Riskd – Risk Management Blog

Enterprise & Personal – what have you riskd ?

Archive for the ‘Enterprise Risk Management’ Category

Reducing risks on big projects

Big projects (> 1 Million) have too many unknowns. The secret to managing big projects is to be proactive about knowing what your unknowns are and to plan enough room for managing them. This is the biggest challenge.

Passive management on big projects is a guaranteed recipe for failure.

In the internet startup business, this philosophy doesn’t have many followers. The idea there is to let the business grow organically and to manage the project based on demand. Twitter is a good example: a concept grew organically very fast, and the team behind it had to scale the systems based on the demand.

A Canadian company, http://localads.org, is planning to do the same thing by organically growing a unique concept and taking on the classifieds industry.

How far the concept will be accepted remains to be seen.

Written by riskd

September 18, 2009 at 12:13 pm

Posted in Project Management

4 Questions to ask when selecting an audit software

1 – Do you need a centralized facility to model your audit universe?

2 – What are your expectations with respect to work papers automation?

3 – What type of audit planning do you engage in and how do you do it?

4 – How does your audit process integrate with the company-wide ECM strategy?

Read more about how these questions can help you with selecting your audit software here.

Written by riskd

September 15, 2009 at 11:55 am

Market Risk – what does it comprise?

To quote from Wikipedia (http://en.wikipedia.org/wiki/Market_risk):

Market risk is the risk that the value of an investment will decrease due to moves in market factors. The four standard market risk factors are:

  • Equity risk, or the risk that stock prices will change.
  • Interest rate risk, or the risk that interest rates will change.
  • Currency risk, or the risk that foreign exchange rates will change.
  • Commodity risk, or the risk that commodity prices (i.e. grains, metals, etc.) will change.

Written by riskd

May 26, 2008 at 9:51 pm

Posted in Concepts, Market Risk

How Audit Objectives are Met Under the Integrated Framework for Internal Control

Under the Framework there are three basic audit objectives:

  • to determine whether controls provide reasonable assurance of effective and efficient operations;
  • to determine whether controls provide reasonable assurance as to the reliability of financial data and reports; and
  • to determine whether controls provide reasonable assurance of compliance with laws and regulations.

Each of these objectives has five components of control:

  • A sound Control Environment;
  • A sound Risk Assessment Process;
  • Sound Operational Control Activities;
  • Sound Information and Communications System; and
  • Sound Monitoring Practices.

1. For the Control Environment Component auditors assess

  • whether managers and employees possess integrity, ethical values and competence;
  • whether the nature of management’s philosophy and operating style is appropriate;
  • whether there is proper assignment of authority and responsibility;
  • whether there is proper organization of available resources;
  • whether there is proper training and development of people; and
  • whether there is proper attention and direction from management.

2. For the Risk Assessment Component auditors assess

  • whether management has established a set of objectives that integrate all the organization’s resources so that the organization operates in concert;
  • whether there is an awareness of and ability to deal with the risks and obstacles to successful achievement of business objectives; and
  • whether management identifies, analyzes and manages the risks and obstacles to successful achievement of business objectives.

3. For the Operational Control Activities Component auditors assess

  • whether management has established and executed policies and procedures to help ensure effective implementation of the actions they have identified as being necessary to address risks and obstacles to achievement of business objectives.

4. For the Information and Communications Systems Component auditors assess

  • whether the information system produces the financial, operational and compliance reports needed to run the business;
  • whether the reports that are produced deal with internal and external activities, conditions and events necessary for informed business decision-making and external reporting;
  • whether the organization’s people are able to capture and exchange the information they need to conduct, manage and control operations;
  • whether pertinent information is identified, captured and communicated in a form that enables people to effectively carry out their responsibilities;
  • whether communication flows in all directions throughout the organization;
  • whether management has made it clear to all employees that control responsibilities are to be taken seriously;
  • whether employees understand their own roles in the internal control system, as well as how their individual activities relate to the work of others;
  • whether all employees have the means of communicating significant information upstream; and
  • whether there is effective communication with external parties.

5. For the Effective Monitoring Component auditors assess

  • whether the entire control system is monitored to assess the quality of the system’s performance over time;
  • whether there is on-going monitoring in the normal course of doing business, such as regular supervisory and management activities, and actions employees take in performing their normal duties;
  • whether internal deficiencies are reported upstream, with serious matters reported directly to top management; and
  • whether there are separate, independent evaluations of the internal control system.

Written by riskd

March 24, 2008 at 12:22 am

Posted in Internal Audit

Reduce 80% of problems on projects

Some experts have said that a strong risk management process can decrease problems on a project by as much as 80 or 90 percent. In combination with solid project management practices – having a well-defined scope, incorporating input from the appropriate stakeholders, following a good change management process, and keeping open the lines of communication – a good risk management process is critical in cutting down on surprises, or unexpected project risks. Such a process can also help with problem resolution when changes occur, because those changes are now anticipated and actions have already been reviewed and approved, avoiding knee-jerk reactions.

Read further in this CIO article – Project Risk Management – Practical and Effective Approach

Written by riskd

February 6, 2008 at 3:00 am

Posted in Project Management

3-Step process for Identifying weaknesses in internal control design for Financial Reporting

STEP 1 – Preparation

  1. Review relevant control information
  2. Review Systems and Material Account Balance for the controls
  3. Review Financial Reporting and Disclosure Risks

STEP 2 – Assessment

  1. Assess Control Environment
  2. Entity level controls
  3. Process controls

STEP 3 – Conclusion and Disclosure

  1. Assess findings and make appropriate disclosures

It is very important to clearly distinguish the following when you do an assessment (Step 2).

  • The overall control environment, including the ‘tone from the big guys’ and the extent and nature of involvement of the audit committee and board of directors. Remember that the ‘tone’ gives the direction on how internal controls are set up.
  • Controls over the preparation of financial statements, including controls regarding accounting estimates, closing adjustments and the application of accounting principles in the preparation of financial statements and the information disclosed in the notes to the financial statements.
  • Controls in the various accounting systems that capture, summarize and record the routine accounting transactions (e.g., recording of revenue, expenses, etc.) on which the financial statements are based. These are referred to as process controls.

Written by anupsurendran

January 7, 2008 at 8:00 pm

Inherent vs Residual Risks

Risk that already exists before you address it is called inherent risk, i.e., the risk to your company in the absence of any actions you might take to alter either the likelihood or impact. Every company in every industry faces inherent risk; of course, not every company manages it effectively or efficiently. Some examples of this are:

  • Lack of management competence. Management competence refers to the competence of directors and other senior management personnel. It includes matters such as their:
    • industry experience,
    • knowledge of the entity’s business,
    • commercial skills,
    • common sense,
    • knowledge of good corporate governance, and
    • communication and judgement ability.

Auditors can assess management competence by speaking to directors individually, as well as by considering such factors as the number of years’ experience of each director in the industry, the number of years’ experience with the entity, and the extent of changes to management during the past several years.

  • Another example is the extent of significant and prolonged understaffing of the accounting department. Such understaffing could be indicative of management’s lack of interest in quality reporting, or even a positive interest in poor quality reporting.

Residual risk is also known as your “vulnerability” or “exposure”, i.e., the risk that remains after you have attempted to mitigate the inherent risk. Companies can only understand residual risk if they have first addressed inherent risk. Examples of this, which could be unique to a company, are strikes, the outcome of unfavorable litigation, or a natural catastrophe that can be eliminated through diversification.

Written by anupsurendran

January 6, 2008 at 11:25 pm

Risk Identification

This is a process of determining which risks might affect the project (an example of an asset) and documenting their characteristics.

Risk Identification is an iterative process, involving the project team, management team, stakeholders and subject matter experts (if required).

The Risk Identification process is part of the “Project Planning Phase”.

Written by anupsurendran

January 4, 2008 at 11:28 am