Risk is defined as ‘the possibility of an event occurring that will have an impact on the achievement of objectives’. In simple words, risk management is concerned with both the positive and the negative aspects of risk: an event can have an adverse impact, but it can also bring a potential benefit.
Types of risks
In audit terms there are three types of risk, which together make up audit risk. These are as follows:
- Inherent risk
The susceptibility of a balance, transaction or assertion to material misstatement before any internal controls are taken into account. It typically arises from the complexity of the client’s business or of its transactions.
- Control risk
The risk that a potential material misstatement would not be prevented, or detected and corrected, by the client’s internal control system.
- Detection risk
The risk that the audit procedures applied by the auditor will not detect a material misstatement that exists.
The three are combined in the audit risk model (audit risk = inherent risk × control risk × detection risk): the higher the inherent and control risk assessed, the lower the detection risk the auditor can accept, and therefore the more audit work is required.
Risk management framework
A risk management framework is a structured process that defines an organisation’s strategy for reducing or eliminating the impact of risks, together with the mechanisms for monitoring and evaluating how effective that strategy is.
Steps in a Risk management framework
- Identification of potential threats
- Measurement or analysis of the identified threats (their likelihood and impact)
- Reporting and monitoring
What are the different frameworks for risk management?
Some of the commonly used frameworks are as follows:
- COSO: In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published its Internal Control - Integrated Framework, a model for evaluating internal controls. The COSO model defines internal control as ‘a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives’ in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulation
The five components of COSO internal control are:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring activities
The 17 principles of effective internal control in the 2013 update of the COSO framework, grouped by component, are:

| Internal control component | Principle |
|---|---|
| Control environment | 1. Demonstrate commitment to integrity and ethical values |
| Control environment | 2. Ensure that the board exercises oversight responsibility |
| Control environment | 3. Establish structures, reporting lines, authorities and responsibilities |
| Control environment | 4. Demonstrate commitment to a competent workforce |
| Control environment | 5. Hold people accountable |
| Risk assessment | 6. Specify appropriate objectives |
| Risk assessment | 7. Identify and analyse risks |
| Risk assessment | 8. Evaluate fraud risks |
| Risk assessment | 9. Identify and analyse changes that could significantly affect internal controls |
| Control activities | 10. Select and develop control activities that mitigate risks |
| Control activities | 11. Select and develop technology controls |
| Control activities | 12. Deploy control activities through policies and procedures |
| Information and communication | 13. Use relevant, quality information to support the internal control function |
| Information and communication | 14. Communicate internal control information internally |
| Information and communication | 15. Communicate internal control information externally |
| Monitoring activities | 16. Perform ongoing or separate (periodic) evaluations of internal controls, or a combination of the two |
| Monitoring activities | 17. Evaluate and communicate internal control deficiencies |
- CoCo (Criteria of Control): the CoCo framework was issued in 1995 by the Criteria of Control Board of the Canadian Institute of Chartered Accountants (CICA) in its ‘Guidance on Control’. It is not to be confused with Microsoft’s Coco Framework (Confidential Consortium Framework), an open source blockchain framework announced in August 2017 in the whitepaper ‘Coco Framework Technical Overview’, which is a platform for building trusted networks on top of existing protocols such as Ethereum rather than a standalone protocol, and has nothing to do with internal control.
The CoCo framework outlines the criteria for effective control in the following four areas:
- Purpose
- Commitment
- Capability
- Monitoring and learning
- COBIT: COBIT is an acronym for “Control Objectives for Information and Related Technologies”. It is developed by ISACA (the Information Systems Audit and Control Association), which describes COBIT 5, launched in April 2012, as the only business framework for the governance and management of enterprise IT.
The five principles of COBIT 5 are:
- Meeting stakeholder needs
- Covering the enterprise end to end
- Applying a single integrated framework
- Enabling a holistic approach
- Separating governance from management
The main focus areas (process domains) of COBIT, as defined in COBIT 4.1, are:
- Plan and organise
- Acquire and implement
- Deliver and support
- Monitor and evaluate