Risk Management and Optimisation of Internal Controls
Innovative organisations actively react to changes in the external business environment and in internal processes, taking account of the current situation and of probable changes, which they aim to assess.
Although a large number of organisations apply modern business planning models and methods, risk assessment during planning is quite often performed non-systematically and intuitively, and no risk management plan is prepared at all. As a result, problems are solved once they arise, usually rather too late.
Despite the common perception of risk as an event or condition having a potential negative impact on the organisation's operational objectives, an integrated risk management system should assess positive contingencies as well, i.e. opportunities.
This increases the added value of the risk management system: not only threats but also change-related growth and development opportunities stand out more clearly.
In view of the operational risks they face, organisations develop and implement systems of internal controls, which act as preventive measures. Since systems of internal controls create no direct additional value for a business and usually require extensive costs, excessive systems of internal controls encumber business processes and reduce their efficiency.
Therefore, it is essential to assess whether internal controls in place and the related risks are adequately linked.
Challenges faced by organisations
- Operational risks of the organisation are not assessed and managed in a timely and systematic way. As a result, problems are solved once they arise, though they could have been avoided.
- The risk management process lacks a clear definition and has a low level of formalisation; managers and individual units of the organisation have a different understanding of risks and their assessment criteria.
- Risk management is carried out by separate units, so the risks of a combined activity are not adequately assessed.
- No criteria are available for the management of the defined risks, no responsibility is assigned for their management and no time-limit is fixed for the implementation of the respective measures.
- The process of achieving compliance with external requirements (namely, those set by supervisory bodies, a controlling company, etc.) is expensive and ineffective.
- Tools of internal control are ineffective. They do not cover the basic risks that a business and its individual processes are exposed to.
- Costs attributed to internal controls exceed the impact of the respective risk.
Solutions offered by PwC
- Development and implementation of a system for integrated risk management in accordance with one of the most advanced methodologies, the COSO Enterprise Risk Management.
- Development and implementation of individual elements of the risk management system (risk identification, risk assessment, organisation of the risk management process).
- Assessment of the organisation's existing risk management system by comparing it with the COSO Enterprise Risk Management, other advanced risk management models and standards, and best practices.
- Assistance in organising and performing sessions of risk identification and assessment.
- Independent assessment of compliance with external requirements (standards, guidelines, requirements of supervisory bodies, etc.) and assistance in optimising the process of ensuring compliance.
- Assistance in developing processes and internal controls to ensure compliance with external requirements.
- Assessment of the internal control system at the level of the entire organisation and of individual processes, with the aim of optimising internal control measures to ensure a suitable risk level.