.
By Onisiforos A. Onisiforou
President of the Cyprus Institute of Internal Auditors
Prevention
Doctors advise us to have a healthy diet, exercise, take our medical tests regularly and so forth. What they are in fact telling us is that prevention is the best cure. Prevention, of course, is not desirable only in health matters. It is important in other fields of our personal and professional life.
To use a more “business-like” terminology, prevention is similar to risk management, which is of concern for any enterprise, whether public or private. It also has to do with the governmental apparatus, public law organizations, as well as local government. What is “risk management” then?
Risk Management
Risk management is a process of identifying, evaluating, addressing and monitoring risks, that is to say the occurrence of events that are likely to threaten a corporation’s achievement of its objectives.
Risk may originate in the external environment in which a company carries on its activities or they may arise from the activities within the company itself. The risk can also be of a strategic, financial, operational, legal or other nature.
The way of handling risks is proportional to their gravity. The degree of risk gravity may, simply speaking, be measured on the occurrence probability of various events and the effects they will have if such events actually come about.
There are various ways of handling risk. For instance, risk can be transferred to third parties outside the company (e.g. through insurance coverage) or may be avoided altogether (e.g. by refraining to take any action, the negative effects of which might be huge). Moreover, risk may be accepted without taking any further action, provided the possible effects are within the specified acceptable limits. Also, the magnitude of negative effects or the occurrence probability of events can be reduced by adopting suitable measures and strengthening the management and control system.
The risk management procedure does not aim to obliterate the risks; for this may cost too much or it may not be either possible or desirable. Without taking risks it is not possible to attain the results pursued through the business activities. However, the taking of risks must be done in a responsible way through the operation of an effective risk management process.
Responsibility for an effective risk management process
Who has ultimate responsibility for the establishment and effective functioning of such a risk management process? The initial responsibility lies with the current authority, administration, the governing body of a corporation, which must define a risk management policy, prescribe what is and what is not an acceptable level of risk and plan and establish – with the help of experts – a risk management process. Such process must be adequate and capable of functioning effectively by identifying and addressing all important risks; furthermore the vision, the mission, the values, the objectives, the strategy and the management and control system of an organisation should be aligned to this process.
In this way the persons in charge, who make decisions and are the “owners” of any risk, shall have the necessary information and awareness of the risks involved. It follows that they will be in a position to plan the corresponding actions and take proper preventive measures in time.
The role of the Internal Auditor
Risk management is an issue of direct concern to the professional Internal Auditor. The nature of the Internal Auditor’s work has three basic aspects. One has to do with the corporate governance, the other with the management and control system and the third with the risk management process. The Internal Auditor may advise the administration and the management on the setting up of an adequate risk management process, the adoption and effective functioning of which would be beneficial to the corporation. In corporations where such process is already in place, the Internal Auditor assesses the adequacy and effectiveness of its operation and at the same time makes suggestions for improvement to the administration and management of the corporation.
In conclusion
The risk management process is an important tool in the hands of those who run a company, private or public corporation, even the state mechanism. Especially in a period of economic crisis when new, changing and interconnected risks are lying in wait, we must escape from the mentality of oversimplifying the risks and their handling by relying mainly on our intuition. It is absolutely necessary to develop a decision making and action promoting culture – not one of procrastination instead – based on the functioning of an effective risk management process that will help us to become less vulnerable and multiply the chances of achieving our objectives.
