COSO: This article thoroughly inspects the guidance published by COSO. COSO is a joint initiative to combat corporate fraud. COSO was established with the purpose of being "dedicated to guiding executive management and government entities in relevant aspects of organizational governance, business ethics, internal control, business risk management, fraud and financial reports". COSO has established a common internal control model against which companies and organizations can evaluate their control systems. COSO sponsors the National Fraudulent Financial Information Commission (the Treadway Commission). The Treadway Commission was formed (in response to the requirement to implement internal control programs imposed by the US SEC and US Congress) to inspect, analyze and make recommendations on fraudulent corporate financial reports. COSO's sponsorship works in such a way that it studies/researches the problems regarding fraudulent financial information and writes a report on an integrated internal control framework.
This report presented a common definition of internal control and provided a framework (components) against which internal control systems can be evaluated and improved.

ERM Model: (the original shape was a pyramid; it is now a cube.) The original model (pyramid shape) was created to evaluate existing controls (controls only), but it was updated to a cube (aimed at managing overall risk) so that it could be used as a risk management framework in which eight components (including controls and much more) are highlighted and linked with objectives. That is, it sets out the components, including controls, that must be taken care of, against which the internal control system can be analysed so that the objectives of an org can be achieved. The framework consists of four objectives, eight components and four organizational units (which part of an org is being focused on). These are basically the components of an org (use them as a checklist when analysing or evaluating an org's risk management process) where issues can be seen; the org must then tackle these issues so that the objectives can be achieved.
Issues in the Eight Components:

Internal Environment - (Read the article point as well.) The internal environment establishes (sets up something on a firm and permanent basis) the tone of an org, etc. The tone is set by the board, but if the board is unbalanced (due to lacking appropriate knowledge, etc.) then the right tone may not be set. The work of board committees is also a significant contribution towards the tone, where the risk and audit committees play an important part. Even if board members are performing well, their performance may be undermined if the management of divisions and units is insufficient, specifically where line managers tolerate staff ignoring controls or emphasise the achievement of results over the responsible handling of risks. One criticism of the ERM model is that the internal environment is analysed without considering the impact of the external/competitive environment (by starting from the internal environment), meaning that the internal environment does not reflect the impact of external stakeholders and regulations on risk appetite, risk management and culture.
Objective Setting - Objectives are set to move the org towards its mission, but when an objective is set the associated risk should also be considered. If business is being carried out then of course associated entrepreneurial risk will arise: a major business investment is itself a risk, or competitor activities may bring risk for us. Risk appetite should be considered, i.e. how much variation in objectives is acceptable, which is called risk tolerance. Risk tolerance should be aligned with risk appetite, meaning that how much you tolerate should follow from the calculation of risk appetite. One main thing is that the board should consider what control systems can be used for strategic purposes. Making things obscure (not easy to understand) may allow illegal or unethical objectives; this can be seen where a business deliberately adopts its own framework, with complex structures, rather than adopting globally accepted professional codes.
Event Identification - Identify the internal and external events affecting the achievement of objectives. Events have both negative (risk) and positive (opportunity) impacts, so the org must take this into account in strategy setting whenever these events are identified, at any point in time. A mistake an org may make is not thinking about the process for identifying events and expecting that nothing will go wrong. Strategic and operational risks are distinct: danger to the achievement of strategic objectives and disruption of operations must both be identified. Focusing only on internal factors, i.e. operational risk, could result in a failure to analyse strategic dangers sufficiently. Initially identified risks may change if a one-off event or gradual trend arises, so a process to identify such one-off events should be in place. Only one kind of risk has been discussed (from events, and particularly from sudden events with major consequences), but slow changes that can give rise to important risks have been emphasised insufficiently (which is a criticism of the ERM model). Along with the analysis to identify potential events, a response to such dangers is vital as soon as those events arise, in order to minimise the threats.
Risk Assessment - Identification of risk and assessment of risk are different. After we identify the risk, its impact is assessed so that we can determine how to manage it. The impact of each risk is mapped, but remember not to forget the interrelation of individual risks. A combination of qualitative and quantitative risk assessment methodologies should be employed. After risk management actions have been taken on the assessed inherent risk, the residual risk left should also be assessed. Read the criticism from the article.

Risk Response - An action must be taken to manage the risk so that it is aligned with the risk tolerance and risk appetite. The responses are: reduce, accept, transfer or avoid. The response should be decided by viewing that particular risk at the organizational level rather than treating the risk in isolation (called the portfolio view of risk). Realistic responses should be selected. The org's environment (highly or less regulated orgs) also affects its responses and the complexity of its controls. The risk response approach should result in risk that is as low as reasonably practicable (ALARP). Obviously, a response means you are trying to reduce the risk (existing or potential), and you can only reduce/manage something by putting controls in place, so part of the risk response stage will be designing a sound system of internal controls. Controls should be mixed: detective, preventive, manual and automatic controls.
Control Activities - Controls are put in place in the form of policies and procedures which ensure that risk responses are effective. Controls are not important in themselves but are useful in achieving an aim (a means to an end). Internal controls have an important people-related significance: people affect internal controls because if managers and staff use controls inappropriately then the controls will fail. Controls may not be taken seriously, there may be collusion between staff, or management may tell staff to override controls. A basic type of control, or we can say policy, is segregation of duties, to reduce the possibility of a single person being able to act fraudulently and to increase the possibility of errors being found. Controls should operate at all levels of the org, at different stages within business processes and over the technology environment.

Information and Communication - To carry out their responsibilities, the information system should ensure that managers and staff receive information in such a way that the data in it is correctly identified and communicated in a suitable format and within a suitable timeframe. Communication of the risk areas that are relevant to what staff do is an important means of strengthening the internal environment by embedding risk awareness in staff's thinking. Failure to take the provision of information and communication seriously can have adverse consequences; for example, senior management may not learn about potential problems in time if middle management have been given full rights to decide what to report or not to report, which may leave operational management disinclined to report problems.
Monitoring - Monitoring of the management system is very important. Also, regular and annual review of risk management is very important. Apart from monitoring at board level, separate evaluation/monitoring by key players, i.e. the audit committee and the internal audit department, is very important. Separate monitoring without an internal audit function cannot be effective. Once an organisation goes beyond a certain level of size and complexity, it becomes difficult to believe that an internal audit function will not be required.
Conclusion - The ERM model has provided a foundation for organisations to manage risks more effectively. However, managers need an awareness of the limitations of risk management and of where the process could fail.

The probability of risk occurrence and the potential impact of risk will be examined. Risk management is an essential element of business governance. The safeguards for investors and other stakeholders from risk threats are 1) awareness of all possible risks, 2) understanding their potential impact, and 3) the probability of their occurrence. If you want to analyse and manage different types of risk in a structured way then risk needs to be categorised. A) Day-to-day activities (operational risks) bring many risks and have a shorter time frame. B) Longer term (strategic) risks are few, but the management of such risks is fundamental to the organisation's continued existence and prosperity. Having categorised risks, the probability of risks can be easily identified in terms of materiality, and only if material will the impact or consequences be measured.
Strategic Risk - These risks arise when directors take fundamental decisions concerning (relating to, in connection with, or on the subject of) the organization's objectives (saifi's example of shopify bus and related payment approval risk). Essentially, strategic risks are the risks of failing to achieve these business objectives. Strategic risk can be subdivided into two risks. Business Risk - risks that derive from the decisions that the board takes about the products or services that the organisation supplies. They include risks associated with developing and marketing those products or services, economic risks affecting product sales and costs, and risks arising from changes in the technological environment which impact on sales and production. Non-Business Risk - risks that do not derive from the products or services supplied, for example risks associated with the long-term sources of finance used. Strategic risk is not solely affected by the decisions of directors; the way the org is positioned in relation to its environment also affects strategic risk levels.
Responsibility for strategic risk management (what the responsibilities are for those who manage strategic risk): Strategic risks are determined by board decisions about the objectives and direction of the org. The board's strategic planning and decision-making processes, therefore, must be thorough. The Cadbury report recommends that directors should establish a formal schedule of matters (which are going to occur in future as planned) and reserve them for decision in the future, meanwhile thoroughly evaluating each matter (significant acquisitions and disposals of assets, investments, capital projects, and treasury policies). Why reserve and evaluate? Because, to take strategic decisions effectively, the board needs sufficient information about how the business is performing and about relevant aspects of the economic, commercial and technological environments (this is the evaluation of matters; after all this the decision is taken, and now the risk is minimised). To assess the variety of strategic risks that the org faces, the board needs to have breadth of vision (a range of future planning with wisdom), hence governance reports recommend that a board be balanced in skills, knowledge and experience.
Even if you see in exam scenarios that directors follow best practice concerning the procedures for strategic decision making, this will not necessarily ensure that the directors make the correct decisions: despite following the procedures, they may not take correct decisions. It happens that people follow something in name only but do whatever they want. Strategic success and failure depend on these key issues: a) the choice and clarity of strategy and strategy execution, b) the ability to respond to abrupt changes or fast-moving conditions, and c) the undertaking of unsuccessful mergers and acquisitions (the most significant issue in strategy-related failure).
Managing strategic risk: Strategic risks are often risks that organisations may have to take in order to expand, and even to continue in the long term. Risk 1) Developing a new product (e.g. software) is a very significant risk: the technology may be uncertain, and the competition facing the organisation may severely limit sales, but the alternative is to persist with products in mature markets. Risk 2) Other strategic risks may be accepted in the short term, but action to reduce or eliminate these risks over the long term is necessary. For example, a short-term global fluctuation in the supply of raw materials is an unavoidable risk even by changing supplier, but if production processes are redesigned over the longer term (for instance, so that a product can stay safe in go-downs through bulk production, or a material-generating facility can be made available in-house) then the reliance on those materials could be reduced or eliminated. Risk 3) Some risks should be avoided by not accepting a business opportunity, because their possible impact is so high, and the probability of success could be so low, that the returns offered are insufficient to warrant taking the risk. Directors may make what are known as 'go errors' when they unwisely pursue opportunities, risks materialise, and losses exceed returns. However, directors also need to be aware of the potentially serious consequences of 'stop errors' – not taking opportunities that should have been pursued. A competitor may take up these opportunities, and the profits made could boost its business. Go error = directors unwisely do what should not be done. Stop error = directors do not do what should have been done.

Operational Risk - Although boards need to incorporate an awareness of strategic risks into their decision making, there is a danger that they focus excessively on high-level strategy and neglect what is happening 'on the ground' (where practical work is done) in the organisation. If production is being disrupted by machine failure, key staff are leaving because they are dissatisfied, and sales are being lost because of poor product quality, then the business may end up in serious trouble before all the exciting new plans can be implemented. All of these are operational risks – risks connected with the internal resources, systems, processes, and employees of the organisation.
Risk 1) Some operational risks can have serious impacts if they are not avoided, e.g. failure to protect sensitive data. Read the example from the article. Operational risk may also materialise if proper risk awareness and its impact are not incorporated into the operational activities. Risk 2) Other operational risks may not have serious financial (or other) impacts if they only materialise once or twice. However, if they are not dealt with effectively, over time – if they materialise frequently – they can result in quite substantial losses, e.g. a concern that security measures at a factory might be insufficient to prevent burglaries. The impact of a single burglary might not be very great; the consequences of regular burglaries might be more significant.

Responsibility for operational risk management: Not all operational risks can be managed by the board itself, but the board must ensure that control systems can deal appropriately with operational risks by establishing a risk committee to monitor a) risk exposure, b) actions taken by middle management, and c) risks that have materialised. The risk committee assesses operational risk in aggregate, for the whole org, and decides which risks are most significant and what steps should be taken to counter them. Operational risk assessment by the risk committee includes setting priorities for control systems (which business processes should have a sound control system, and with what priority) and liaising with internal audit to ensure that audit work covers these risks (controls recommended by the risk team are audited by the internal audit department). The risk committee can establish a risk management framework and policies, promote risk management through information provision and training, and report on risk levels; all of this can support the risk committee in establishing a control environment.
A key part of line managers' responsibilities is the management of the operational risks in their area. Line managers' assessments will help supply information to senior managers to enable them to assess the risk position over the whole organisation. Line managers have to ensure that specific risks are dealt with effectively, BUT they will be concerned with their local working environment and will deal with conditions that may cause risks to materialise. For example, they may need to assess whether employees are working excessively long hours and are more likely to make mistakes as a result. Ultimately, employees will be responsible for taking steps to control operational risks. However, senior management is responsible for ensuring that employees, collectively, have the knowledge, skills, and understanding required to operate internal controls effectively.

Managing operational risk: It may be fairly obvious (quite clear) what the most significant strategic risks are and how important they are. But because of the number and variety of operational risks, accurate operational risk analysis can be more difficult, and can require evidence from a large number of different sources.
A key distinction, when defining different types of operational risk, is between a) low probability, high impact risks and b) high probability, low impact risks. With a), a risk may be managed through insurance, e.g. a sporting venue insuring against the loss of revenue caused by an event being cancelled, or through a contingency plan, e.g. the availability of alternative information technology facilities if a major systems failure occurs. Preventive controls should be implemented to manage risks of type a). With b), high probability means risks that do materialise but are unlikely to have a severe impact; detective or corrective controls are implemented.

Conclusion - If risk management is to be effective and efficient, the board needs to understand the major risks that its strategies involve, and the major problems that could occur with its operations. Risk and initiative cannot be separated from business decision making; however, directors can ensure that a wide view is taken of risk management and thus limit the trouble that risks can cause.