Risk Management Practices and the Role of Internal Audit - Example

Risk Management Name: Affiliation: Introduction Any organization in the current world that is focused on making a competitive advantage must be willing in any way to have a robust way of managing risks. The mechanisms, which are to be chosen, must be sort through a formal way of identifying, assessing, and effectively responding to the risks at the changing risk trends. The measures that are commonly referred to as enterprise risk management (ERM) gives the organizational chance to understand some of the risks which may be unacceptable and in thus doing, they end up being under total control (Vijesh, 2015). There is a continued demand for the organizations to have ways, which can be used to conduct internal audits and understand the vulnerabilities of the organization regarding risks assessment. The audit is yet to be well scrutinized to understand its independence and if it does well in doing the assurance role. The report done in this summary is about the risk management state at the non-financial states in UAE. This is a summary of the report of their study, which was done by many academic institutes, professional organizations, and consulting firm. The objective of this is to find how the non-financial institutions in UAE are performing while opening windows for improvement in the areas in which they have done well. It is yet to answer some question, which is to cover on; the maturity of risk management in UAE, the key drivers, and challenges, practices on risk governance and structure, the existing components, approach and processes necessary for risk management (Vijesh, 2015). The report will cover a survey that was conducted by around 90 participants, which was done online. The investigation was carried out by the UAE-IAA. It was done between September and November 2014.The analyzes of the results were done immediately after the results were received and then the report compiled. The framework of the story was majorly based on the risk assessment and management as shown below. Fig 1.The Benchmark Standards for Risk Management Risk Management State In The UAE According to Vijesh (2015) Risk Maturity happens when a combination of various factors have been combined to know how well risks are an administration in organizations. At UAE organizations, existent of risk management is evident. From the survey, quite a good number of organizations has put in measures to have the organization get the need for risk management in the organizations. The risk management in about 77% of the entities has had the risk management being implemented wholly or partly. There is another 14 % who are considering having the framework in place. However, there is a third of the organizations who have full-fledged risk management program established. The organization claims to have the full-fledged risk management program, theirs exists some critical components that have not been affected by the same organizations. 9 % of the organizations have none of the programs on the risk management and being interviewed; the employees says that even the big organizations have ignored the need to have risk management in their organizations. Given the progress in the way the UAE are handling issues with risk management, it is very admissible that many measures are being done to ensure risk management is well in place. The maturity state may not be enough, but the fact of the matter is that it is trying. With the presence of the internal audits, the risk management progress will be put in place. The existing challenges as the candidates were being interviewed show that most of the management thinks that they have management plans in place (Vijesh, 2015). The survey showed that some of the organizations have a perception that they have risk management plan in place but in real sense, it is not. The other challenge is that the organizations does not see the need or benefit to cost and effort. The other major problem that risk management faces is to get the support of the board and executive. The board and executive should, therefore, be in the forefront and to allocate budget and resources, which makes it possible to perform the risk management functions. Risk Management Framework and Governance For this framework to be understood well, the report analyzes them in two front; one that is for the organizations, which have experienced risk management. Secondly, for the organizations or entities that do not have formal risk management processes and inclusive are the organizations. When the respondents were asked what motivates risk management, they gave three key driver’s o this name (Vijesh, 2015). 1) Senior management support 2) efforts to implement risk management by internal audits, and 3) The understanding of the board and its enforcement effort of risk management. Therefore, in a bid to have measures in the organizations, which can focus on how to curb the issues if risk management and have them well out in place, different frameworks have to be put in place. The structures sought should have very binding framework such as; risk oversight authority, risk management framework, policies and procedures, risk appetite, regular communication and key risk indicators. Risk appetite in most of the organization shows the kind of the risks one should pursue while trying to meet its objectives. The risk appetite will help which risk are to be retained and which to be avoided while the organization wants to identify adequately and manage risks within an acceptance level. In the survey conducted by the report, it is evident that the risk appropriate in most of the organizations has not been carried on well. For organizations to do well in risk management, there is dire need to have a culture in the organization, which make individuals be well acquainted with risks. The only sure excessively this is to have a risk culture where the individual knows how to react to the issue of risks. The regular communication plan will be so useful in helping the organizations develop the right risk culture. In the survey done, it was realized that 58 % of the organizations have a well and regular communication program. The oversight authority has a total control over the way business is done, and how to handle risk. In the overall risks management plan by the survey conducted, it was realized, it is about 69% cases, and either the board or formal committee of the board takes the role of oversight authority for risk management. Around 14 % of the entities have other forms of surveillance that help them in making controls on risk management. Fig 2. The percentage ratios of the oversight authority To have the framework that works for the common good of the risk management, there is a need to have globally accepted methodologies, standards, and tools that play an influential role in risk management and practices. Risk Management organization The lead role in the risk management is vested in the fact that there is no clear understanding of who should take the lead role in managing risks. In the survey to understand how the respondents knew who is to take the lead role in risk management, the study showed that 36 % of the respondents chief audit executive, 25 % are the chief risk officers, 16 % being that chief finance officer and around 24 % had no exact person.The statistics are shown below; Figure 3.The lead role in Management of risks The reason we had to identify this person is to make sure that there are a clear mandate and function given to a person who could allow for the issues of risk management to be well handled. It is also evident that the conflict of interests exists but the truth of the matter is there is a need to have real risk management champion who has to in the forefront in modeling risk activities. The internal auditors can also play a role as from the UAE entities; around 59 % of them use the auditors as the leads. According to IIA Position Paper (January 2013) on “The Three Lines of Defense in Effective Risk Management and Control”, the lead function is to manage the risks effectively (Vijesh, 2015). Risks Management Implementation Practices The management of the risks entails identifying the processes, which can result in the final stage of implementation. In determining the risk management process, there is a need to have a step-to-step process that includes [Vij15]; identification, treatment, escalation of risk acceptance, periodic reporting and risk assessment. The graph below is copied for the UAE entities; Fig 4.Study of the progress of risk management process UAE organizations still have a long to go and chance to reform when it comes to issues with risk implementation. It is only around 20 % of the organizations that has put processes and procedures that will see them risk assessment or risk reporting. Most of the companies, therefore, have not taken it upon themselves to implement risk management. In risk management, the process should be made in such a way that it happens continuously. For UAE organizations, 30 % have been seen to have risk assessment updated only on an Annual basis. More assessment is being undertaken on the latest trend though happening quarterly as shown below; Fig.5.The assessment Periods The criteria for assessing the risk should be pure; quantitative, qualitative, and subjective. While reporting the risk, it should be able to cover all aspects, which are necessary for the expected change. To have an entirely valid measure to risk management, it is for the ethical issues to stand out. This is the only way in which fraud issues can be handled. In UAE, only 17 % of the companies have no formal measures, which have been undertaken to curb fraud risk. Role of Internal Audits in risk Management For some time now, it has not been so clear on what the exact role the internal audit team had on the risk management. The audit activities should always be in line with the expectation of the stakeholders. The standing expectations of the senior management on matters of audit includes; giving recommendations or advice on enhancing the process of risk management, make different reviews and give opinions of the expected programs on risk management [Vij15]. There existed distinct roles of internal auditors, but with time the characters have kept on changing. The current positions include the following; give an independent assurance on risk management processes, being the catalyst for the risk management process, being in the forefront in the risk management, implementation and lastly provide advice on risk management practices.82 % of the internal auditors perform this function for organizations. 51% does the consultation part very well. As much there exist external service providers for audits, they are rarely used by the UAE entities. The underlying reasons for this are that UAE in-house teams and financial constraints do not allow. In other enhanced cases, technology is being used for risk management on grounds of powerful capabilities for analysis, reporting, and monitoring of risks, which improves efficiency. References Vij15: , (Vijesh R., 2015), Read More