
RiBIA

Corporate Risks

As we have seen, in order to perform Internal Audit and Risk Management work
efficiently, organizations tend to address risk and audit issues by entity; these entities can
be functions, products or processes, or a combination of all three. There are, however,
risks inherent within an organization that do not fall neatly into any of these entities; by
their nature these risks span many, if not all, entities. For example, consider the following
risk:

A strategy either does not exist, or it has not been communicated to the relevant
staff. Even if a strategy is in place, it is possible that adverse variances are not
reported to the Board and therefore remedial action cannot be taken.

Finally, since strategies are medium-term documents, there is the possibility that
what was a sound strategy when it was developed becomes less relevant as time
passes; if the strategy is not updated it becomes a less useful document.

Whereabouts in the organization would this risk sit? It is just possible that the
organization has a Strategy Department and so may accommodate it there, but in the
absence of this there is nowhere to comfortably place the risk. Yet it is a major problem
for the organization should the risk occur, and so it needs to be included in the overall risk
and audit portfolio. This risk, and others of a similar nature, are referred to as Corporate
Risks; they are the concern and the responsibility of the Main Board. Corporate Risks
are those that are both very significant to the organization and do not fit into a specific
entity. They are usually few in number (perhaps fewer than 20) but major in impact if they occur.
The following is an example of a list of Corporate Risks taken from a major
organization's Risk Database:

Day 2
HO 3

You can see the wide-ranging scope of each risk, and how it would not sit comfortably under
the responsibility of one senior manager but requires several, if not all, senior executives
to manage it. This brings us to the next critical point: if no one entity can have a
Corporate Risk assigned to it, who is responsible for designing and enforcing the controls
that mitigate it?

The answer to this question is that, typically, the control responsibility is spread
amongst several business areas. Let us take a simple example, the risk of Significant
Corporate Fraud; if this happens it can cost the organization millions, but it could happen
in one of several areas:
Finance: fraudulent manipulation of the Financial Statements;
Purchasing: corrupt buying practices, collusion with suppliers;
Treasury: fraudulent dealing in order to achieve bonuses;
and so on.
In this example the risk would sit in one place on the Corporate Risk Profile, and the
responsibility for ensuring that it was suitably mitigated would lie with the Main Board;
but the Board is not going to actively design controls and then regularly monitor them. It
would expect the areas in which the fraud might occur to have suitable mitigating controls
in place and to be monitoring that these controls continue to be deployed properly. So we
can see that, in a number of entities within an organization, there will not only be
controls that the entity is relying upon to mitigate its own risks; there will also be
controls that it operates on behalf of the Main Board.

Now we need to address the point raised in the above paragraph about ensuring that the
controls in place to mitigate Corporate Risks continue to be correctly deployed. Testing
can be done by two areas:
1. the manager of the entity can periodically test that the controls continue to work;
this activity is typically referred to as Control Risk Self Assessment, or CRSA;
2. Internal Audit can test that the controls continue to work.
As we have seen earlier, Internal Audit do not have the manpower to test every area in
their portfolio every year, but in the case of the controls set up to mitigate Corporate
Risks they would be expected to make an exception to this rule and ensure that each
control was independently tested every year. In addition, the Board would also expect
some form of CRSA to be applied to the controls over Corporate Risks.

The foregoing means that, to adequately manage Corporate Risks, an organization must:
1. determine what such risks are;
2. determine whereabouts in the organization such risks could manifest themselves;
3. determine what controls the various areas of the organization that are susceptible
to such risks have in place to mitigate them, and whether such controls are
adequate;
4. arrange to have such controls regularly tested and evaluated.
Risk Management have an important role to play in points 1 to 3, whilst Internal Audit are
heavily involved in points 3 and 4.
