Fundamentals of Risk Management
Risk assurance
Many organizations have created their own formulas for educating employees about why controls are important and what adopting such measures means to them. The common element among these organizations is a commitment by senior management that embraces the internal control model.

Canada Post Corporation uses eight major groupings to evaluate the control environment, as follows:

● leadership;
● planning;
● customer focus;
● people focus;
● process management;
● partnership;
● business performance;
● continuous improvement.

During self-assessment workshops, executives receive the final results of all audit work performed throughout the year. The group then discusses business objectives for the coming year and the risks that could interfere with achieving them. The participants rate themselves on a scale of 1 to 10 for each of the criteria. Internal audit then compares the information it received directly from a business process to the information the group acquired about that process during other workshops. Using the workshop results, internal audit develops an audit opinion on the effectiveness of controls and an audit plan for the coming year. Additionally, internal auditing provides a summary of the results to the board of directors to consider in its strategic planning session. The report includes a commentary on the company’s five highest risks and five weakest controls.

Evaluating the control environment

Good safety culture

Ensuring a risk-aware culture in the organization is vitally important. A risk-aware culture will be achieved when all members of staff and management understand and accept the importance of adequate risk management. In addition, management and staff need to understand the role they will play in the successful management of risks and have a desire to fulfil that role enthusiastically. There are many ways in which a risk-aware culture can be demonstrated.
Clearly, one of the ways of demonstrating such a culture is to achieve high scores in a CoCo analysis. COSO ERM also has an internal environment component, although this component is not as comprehensive as the CoCo framework. Nevertheless, evaluation of the internal environment and the level of risk awareness within the organization can be undertaken using the COSO ERM framework. Many organizations regard the combination of COSO and CoCo as an ideal way of combining the detailed approach to measuring culture within CoCo with the more exhaustive approach of COSO.

ISO 31000 refers to the context of risk management. Context has three components in ISO 31000, described as the internal context, the external context and the risk management context. Together, analysis of these three contexts will provide information on the status of the risk-aware culture in the organization.

A subset of a good risk-aware culture is a strong safety culture. Following a major rail crash at Ladbroke Grove near London Paddington railway station in 1999, the Ladbroke Grove Inquiry heard various definitions of the word ‘culture’. Counsel to the Inquiry submitted that:

A good safety culture is the product of individual and group values, of attitudes and patterns of behaviour that lead to a commitment to an organization’s health and safety management. Organizations with a positive safety culture are characterized by communication founded on mutual trust, by shared perception of the importance of safety and by confidence in the efficiency of preventative measures.

Research by the Health and Safety Executive into the components of a safety culture produced a detailed report and the key components of the safety culture were identified as leadership, involvement, learning, accountability and communication. This gives rise to the acronym LILAC, which is described in more detail in Chapter 24. This represents an alternative approach to the purpose, commitment, capability, monitoring and learning components of the CoCo framework.