### **3.1. COSO and integrated risk management**

Referring to risk management, COSO presented an initial framework methodology for implementing internal controls: built-in policies, rules, procedures and regulations that have been used by various organizations to secure control over how the plan is carried out and the objectives are met.

Later, after the appearance of great fraud scandals and the need to improve corporate governance processes, large corporations discussed and set up risk management departments to help implement procedures for the identification, assessment and control of risk.

Following the emergence of these needs, the Treadway Commission, the promoter of the COSO model, initiated a program to develop a general methodology that can be used by organizations' management to improve risk management.

Risk management within organizations was built on the concept of internal control, but with the focus placed particularly on risk management. It was not intended to replace internal control, but to incorporate the basic concepts of internal control into this process.

Thus, a strong connection was preserved between risk management and internal control, interrelated through common concepts and elements.

#### *3.1.1. Risk management and internal control*

*The main objectives of the internal control/management system are to ensure the efficiency and effectiveness of activities, the reliability of reporting and compliance with the regulations in the field.* The internal control/management system is developed and monitored in order to be implemented by the organization's management, which is responsible for designing adequate internal control devices in order to ensure the limitation of significant risks and their keeping within acceptable limits, aiming to give assurance that the organization's objectives will be met.

The risk management system was structured on the components of internal control/management, structured according to the COSO model, namely on five elements, whose implementation ensures that the tools/internal control devices exist and function as intended.

Integrated Risk Management System – Key Factor of the Management System of the Organization 261

260 Risk Management – Current Issues and Challenges

These components were defined as:

- … the basis for other components;
- … perform their duties and tasks;
- … circumscribed to other activities;
- … through their implementation;
- … planned.
- … risks and achieve the objectives set by management;

#### *3.1.2. Objective of risk management system*

COSO defines integrated risk management as *"the process conducted by the Board, management and others, applied in setting strategy and across the organization, designed to identify potential events that may affect the entity and to manage risk within the risk appetite to provide a reasonable assurance regarding the achievement of organizational objectives"*7.

From the content of this definition some essential elements characteristic of integrated risk management follow, namely:

*The general objective of integrated risk management is to effectively manage uncertainties, risks and opportunities.* The need for risk management stems from the fact that uncertainty is a reality and the reaction to uncertainty is a constant concern.

Risk management involves establishing actions to respond to risk and implementing adequate internal control devices that limit the probability of occurrence of a risk, or its consequences if it materializes. In order to be efficient in achieving objectives, the process must be coherent and convergent, integrated with the objectives, activities and operations carried out within the organization.

Also, regardless of their hierarchical level, staff should be aware of the importance that risk management has in achieving their own objectives, and thus develop the skills needed to perform monitoring and control based on the principles of efficiency and effectiveness.

In order to ensure the success of this approach and to achieve effective risk management, the organization needs to create a risk culture, namely to develop a risk management philosophy specific to the organization and its management, and awareness of the negative effects of risk at all levels of the organization.

From the above it follows that the need for internal control/management is determined by the existence of threats or opportunities in carrying out planned activities, or of actions with negative consequences for the organization. This requires the establishment and implementation of certain internal control devices in order to prevent or limit the risks.

Also, the need for risk management stems from the fact that risk is everywhere, in everything we want to achieve. It cannot be removed; any action to eliminate a risk can lead to the emergence of new, uncontrolled risks, which may affect the organization to a much greater extent. Under these conditions, risk needs to be minimized, a process that can be achieved by establishing and implementing adequate internal controls.

The risk management process is considered to be a set of activities and actions carried out in a certain manner and order to prevent or reduce the exposure to risk resulting from one or several operations.

In practice, the most commonly applied concept of risk management is that risks should be managed separately, within departments organized independently in the organization's functional structure. This method provides simplicity and efficiency in making decisions on risk management, but leads to multiple actions and multiple records for the same risk exposure and does not address correlations between different exposures.

There are other practices too, which consider that each employee must be responsible for risk management, having the competence to identify risks and implement appropriate internal controls to mitigate the probability of their manifestation. This way of managing risks does not lead to results and does not guarantee that activities are conducted as planned, because it does not ensure consistent requirements for the exposures on the same activities, and the process is influenced by the employees' knowledge and understanding of the risk management system implemented within the organization.

These traditional risk management processes are usually fragmented, meaning that they are implemented at the operation or transaction level and aimed at preventing losses.

### **3.2. The role of integrated risk management system**

Managing risks in these cases *"does not consider the fact that risks are a source of competitive advantage"*.


Recent research on models and risk management strategies focuses on the competitive advantages of risks if they are approached as a whole or at system level. In this case the system is considered to be composed of all the processes and activities necessary to achieve the objectives.

This approach requires all relevant functions within the organization (personnel, finance and accounting, manufacturing, commercial, procurement, IT, legal, internal control, internal audit, strategic development, marketing etc.) to participate in the risk management process.

Implementing integrated risk management requires that the organization be viewed as a system, both as a link in the industry in which it operates and as part of it, acting in accordance with certain principles, its features being: complexity, limited resources, the factors that influence its activity, the nature of events and the possibilities for development.

In this view, it is considered that the risks should be managed in an integrated way, to eliminate multiple records of the same risk exposure and to analyze the correlations between different exposures. This risk management approach is complex; it requires a large volume of information for decision making and higher administration costs. At the same time, a wrong decision can have a high impact on the business, or even on the organization.

The integrated risk management system, based on this concept, must be interdependent with the organization's development needs and include the processes of developing and establishing the elements concerning assessment, monitoring and risk management. At the same time, integrated risk management must also be approached in correlation with all types of risk management for each functional structure of the organization.

The integrated risk management system operates with broad categories of risk (personnel risk, financial risk, legal risk etc.), with different risks attached to various activities, with risks associated with different operations or transactions, and also with external risks that may affect the development of the overall organization (risks related to legislative changes) or the carrying out of one or more activities within the organization.

Under these conditions, implementing the concept of integrated risk management within the organization is more than necessary, because the risk management process should address all types of risk that are found in and affect all functional structures of the organization.

Approaching the exposures in this unitary manner, that is, as a proper and coherent system of exposures to various risks, with the connections and mutual conditioning between them, will enable the effective management of risks that may affect achieving the objectives and will contribute to improving activities and increasing performance within the organization.

The integrated risk management system can identify all risks that affect the implementation of the processes and activities attached to an organizational goal; it can assess the overall consequences and adopt measures depending on the level of uncertainty and the existing inherent risk that affects achieving the objectives set.

Also, integrated risk management allows substantiating and making decisions at the lower hierarchical levels of the organization as well as at the top level, and ensures the co-ordination of activities in order to solve current problems between certain functional structures. It also helps to increase efficiency within the organization through other administrative or managerial means, such as a better allocation of resources.

The implementation of integrated risk management within the organization will provide shareholders and potential investors with more concrete and reliable information on the risks to which it is exposed, which will allow them to base their decisions on better conditions.

As the organization's activities develop, the old risk management systems become inadequate and the risk exposures, especially the risk of fraud and error, increase significantly. Implementing the integrated risk management system involves designing evaluation criteria capable of measuring the risks related to all activities, by considering the relationships and connections between them, and thus determining the exposure to any risk factor of the organization or of its functional structures at any time.

This risk management process, characterized by the development of an integrated risk management methodology, shall include the following steps: establishing the organizational and risk management context, identifying, analyzing and assessing risk, risk treatment, risk control, communication, and monitoring the risk management plan.

The process should not be linear: the management of one risk may impact other risks, and measures identified as effective in limiting a risk and keeping it within acceptable limits may prove beneficial in controlling other risks.

### **3.3. Integrated risk management system functions**


The effectiveness of implementing an integrated risk management system, compared with traditional risk management, is determined by the fact that it reflects the integration of all activities related to risk and risk management in a single system. This system is operated and controlled from a single management level, thus eliminating the duplication and disruption of communication and action that can occur within a classical system.

The functions that the integrated risk management system fulfils within the organization's management system can be classified as follows:

a. *defining goals and setting objectives of the organization on risk.* Setting goals is a defining requirement for the identification and assessment of risks and for risk response planning. The organization must define its objectives properly, so that they are understood and carried out by the people to whom they were assigned.

The basic role of integrated risk management is to provide the management and the organization's board with a reasonable assurance regarding the achievement of objectives. In this respect, COSO8 states that in order to identify the associated risks the organization's objectives should be established in advance, grouped into the following four categories:

- … regulations applicable to the organization.

In order to define the objectives, the key is, first, to define the strategic objectives and then, from these, to derive the other types of goals: operational, reporting and compliance.

Also, for each goal it is necessary to establish the risk tolerance, that is, the accepted materiality concerning the degree of achievement of the indicators attached to the objectives, in order for them to be considered achieved.

b. *determining courses of action to manage risk.* To achieve risk management within the organization, the lines of action of integrated risk management are:

The strategy on risk must be coherent, contain how to recover the losses caused by an adverse event, and integrate the risk response measures.

The activities to be carried out if the risk materializes deal with establishing measures to address the consequences of the risk, recovering losses, and identifying and implementing appropriate control devices to eliminate the causes that led to the risk occurrence.

Applying vigorously the decisions taken in order to ensure the effective functioning of integrated risk management will ensure continued operations and obtaining the expected results.

Monitoring risk at corporate level refers to observing the functioning of the integrated risk management system, identifying and reporting existing weaknesses, and adopting the necessary remedial measures.

Updating the strategy on risk is necessary whenever the organization changes its development strategy or strategic objectives, and also when management's risk policy changes.

Also, the periodic review of risks involves the redistribution and concentration of resources in areas of interest.

c. *determining relations between the integrated risk management system and other subsystems of the organization.* The organization's management must permanently ensure the interdependence between the objectives of the organization, its functional departments and risk management.

The risk management process aims to identify and assess the risks that can affect the achievement of the objectives and to establish risk response measures. It should *"become part of the organization's functioning as the base of management approaches"*9.

Considering that the objectives concern all levels of the organization (strategic, general and operational), being defined at strategy level, at functional department level and even at the individual level, in a position, risk management is required to be aware of all the relationships that occur or develop between them or within them.

The incomplete determination of the relationship between the risk management system and the other subsystems of the organization will lead to an inadequate identification and management of the risks associated with the objectives, with major negative consequences for the organization.

d. *setting activities and responsibilities on risk.* This seeks to identify all activities in progress within the integrated risk management process and to establish responsibilities for implementing each activity. Since the process involves all functions and functional departments of the organization, the activities and responsibilities on risks, defined and agreed at their level, must be communicated to the employees involved in carrying out the activities.

e. *defining performance indicators.* For each strategic, operational, reporting or compliance objective defined at corporate level, performance indicators must be established by which to measure the degree of achievement of the goals. Also, setting targets for each indicator will allow establishing the performance resulting from the risk measures imposed within each goal.

f. *allocating the resources necessary to carry out activities and training the staff involved.* For each activity planned to be conducted, the resources necessary for its achievement must be identified, namely financial, human, material and information resources. The resources necessary to accomplish the activities must be available and approved in budgets.

g. *communication and consultation on the results, performance evaluation related to risk compared to the objectives planned.* Communication involves the timely and clear transmission of the necessary information about risk, as follows:

- … content and also on management decisions relating to any measure on risk;
- … associated to objectives established, and on how risks are managed.
- … be achieved.

The consultation on the results aims to provide information on the risk exposures after their evaluation and the implementation of control measures. Its role is to establish the effectiveness of the control measures applied.

Performance evaluation of risk aims to determine the performance obtained due to the risk response compared to the costs involved in implementing the control measures taken to reduce the risk and maintain its level within the risk appetite.

h. *monitoring effects and reviewing the formulated strategy.* This involves evaluating the efficiency and effectiveness of the risk management process within the organization and, according to the results obtained, carrying out the appropriate review of the risk strategy, in order to ensure the minimization of adverse events and the appropriate integration of the measures to respond to risk.

The decisive part in the functioning of an integrated risk management system is the planning in order to ensure business continuity, because it contains measures of recovery for the activities under a risk event.

The approach, implementation and functioning of an integrated risk management system in the organization is achieved depending on the processes undertaken, the organization's situation and the leadership style. However, to ensure the efficiency of the process, the following need to be taken into account primarily:

- … then the operational, reporting and of compliance;
- … impact, probability;
- … objectives and efficient use of resources;
- … management in making decisions.

The role of the integrated risk management system is to ensure the implementation of the risk management function within the organization's management system. Its functions are activated when the organization's management system signals the existence of a threat to achieving its objectives and delivering the expected results from its activities.

**Figure 1.** The management system of an organization (diagram labels: Management system, Planning system, Production system, Evaluation system, Threats, Integrated Risk Management System)

In our opinion, the implementation and operation of an integrated risk management system is necessary; it can be achieved through the ongoing monitoring of risk and the integration of risk response measures, based on risk strategies which ensure the achievement of the objectives and the delivery of the expected results in case of an event causing loss.

The firm implementation of the decisions taken, as an effect of the effective operation of the integrated risk management system, creates the premises for further activities and for obtaining performance across the organization.

Knowing threats that affect the achievement of the goals will allow their classification according to the level of materialization, the extent of impact on the objectives and costs involved for the measures necessary in order to minimize risk effects. Establishing a hierarchy of threats will lead to establish an order of priorities in resource allocation.
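The ranking and tolerance checks described in this section (classifying threats by probability, impact and the cost of the measures, setting a risk tolerance per objective as in function a., and comparing the performance of the risk response with the cost of the controls as in function g.) can be made concrete in a small risk register. The following Python is an added example, not code from the chapter or from COSO; the 1-5 scoring scale, the per-objective appetite values, the control costs and the threats themselves are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Qualitative 1..5 scales for probability and impact; an assumption of this
# example, not a scale the chapter prescribes.
SCALE_MIN, SCALE_MAX = 1, 5

# Risk appetite per objective category: the maximum residual exposure
# (probability x impact) that is tolerated. Constructed values.
RISK_APPETITE: Dict[str, int] = {"operational": 8, "reporting": 6, "compliance": 4}


@dataclass
class Control:
    """A risk response: what it costs and what exposure remains after it."""
    name: str
    cost: float                # implementation cost in constructed units
    residual_probability: int  # probability once the control operates
    residual_impact: int       # impact once the control operates


@dataclass
class Threat:
    """One entry of the risk register, tied to the objective it endangers."""
    name: str
    objective: str    # key into RISK_APPETITE
    probability: int  # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (critical)
    control: Optional[Control] = None

    def __post_init__(self) -> None:
        # Reject scores outside the scale so a typo cannot silently reorder the hierarchy.
        for score in (self.probability, self.impact):
            if not SCALE_MIN <= score <= SCALE_MAX:
                raise ValueError(f"{self.name}: score {score} outside {SCALE_MIN}..{SCALE_MAX}")

    def inherent_exposure(self) -> int:
        """Exposure before any control: probability x impact."""
        return self.probability * self.impact

    def residual_exposure(self) -> int:
        """Exposure after the planned control, or the inherent exposure if none is planned."""
        if self.control is None:
            return self.inherent_exposure()
        return self.control.residual_probability * self.control.residual_impact

    def response_performance(self) -> Optional[float]:
        """Exposure reduction obtained per unit of control cost (None if no control)."""
        if self.control is None or self.control.cost <= 0:
            return None
        return (self.inherent_exposure() - self.residual_exposure()) / self.control.cost


def prioritize(threats: List[Threat]) -> List[Threat]:
    """Hierarchy of threats: highest inherent exposure first, ties broken by impact."""
    return sorted(threats, key=lambda t: (t.inherent_exposure(), t.impact), reverse=True)


def outside_appetite(threats: List[Threat], appetite: Dict[str, int]) -> List[str]:
    """Threats whose residual exposure still exceeds the tolerance set for their objective."""
    return [t.name for t in threats if t.residual_exposure() > appetite[t.objective]]


def build_register() -> List[Threat]:
    """Constructed sample register; the threats, scores and costs are illustrative only."""
    return [
        Threat("Unpatched internet-facing server", "operational", 4, 5,
               Control("patching SLA", cost=10, residual_probability=2, residual_impact=5)),
        Threat("Payroll data entry error", "reporting", 3, 2,
               Control("four-eyes review", cost=4, residual_probability=1, residual_impact=2)),
        Threat("Privileged account without MFA", "compliance", 3, 4,
               Control("enforce MFA", cost=6, residual_probability=1, residual_impact=4)),
        Threat("Vendor contract lapse", "operational", 2, 3),  # no control planned yet
    ]


if __name__ == "__main__":
    register = build_register()
    for t in prioritize(register):
        perf = t.response_performance()
        print(f"{t.name:35} inherent={t.inherent_exposure():2d} residual={t.residual_exposure():2d} "
              f"performance={'n/a' if perf is None else f'{perf:.2f}'}")
    print("still outside appetite:", outside_appetite(register, RISK_APPETITE))
```

The hierarchy is built on inherent exposure, so resource allocation follows the threats that matter most before any control is credited; the appetite check is then run on residual exposure, which is what surfaces a control that is planned but insufficient (the patching SLA above leaves the server at 10 against an operational tolerance of 8). The performance figure is the reduction in exposure bought per unit of cost, the comparison function g. asks for.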
