Fundamentals of Risk Management
Download 3.45 Mb. Pdf ko'rish
|
Fundamentals of Risk Management
|
the control environment
399 CoCo framework of internal control The first component of the CoCo framework is concerned with the establishment and communication of objectives, the significant internal and external risks faced by the organization and the policies designed to support achievement of the organ- ization’s objectives. Plans to assist with the achievement of objectives and the inclusion of measurable performance targets and indicators are also important aspects of the purpose component of CoCo. When establishing and analysing the purpose of the organization, CoCo makes it clear that the risks and opportunities facing the organization should be analysed in detail. The importance of risk assessment and organizational resilience is emphasized, together with the importance of recognizing the sources and origins of risk. The commitment component of CoCo is concerned with shared ethical values, including integrity. It is also concerned with human resource policies and practices and communication throughout the organization. Authority, responsibility and account- ability are also included, together with the requirement to achieve an atmosphere of mutual trust. The capabilities component of CoCo is concerned with the fact that people should have the necessary knowledge and skills to support the organization’s objectives, as well as its values. Sufficient relevant information should be identified and communicated, together with decisions and actions of different parts of the organi- zation. Activity should be co-ordinated and designed as an integral part of the organization. The monitoring and learning component of the CoCo framework is concerned with external and internal environments and the fact that they should be monitored to obtain information. Performance should be monitored against targets and indi cators and assumptions behind the objectives of the organization should be periodically challenged. The information needs and related information systems should be assessed when objectives change, and a procedure should be established and performed to ensure that appropriate change actions occur in these circumstances. Finally, management should periodically assess the effectiveness of control in the organization and communicate results to appropriate stakeholders. An example of an organization evaluating its control environment is set out in the box on the next page. |
