Let us discuss in detail on the topic RISK before jumping in to discuss Enterprise Risk Management.
Do you know that, business process automation is not something which a company can easily decide, as it involves some risk? Hence, before automating all its manual processes, the company carefully evaluates the pros and cons of business process automation, before investing its money and time.
RISK: In ICAI's material, risk is defined as follows
"Risk is any event that may result in significant deviation from a planned objective resulting in unwanted negative consequences".
Let us try to break down this definition into meaningful chunks.
Risk is any event that may result in significant deviation from planned objective: Here risk is any undesirable event or a happening, which deviates the expected result or attainable goals significantly. You don't call something a risk when the deviations from your expectation are only mild. Hence the variation or the deviation has to be significant.
Resulting in unwanted negative consequence: Imagine a situation where your company aims for an additional profit of Rs.50,000 when starting a new line of business, and your company end up getting Rs.1,00,000 as profit, more than what you expected!! Do you call this a risk? The answer is No, because it is definitely a significant deviation from planned objective, but that has resulted in a positive consequence, and which something you would always welcome. But here, risk is something which results in negative consequence. That is, if your company aims for Rs.50,000 profit, you end up with Rs.20,000 loss with the new line of business. Now this is Risk.
Degree of Risk: After getting to know about the risk, let us discuss something called as Degree of Risk.
Do you know it is possible to predict the risk and the amount of financial loss, in the case of any significant deviation even before a company decides to invest on something or spend on something? Companies determine the extent of risk or the extent of loss that it would incur in case if there is a deviation even before starting something. This is an essential evaluation which every company carries out.
First it determines the probability of the undesirable event occurring, it could say there is a 10%, 20%, 30% probability of the event happening. Then it determines the impact in terms of monetary loss, loss of customers etc in case if that happens. It also determines the approximate timing around which this event would happen.
Companies undertake the risk whenever it starts a new venture, invests money on any asset etc.
Now let us discuss what kind of risks are associated with the business process automation. It should be noted here that the risks are inherent, meaning it is there already and you cannot do anything about it. You can only take steps to avoid them. Most importantly, you can do them only if you know they exist. Do you agree with me?
INPUT AND ACCESS: We discussed about how the automated processes are so efficient that they produce accurate data, on timely manner etc. But have you ever thought of a situation, when wrong data is fed into the system? Yes, there is an inherent risk that , the employees of the company may feed the system with inputs, which are either not accurate, are incomplete or is not authorized by appropriate person (if the nature of data is such that it requires authorization from any senior official for example). If you ask me, is authorization a big deal? I would say, of course it is. Data authorized by appropriate higher official proves the credibility and correctness of data. Not only that, if a company has such a procedure or a policy, definitely it has to be complied with.
FILE & DATA TRANSMISSION: Different people, sitting in different departments and in different locations, feed inputs into the system. The system usually takes all the input, processes it and throws out a result. For example, if someone sitting in India is looking for Revenue made by the company for the period March 2019 in North America, people sitting in USA, Canada and Mexico would have fed the numbers from their own locations into the system by the end of March 2019. But let us say, the data fed from Mexico has not be transmitted properly and stored in the server, due to some network error, the system would throw the result only for the two regions USA and Canada. Hence the result thrown up by the system is not accurate. Having said that, companies will have to draft their own ways and means to verify the output and identify if them it they are wrong, knowing about the risk.
PROCESSING: When I was a fresher, I ran a Revenue Report on the SAP for the month of June. The system was supposed to throw out revenue numbers of all products for the month of June. It did throw out, but I guessed something was wrong with the numbers. I could say that because, I knew the company made nothing less than $1 Billion a month all the while. Whereas the report showed something which was not even close to $1 Billion. Then my Manager told me, there could be some processing problem and asked me to re-run the report after sometime. That time around, I got the correct numbers.Hence, network error or system error is inherent and cannot be avoided. But rest assured, it does not happen always.
OUTPUT: As we discussed, all outputs may not be completely accurate due to errors and bugs in processing, network error etc. Not only that, there is also a risk that the output reaches an unauthorized person, who is not authorized to view that. This can happen if the access control is weak.
DATA: If the access control is weak and is not stringent enough, it may not only lead to unauthorized person viewing your data, but there is also a risk that this person will make changes to the transaction data or the master data (permanent details). Example of transaction data would be revenue numbers and profit numbers for the month and example of master data would be Customer Name, Nature of Business, Location, PAN Number etc.
INFRASTRUCTURE: All data in the system has to be taken a back-up (copies) and stored in different locations. This is because, in case if some natural disaster occurs and the data stored in main office are destroyed, and if no such arrangement is made, then think of the loss the company would incur as a result of proper infrastructure.
I have taken quite a lot of time to explain you about risks. This is to prep you well before jumping into the topic Enterprise Risk Management. Not only that, you will be learning about the concept of risk again and again in different subjects like Financial Management and Auditing both in your Intermediate and Final.
I also hope, giving some interesting insights into the difficulties and realities faced by companies would go a long way in not only making you more knowledgeable, but will also make you employment ready once you are out of the course and make you more confident when you enter as a fresher. This has what made our students score high in this subject in every exams.
Will catch you tomorrow with the next interesting topic.
If you have not already, subscribe to our email list to get quick daily exam revision notes on the subject. Drop us an email to firstname.lastname@example.org