Fundamentals of Risk Management
Role of risk management
The risk management policy should set out the roles and responsibilities for risk management and internal control. The purpose of risk management is to fulfil mandatory obligations, provide assurance, support decision making and help ensure the effectiveness and efficiency of core processes (MADE2).

When allocating risk management responsibilities, consideration should be given in respect of each of the significant risks faced by the organization to the separate allocation of responsibilities for:

● determining strategy;
● designing controls;
● auditing compliance.

For example, a head office department may decide on the appropriate level of security for an organization. The design of the appropriate controls may be the responsibility of the production department. This is appropriate because security risk may be an integral part of production that needs to be under the ownership of the production department. In other organizations, it may be appropriate for the security arrangements to be designed by a specialist security adviser or the head of security within the company. Auditing of compliance with the security arrangements is likely to be the responsibility of the internal audit department.

Even in a small organization, it may be important for responsibilities for the management of fraud risk to be separated between different employees or departments. In a small charity, for example, it may be appropriate for a non-executive board member to undertake the internal control audit and thereby provide an objective view of the efficiency and effectiveness of the internal financial controls in place in the organization.

The role of the risk manager in the allocation of these responsibilities should be a facilitation role. The risk manager may facilitate a workshop designed to identify the fraud risks within the organization and allocate responsibilities for controlling them.
However, the risk manager cannot be responsible for implementing controls or auditing compliance. Risk management and internal audit should restrict their roles to the evaluation of the effectiveness of the controls and assist with the identification of whether additional and/or different control measures should be introduced. Risk managers should be aware of the added value of internal audit, as outlined in the text box below.

Added value of internal audit

Although what constitutes value-added activity will vary based on many factors, there are some general rules that apply across the board. Four factors that can help auditors determine what will add the most value to their organization are:

● knowledge of the organization, including its culture, key players, and competitive environment;
● courage to innovate in ways stakeholders don’t expect and may not think they want;
● ability to adapt to the organization in ways that exceed stakeholder expectations;
● knowledge of those practices that the profession, in general, considers value-added.

Three of these factors (organizational knowledge, courage and ability to adapt) are competencies and personal qualities that, for the most part, are self-explanatory. However, knowledge of the practices that the profession considers value-added is a continuing professional challenge for internal auditors.