
Case Study - ABC

Date post: 18-Jul-2016
Upload: lizasaari
Description:
risk management
Transcript
Page 1: Case Study - ABC

Advise the board as to the main business issue for ABC and the most significant risks that ABC faces

Question A

Main Business Issue for ABC

ABC is a company that provides the computer system used for call centre and customer database management. Its role is to maintain and support that system, on which its customers rely. However, ABC does not have a risk management department; it has only a large number of staff in the operations division. The most important point here is the need for proper risk management: without it, a firm cannot possibly define its objectives for the future. The company should have a risk management department to identify the risks, come up with strategies to guard against them, execute those strategies, and motivate all members of the company to cooperate in them.

The main business issue for ABC is risk management in the organization.

The Significant Risks that ABC Faces

o Business Risk
o Operational Risk
o Strategic Risk
o Financial Risk
o Corporate Reputation Risk
o Human Resource Risk
o Litigation Risk
o Legal Risk
o Business Continuity Risk
o Employee Malfeasance Risk
o Product Reputation Risk
o Product Risk
o Control Risk
o Reporting Risk Information
o Organizational Risk
o Property Risk

Business Risk

o ABC might face difficulty in managing risk since there is no risk management department in the company.

o The company also does not have a proper business continuity plan or disaster recovery plan. It has only a large number of staff devoted to disaster recovery, who also lack proper supervision from management.

o A disaster recovery plan should be developed in conjunction with the business continuity plan and include a technology recovery strategy to restore hardware, applications and data in time to meet the needs of business recovery.

o Without it, the company faces possible data loss or corruption from hardware failure, human error, hacking or malware.

o The inventory system might also crash because of the failure to provide proper disaster recovery. The company also has no proven hardware facility in use.

o Business returns might be affected, with potential losses in terms of sales and customers.

Operational Risk

o The company might face data loss or corruption resulting from business disruption if it has no disaster recovery plan to ensure the security and safety of data. Because customers rely and depend heavily on the system, corrupted data could cause a big problem.

o There is no proven hardware facility used to back up the data. Backups are held offsite, but where is that place? Is it secure? Are backups made frequently?

o Data backup should be managed using tape, cartridge and large-capacity USB devices with integrated data backup, not by a large number of staff assigned to solve problems related to the recovery plan.

o There has been no proper review by the team of risk management in the company.

o The operation of the company might be affected if these problems are not overcome quickly.

Strategic Risk

o The company might face problems since it has failed to identify its risk management objectives.

o Risk management is an important element in developing business strategy. It helps the company operate smoothly, using forecasts and projections to make business judgments that are set in stone.

o It helps the company act more confidently on future business decisions.

Financial Risk

o The company might face financial difficulty since it might incur huge costs in managing the potential risks that come from natural disasters such as fire and flood. Costs are also incurred because of corruption, compromise or theft resulting from hardware failure, human error and hacking.

o None of the staff designated to the disaster recovery team have been given any training by the company. The possibility of wrongdoing is high, and the business will incur losses.

Legal Risk

o The company may face legal action since it failed to provide a proper disaster recovery plan. For example, the Sarbanes-Oxley Act of 2002 in the US and

o Federal legislation regarding the protection of corporate financial records obligates directors and officers to evaluate a corporation’s disaster recovery and preparedness plans. The Sarbanes-Oxley Act of 2002 has caused many companies to develop disaster preparedness and recovery plans even though the law does not expressly mandate it.

o Charges for non-compliance seriously erode intellectual capital.

Litigation Risk

o The company could be sued by customers because of loss and data corruption, since they depend on the system for their sales operations.

Human Resource Risk

o The company may face unethical employees in the organization since there is no guideline or supervision from management over what they do; for example, sabotage or theft by a disgruntled employee.

o The company should segregate its staff and delegate specific roles to them, give them proper guidelines and direction, and train them, since they manage a high-quality product. Failure to do this properly might incur costs.

o Staff may malfunction and become demotivated when the company fails to guide them and they do not understand their tasks.

o Staff may become unemployed if the business shuts down. This is the big impact if the risk occurs in the company.

Employee Malfeasance Risk

o Employees may commit wrongdoing in the business because they are not supervised by their management.

Control Risk

o Without proper monitoring by management (internal control), fraud and other problems can result.

o The company should have security in place, especially in managing data.

Corporate Reputation Risk

o The business’s reputation might be affected by the company’s failure to provide good work or services to customers.

o Sales are also affected because existing customers might give potential customers a bad impression of the company.

o The company might lose existing and potential customers.

o The operation could possibly be shut down.

Product Risk

o “Product” here refers to the inventory or data software. It may be stolen or lost since there is no proper backup of data and no proper data recovery plan.

o It may be hacked or hit by malware.

Product Reputation Risk

o The product’s reputation will be affected, and demand and sales returns will drop, leading to losses for the company. Customers will change their view of the quality of the product in terms of data security.

Business Continuity Risk

o Business continuity risk occurs when the business fails to provide policies, standards, frameworks and procedures for ensuring that specific operations can be maintained or recovered in a timely fashion in the event of disruption. In this case, ABC did not have a proper risk management policy.

o The company failed to identify other possible threats: not only natural disasters but also other risks such as theft, fraud, human error and others.

Property Risk

o Concerns the security of assets, including spoilage, theft and loss of intellectual property.

o Results from the short-term profit and cash flow and the continued under-investment in capital equipment.

Organizational Risk

o There was no proper communication between top-level management and subordinates regarding the objectives and strategy of the company. An effective risk management process must encourage the free flow of information at and between all project levels. The process should enable formal, informal, and impromptu communication.

o Staff did not get proper direction and guidance on what they should do.

Reporting Risk Information

o The problems relate to the poor quality and accessibility of information, including data accuracy and security.

Question b

Advise the Board as to its responsibilities for risk management and recommend a risk management system for ABC that would more effectively manage the risks of losing business continuity

Board of Directors’ role:

-responsible for the company’s system of internal control

-set policies on internal control and seek assurance that the system is working effectively and is effective in managing risks

-explain that the system is designed to manage rather than eliminate the risk of failure to achieve business objectives, and can only provide reasonable but not absolute assurance against material misstatement or loss

-disclose the process it has applied to deal with material internal control aspects of any significant problems disclosed in the annual report and accounts

Management’s role:

-to identify and evaluate the risks faced by the company for consideration by the Board

-implement the Board’s policies on risk and control by designing, operating and monitoring a suitable system of internal control.

Board’s responsibilities

Reviewing management reports on internal control:

■ Consider the significant risks and assess how they have been identified, evaluated and managed.

■ Assess the effectiveness of internal controls in managing the significant risks, having regard to any significant weaknesses in internal control.

■ Consider whether necessary actions are being taken promptly to remedy any weaknesses.

■ Consider whether the findings indicate a need for more exhaustive monitoring of the system of internal control.

Consideration in determining policies for a system of internal control:

■ The nature and extent of the risks facing the company.

■ The extent and types of risk which are acceptable for the company to bear.

■ The likelihood of the risks materializing.

■ The ability of the company to reduce the incidence and severity of risks that do materialize.

■ The costs of operating controls compared with the benefit obtained in managing the risk.

-Needs to be carried out on a continuous basis

-Not limited to financial controls

The Board’s annual assessment should consider:

■ Any changes since the last annual assessment in the nature and extent of significant risks, and the company’s ability to respond to changes in its business and the external environment.

■ The scope and quality of management’s ongoing monitoring of risks and of the system of internal control and the work of the internal audit function and other providers of assurance.

■ The extent and frequency of the communication of the results of the monitoring to the Board which enables it to build up a cumulative assessment of the state of control in the company and the effectiveness with which risk is being managed.

■ The incidence of significant control weaknesses that have been identified during the period and the extent to which they have resulted in unforeseen outcomes that have had, or could have, a material impact on the company’s financial performance.

■ The effectiveness of the company’s public reporting processes.

Risk management system

COSO ERM FRAMEWORK

(1) Operations objective

-Reduce reliance on a single computer system and promote innovation

-Establish risk management committee

-Improve employee satisfaction

(2) Reporting objective

-Prepare a more reliable report to assist in identifying risk and decision making

-Reporting should include:

a) External financial and non-financial reporting

b) Internal financial and non-financial reporting

(3) Compliance objective

-Need to understand which laws and regulations apply across the entity

CONTROL ENVIRONMENT

-Is the foundation for all other components of internal controls

-The Board and senior management establish the tone from the top regarding the importance of internal control and expected standards of conduct

-Control environment provides discipline, process and structure

RISK ASSESSMENT

-Involves a process for identifying and analyzing risks to achieve the company’s objective

-Management should consider possible changes in the external environment and within its own business model that may impede its ability to achieve the objectives

CONTROL ACTIVITIES

-Actions established by policies and procedures to help ensure that management’s directives to mitigate risks to achieve the company’s objectives are carried out

-Control activities are performed at all levels of the entity and at various stages within business processes, and over the technology environment

INFORMATION AND COMMUNICATION

-Information is necessary for the entity to carry out internal control responsibilities in support of achievement of its objectives

-Communication occurs both internally and externally and provides the organization with the information needed to carry out day-to-day internal control activities

-Enables all personnel to understand internal control responsibilities and their importance to the achievement of objectives

MONITORING ACTIVITIES

-Ongoing evaluations, separate evaluations or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, are present and functioning

-Findings are evaluated and deficiencies are communicated in a timely manner, with serious matters reported to senior management and to the board

Question C

Evaluate the likely benefits for ABC of an effective risk management for business continuity

Management can come up with the next course of action to reduce the risk, which may reduce company costs.

If ABC has established an effective risk management system and performs risk mapping, it can prioritise the risks that will have a significant impact on business continuity. The customer database is very important and may have both a high probability and a high impact. Management therefore needs to think about the best way to ensure the database is secure. Based on current technology, management may propose using cloud computing or a technology such as “Google Drive”, which is cheaper than a physical computer. It not only reduces the cost of maintaining the hardware and the cost of maintaining another location to store the database, but this technology is also not affected by any natural disaster. As a result, risk management serves many purposes: it not only identifies possible risks but also helps companies reduce costs and improve cash flow.

Improvement in work quality and process.

An effective risk management system is an organization's first line of defence in identifying a weakness or internal failure before it occurs and in mitigating or reducing any loss after it occurs. If risk management is effective, it also has a direct impact on internal control. Good internal control may increase work quality and improve processes in ABC's operations. Based on that improvement, ABC may establish new policies, rules, regulations and procedures to enhance the company's working environment and to overcome the problem of under-investment in capital equipment. For example, ABC may also effectively evaluate its reliance on insurance cover and may decide to reduce the premium cost.

Increase compliance and attract investors.

ABC is a listed company, and stakeholders may be interested in assessing the value of the company by the policies and risk management it has established. Investors may be aware that the nature of the company's business involves very sensitive databases. If the company is not able to secure the data, the share price may drop. Thus an effective management system and policy, which may be published in the financial report, may help to enhance company value, attract more investors and customers, and maintain its reputation with the public. Third parties such as credit rating agencies, external auditors and regulatory examiners may inquire into, test, monitor and use reporting information from the risk management system established by ABC. ABC may therefore save the time needed to provide another set of reports for compliance purposes. For example, since risk management system data involves identifying and monitoring controls and mitigations relevant to various risks across the organization, this information can provide an effective means for leveraging and reducing the effort and cost of such audits and reviews.

The End

