ACCOUNTING
MA2
MODULE 3
Copyright 2014 by the Certified General Accountants of Ontario
LEARNING OBJECTIVES
3.1 Risk environment and types of risk
3.2 Levels of risk management
3.3 Evaluating risk
3.4 Techniques for mitigating risk
3.5 Case analysis: Entropic Communications, Inc.
Copyright 2014 by the Certified General Accountants of Ontario
3.1-1 RISK ENVIRONMENT AND TYPES OF RISK
Risk is the probability that a negative outcome will occur. All organizations face risk. In many instances, it cannot be avoided, but it can be mitigated.
The COSO framework is used by organizations as an enterprise risk management tool for dealing with risk. In this topic, the framework is used to describe the risk environment.
The COSO (the Committee of Sponsoring Organizations) cube has three dimensions:
1. Four key categories used to classify entity objectives
Strategic goals: High-level goals that support the mission
Operational objectives: Effective and efficient operations
Reporting objectives: Reliability of financial reporting
Compliance objectives: Compliance with applicable laws and regulations
Copyright 2014 by the Certified General Accountants of Ontario
3.1-2 RISK ENVIRONMENT AND TYPES OF RISK
2. Eight components of enterprise risk management (ERM)
Internal environment — The internal environment encompasses the tone of an organization. It sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
Objective setting — Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in a process in place to set objectives. It also ensures that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.
Event identification — Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.
Copyright 2014 by the Certified General Accountants of Ontario
3.1-3 RISK ENVIRONMENT AND TYPES OF RISK
Risk assessment — Risks are analyzed, considering likelihood and impact as a basis for determining how they should be managed.
Risk response — Management selects risk responses – developing a set of actions to align risks with the entity’s risk tolerances and risk appetite. Control activities — Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
Information and communication — Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
Monitoring — The entire process of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
Copyright 2014 by the Certified General Accountants of Ontario
3.1-4 RISK ENVIRONMENT AND TYPES OF RISK
3. The third dimension represents the business/ operational units of the organization – entity-level, division, business unit, and subsidiary As a whole, the ERM components focus on identifying, assessing, and controlling risk.
Copyright 2014 by the Certified General Accountants of Ontario
3.1-5 RISK ENVIRONMENT AND TYPES OF RISK
Part of the process of managing risk is to assess its likelihood and impact. The types of risks an organization faces can be divided into four categories:
Hazard risk — The possibility that an event will cause harm to an individual (by the organization) or that harm is done to the organization. Hazard risks