargo||21|
|Vehicle damages loading facility||22|
|Rejected vehicles interrupt shipping programme||23|
|Control room disaster||24|
|Complex and challenging guidelines||25|
|HQ Computer room disaster||26|