In IT risk management strategies, why must periodic review be part of the process?

The integrated risk management process is designed and set by management and implemented by the whole staff of the organization. The process is not linear: managing one risk may also affect other risks, and control devices found to be effective in limiting a risk and keeping it within acceptable limits may prove useful in controlling other risks.

Risk management currently enjoys growing appreciation and recognition, both in theory and in practice. This is reflected, on the one hand, in the increasing number of specialists in the field and, on the other hand, in the interest of managers in designing and implementing effective risk management systems to meet their organizations' objectives.

Mastering risk drives organizational development and performance growth, both for the organization as a whole and for its individual activities.

3.1. COSO and integrated risk management

With regard to risk management, COSO first presented a framework methodology for implementing internal controls: built-in policies, rules, procedures and regulations that various organizations have used to keep control over how plans are executed and objectives met.

Later, after major fraud scandals and the resulting need to improve corporate governance processes, large corporations began discussing and setting up risk management departments to help implement procedures for risk identification, assessment and control.

Following the emergence of these needs, the Treadway Commission, promoter of the COSO model, initiated a program to develop a general methodology that organizations' management can use to improve risk management.

Risk management within organizations was built on the concept of internal control, but with the focus placed on managing risk. It was not intended to replace internal control but to incorporate the basic concepts of internal control into the risk management process.

Thus a strong connection was preserved between risk management and internal control, with shared concepts and elements.

3.1.1. Risk management and internal control

The main objectives of the internal control/management system are to ensure the efficiency and effectiveness of activities, the reliability of reporting and compliance with the regulations applicable in the field. The internal control/management system is developed and monitored by the organization's management, which is responsible for designing adequate internal control devices that limit significant risks and keep them within acceptable limits, so as to give assurance that the organization's objectives will be met.

The risk management system was structured on the components of internal control/management as laid out in the COSO model, namely five elements whose implementation ensures that the internal control tools/devices exist and function as intended.

These components were defined as:

  • the control environment specific to the organization sets the foundations of the internal control system, influences the control awareness of employees and forms the basis for the other components;

  • risk assessment is carried out by management at both corporate and activity level and includes identifying and analyzing the risks that affect the achievement of objectives. In general, risk assessment involves determining the importance of the risk, assessing the probability that it will occur and deciding how to manage it;

  • control activities are the policies and procedures that ensure management's directives are followed. Through them it is ensured that all measures necessary to manage risks and achieve the objectives set by management are taken;

  • information and communication supports the other components by properly communicating to employees their responsibilities with regard to internal control and by providing relevant, reliable, comparable and understandable information so that they can perform their duties and tasks;

  • monitoring means verification by management that the internal controls it required have been implemented, or by those responsible that the internal controls imposed are working and are sufficient for activities or actions to take place as planned.

3.1.2. Objective of risk management system

COSO defines integrated risk management as “the process conducted by the Board, management and others, applied in setting strategy and across the organization, designed to identify potential events that may affect the entity and to manage risk within the risk appetite to provide a reasonable assurance regarding the achievement of organizational objectives”7.

Several essential elements characteristic of integrated risk management follow from this definition:

  • the process is conducted permanently throughout the organization and is embedded in its other activities;

  • its purpose is to manage the risks associated with objectives and to secure the expected results from their implementation;

  • the whole staff is involved in the process, regardless of hierarchical level;

  • the approach starts from strategic goals rather than from operational objectives;

  • the process is applied to the entire organization, not to individual functional structures.

The general objective of integrated risk management is to manage uncertainties, risks and opportunities effectively. The need for risk management stems from the fact that uncertainty is a reality and responding to it is a constant concern.

Risk management involves establishing actions to respond to risk and implementing adequate internal control devices that limit the likelihood of the risk occurring, or its consequences if it materializes. To be effective in achieving objectives, the process must be coherent and convergent, integrated with the objectives, activities and operations carried out within the organization.

Also, staff at every hierarchical level should be aware of the importance risk management has in achieving their own objectives, and should develop the skills needed to perform monitoring and control based on principles of efficiency and effectiveness.

To ensure the success of this approach and achieve effective risk management, the organization needs to create a risk culture, that is, to develop a risk management philosophy specific to the organization and its management, and to build awareness of the negative effects of risk at all levels of the organization.

From the above it follows that the need for internal control/management is determined by the existence of threats, or of opportunities, in carrying out planned activities or actions, with negative consequences for the organization. This requires establishing and implementing internal control devices to prevent or limit the risks.

Also, the need for risk management stems from the fact that risk is everywhere, in everything we want to achieve. It cannot be removed; any action to eliminate a risk can give rise to new, uncontrolled risks that may affect the organization to a much greater extent. Under these conditions, risk needs to be minimized, which can be achieved by establishing and implementing adequate internal controls.

3.2. The role of integrated risk management system

The risk management process is considered to be a set of activities and actions carried out in a certain manner and order to prevent or reduce the exposure to risk resulting from one or more operations.

In practice, the most commonly applied concept of risk management is that risks should be managed separately within independently organized departments of the organization's functional structure. This method provides simplicity and efficiency in making risk management decisions, but it leads to multiple actions and records for the same risk exposure and does not address correlations between different exposures.

There are other practices too, which hold that each employee must be responsible for risk management, having the competence to identify risks and implement appropriate internal controls to reduce the probability of their occurrence. This way of managing risk does not deliver results and does not guarantee that activities are carried out as planned, because it does not ensure consistent treatment of exposures on the same activities, and the process depends on how well employees know and understand the risk management system implemented within the organization.

These traditional risk management processes are usually fragmented, meaning they are implemented at the operation or transaction level and aimed at preventing losses. Managing risks in this way “does not consider the fact that risks are a source of competitive advantage”.

Recent research on risk management models and strategies focuses on the competitive advantages of risks when they are approached as a whole, at system level. In this case the system is considered to be composed of all the processes and activities necessary to achieve the objectives.

This approach requires that all relevant functions within the organization [personnel, finance and accounting, manufacturing, commercial, procurement, IT, legal, internal control, internal audit, strategic development, marketing etc.] participate in the risk management process.

Implementing integrated risk management requires the organization to be viewed as a system, both as a link in the industry in which it operates and as part of it, acting in accordance with certain principles. Its features are: complexity, limited resources, the factors that influence its activity, the nature of events, and the possibilities for development.

In this view, risks should be managed in an integrated way, eliminating multiple records for the same risk exposure and analyzing correlations between different exposures. This approach to risk management is complex; it requires a large volume of information for decision making and higher administration costs. At the same time, a wrong decision can have a high impact on the business, or even on the organization as a whole.

The integrated risk management system based on this concept must be interdependent with the organization's development needs and must include the processes for developing and establishing the elements of risk assessment, monitoring and management. At the same time, integrated risk management must be approached in correlation with all types of risk management for each functional structure of the organization.

The integrated risk management system operates with broad categories of risk [personnel risk, financial risk, legal risk etc.], with different risks attached to various activities, risks associated with different operations or transactions, and also with external risks that may affect the development of the organization as a whole [risks related to legislative changes] or the performance of one or more activities carried out within the organization.

Under these conditions, implementing the concept of integrated risk management within the organization is more than necessary, because the risk management process should address all types of risk that exist and affect all functional structures of the organization.

Approaching exposures in this unitary manner, as a coherent system of exposures to various risks together with the connections and mutual conditioning between them, will enable effective management of the risks that may affect achievement of the objectives and will contribute to improving activities and increasing performance within the organization.

The integrated risk management system can identify all the risks that affect the implementation of processes and activities attached to an organizational goal; it can assess the overall consequences and adopt measures depending on the level of uncertainty and on the inherent risk that affects achievement of the objectives set.

Integrated risk management also supports well-founded decision making at the lower hierarchical levels of the organization as well as at the top level, and ensures the coordination of activities in order to solve current problems between functional structures. It also helps to increase efficiency within the organization through other administrative or managerial means, such as better allocation of resources.

Implementing integrated risk management within the organization will provide shareholders and potential investors with more concrete and reliable information on the risks to which it is exposed, allowing them to take their decisions under better conditions.

As the organization's activities develop, old risk management systems become inadequate and risk exposures, especially the risk of fraud and error, increase significantly. Implementing the integrated risk management system involves designing evaluation criteria capable of measuring all risks related to activities, considering the relationships and connections between them, and thus determining at any time the exposure to any risk factor of the organization or of its functional structures.

This risk management process, characterized by the development of an integrated risk management methodology, includes the following steps: establishing the organizational and risk management context; identifying, analyzing and assessing risk; risk treatment; risk control; communication; and monitoring the risk management plan.

The process should not be linear: managing one risk may have an impact on other risks, and measures identified as effective in limiting a risk and keeping it within acceptable limits may prove beneficial in controlling other risks.

3.3. Integrated risk management system functions

The effectiveness of an integrated risk management system, compared with traditional risk management, stems from the fact that it brings all activities related to risk and risk management together in a single system. This system is operated and controlled from a single management level, thus eliminating the duplication and the disruptions of communication and action that can occur in a classical system.

The functions that the integrated risk management system performs within the organization's management system can be classified as follows:

  1. defining goals and setting the organization's objectives on risk. Setting goals is a defining requirement for identifying and assessing risk and planning the risk response. The organization must define its objectives properly, so that they are understood and carried out by the people to whom they are assigned.

The basic role of integrated risk management is to provide the management and the organization's board with reasonable assurance regarding the achievement of objectives. In this respect, COSO8 states that, in order to identify the associated risks, the organization's objectives should be established in advance and grouped into four categories as follows:

  • strategic objectives, which define the mission and long-term development directions;

  • operational objectives, which refer to the effective and efficient use of available resources;

  • reporting objectives, which refer to the reliability of reporting;

  • compliance objectives, which refer to compliance with the regulations, standards and rules applicable to the organization.

In defining the objectives, the key is first to define the strategic objectives and then to derive from them the other types of goals: operational, reporting and compliance.

Also, for each goal a risk tolerance must be established: the accepted materiality for the degree of achievement of the indicators attached to the objective, in order for the objective to be considered achieved.

  2. determining courses of action to manage risk. To achieve risk management within the organization, the lines of action of integrated risk management are:

  • defining the organization's strategy on risk;

  • setting the activities to be carried out if the risk occurs;

  • evaluating results and measuring performance;

  • monitoring risk at corporate level;

  • reviewing the corporate strategy on risk.

The strategy on risk must be coherent, must set out how losses caused by an adverse event are to be recovered, and must integrate the risk response measures.

The activities to be carried out if a risk materializes concern settling the measures to address the consequences of the risk, recovering losses, and identifying and implementing appropriate control devices to eliminate the causes that led to the risk occurring.

Applying vigorously the decisions taken to ensure the effective functioning of integrated risk management will ensure continued operations and the achievement of the expected results.

Monitoring risk at corporate level refers to observing the functioning of the integrated risk management system and identifying and reporting existing weaknesses so that the necessary remedial measures can be adopted.

The strategy on risk must be updated whenever the organization changes its development strategy or strategic objectives, and also when management's risk policy changes.

Periodic review of risks also involves redistributing and concentrating resources in the areas of interest.

  3. determining the relations between the integrated risk management system and the other subsystems of the organization. The organization's management must permanently ensure the interdependence between the objectives of the organization, its functional departments and risk management.

The risk management process aims to identify and assess the risks that can affect achievement of the objectives and to establish risk response measures. It should “become part of the organization's functioning as the basis of management approaches”9.

Since objectives concern all levels of the organization (strategic, general and operational) and are defined at the level of the strategy, of functional departments and even of the individual post, risk management must be aware of all the relationships that occur or develop between them or within them.

Incomplete determination of the relationship between the risk management system and the other subsystems of the organization will lead to inadequate identification and management of the risks associated with the objectives, with major negative consequences for the organization.

  4. setting activities and responsibilities on risk. This seeks to identify all the activities in progress within the integrated risk management process and to establish responsibilities for implementing each activity. Since the process involves all functions and functional departments of the organization, the activities and responsibilities on risk, defined and agreed at their level, must be communicated to the employees involved in carrying out the activities.

  5. defining performance indicators. For each strategic, operational, reporting or compliance objective defined at corporate level, performance indicators must be established to measure the degree to which the goals are achieved. Setting targets for each indicator will also allow the performance resulting from the risk measures imposed within each goal to be established.

  6. allocating the resources necessary to carry out the activities and training the staff involved. For each planned activity, the resources necessary for its achievement must be identified: financial, human, material and information resources. The resources needed to accomplish the activities must be available and approved in budgets.

  7. communication and consultation on the results, and evaluation of risk-related performance against the planned objectives. Communication involves the timely and clear transmission of the necessary information about risk, as follows:

  • those responsible for risk management communicate information about the content of the process and about management decisions relating to any measure on risk;

  • those responsible for risk within functional structures communicate information on the risks associated with the established objectives and on how those risks are managed;

  • the entire staff reports information on identified risks whose management needs to be carried out.

Consultation on the results aims to provide information on the risk exposure after its evaluation and after control measures have been implemented. Its role is to establish the effectiveness of the control measures applied.

Performance evaluation of risk aims to determine the performance obtained from the risk response compared with the costs involved in implementing the control measures taken to reduce the risk and maintain its level within the risk appetite.

  8. monitoring effects and reviewing the formulated strategy. This involves evaluating the efficiency and effectiveness of the risk management process within the organization and, according to the results obtained, carrying out the appropriate review of the risk strategy, in order to minimize adverse events and properly integrate the risk response measures.

In our opinion, the implementation and operation of an integrated risk management system is necessary; it can be achieved through ongoing monitoring of risk and the integration of risk response measures, based on risk strategies which ensure the achievement of objectives and deliver the expected results in case of an event causing loss.

The firm implementation of the decisions taken, as an effect of the effective operation of the integrated risk management system, provides the premises for further activities and for achieving performance across the organization.

Knowing the threats that affect achievement of the goals will allow them to be classified according to their likelihood of materializing, the extent of their impact on the objectives and the costs of the measures necessary to minimize their effects. Establishing a hierarchy of threats will lead to an order of priorities in resource allocation.

What is periodic review in risk management?

A periodic review is a standard risk management process to make sure we, as your merchant account provider, have an accurate assessment of your current and future processing needs. At your initial onboarding, we ask you to fully explain your business model, billing practices, and expected volumes.

Why should risk management policies and procedures be periodically reviewed?

Why do you need a policy review process? Outdated policies can leave your organization at risk. Old policies may fail to comply with new laws and regulations. They may not address new systems or technology, which can result in inconsistent practices.

Why is evaluation an important part of a risk management system?

Critical evaluation of a risk management plan at every stage is very necessary, especially at an early stage. It will allow companies to discover the flaws before it goes into action. Once you're through the process, you can address the issues and then introduce it.

Why is it important to review a risk management framework?

An independent review of the risk management framework can also be useful. This provides the risk function or designated risk role with a fresh perspective, including challenging current norms and practices.
