Calendar year 2010 is about to close in just a few days and we are about to welcome a new corporate year in 2011. As organizations across the globe set their goals and objectives on the coming year, one little devil can never be set aside. That is risk.
Defined as the “likelihood of a potential threat materializing and causing an adverse effect in the organization”, risk has many forms. It is something that can affect our processes, people, structure, relationships, and ultimately our goals and objectives as individuals and as an organization. From the definition, it is easy to identify risk. Just think of a threat that may materialize and may negatively impact our processes, people, achievement of objectives/KRAs and you are actually in the process of risk identification.
If you are in finance, the risks typically identified are in the areas of investments, tax strategies, liquidity, cash flow, credit and collection, and financial planning. If you are in Information Technology (IT), common risks that need to be addressed, among others, are access rights, system integrity, technology infrastructure, system development, and business continuity. At the top level, strategic risks such as those affecting capital investment decisions, reorganization, divestitures, mergers and acquisitions, and strategic planning are commonly identified.
Having identified those top-level and divisional-level risks, the next questions are “how do we address risks?” and “am I responsible for addressing those risks?”. We are going to answer those in the next two paragraphs.
The types of risks mentioned above are further broken down into business-unit-level and process-level risks. Process-level risks are the lowest level of the risk hierarchy and are usually the subject of evaluations such as audits. Process-level risks are straightforward and can be addressed plainly by “plugging the leaks” in the systems or processes and reinforcing control actions.
The responsibility for identifying, highlighting and covering risks rests not with our auditors. Risk is everyone’s responsibility. Gone are the days when we point our fingers at the auditors for the failure to uncover numerous and significant risks across the organization. In the first place, auditors shall not assume risk ownership in every process, because doing so would be equivalent to assuming management responsibility, and that is a clear impairment of independence.
On the other hand, addressing process-level risks does not fully solve the risk equation. Organizations are run by a management team often referred to as the Management and the Board of Directors. This is where risk consciousness and control compliance must be taken seriously. Why? Because no matter how good your process-level controls are, if your “tone from the top” does not sound good or, worse, cannot be heard, the whole thing is actually nonsense and automatically deficient. This is where the Entity-Level Control concept comes in, which almost all control models (e.g. COSO, CoCo, ISO and others) advocate. And these standards keep evolving in response to their commitment to address newly emerging business risks.
One tax author during my college years said that aside from change, there are two other things that are permanent in this world: death and taxes. He’s grossly wrong. Because as we witnessed the 2008 financial mess, we were fully convinced that aside from change, there are actually three, with risk being the third one.
We all face risks every day. Risk is inherent in every endeavor. The only state where there is no risk is the state of perfection. Again, nobody and nothing is perfect. This is the inevitable reality we face every day.
So if we want a fruitful and progressive year in 2011, risk should be present on every corporate and individual scorecard.
Merry Christmas and a Happy New Year to all!