Risk Assessment Methodology in Public Financial Institutions

*Leon Dorozik, Tomasz Strąk and Ireneusz Miciuła*

### **Abstract**

This chapter classifies the risk and fundamental elements necessary to manage it. It presents the individual stages of the procedure and standards of conduct in risk management. In accordance with the EU accession agreement, Poland has developed and implemented a system of financial management and control standards in public finance sector units. This chapter presents the risk assessment tools that can be customized to the needs of a specific organization, including public sector entities. Information about how to manage risk in each EU country are made available because of the desire to show the stability and proper monitoring of the risks in order to fulfil the given tasks. This affects the perception of stability in the country, which has a direct impact on the economic effects.

**Keywords:** risk management, score-based risk assessment, management control, public institutions, finance

#### **1. Introduction**

Risk management concerns both public and private organizations. Recent failures in companies from the public and private sector all around the world resulted in an increased interest in effective risk identification and, most importantly, risk management. In many companies there are regular processes related to risk management, including periodic (e.g. monthly) reports for regulatory bodies. However, it turns out that such periodic reports are not sufficient for management bodies to prevent risk effectively. This is of particular importance in the public finance sector, where there is a high degree of legislation and hierarchy. Now, given the changeability of the economic situation caused by globalization processes, among other reasons, this method is no longer sufficient [1]. This method of management can be applied only in units which do not take numerous activities or when such activities do not generate unacceptable risk which may significantly deteriorate the situation. This is why risk should be considered in the tasks performed by units from the public finance sector. The possibilities of a public finance unit in terms of risk management in the course of its activities should be defined. Knowledge on how to use risk management tools will contribute to effectiveness in achieving goals, i.e. higher and more secure financial results [2]. Positive effects (opportunities) of risk management, which citizens and the administration can enjoy, are perceived by the Polish government as an added value. Thus, efforts should be made so that all employees in a public administration unit could fully understand the idea of risk management, which is not fighting risk or using it to achieve better results but managing it in line with the policy pursued by the management. It is, therefore, necessary for managers

#### *Risk Management and Assessment*

of public administration units to learn appropriate risk management methodology. The aim of the article is to analyse the process of risk management and the role of internal control in quick decision-making in public sector units. In order to achieve this aim, particular stages of risk identification and management were analysed, and the score-based risk assessment method was presented.

#### **2. Notion of risk: definition and classification**

Risk is an objectively existing possibility of failure, loss or damage as a result of an activity. As a consequence of making wrong economic decisions, there might be a decrease in potential profits, loss of financial liquidity, bankruptcy of an organization (an enterprise or a public institution) and even huge debt which entails legal liability. Risk cannot be eliminated; it can only be limited by appropriate economic, legal, organizational and HR-related prevention. The size of risk depends on numerous interrelated factors, the majority of which is independent of the activity of an organization. These include general economic, social, political, demographic and technical factors.

Financial institution risk is a danger which results from making a profit whose amount is different than expected. In terms of the main sources of risk, Jachowicz points to the following: "the lack of possibility to perfectly anticipate future states and the possibility of occurrence of unexpected states", i.e. the undisputed impossibility to predict all determinants of the future in a particular economic situation and consequences following a given activity [3]. Risk is, therefore, inherent to each and every economic activity. Moreover, risk is taken intentionally in order to make a higher profit because there is a close link between the level of income and risk [4]. A higher risk gives the possibility to achieve a higher return on investment. Taking risks, we expose ourselves to bigger losses, but at the same time, we have a chance to make a higher profit, so the spectrum of both advantages and disadvantages is wider. Risk is defined as a negative deviation of the achieved result from the previously planned figure [5]. Therefore, when striving to optimize profit, it is unavoidable to accept certain levels of risk, which are usually related to an increase in the volume of income. Each organization operates in a state of uncertainty of future events [6]. Information which is available when making a decision is usually incomplete and inaccurate, and predicting how events will unfold is not always possible.

In general terms, it is impossible to avoid risk. This results from the fact that within the general approach, the term risk refers to everything that is uncertain [7]. It is beyond any doubt that life was, is and will be unpredictable as far as future events are concerned, i.e. risky. This is why the aim of this chapter is to present new suggestions in terms of risk management and to identify deterministic activities, i.e. activities which enable determination of the consequences and scope of risk. Each activity involves risk, which is to a large extent undefined, is complex and undergoes dynamic changes. The term "risk" is ambiguous and defies a clear and synthetic definition. Risk itself follows from the very fact of making decisions concerning the future. This is because it refers to situations in which a company does not have a 100% certainty as to the course and final results of its activity. Phenomena which influence an entity's operating business activity but which are beyond the scope of its will are usually referred to as uncertainty. Risk, however, is defined as merely a possibility of failure, in particular a possibility of occurrence of events which are beyond the control of an entity and which are impossible to predict and prevent. As a consequence, a particular activity may turn out to be less effective or less beneficial. Both notions, i.e. "risk" and "uncertainty", are often treated as equivalent although they denote something entirely different. One could quote a number of definitions which define mutual relations between these categories. According to Willet "risk is the objectified uncertainty

**59**

*Risk Assessment Methodology in Public Financial Institutions*

phenomenon it is and how difficult it is to define and measure it.

concerning the occurrence of an undesirable event. Risk changes together with uncertainty and not with the level of probability" [8]. Braig et al. define risk as a combination of elements of hazard and it is measured with probability, whereas uncertainty is measured with the level of faith. "Risk is a state of the world and uncertainty is a state of the mind" [9]. Being convinced of the result of an action, one can decide not to perform such action and not to take a risk. In order to specify a general and universal definition of risk, one can refer to the PWN dictionary of foreign terms, according to which risk is an undertaking whose result is unknown, the possibility that something either works or not as well as the decision to conduct such undertaking [10]. The meaning of the word "risk" is derived from the Italian word "risco", which means reef, which ships should stay away from. The notion of risk is frequently and incorrectly equated with danger. There is a significant difference between these two terms, which should be taken into consideration. Danger is rather a direct threat, whereas risk occurs in a situation when the consequences are uncertain. Within this meaning, a certain loss is not a risk. There are many other definitions of risk as well. The approach to the category of risk varies depending on the author, and it proves how complex

As it is the case with defining risk, classifying it is also very problematic. Current categories are not unanimous and disjunctive, which means that one type of risk can be a specific example of another risk [11]. Generally, there are the following

1.Commercial risk: risk following directly from a commercial activity. It com-

a.Liquidity risk—manifests itself in the necessity to adjust maturities of assets and liabilities to make sure an entity is able to meet its obligations.

b.Credit risk—related to the failure on the part of a business partner to meet their liabilities towards a particular entity. Currently, over 80% of global trade is conducted with a deferred payment term. The term of trade credit depends on the type of goods. It is shortest for consumer goods (ca. 30 days), whereas investment goods are at the other end of the scale with payment terms of at least 1 year. Due to an increasing competition and the need to fight for clients, companies will extend the terms

2.Market risk: concerns the probability of changes in the value of market instruments, i.e. the possibility of change of financial conditions as a result of

a.Interest rate risk—results from the fact that the value of a part of assets and liabilities depends on interest rate changes (e.g. a loan bearing a variable interest rate). This results from interest rate fluctuations.

b.Foreign exchange risk—related to an unsecured open foreign currency

There also exists a market risk, which exerts indirect impact on financial results,

3.Operational risk—danger of failure to achieve objectives due to mistakes in an IT system or mistakes made by employees or inappropriate internal control of

position and unfavorable movements in exchange rates.

i.e. resource risk, price risk, business cycle risk and technological risk.

*DOI: http://dx.doi.org/10.5772/intechopen.91152*

basic types of risk [12]:

even more.

the enterprise.

changes in market prices, including

prises

#### *Risk Assessment Methodology in Public Financial Institutions DOI: http://dx.doi.org/10.5772/intechopen.91152*

*Risk Management and Assessment*

of public administration units to learn appropriate risk management methodology. The aim of the article is to analyse the process of risk management and the role of internal control in quick decision-making in public sector units. In order to achieve this aim, particular stages of risk identification and management were analysed,

Risk is an objectively existing possibility of failure, loss or damage as a result of an activity. As a consequence of making wrong economic decisions, there might be a decrease in potential profits, loss of financial liquidity, bankruptcy of an organization (an enterprise or a public institution) and even huge debt which entails legal liability. Risk cannot be eliminated; it can only be limited by appropriate economic, legal, organizational and HR-related prevention. The size of risk depends on numerous interrelated factors, the majority of which is independent of the activity of an organization. These include general economic, social, political, demographic and technical factors. Financial institution risk is a danger which results from making a profit whose amount is different than expected. In terms of the main sources of risk, Jachowicz points to the following: "the lack of possibility to perfectly anticipate future states and the possibility of occurrence of unexpected states", i.e. the undisputed impossibility to predict all determinants of the future in a particular economic situation and consequences following a given activity [3]. Risk is, therefore, inherent to each and every economic activity. Moreover, risk is taken intentionally in order to make a higher profit because there is a close link between the level of income and risk [4]. A higher risk gives the possibility to achieve a higher return on investment. Taking risks, we expose ourselves to bigger losses, but at the same time, we have a chance to make a higher profit, so the spectrum of both advantages and disadvantages is wider. Risk is defined as a negative deviation of the achieved result from the previously planned figure [5]. Therefore, when striving to optimize profit, it is unavoidable to accept certain levels of risk, which are usually related to an increase in the volume of income. Each organization operates in a state of uncertainty of future events [6]. Information which is available when making a decision is usually incomplete and inaccurate, and predicting how events will unfold is not always possible. In general terms, it is impossible to avoid risk. This results from the fact that within the general approach, the term risk refers to everything that is uncertain [7]. It is beyond any doubt that life was, is and will be unpredictable as far as future events are concerned, i.e. risky. This is why the aim of this chapter is to present new suggestions in terms of risk management and to identify deterministic activities, i.e. activities which enable determination of the consequences and scope of risk. Each activity involves risk, which is to a large extent undefined, is complex and undergoes dynamic changes. The term "risk" is ambiguous and defies a clear and synthetic definition. Risk itself follows from the very fact of making decisions concerning the future. This is because it refers to situations in which a company does not have a 100% certainty as to the course and final results of its activity. Phenomena which influence an entity's operating business activity but which are beyond the scope of its will are usually referred to as uncertainty. Risk, however, is defined as merely a possibility of failure, in particular a possibility of occurrence of events which are beyond the control of an entity and which are impossible to predict and prevent. As a consequence, a particular activity may turn out to be less effective or less beneficial. Both notions, i.e. "risk" and "uncertainty", are often treated as equivalent although they denote something entirely different. One could quote a number of definitions which define mutual relations between these categories. According to Willet "risk is the objectified uncertainty

and the score-based risk assessment method was presented.

**2. Notion of risk: definition and classification**

**58**

concerning the occurrence of an undesirable event. Risk changes together with uncertainty and not with the level of probability" [8]. Braig et al. define risk as a combination of elements of hazard and it is measured with probability, whereas uncertainty is measured with the level of faith. "Risk is a state of the world and uncertainty is a state of the mind" [9]. Being convinced of the result of an action, one can decide not to perform such action and not to take a risk. In order to specify a general and universal definition of risk, one can refer to the PWN dictionary of foreign terms, according to which risk is an undertaking whose result is unknown, the possibility that something either works or not as well as the decision to conduct such undertaking [10]. The meaning of the word "risk" is derived from the Italian word "risco", which means reef, which ships should stay away from. The notion of risk is frequently and incorrectly equated with danger. There is a significant difference between these two terms, which should be taken into consideration. Danger is rather a direct threat, whereas risk occurs in a situation when the consequences are uncertain. Within this meaning, a certain loss is not a risk. There are many other definitions of risk as well. The approach to the category of risk varies depending on the author, and it proves how complex phenomenon it is and how difficult it is to define and measure it.

As it is the case with defining risk, classifying it is also very problematic. Current categories are not unanimous and disjunctive, which means that one type of risk can be a specific example of another risk [11]. Generally, there are the following basic types of risk [12]:

	- a.Liquidity risk—manifests itself in the necessity to adjust maturities of assets and liabilities to make sure an entity is able to meet its obligations.
	- b.Credit risk—related to the failure on the part of a business partner to meet their liabilities towards a particular entity. Currently, over 80% of global trade is conducted with a deferred payment term. The term of trade credit depends on the type of goods. It is shortest for consumer goods (ca. 30 days), whereas investment goods are at the other end of the scale with payment terms of at least 1 year. Due to an increasing competition and the need to fight for clients, companies will extend the terms even more.
	- a.Interest rate risk—results from the fact that the value of a part of assets and liabilities depends on interest rate changes (e.g. a loan bearing a variable interest rate). This results from interest rate fluctuations.
	- b.Foreign exchange risk—related to an unsecured open foreign currency position and unfavorable movements in exchange rates.

There also exists a market risk, which exerts indirect impact on financial results, i.e. resource risk, price risk, business cycle risk and technological risk.

3.Operational risk—danger of failure to achieve objectives due to mistakes in an IT system or mistakes made by employees or inappropriate internal control of the enterprise.


More specific areas of risk are identified depending on the specific nature of a particular business activity. The following conclusions can be drawn from the general classification:


The list of types of risk presented above is not an exhaustive one. Given the complexity of business activity, managers of public organizations are constantly exposed to various forms of this phenomenon [7]. Although not all of the risks enumerated above can be predicted or controlled, one should be aware of their existence and limit their occurrence and impact on organization to the greatest extent possible. Since there are so many factors causing risk, it is simply impossible to avoid it. Moreover, some of these factors are beyond the control of an enterprise. There are two main groups of factors which influence risk [13]:

#### 1.External factors


**61**

*Risk Assessment Methodology in Public Financial Institutions*

• Demographic factors (structure of population) • Technological factors (technological progress)

• Internal control system (efficiency of operation)

• Structure of assets and liabilities (level of high-risk assets)

• Human resources policy and qualifications (risk management)

**3. Internal control as an element of the risk management process**

from the Minister of Finance in January 2003 [14] were introduced:

• The head of a unit conducts day-to-day assessment (monitoring) of the

completion of tasks with the use of quantifiable indicators or precisely defined

• The head of a unit systematically identifies external and internal risk related to the achievement of the unit's objectives, concerning both the entire unit's operations and particular schemes, projects or tasks undertaken by the unit. In the event of a change of conditions in which a unit operates, identification of

• The head of a unit guarantees systematic analysis of the identified risk in order to define potential consequences and the probability of the occurrence of a particular risk. The head of a unit defines the acceptable level of risk and measures which are to be taken in order to reduce a particular risk to the acceptable

Effective risk management is one of the elements of effective management of a public administration unit [15]. The Act on public finance has been in force as of 1 January 2010, with the exception of regulations concerning the obligation to plan and implement budgets in a task-based manner, which are effective as of 1 January 2012 [16]. One of the significant changes with respect to the previous Act of 30 June 2005 is the implementation of regulations concerning internal control and its coordination in units from the public finance sector and local government units. Pursuant to the Act on public finance (Article 68), internal control is a set of measures taken

Risk management is one of the basic elements (processes) of managing a unit. Its primary aim is to increase the probability of achieving goals. In order to manage risk successfully, one should establish and adopt objectives which are to be achieved in a particular time and specific objectives of particular organizational departments. Defining objectives allows for identification of risk which can endanger the achievement of goals. In the process of risk management, it is important to take measures to reduce risk to an acceptable level. Risk management undertaken by the management of a unit is a continuous process. To emphasize the importance of risk management, three standards of financial control announced in a communication

• Social factors (change in the tendency to save, customer behaviour, level of

*DOI: http://dx.doi.org/10.5772/intechopen.91152*

unemployment)

• Company strategy

• Criminal activities

criteria.

level.

risk should be resumed.

2.Internal factors

