Risk Management – Current Issues and Challenges

Integrated Risk Management System – Key Factor of the Management System of the Organization

**5. The structure of integrated risk management**

**5.1. Integrated risk management process**

Achieving the objectives of integrated risk management within an organization presupposes carrying out, in a logical sequence, the following specific activities: setting the context, setting the objectives, risk identification, risk assessment, setting a risk response, implementation of control measures, information and communication, and monitoring.

Integrated risk management is structured on the component elements of the COSO model: the control environment is defined by the internal environment, and risk assessment consists of setting objectives, identifying events, assessing risks and responding to risk.

Risk response involves establishing and implementing the possible actions and selecting those appropriate to the risk appetite and to the costs required to implement the risk management measures, by considering the following:

- for risks that are accepted, monitoring must ensure that the exposure level does not change;
- for the other risks, the organization will proceed to treat, avoid or transfer them.

*5.1.1. The internal environment*

This is the theoretical and conceptual stage of the risk management process. It presupposes an organizational culture on risks and knowledge of the operating concepts of risk management, and asks whether these are implemented and known at all levels within the organization.

Indicators that the internal environment is NON-COMPLIANT:

- Internal control system not implemented.
- Internal control/management perceived as a separate activity, conducted in parallel with the activities of the entity.
- Uncooperative or indifferent attitude towards internal control/management.
- Regulatory framework of internal control/management is not known.
- Risk management does not provide identification of significant risks.
- Systematic reporting on the development of activities, but the information is not reliable.

*5.1.2. Objectives establishment*

Implementing an integrated risk management system involves identifying and assessing the risks that threaten the accomplishment of objectives.

This includes risks related to inputs and incoming activities, risks of the actual processes carried out within the organization, risks that prevent achieving the intended results, and risks concerning the impact of the realized activities on organizational development.

Identifying the events that may affect the achievement of the expected results is only possible if objectives are set in advance and, under each objective, the activities necessary to ensure its implementation have been defined, which in turn ensures the delivery of the expected results.

If we take the approach according to which performance is characterized as "achieving organizational objectives regardless of their nature and variety"12, we believe that objectives should be set so as to represent a challenge for management and employees.

Management by objectives has a beneficial effect on the organization: it facilitates the exercise of effective control over all activities, motivates employees to take part in the objectives, and creates a coherent organizational framework that stimulates collaboration between all structures within the institution.

Controlling the achievement of objectives is considered necessary for the management of the organization and requires each manager to have established controls for each activity and objective for which he is responsible. At the same time, the impact of the likely risks that may jeopardize the attainment of these objectives must be taken into account, so it is necessary to design and implement appropriate risk management systems.


*5.1.3. Identification of events*

To ensure that activities are achieved as planned, management must identify all events, internal and external, that positively or negatively affect the objectives. Depending on the probability of the event and the type of consequences it can produce in the organization, these events are divided into risks and opportunities.

*Risk identification*, depending on the time at which the process takes place, involves the following stages:

- … have not previously identified risks;
- … manifest13.
Effective risk management involves identifying risks at any level where there is a threat to the objectives, and taking specific measures to limit the problems caused by these risks. Risks can be identified and defined only in relation to the objectives that are affected by their materialization.

Risk identification can be achieved in two ways:

- by each employee, for the risks they face daily in relation to the goals set for the employees; or
- by a specialized department with responsibilities in risk identification.

Applying either of the two ways alone can have negative consequences for the entity. First, each employee has a particular culture and training, which leads to a different understanding of risk management, so that monitoring and identifying risks differ from employee to employee. Also, some employees may be more involved in current tasks and pay less attention to the management of their risks.

Second, establishing a specialized department with responsibilities in risk identification does not always ensure effective risk management. However well prepared the staff of this department may be, it is very difficult for them to know in detail how the activities are carried out and therefore to identify all threats that may affect the achievement of objectives.

Practical and effective risk identification combines the two forms presented. Thus, employees at all levels of the organization are responsible for identifying threats to the achievement of their objectives and reporting them to the specialized compartment, which is responsible for assessing each reported event and, if it finds that the reported event is a risk, for registering, evaluating and treating it.

In identifying and defining risks, the following rules14 should be considered:

- … an existing situation, which is an existing problem and not a risk;
- … them, and their analysis may lead to consumption of resources;
- … the cause is a circumstance which favors the appearance of risk;
- … with certainty as a starting point;
- … could lead to failure of objectives;
- … were taken, uncertainty remains.
Opportunities are identified by employees throughout the organization, wherever they may be; capitalizing on them is the responsibility of management, so that they are used to increase the efficiency and effectiveness of activities.

*5.1.4. Risk assessment*


This step involves assessing the likelihood of risks materializing and the impact of each risk if it occurred, and classifying the risk on three levels (high, medium or low) based on a risk analysis matrix.

Once the risk assessment is done, priorities are established so that high risks are the ones considered by management for treatment.

The purpose of risk assessment is to establish a hierarchy of risks within the organization and to establish the most appropriate ways of dealing with each risk.

The risk assessment process involves consideration of the following:

- *the probability of materialization of the risk* stems from the fact that, at some point in the progress of activities, conditions may arise that favor the emergence of the risk. Under these conditions, analysis of the causes that favored the emergence of the risk can lead to an appreciation of its chances of materializing;
- *the impact of the risk on the objectives* represents the consequence of the risk materializing, and how the risk affected the achievement of the objective;
- *risk exposure* represents the extent to which the risk can be accepted by the organization if it were to materialize;
- *determination of the specific outcome* involves assessing the risk again after the control has been deployed. The result may be a risk exposure exceeding the limits of acceptance, which means that the risk is inherent and the existing internal control mechanisms must be reviewed, or an exposure below the limits of acceptance, which means that the risk is residual.


Risk assessment is performed to identify the likelihood and impact of a risk and thus to determine how it can be managed.

Risk assessment must be an essential component and a constant concern of the organization's management, since people change, regulations change, and objectives are reviewed or new ones established. All of these contribute to the continuous change of the risk map, namely the emergence of new risks, the modification of existing risks and the level of risk that the organization accepts.

*5.1.5. Reaction to risk*

The information collected in the risk assessment is processed and measures to diminish risk exposure are identified. To limit exposure, the organization should identify opportunities to reduce the risk or the probability of the event or, if this is not possible, establish measures to eliminate the risk.

The organization should also develop appropriate risk management criteria to reduce the likelihood of risks and their consequences. If risks are not well managed, or costs are high relative to the benefits of the activities, the criteria should be directed at transferring or eliminating the risk.

Based on the risk assessment, the management of the organization will determine the response to risk, as follows:

- *accept the risks as they are*, without mitigation measures and without establishing and implementing internal control devices. Acceptance or tolerance of risk as the response strategy is recommended for inherent risks with low exposure, below the risk tolerance.

After acceptance, the risk becomes residual and is monitored regularly, so that it does not exceed the accepted level.

Setting the risk tolerance limit is the responsibility of management and involves establishing the exposure that can be assumed, in conjunction with the costs and the control measures to be taken. If risk exposure is a probabilistic measure on a sized scale (a combination of probability and impact), then the risk tolerance must have the same features.

- *treat risks*, which means identifying and implementing appropriate control devices to limit the probability of the risk manifesting and keep it within acceptable limits.

In practice, the following categories of control instruments are used for risk treatment:

- … materialize, or for limiting the risks that may materialize;
- … materialized, and is a way to recoup losses;
- … the tolerable direction of the organization;
- … the risk has materialized.

If risks materialize, the cause is the internal control, which either has not been implemented or was implemented but did not function properly.

- *avoid risks*: risks that cannot be treated, and whose treatment costs exceed the expected results, will be eliminated or kept within reasonable limits by reducing or abolishing the activities concerned.
- *transfer risks*: risks that cannot be controlled will be transferred to other units or organizations. This option is especially beneficial for financial or economic risks. Risk transfer is a measure that reduces the exposure of one functional structure of the organization, while another functional structure or organization, capable of or specialized in managing such risks, takes on the risk exposure.
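As an added example, not code from the chapter, the following Python puts the assessment of section 5.1.4 and the response options above into one routine: exposure is computed as the combination of probability and impact on a 3 x 3 matrix, compared against a tolerance expressed on the same scale, re-assessed after a control to decide whether the risk is residual or still inherent, and then assigned one of accept, treat, avoid or transfer. The numeric weights for the three levels, the cut points between high, medium and low exposure, the tolerance value, the register's field names and the sample entries are all assumptions made for illustration.

```python
"""Risk exposure scoring on a 3 x 3 probability/impact matrix, with the
tolerance check and response selection of sections 5.1.4 and 5.1.5.

Added example; it is not code from the chapter. The numeric weights for the
three levels, the cut points between high/medium/low exposure, the tolerance
value and the sample register are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed weights: the chapter names three levels but gives no numbers.
LEVELS = {"low": 1, "medium": 2, "high": 3}


def exposure(probability: str, impact: str) -> int:
    """Exposure as the combination of probability and impact (score 1..9)."""
    return LEVELS[probability] * LEVELS[impact]


def level(score: int) -> str:
    """Map a score back onto the chapter's three classes (cut points assumed)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass
class Risk:
    name: str
    objective: str                 # a risk is defined only relative to an objective
    probability: str               # inherent rating, before any control
    impact: str
    controlled_probability: Optional[str] = None  # rating after the control, if one exists
    controlled_impact: Optional[str] = None
    treatable: bool = True         # False: no control can bring it within tolerance
    cost_exceeds_benefit: bool = False
    transferable: bool = False     # e.g. an insurable financial risk


def respond(risk: Risk, tolerance: int) -> dict:
    """Pick accept / treat / avoid / transfer for one risk.

    tolerance is the exposure management has decided to assume, on the same
    probability x impact scale as the exposure itself (the chapter's condition
    that tolerance has the same features as the exposure measure).
    """
    if not 1 <= tolerance <= 9:
        raise ValueError("tolerance must be on the 1..9 exposure scale")

    inherent = exposure(risk.probability, risk.impact)
    out = {"name": risk.name, "inherent": inherent, "level": level(inherent)}

    if inherent <= tolerance:
        # Low exposure: accept; the risk becomes residual and is only monitored.
        out.update(response="accept", status="residual", residual=inherent)
        return out

    if risk.controlled_probability is not None:
        # Treated: re-assess after the control to determine the specific outcome.
        residual = exposure(risk.controlled_probability,
                            risk.controlled_impact or risk.impact)
        out["residual"] = residual
        if residual <= tolerance:
            out.update(response="treat", status="residual")
        else:
            # The control exists but exposure is still above tolerance: the
            # risk remains inherent and the control mechanism must be reviewed.
            out.update(response="treat", status="inherent", action="review controls")
        return out

    if not risk.treatable and risk.transferable:
        out.update(response="transfer", status="inherent")
    elif not risk.treatable or risk.cost_exceeds_benefit:
        out.update(response="avoid", status="inherent")
    else:
        out.update(response="treat", status="inherent", action="design controls")
    return out


def prioritise(register: list, tolerance: int) -> list:
    """Risk hierarchy: highest inherent exposure first, so management sees high risks first."""
    return sorted((respond(r, tolerance) for r in register),
                  key=lambda r: r["inherent"], reverse=True)


# Constructed sample register (not taken from the chapter).
TOLERANCE = 2  # assumed: only 'low' exposures (1 or 2) are accepted as they are
SAMPLE_REGISTER = [
    Risk("Backup job fails silently", "Restore service within 4 hours", "medium", "high",
         controlled_probability="low", controlled_impact="medium"),
    Risk("Minor errors in internal memos", "Accurate reporting", "medium", "low"),
    Risk("Data centre fire", "Continuity of operations", "low", "high",
         treatable=False, transferable=True),
    Risk("Unpatched legacy module", "Integrity of customer data", "high", "high",
         treatable=False),
    Risk("Phishing of finance staff", "Prevent fraudulent payments", "high", "medium",
         controlled_probability="medium", controlled_impact="medium"),
]

if __name__ == "__main__":
    for entry in prioritise(SAMPLE_REGISTER, TOLERANCE):
        print(entry)
```

Running the module lists the register from highest to lowest inherent exposure. The phishing entry is the case the chapter calls inherent after control: a control exists, but the re-assessed exposure (4) is still above the tolerance (2), so the result is "review controls" rather than a residual risk; the backup entry, by contrast, drops to 2 after its control and becomes residual.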


The diversity of internal control instruments is considerable across all aspects of activities; they can be classified as: objectives, resources (means), information system, organization, procedures and supervision15.

*Objectives* - groups the internal control tools/devices implemented through measures aimed at: clearly defining the objectives, decomposing them in a pyramid down to the level of each job, their convergence and measurability, associating measurable outcome indicators with them, and monitoring the information system.

*Means* - groups the internal control devices/tools implemented through measures of adequacy of resources against objectives.

*Information system* - groups the internal control devices/instruments put in operation with the aim of achieving a complete, reliable, comprehensive and appropriate information and steering system.

*Organization* - groups the internal control devices/instruments resulting from measures aimed at correcting anomalies detected in the procedural and structural organization that are circumstances favoring the manifestation of risk.

*Procedures* - internal control tools/mechanisms that control the risks arising from the lack of processes and rules to be observed while activities are taking place.

*Supervision* - groups the internal control instruments/devices designed to control risks arising from the abnormal exercise of hierarchical control. Such internal control tools are aimed at the management style of decision-makers at different levels.


Managing the risk register, which contains summary information and the decisions taken in the risk analysis, attests that the organization has introduced a risk management system and that it works.

The process of identification, assessment and treatment of risks must ensure that risk analysis is carried out periodically and that mechanisms are established for managing information on new or emerging risks and on changes in already identified risks, so that these changes are addressed properly.

*Risk monitoring* is necessary to track the evolution of risk profiles and to ensure that risk management remains appropriate; it is achieved by revising the risks.

Risk monitoring is done through the internal control system, which must be flexible: it develops appropriate control tools in areas where risk is not sufficiently controlled, and reduces those instruments where excessive risks are controlled.

Risk management must take into account the internal control system implemented in the organization, both the expected internal controls and the existing ones. Considering their sufficiency, it identifies the risks, subjects them to evaluation and, based on the results, establishes the internal control necessary to be implemented in order to limit exposure.

**5.2. Internal and external environment and its influence over the integrated risk management**

Implementing a risk management system within the organization requires establishing relationships both within the organization and beyond it. Those responsible for implementing integrated risk management also have relationships with the entity's management and with the staff of the entity's functional structures.

The management of the entity decides on the risk management strategy adopted in the organization and approves any measure relating to risks. To this end, it is regularly informed of the results of risk management and carries out reviews in order to establish the ways in which risk management is done.

Those responsible for risk management in the organization communicate and put into effect the risk strategy and policy promoted to all employees, as well as any decision taken by management on risks. They receive from the structures any information on risks, analyze and process it, and make proposals to management on the appropriate measures to be taken, and management, depending on the managerial nature of the measures, implements them.

Risk communication, and how risks are required to be managed, starts from the management level and goes down to the level of execution, and shall ensure that:

- … involved in achieving the objectives;



