Introduction
A risk, as defined by the IIA, is the positive or negative effect of uncertainty on objectives.
Risks are not only threats: well managed, they can also present opportunities that an organization can exploit to its benefit. Every business is exposed to risk, whether inherent (arising from its operating environment before any controls are applied) or residual (what remains after controls have been implemented).
Risks arise from internal factors, which an organization can control, and from external factors, which it cannot. Organizations need to acknowledge and identify the risks they are exposed to in order to build resilience in today’s dynamic operating environment.
Types of Risks in Business
Strategic risk – associated with key strategic decisions of an organization, such as new product development, market expansion, restructuring and all decisions touching on an organization’s long-term objectives.
Financial risk – affects an organization’s financial standing. Examples include liquidity risk, credit risk and bankruptcy risk.
Operational risk – involves disruption of normal day-to-day operations and can be caused by inadequately designed and/or ineffective internal processes, system failures and people-related issues, as well as external factors such as global supply chain disruptions and political instability.
Legal and regulatory risk – arises due to non-compliance with applicable laws, regulations and/or industry standards. This might lead to penalties, sanctions and restrictions imposed by relevant regulatory authorities.
Reputational risk – relates to negative perception and potential loss of trust from customers, investors, key stakeholders as well as the public due to negative publicity, unethical behavior, substandard products and/or services etc.
Market risk – arises from significant changes in the operating market, such as volatility in foreign-exchange rates, changes in interest rates, changes in raw material prices and movements in the stock market.
Human resource risk – relates to losses and/or disruptions arising from people-related issues such as turnover rates, failure to attract and retain talent, productivity issues and gaps in succession planning.
Cyber risk – relates to the potential loss or harm caused by threats exploiting vulnerabilities in an organization’s information systems and the assets they hold. Examples include ransomware, data breaches, phishing and other social engineering attacks, and system disruptions or downtime. Cyber risk rarely stays in its own category: a successful attack usually also produces operational, legal and regulatory, financial and reputational impact, so it should be rated on its business impact rather than on technical severity alone.
Environmental risk – refers to the impact on an organization of environmental factors, including changes in environmental regulation and natural disasters.
Risk Management Steps
Risk Management is defined by IIA as “a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives.”
It involves identifying and categorizing the risks relevant to the organization, noting their key risk indicators, rating each risk by its likelihood of occurrence and its impact on the organization, recording its causes and effects, identifying the strategies management uses to keep exposure within acceptable bounds, monitoring the identified risks continuously, and developing appropriate treatment strategies.
It helps organizations control risks that could otherwise prevent them from attaining their goals and objectives. A good risk management process should be backed by the leadership team (management and the board) and integrated into all organizational activities. This keeps risk management aligned with the organization’s strategic objectives and culture, and makes every member of the organization responsible and accountable for risk management in their respective divisions.
a) Risk identification
This involves recognizing, defining and categorizing risks. For an effective risk assessment process, all risks should be adequately identified and defined, regardless of whether their causes are internal or external.
b) Risk analysis
This involves a detailed review of the identified risks to help in understanding their characteristics. At this point, key risk indicators, likelihood and impact, risk levels, cause and effect and controls effectiveness are reviewed in detail.
c) Risk evaluation
This step involves comparing the results of the risk analysis against the organization’s established risk criteria to determine whether each risk is acceptable as it stands and, if not, what course of action is required and in what priority.
d) Risk treatment
This step involves identifying and implementing the appropriate risk treatment strategies to manage the identified risks. These strategies include acceptance, avoidance, sharing, transfer and reduction. Whatever strategy is chosen, some residual risk remains and should be recorded and reassessed.
e) Risk monitoring and review
Risk management is a continuous process: the risk environment and the effectiveness of established controls are monitored so that the organization adapts to new challenges and can exploit available opportunities.
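The five steps above, carried through on a small risk register, as an added example that is not part of the original newsletter. It scores each risk on likelihood and impact (analysis), compares the residual level with a risk appetite (evaluation) and picks one of the treatment strategies listed above. The 1–5 scales, the level thresholds, the “Medium” appetite, the decision rule and the sample risks are all assumptions chosen for illustration, not RSM’s methodology.

```python
"""Worked risk register: analysis, evaluation and treatment selection.

Added example, not from the RSM newsletter. The 1-5 likelihood/impact
scales, level thresholds, risk appetite, treatment decision rule and the
sample risks below are assumptions chosen for illustration.
"""
import math
from dataclasses import dataclass

# Assumed ordered risk levels, lowest to highest.
LEVELS = ["Low", "Medium", "High", "Critical"]


@dataclass(frozen=True)
class Risk:
    name: str
    category: str
    likelihood: int             # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                 # 1 (negligible) .. 5 (severe), assumed scale
    control_effectiveness: float = 0.0  # 0.0 (no control) .. 1.0 (fully effective)

    def __post_init__(self) -> None:
        # Reject scores outside the assumed scales so a typo in the register
        # cannot silently produce a nonsensical level.
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: likelihood and impact must be 1..5")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.name}: control effectiveness must be 0..1")


def risk_level(score: int) -> str:
    """Map a likelihood x impact score (1..25) to a level. Thresholds are assumed."""
    if score <= 4:
        return "Low"
    if score <= 9:
        return "Medium"
    if score <= 15:
        return "High"
    return "Critical"


def inherent_score(r: Risk) -> int:
    """Risk before any controls: likelihood x impact."""
    return r.likelihood * r.impact


def residual_likelihood(r: Risk) -> int:
    """Controls are modelled (an assumption) as reducing likelihood only.
    Rounded up and floored at 1: no control drives likelihood to zero."""
    reduced = round(r.likelihood * (1.0 - r.control_effectiveness), 6)
    return max(1, math.ceil(reduced))


def residual_score(r: Risk) -> int:
    """Risk remaining after controls, on the same 1..25 scale."""
    return residual_likelihood(r) * r.impact


def recommend_treatment(r: Risk, appetite: str = "Medium") -> str:
    """Risk evaluation: compare residual risk with the appetite (the risk
    criterion) and choose a treatment. The decision rule is an assumption:
      residual level within appetite      -> accept
      severe impact and still likely      -> avoid (stop the activity)
      severe impact but unlikely          -> transfer (e.g. insurance)
      otherwise                           -> reduce (add or improve controls)
    """
    level = risk_level(residual_score(r))
    if LEVELS.index(level) <= LEVELS.index(appetite):
        return "accept"
    rl = residual_likelihood(r)
    if r.impact == 5 and rl >= 4:
        return "avoid"
    if r.impact >= 4 and rl <= 2:
        return "transfer"
    return "reduce"


def build_register(risks, appetite: str = "Medium"):
    """Register rows ordered by residual risk, highest first, for review."""
    return [
        {
            "name": r.name,
            "category": r.category,
            "inherent": risk_level(inherent_score(r)),
            "residual": risk_level(residual_score(r)),
            "treatment": recommend_treatment(r, appetite),
        }
        for r in sorted(risks, key=residual_score, reverse=True)
    ]


# Constructed sample risks (not real data), one per category from the text.
SAMPLE_RISKS = [
    Risk("Expansion into a sanctioned market", "strategic", 4, 5, 0.0),
    Risk("Ransomware on core systems", "cyber", 4, 5, 0.25),
    Risk("Major office fire", "operational", 2, 5, 0.0),
    Risk("Supply chain disruption", "operational", 2, 4, 0.0),
    Risk("Phishing of staff credentials", "cyber", 5, 3, 0.6),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(f"{row['name']:<36} {row['inherent']:<9} {row['residual']:<9} {row['treatment']}")
```

Ransomware is the instructive row: its inherent level is Critical, the existing controls only bring it down to High, which is still above the assumed Medium appetite, so the recommendation is to reduce (strengthen controls) rather than accept. Phishing, by contrast, starts High but effective awareness and filtering controls bring the residual level within appetite. The monitoring step is what keeps these numbers honest: the control effectiveness figures should be re-rated as indicators change, not set once.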
Benefits of Risk Management
With a clear understanding of risks, organizational leaders can make more informed decisions, adequately allocate resources in risk mitigation efforts, ensure compliance with applicable regulations and avoid penalties and legal cases.
By identifying, evaluating and treating risks, an organization reduces the likelihood and impact of adverse events, which supports business continuity. This enhances stakeholder trust and maintains the organization’s credibility.
Regular risk reporting to the board and key stakeholders makes processes transparent and holds management accountable for the accuracy and integrity of the information reported.
Identifying threats early helps organizations protect their assets, operate more smoothly and reduce downtime, because the disruptions they anticipate have already been planned for.
Caveat
This publication has been prepared by RSM (Eastern Africa) Consulting Ltd, and the views are those of the firm, independent of its directors, employees and associates. This publication is for general guidance, and does not constitute professional advice. Accordingly, RSM (Eastern Africa) Consulting Ltd, its directors, employees, associates and its agents accept no liability for the consequences of anyone acting, or refraining from acting, in reliance on the information contained herein or for any decision based on it. No part of the newsletter may be reproduced or published without prior written consent. RSM (Eastern Africa) Consulting Ltd is a member firm of RSM, a worldwide network of accounting and consulting firms. RSM does not offer professional services in its own name and each member firm of RSM is a legally separate and independent national firm.