Having learnt about the risks involved in Business Process Automation, it is now time to discuss how to manage those risks. At the beginning of this lecture we will talk about the overall risks of an entity and the management of such risks through appropriate controls. Down the line, we will dive deeper into Information Technology Security and the implementation of controls in Information Technology.
An entity should first be aware of the existence of risks. This leads to understanding the nature of the risks better, and how to handle them to get the most out of them. Entities usually adopt numerous ways and means to handle risks. If it is not possible to eliminate a risk, the popular way out is to control it by implementing appropriate controls.
There are numerous controls which can be implemented, but they are usually selected based on the company's Risk Management Strategy. Some companies will be willing to take more risk in certain areas to get more profit. In other areas, a company might not be willing to take any risk at all. This depends purely on the company's management, their risk appetite (the risk appetite is said to be higher if the company is willing to take more risk to get more returns out of it, and lower otherwise) and their strategy. The Sarbanes-Oxley Act (in the US) talks about relevant controls and their implementation.
Now, let us look into the definition of Enterprise Risk Management (ERM) as defined in the ICAI material. It is good to write the definition as it is in the examinations, to score maximum marks. To make this definition easier to memorize, let me explain it to you part by part.
ERM is defined as a process, effected by an entity's Board of Directors, Management and other Personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity's objectives.
(You have got to memorize this like Silencer in the movie 3 Idiots. Let us see how.)
Process effected by entity's board of directors, management and other personnel: ERM is a process and not just a one-time random event. This process has to be discussed, evaluated and implemented by the Board of Directors (the top-level directors), Management (managerial personnel below the level of the Board of Directors) and other personnel (other staff of the company or outside consultants, who may not be at the top management level, but possess the competence and skill-set required for its implementation).
Applied in Strategy Setting and across the enterprise: The ERM must be implemented in the organization in such a way that the entity's goals are achieved at lower cost and with more profit. In other words, it has to be strategically implemented, taking all factors into consideration and not compromising on any of them. Finally, the implementation has to be made across the enterprise, meaning throughout the organization and not just for one function.
Designed to identify potential events that may affect the entity and manage risk to be within its risk appetite: The ERM must be designed in such a way that it identifies potential events that may affect the entity. Remember, we talked about identifying events giving negative results in our last lecture? Here we say that ERM must be designed to identify such potential events that affect the entity, even before they occur. ERM should be designed to manage such risks so that they do not go beyond the entity's risk appetite.
(Example of a Risk Appetite: A consultant tells the management that if the entity invests in Project A, it has a chance of making a $20,000 profit and a risk of a $10,000 loss, and if it invests in Project B, it has a chance of making a $50,000 profit and a risk of a $25,000 loss. If the management says, "I cannot risk losing more than $15,000 in case a negative event happens," it would choose Project A and not Project B. Hence the Risk Appetite of the Management is limited to a $15,000 loss, and not beyond that.)
To provide reasonable assurance regarding the achievement of entity's objectives: The ERM implemented should be able to give assurance, to a reasonable extent, that the entity's objectives will be achieved despite the existence of such risks, and that proper strategies are in place to mitigate and handle them.
(Now that I have explained the definition bit by bit, you should be able to memorize it in no time. Read the definition aloud twice before proceeding to the next section.)
All entities, whether profit-oriented or not, governmental or non-governmental, face certain kinds of uncertainty. If the entity wants to stay in the safe zone and does not want any uncertainty, then its returns will also be limited to that extent. This is because uncertainty provides both risk and opportunity. It has the potential to either erode or enhance value for its stakeholders (stakeholders are people with a vested interest who directly benefit from the financial gain of the entity). ERM should be a solution which not only mitigates such risks but also strives to enhance value for its stakeholders.
Thus the management of an entity must ensure that appropriate Information Technology Controls also form part of its overall Enterprise Risk Management Plan.
In our next lecture, we shall look into the benefits of ERM and components of ERM.
If you have not already, send us an email at email@example.com to get updates about the daily lecture notes posted as blog posts and the short exam-oriented revision notes posted as PDFs.