Risk

This chapter discusses the nature of risk management, emphasizing its importance in organizations due to increasing complexity and uncertainty in the business environment. It defines risk, categorizes it into various types, and highlights the sources of risk, both internal and external. Additionally, it outlines the legislative framework and roles of key players in managing risk within organizations.

Uploaded by Khanyi Malinga

Nature of Internal Audit Work 5

Chapter 4
Theory and concepts of risk

Objectives for this chapter:

• Define what risk management is and explain the importance of risk management in organisations
• Give examples of the application of various risk management strategies

4.1 Introduction
The vast change currently occurring, the complexity of that change and the rate at which it is taking
place are the roots of the increased uncertainty and risk confronting organisations. In today’s
competitive business world, it is becoming increasingly difficult for organisations to achieve good
results. The reason for this is the growing global business landscape in which organisations operate. In
addition, the greater global business landscape brings about greater opportunities, resulting in
increased complexity, which means that there is a greater likelihood of things going wrong. This has
brought about a need for risks to be managed. The importance of risk management at the highest levels
of an organisation has been noted by various role-players, including governments, executives of
organisations and corporate governance institutions world-wide. These sentiments are also reflected in
publications issued by professional organisations around the world, as well as in legislation enforcing
implementation.

4.2 The concept of risk


Risk is a general concept and an everyday phenomenon in the business world, in governments and in
professional and academic environments. The management of organisations uses the term risk to mean a
hazard or threat, which includes potential uncertain negative events such as financial loss, fraud or
theft, damage to reputation, injury or death, systems failure or a lawsuit, to name a few. In a general
sense, risk is the possibility that an accident or a loss could occur, or that a threat exists as a result of
an uncertainty. In addition, risks also exist in a positive connotation, such as winning a tender or contract
or making a profit, which might not happen. Business risk (for both the private and the public sector) is
classified as uncertain future events that could adversely affect the organisation by preventing it from
achieving its objectives. The IIA defines risk as “the probability that an event or action will adversely
affect the organisation or activity under investigation”. In this context, managing risk refers to
implementing management policies and procedures (for example, control activities) to reduce the
probability of a negative event, be it something good not happening or something bad happening. If the
event occurs (the risk has materialised), for example the tender is not granted (loss of opportunity) or an
accident happens (hazard occurred), this loss is referred to as a loss event. The risk has passed and no
longer exists, until the next time the organisation tenders for a contract or circumstances for an accident
are favourable. To illustrate the risk cycle, the example of a City Council that must ensure that
pedestrians are safe is used (refer to figure 4.1).


Figure 4.1: Risk cycle


Arising from the principle of sound corporate governance are two questions typically asked by
management:
• “Which part of the organisation is exposed?”
• “Are we taking enough risk?”
The latter question reflects a healthy focus on performance improvement. Risk as opportunity is implicit
in the concept that a relationship exists between risk and return: there is no return without risk. When
the risk appears higher, the opportunity is likely to be greater, along with the possible loss. Most
business decisions are taken based on a trade-off between risk and return. Value is created for the
shareholders if the return on investment is greater than the cost of the risk. Shareholders expect
organisations to yield a return on their investments. Too high a level of risk may of course cause an
organisation to under-perform, or even collapse. Managing risk therefore also means using techniques
to maximise the opportunities within the constraints of the organisation’s operating environment.
Risk can thus be linked to three key characteristics, namely:
• Uncertainty
Risks are uncertain future events that could influence the achievement of the organisation’s
strategic, operational and financial objectives.
• Loss of opportunity (“good things do not happen”)
Risks embody the possibility that an opportunity to achieve something positive could be lost.
• Hazard/Threat (“bad things do happen”)
Risks embody the possibility that an action has a potentially negative outcome.
Of the three aspects, most organisations formally address hazards, yet senior management spends
most of its time considering opportunities. Furthermore, it is important to note that the risk profile will
differ from organisation to organisation, depending on, to mention a few factors, the type, size and
market of the organisation. With this in mind, management must decide on the amount of risk it is
willing to take and manage the risks accordingly, thus balancing well-managed risks (by implementing a
risk management strategy) and improved performance (reaching of objectives).

4.3 Sources of risk


As part of the process to identify risks, it is important to understand where each risk originates. This is
essential as it influences the decisions on how to mitigate the risks. All risks originate either from within
the organisation (internal) or externally. Furthermore, every time there is change, new risks emerge and
need to be addressed.

4.3.1 External and internal risks


External risks are usually difficult and sometimes impossible to control. This category includes risks
such as economic factors (inflation and the petrol price), the financial markets (exchange rates and share
prices), regulatory factors (legislation) and the actions of competitors. Internal risks arise from the
organisation’s own activities, processes, products, contractual obligations and/or relationships with
employees, clients, suppliers and the environment. Examples of these risks are the use of technology
(is it being used optimally?) and information (is the information that is used for decision-making relevant
and accurate?). Both PESTEL and DESTEP, as covered in chapter 1, can be used to identify risks.

4.3.2 Change
Change surrounds and influences organisations daily. Common changes affecting organisations include
new technology, the legislative environment, political changes, newly appointed personnel or changes in
management, and new products and activities. People’s fears and resistance to change are the greatest
obstacles to successfully managing change in an organisation. For the management of risk, it is
important to understand that each time there is change, one or more potential new risks emerge. To
effectively manage change, attention must be given to several aspects, such as the impact of the
change on employees, training requirements, and its impact on the achievement of the organisation’s
objectives.

4.4 Types of risk categories


It is sometimes difficult to identify the risks threatening an organisation as there are so many risks.
According to a study performed by the Institute of Internal Auditors (IIA) Research Foundation, the top
five risk categories are expenses (the only one directly linked to financial risks), technology, reputation,
competition and people or intellectual capital. This section will identify a few risk categories that could
affect an organisation, but it is important to note that this is not a complete list.

4.4.1 Process risk


Process risks arise when business processes do not achieve the objectives for which they were
designed. By analysing the processes in the organisation, risks may be identified. The following are
characteristics of processes that perform poorly:
• The process is not in accordance with the overall strategy of the business.
• The process does not succeed in satisfying the needs of the users.
• The process does not work effectively.
• The process does not contribute to the well-being of the organisation.
• The process does not succeed in protecting the organisation’s assets (financial,
intellectual and physical) against unacceptable losses or misuse.
Every time a business process is changed, new potential risks arise and should be mitigated, for
example by implementing new controls or revising existing controls.

4.4.2 Management of people/intellectual capital risk
Many organisations view the appointment of the right person as a critical factor in the achievement of
objectives. At the same time it is not seen as a risk to lose key personnel. This is, however, changing.
A lack of expertise is identified by many as one of the key risks facing the business environment. This
could result in projects being curtailed, the launching of products being postponed and expansions
being limited. Areas that should be addressed include:
• Suitable personnel should be appointed for each position. This could refer to inter alia the over- or
under-qualification of a person for a specific task, the lack of expertise and competence, and
compensation requirements.
• There should be consideration of the loss of expertise and talent when key personnel resign and
join competitors or begin to work for themselves.
• Health and safety risks will apply more in certain organisations than in others, for example in a
mine (physical safety) or in a hospital (infection).
• Labour legislation stipulates the working condition of employees – how employees must be treated,
what their specific working hours are and to what benefits they are entitled.

4.4.3 Fraud risk


Fraud is an increasing social problem affecting organisations world-wide (fraud is covered in chapter
9). Various fraudulent activities have led to major losses (loss events), and even the failure of
organisations, such as Enron and Arthur Andersen, and closer to home the problems experienced by
KPMG, Steinhoff and VBS Bank. The risk of fraud taking place is part of the business world and must
consistently be considered as a possible risk. Even after the risk has materialised, organisations must
consider that the risk can materialise again; it is thus an ongoing threat to any organisation.

4.4.4 Information technology risk


Information technology (IT) forms a critical part of all organisational activities and the risks which arise
from the use of IT cannot be ignored. In the current disruptive business environment, organisations are
increasingly faced with technological risks (threats and opportunities). Clients and consumers expect
more from the organisation, such as better service and cheaper products. Management expects better
financial performance and productivity as well as the control of costs. In response to this pressure,
changes are often also made within the organisation, for example:
• new systems are implemented;
• business processes are adapted; or
• IT processes and equipment are adapted.

4.4.5 Poor management


One of the risks that is traditionally seldom addressed in an organisation is that related to poor
management. Poor management and poor decisions taken by management can naturally also give rise
to many other risks in the organisation.

4.4.6 Natural disasters


The risk of natural disasters must be kept in mind, particularly if the organisation’s products are exposed,
or if the location of the organisation increases this type of risk. Management must concentrate on the
risks of the continuity of business if such a natural disaster should take place, for example, data
processing, the loss of information, the loss of production and many more. There is also the risk of not
having an appropriate contingency plan in place. An increasing number of organisations expect their
suppliers and other business partners to have such plans in place and consider this a pre-requisite to
doing business.

4.4.7 Environmental risks
The risk that the organisation could have a negative impact on the natural environment, and the
consequences of such an impact, is becoming increasingly important. This risk has led to greater
regulation, which is applied particularly in the form of self-regulation. There is also an increase in
disclosure in financial statements regarding environmental matters.

4.4.8 Geo-political risks


This refers to risks that threaten society at large as a result of geographical and political factors,
including countries’ changing leadership, wars and conflicts, commodity price fixing across borders (e.g.
the oil price), and the way general politics and economics impact organisations.

4.5 Legislation and guidance


Various corporate governance reports, other guidance documentation, and rules and legislation,
incorporate the issue of risk and risk management. For the private sector in South Africa, no formal
legislation exists that makes risk management compulsory, but the King reports on governance, as well
as the Companies Act, make the responsibility of all the stakeholders regarding risk management very
clear. For the public sector, the Public Finance Management Act (PFMA), Municipal Finance
Management Act (MFMA) and the National Treasury Public Sector Risk Management Framework
incorporate risk and risk management.

Other guidance that is available includes the ISO 31000 issued by the International Standards
Organisation (ISO) and COSO ERM issued by the Committee of Sponsoring Organisations (COSO) of
the Treadway Commission.

4.5.1 King Report


Risk management has been included in both the second and the third King reports on governance, with
the latter report having a much broader scope than the previous one. With the fourth King Report
issued in 2016, the guidance remained, but is now more universal in nature, with the governing body
required to “apply and explain” whether it has implemented the principles, how they were
implemented, and if not, why not.
From the guidance, it is clear that the governing body (in both the private and the public sectors) must
take full responsibility for the formal risk management strategy that should form part of the organisation’s
strategic and business processes. Their guidance and leading by example (“tone-at-the-top”) will be the
decisive factor as to whether or not management, specific individuals and departments responsible for
risk management, and all other employees, will take risk management seriously.

4.5.2 Companies Act


According to section 94(7) of the Companies Act, the duties of the audit committee include performing
any other tasks as stipulated by the governing body, including an approach to evaluate and improve
the effectiveness of the risk management process. Although the Act does not enforce risk management,
it leaves the decision to implement a risk management framework in the hands of the audit committee.

4.5.3 Public Finance Management Act


According to section 38(1)(a)(i) of the PFMA:

“The accounting officer for a department, trading entity or constitutional institution must ensure that the
department, trading entity or constitutional institution has and maintains effective, efficient and
transparent systems of financial and risk management and control.”
The Treasury Regulations (as revised in March 2005) are issued in terms of the PFMA and add to this
statement in paragraphs 3.2.1, 3.2.7(a) and 27.1.8.

4.5.4 Municipal Finance Management Act


According to section 165(2)(a) and 2(b)(ii) & (iv) of the MFMA:
• “The internal audit unit of a municipality . . . must prepare a risk-based plan and an internal audit
programme for each financial year.”
• “The internal audit unit of a municipality . . . advise the accounting officer and report to the audit
committee on the implementation of the internal audit plan and matters relating to internal
controls/risk and risk management.”

4.5.5 Public Sector Risk Management Framework


The Framework has been developed in response to the requirements of the PFMA and MFMA for
Institutions to implement and maintain effective, efficient and transparent systems of risk
management and control in the public sector.

4.5.6 International Standards Organisation (ISO): ISO 31000


The ISO 31000 set of standards provides principles and generic guidelines (for benchmarking) for the
effective management of risk. The standards outline a generic approach to risk management that can
be applied by any type or size of organisation.

4.5.7 COSO Enterprise Risk Management


COSO ERM is a risk management framework to assist the organisation with enterprise-wide risk
management. The framework integrates strategy and performance with risk management. The first
version was released in 2004 and an updated version in 2017. The 2017 version addresses the evolution
of enterprise risk management and an improved approach to managing risk. The updated version is
titled Enterprise Risk Management - Integrating with Strategy and Performance. In 2018 a version for
applying enterprise risk management to environmental, social and governance related risks was released.

4.6 Role players and responsibilities


The main role players in the management of risk include the governing body and its risk committee, a
chief risk officer and/or risk department, and the internal audit activity that reports to the audit committee.
To a lesser degree, various external parties, as well as other governing body committees can also be
included in the process. All of the above typically include senior management and have broad cross-
functional membership. Although external auditors do not have a direct responsibility to ensure that the
risk management strategy of the organisation is implemented, they have to include risk management,
especially the assessment of risk, in the pre-engagement activities and planning stages of the external
audit process.

4.6.1 Governing body and risk committee


The governing body determines the strategy and direction in which the organisation moves and is
ultimately responsible for sound corporate governance structures including a risk management
framework. Their duties regarding risk management include, inter alia:

• setting the risk philosophy for the organisation as a whole;
• approving the risk appetite and risk tolerance that the organisation is willing to accept;
• understanding all the high or key risks;
• ensuring that the treatment of high risks is effective;
• ensuring that the overall risk management framework is efficiently implemented and maintained; and
• proper communication of risk management to all stakeholders.
The governing body mostly delegates these responsibilities to a governing body committee, being either
the audit committee or, if appropriate or necessary, a separate risk committee. The risk committee’s
ultimate responsibilities are to ensure that the risk management framework is implemented and
maintained, and to provide the governing body with assurance that the above is functioning as approved
by the governing body.

4.6.2 Senior management and chief risk officer/risk management department


One of the responsibilities of the chief executive officer/accounting officer is the establishment and
implementation of the overall risk management framework, including a risk management process.
Responsibilities also include alignment of strategic objectives with the risk appetite. These tasks are
mostly delegated to a chief risk officer and/or risk department. The activities of the above role players
include, inter alia:
• establishing and communicating the risk management department’s vision;
• ensuring that other relevant parties, such as the risk committee, are properly trained on risk
management;
• managing the risk function in terms of:
  - determining and implementing appropriate risk management infrastructures, policies and
    processes;
  - establishing methodologies and facilitating the use of tools and techniques;
  - facilitating risk identification and assessment;
  - implementing risk reporting structures; and
  - ensuring that risks are appropriately treated and monitored.

4.6.3 Risk steering committee


A new tendency is to establish an internal steering committee that manages risk on a holistic basis. The
chief risk officer is the convenor of such a body, which consists of various individuals within the
organisation who are responsible for risk management activities at a senior level. Loss events, changes
to the business environment (for example the implementation of a new system), weaknesses identified
during an internal audit engagement, or key risks identified by the external auditor, to name a few, are
reported at such a meeting and discussed. The appropriate action is decided (for example, updating the
risk register) and a responsible division or person is allocated to address the issues.

4.6.4 Assurance providers


Based on professional guidance by the IIA, the internal audit activity has three responsibilities regarding
risk management. These are:

• To provide reasonable assurance that the risk management framework and process are in line
with the decisions and the risk management strategy adopted by the governing body.
• If the internal auditor can rely on the risk management process, the internal audit plan must be
based on the key strategic risks threatening the organisation in meeting its objectives.
• When conducting the internal audit engagement, the operational risks identified during the risk
management process and documented in the risk register must be considered when planning the
engagement.

4.7 Risk management strategies


A risk management strategy and process refer to the management (identification, measurement and
mitigation or treatment) of risks. When risk is managed, most organisations give attention to the result
of the risk rather than to the cause. This approach is not pro-active. It does not make provision for risks
which do not have a current result or cannot be linked to financial losses, for example, the reputation of
the organisation being damaged as a result of poor service. To effectively manage risk, another approach
is required: one which will assist management in understanding all the key risks of the organisation on
both the strategic and operational levels, as well as their interrelationships. Although the process used
for risk management will differ from organisation to organisation, the most elementary method is to ask
the “what” questions, namely:
• What could go wrong?
• What could cause it to go wrong?
• What could be done to prevent it from going wrong?
• What must go right?
The risk management process is a structured, consistent and continuous process across the
organisation to assist management in managing risk. According to the Committee of Sponsoring
Organisations (COSO), enterprise risk management “. . . is a process, effected by an entity’s governing
body, management and other personnel, applied in strategy setting across the enterprise, designed to
identify potential events that may affect the entity, and manage risks to be within its risk appetite, to
provide reasonable assurance regarding the achievement of entity objectives”.

4.7.1 Risk terminology


The terminology used in relation to risk includes:
• Inherent risk
Inherent risk is the risk without any procedures in place to minimise or eliminate the specific risk,
for example, where no control activities are in place.
• Likelihood
The possibility of a risk materialising, also referred to as probability. Simply stated, it is the chance
that something might happen and prevent the organisation from achieving its strategic objectives.
It is measured in qualitative values, the simplest being high, medium and low. The organisation
adopts a rating scale to suit its environment; three-point to five-point rating scales are most common.
• Impact
The effect that the risk, if it materialises, will have on the organisation. As with likelihood, it is
measured in qualitative values. Typically, the same rating scale that applies to likelihood is used
to measure the impact.
• Residual risk
The amount of risk that remains after the implementation of controls. It is not possible to mitigate
all risk and the organisation needs to decide to what extent inherent risk must be managed so that
the risk exposure falls within the risk appetite of the organisation.
• Risk appetite
Risk appetite is the amount of risk an entity is willing to accept in pursuit of value. This is usually a
decision made by the governing body and can be qualitative (high, medium or low) or quantitative
(specific numeric values). The risk appetite is directly linked to the risk response, that is, to avoid,
reduce, share or accept the risk. Risk appetite is influenced by the risk culture of an organisation,
which is the set of shared attitudes, values and practices that determines how an organisation
considers risk in its day-to-day activities.
The risk appetite is determined, inter alia, by the following:
o the number of errors which management will accept;
o the scope of losses which are permissible;
o the organisation’s objectives;
o the measure to which management will accept risk;
o the ability to meet risk; and
o the cost versus benefit of risk control.
• Risk tolerance
The risk tolerance provides an acceptable variation or deviation from the risk appetite to ensure
that objectives are achieved; for example, if the risk appetite based on benchmarking is three
mistakes, the risk tolerance increases the tolerated number to four mistakes.

4.7.2 Risk mitigation strategies


Risk mitigation strategies are an integral part of an organisation’s business processes, as they refer to the
actions that management takes to manage inherent risks. Risk responses include the following:
• Avoid by not taking the action that gives rise to the risk, for example, exiting a product line or selling
a division;
• Reduce the likelihood or impact of the risk by implementing, for example, controls;
• Share by transferring or sharing some of the risk with other parties, for example, through insurance; and
• Accept the risk by taking no action to manage it, for example, where it is not cost effective to
implement controls.
The design and implementation of responses are determined by the risk appetite of the
organisation.
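The risk terminology and the risk responses described above, worked through as an added example that is not part of the textbook: a constructed risk register is scored on a three-point scale, inherent and residual scores are compared against a numeric appetite and tolerance, and one of the four responses is recommended. The 1/2/3 mapping, the one-step effect of each control and the decision policy are assumptions made for illustration.

```python
"""Constructed risk-register scorer using the chapter's terminology.

Assumptions (illustration only, not from the textbook): a three-point scale
(low/medium/high) maps to 1/2/3, risk score = likelihood x impact (1..9), each
effective control lowers one rating by one step, and the response policy is one
possible way of linking the residual score to avoid/reduce/share/accept.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

RATING = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Control:
    name: str
    reduces: str  # dimension mitigated: "likelihood" or "impact"

@dataclass
class Risk:
    name: str
    likelihood: str  # inherent likelihood rating
    impact: str      # inherent impact rating
    controls: List[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        """Inherent risk: exposure with no control activities in place."""
        return RATING[self.likelihood] * RATING[self.impact]

    def residual_ratings(self) -> Tuple[int, int]:
        """Ratings after controls; never below 1, as not all risk can be mitigated."""
        like, imp = RATING[self.likelihood], RATING[self.impact]
        for c in self.controls:
            if c.reduces == "likelihood":
                like = max(1, like - 1)
            elif c.reduces == "impact":
                imp = max(1, imp - 1)
            else:
                raise ValueError(f"unknown dimension {c.reduces!r}")
        return like, imp

    def residual_score(self) -> int:
        """Residual risk: the amount of risk remaining after controls."""
        like, imp = self.residual_ratings()
        return like * imp

@dataclass
class Appetite:
    """Quantitative appetite on the 1..9 score; tolerance is the permissible
    variation above it (the chapter's 'three mistakes, four tolerated')."""
    appetite: int
    tolerance: int

def recommend_response(risk: Risk, policy: Appetite) -> str:
    """Assumed policy: within appetite -> accept; within tolerance -> reduce
    (add controls); above tolerance -> avoid when both ratings are still high
    (one more control cannot bring it within tolerance), otherwise share."""
    score = risk.residual_score()
    like, imp = risk.residual_ratings()
    if score <= policy.appetite:
        return "accept"
    if score <= policy.tolerance:
        return "reduce"
    return "avoid" if like == 3 and imp == 3 else "share"

def evaluate_register(register: List[Risk], policy: Appetite) -> List[dict]:
    """One row per risk: inherent score, residual score and recommended response."""
    return [{"risk": r.name, "inherent": r.inherent_score(),
             "residual": r.residual_score(),
             "response": recommend_response(r, policy)} for r in register]

# Constructed sample register drawing on the chapter's own examples.
REGISTER = [
    Risk("Pedestrian injury at council crossings", "high", "high",
         [Control("marked crossings", "likelihood"), Control("speed humps", "likelihood")]),
    Risk("Fraudulent supplier payments", "medium", "high",
         [Control("segregation of duties", "likelihood")]),
    Risk("Flood damage to data centre", "medium", "high",
         [Control("off-site backups", "impact")]),
    Risk("Vehicle fleet accidents", "high", "medium"),
    Risk("Failure of unsupported legacy system", "high", "high"),
]
POLICY = Appetite(appetite=3, tolerance=4)
ROWS = evaluate_register(REGISTER, POLICY)
```

Printing ROWS shows the two fraud and pedestrian risks brought within appetite by likelihood controls, the flood risk within tolerance but still needing reduction, and the two unmitigated risks pushed to share or avoid.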

4.8 Summary
Risk management as a relatively new concept for the general business environment was discussed.
Risk management practices have made a phenomenal impact on the governance of organisations.
Management and the governing body can no longer ignore this important strategy to assist with the
management of risk.
The internal audit activity, as the right hand of management, has to ensure that it stays in the forefront
of business management. The role of internal auditing with regards to risk management is to provide
assurance and/or consulting activities on the risk management framework and/or process and to
incorporate risk management concepts into the internal audit engagement.
