
Risk Management: Questions and Answers 

What is risk management, and how is it implemented? What is its mission, who manages it, and how?

In today’s competitive environment, institutions must evaluate their risks by recognizing their own strengths and weaknesses. They should determine the magnitude of risk they are able to take and take precautions against the remaining risks. Companies must improve their risk management, internal control, and internal audit capacities. The article below answers questions about risk management, one of the most critical management tools companies have for keeping their activities sustainable and achieving their goals.


Risk

These are situations or events that may prevent the company from achieving its founding purposes and strategic goals and the performance of its duties or may cause unexpected damages.

Risk assessment

It is the whole work that includes the development of appropriate control measures to predict, identify, reveal, and eliminate situations or events that may prevent the company from achieving its founding purposes and strategic goals and the performance of its duties or may cause unexpected damages.

Risk Factor

It refers to the measurable or observable characteristics of a process that indicate the presence of risk or exposure to risk. In other words, they are the criteria used to determine the risk level.

Risk Appetite

It is the level of risk that a Company is ready to accept before deciding whether to take any precautions, at any time, in line with its mission, vision, and strategic goals it is trying to achieve.

Risk Control Matrix

It is a standard and essential working paper, with a prescribed form and content, used in audit tasks. The Risk Control Matrix (RKM) rates the sub-activities/processes within the scope of the audit area according to their risk levels. It includes the sub-activity or process, its inherent (natural) risks, the existing controls against them, the tests to be applied, and the resulting risk levels.

Risk Register

It is a central register where the significant risks of a Company are recorded. Risks are defined here by classifying them according to their impact, probability, area, and type. The register may also record who is responsible for managing each risk, its potential risk factors, and its indicators.

Risk Prioritization

It refers to comparing risks and ranking them according to their importance in terms of achieving the Company’s goals and objectives. Prioritized risks refer to the risks that require the most attention from the administration’s perspective and where priority efforts must be made to eliminate or reduce their effects.

Risk Classification

The categorization of risks is part of the risk assessment process. Risks are typically classified as high, medium, or low.

Structural Risk

It is the risk arising from the existing structure of the Company or the nature of the activity carried out when existing controls and measures are excluded.

Risk management

It is the management process that identifies and evaluates risks and ensures the implementation, review, and reporting of the controls needed to keep their impact at an acceptable level.

Risk Based Audit

It is an audit approach that envisages identifying risk factors related to the company’s areas of activity, measuring risk levels, evaluating the effectiveness and adequacy of the controls applied for these risks, and giving audit priority to high-risk areas.

Macro Risk Assessment/Analysis

It is the evaluation, by internal audit units (IDBs), of each activity/process/project in every audit area of the audit universe, in order to determine audit priorities in line with risk factors, taking into account the goals and objectives in the institutions’ strategic plans and the opinions of senior managers and executives.

Micro Risk Assessment/Analysis

It is the risk analysis model used by internal auditors during audit tasks.

COSO Frameworks

COSO (the Committee of Sponsoring Organizations of the Treadway Commission) initially published two frameworks:

The first, the Internal Control – Integrated Framework, was published in 1992 and revised in 2013.

The second, the Enterprise Risk Management – Integrated Framework, was published in 2004. It was republished in 2017 as Enterprise Risk Management – Integrating with Strategy and Performance.

COSO ERM 2017 Components and Principles

The five interrelated components and their 20 principles included in the renewed COSO Enterprise Risk Management Framework are briefly expressed below.

Component 1: GOVERNANCE and CULTURE

Principle 1: Exercises Board Risk Oversight

Principle 2: Establishes Operating Structures

Principle 3: Defines Desired Culture

Principle 4: Demonstrates Commitment to Core Values

Principle 5: Attracts, Develops, and Retains Capable Individuals

Component 2: STRATEGY and OBJECTIVE-SETTING

Principle 6: Analyzes Business Context

Principle 7: Defines Risk Appetite

Principle 8: Evaluates Alternative Strategies

Principle 9: Formulates Business Objectives

Component 3: PERFORMANCE

Principle 10: Identifies Risk

Principle 11: Assesses Severity of Risk

Principle 12: Prioritizes Risks

Principle 13: Implements Risk Responses

Principle 14: Develops Portfolio View

Component 4: REVIEW AND REVISION

Principle 15: Assesses Substantial Change

Principle 16: Reviews Risk and Performance

Principle 17: Pursues Improvement in Enterprise Risk Management

Component 5: INFORMATION, COMMUNICATION and REPORTING

Principle 18: Leverages Information and Technology

Principle 19: Communicates Risk Information

Principle 20: Reports on Risk, Culture, and Performance

Sarbanes-Oxley Act

The Public Company Accounting Reform and Investor Protection Act, better known as the Sarbanes-Oxley Act, was signed into law in July 2002. It is seen as an effort to improve companies’ controls over their financial reporting while also supporting effective corporate governance, and it covers all 30 publicly traded companies listed on stock exchanges in the United States. Under Sections 302 and 404 of the Act, companies are obliged to identify the risks in their financial reporting and to document and evaluate the controls that address the identified risks. Company managers are held directly responsible for the effectiveness of those controls.

Resources

  • IPPF (International Professional Practices Framework) – Standards, Practice Advisories, Practice Guides
  • Public Internal Audit Guide (Public Internal Audit Coordination Board Ankara September 2013)
  • İSMMMO-Practical Information for Internal Audit in SMEs 2013
  • Teolupus Internal Audit Guide Studies
