Fundamentals of Risk Management
Table 11.1 (continued) Risk classification systems

Classification headings | COSO: Strategic, Operations, Reporting, Compliance | IRM standard: Financial, Strategic, Operational, Hazard | FIRM risk scorecard: Financial, Infrastructure, Reputational, Marketplace

Risk assessment 136

There are similarities in the way that risks are classified by the different risk classification systems. However, there are also differences, including the fact that operational risk is referred to as infrastructure risk in the FIRM risk scorecard. COSO takes a narrow view of financial risk, with particular emphasis on reporting. The different systems have been devised in different circumstances and by different organizations; therefore, the categories will be similar but not identical. In describing different risk classification systems, Table 11.1 illustrates that many classification systems offer a combination of source, event, impact and consequences categories.

Table 11.2 Attributes of the FIRM risk scorecard

Attribute | Financial | Infrastructure | Reputational | Marketplace
--- | --- | --- | --- | ---
Description | Risks that can impact the way in which money is managed and profitability is achieved | Risks that will impact the level of efficiency and dysfunction within the core processes | Risks that will impact desire of customers to deal or trade and level of customer retention | Risks that will impact the level of customer trade or expenditure
Internal or external risk | Internal | Internal | External | External
Quantifiable | Usually | Sometimes | Not always | Yes
Measurement (performance indicator) | Gains and losses from internal financial control | Level of efficiency in processes and operations | Nature of publicity and effectiveness of marketing profile | Income from commercial and market activities
Performance gap | Procedures: failure of procedures to control internal financial risks | Process: failure of processes to operate without disruption | Perception: failure to achieve the desired perception | Presence: failure to achieve required presence in the marketplace
Control mechanisms | CapEx standards; internal control; delegation of authority | Process control; loss control; insurance and risk financing | Marketing; advertising; reputation and brand protection | Strategic and business plans; opportunity assessment

Risk classification systems 137

British Standard BS 31100 sets out the advantages of having a risk classification system. These benefits include helping to define the scope of risk management in the organization, providing a structure and framework for risk identification, and giving the opportunity to aggregate similar kinds of risks across the whole organization. ISO 31000 does not suggest a risk classification system. In summary, examples of the advantages of having a risk classification system include:

● Accumulations of risk that could undermine a key dependency or business objective and make it vulnerable can be more easily identified.
● Responsibility for improved management of each different type of risk can be more easily identified/allocated if risks are classified.
● Decisions and knowledge about the type of control(s) that will be implemented can be taken on a more structured and informed basis.
● Circumstances where the risk appetite of the organization is being exceeded (or the risk criteria not being implemented) can be more readily identified.

The British Standard states that the number and type of risk categories employed should be selected to suit the size, purpose, nature, complexity and context of the organization. The categories should also reflect the maturity of risk management within the organization.

Perhaps the most commonly used risk classification systems are those offered by the COSO ERM framework and by the IRM risk management standard. However, the COSO risk classification system is not always helpful and it contains several weaknesses. For example, strategic risks may also be present in operations and in reporting and compliance. Despite these weaknesses, the COSO framework is in widespread use, because it is the recognized and recommended approach for compliance with the requirements of the Sarbanes–Oxley Act. It is worth noting that the COSO ERM framework (2004) is the broader version of COSO, and it also includes the requirements of the recently updated COSO Internal Control framework (2013). The reporting component of the COSO internal control framework is specifically concerned with the accuracy of the reporting of financial data and is designed to fulfil the requirements of section 404 of the Sarbanes–Oxley Act.