Conducting Risk Assessments at the Organization level, Business Process and activity levels (Corporate finance & accounts)
Preamble
This article includes the following aspects:
· A. Objectives of risk assessment
· B. What can be at risk in the organization
· C. Overview of the 140 processes and 963 business activities performed by the Corporate F&A team
· D. Four templates for risk assessment
· E. Restricting access rights for business activities as per risk classification
· F. Activities (including unethical ones) that can affect business adversely in each risk assessment process
A) Objectives of risk assessment
· Categorise risks into high, medium and low-risk categories to prioritise risk mitigation actions.
· Allocate resources effectively, based on analysis of the impact and likelihood of each risk occurring, to manage risks.
· Develop risk mitigation strategies.
· Enhance the compliance culture, including statutory compliance.
· Facilitate the selection of appropriate insurance policies.
· Provide valuable inputs to financial institutions that lend money, investors and shareholders, business associates, and customers.
B) What can be at risk in the organization
· Safety of people: customers, vendors (including suppliers, contractors, consultants and service providers), channel partners (such as dealers, distributors, after-sale service providers, agencies, etc.), employees, and all business associates (such as FIs/banks, advisors), etc.
· Reputation of the organisation
· Profitability and business performance
· Plant and machinery, equipment, buildings, IT infrastructure, and all types of fixed assets
· End products, all types of materials, and services rendered
· Designs, all types of business processes in various functions, information, data, and so on
C) Overview of the processes and business activities performed by the Corporate F&A team
As per the author's estimate, 140 key processes and 963 key activities are performed by the Corporate F&A team, as summarised below.
1. Identifying and developing competencies: Processes = 4, Activities = 16
2. Carrying out performance appraisal of F&A based on KPIs and KRAs: Processes = 4, Activities = 16
3. Joint ventures: Processes = 6, Activities = 91
4. Mergers and acquisitions: Processes = 6, Activities = 100
5. Investment of surplus funds: Processes = 8, Activities = 113
6. Intangible assets: Processes = 8, Activities = 30
7. Equity build-up and dividend payments: Processes = 13, Activities = 75
8. Borrowings, long term and short term: Processes = 27, Activities = 156
9. Role of the CFO in pricing decisions: Processes = 9, Activities = 41
10. Conducting risk assessment in the F&A function: Processes = 9, Activities = 51
11. Developing the Financial Authority Manual: Processes = 6, Activities = 48
12. SOPs: Processes = 9, Activities = 29
13. Developing budgets: Processes = 3, Activities = 18
14. Performing internal audits: Processes = 15, Activities = 120
15. Corporate governance: Processes = 13, Activities = 52
Total: Processes = 140, Activities = 963
The above excludes processes/activities performed by operational F&A teams.
Competent professionals must perform all these activities diligently to minimise the risk of an activity going wrong in a way that adversely impacts the business, such as the following:
① Impacting profitability and/or sales revenue, costs, quality, or end-customer satisfaction
② Impacting statutory regulations and compliances, and ethics
③ Impacting delivery timelines/efficiency or effectiveness of process performance
or any combination of ①, ② or ③.
Therefore, risk assessment at the business process/activity level is also essential, in addition to assessment of external risks at the organization level.
D) Four templates
· Template 1: Risk assessment at the organization level using the S-O-D concept
· Template 2: Risk assessment at the business process/activity level using a scoring model
· Template 3: Risk assessment at the business activity level, where scoring may not be feasible
· Template 4: Risk assessment at the statutory process/activity level
Template 1: Risk assessment at the organisation level
Five (5) activities are proposed by the author for carrying out the risk assessment process scientifically:
1a) Designating a risk assessment team or cross-functional team. It could comprise the various heads of sub-functions within F&A, such as purchase accounting, sales accounting, treasury, general ledger accounting, forex, taxation, and the legal and secretarial team, as permanent members, and
1b) Members of other functions as need-based invitees, say the heads of purchase, sales, manufacturing, IT/ERP, R&D, and so on, essential for organisation-level risks.
2. Identifying aspects that can contribute to risks.
3. Designing risk assessment templates vis-a-vis the organisation or activity, as applicable.
4. Software programming of the risk template and navigation for each template.
5. Populating the risk template.
Design of Template 1
The template will have two (2) columns and six (6) rows, as below:
Col 1 to include "Aspect" and Col 2 to include "Description of each aspect".
Aspect 1 = Key function name and key function code
Description 1 = Corporate Finance and Accounts, and xxx (code to be assigned by the IT/ERP team)
Aspect 2 = Risk statements, to be captured based on the aspects stated below
Description 2 = Risk statements to be developed by the CFO and cross-functional team as applicable/relevant to the Corporate F&A function:
· Economy
· Government policies
· Business associates
· Sudden outage of IT or technical infrastructure
· Political
· Social
· Products or services offered by the company
· Competition
· Customer demands, and so on
Aspect 3 = Risk analysis and implications (vis-a-vis each risk statement developed in point 2 above, for the F&A function)
Description 3 =
1. Economy: analysis/implications to be captured by the CFO and CFT on profitability, company valuation, goodwill, and so on. Separate sheets are to be attached for each risk statement, e.g.:
· Availability of funds with companies/the public to invest in IPOs
· M&A opportunities
· Mood of overseas companies to form JVs in India
· Opportunities to invest surplus funds and the likely rate of return on equity, mutual funds, debt funds, and money market instruments
2. Government policies:
· Corporate tax rates and exemptions
· Likely repo rates set by the RBI
· Availability of subsidies/concessions on company operations or products/services
· Import duty changes
· Export restrictions
· GST changes
· SEZ policies
and so on.
3. Business associates:
· Vendor credits
· Receivables
· Ease of liquidity with FIs for borrowing by the company
· Interest rates for borrowing
· Banking support
· Cash flows
and so on.
Similar analysis on the other applicable aspects listed above (IT outages, political, social, the company's products, competition, customer demands, etc.) is to be captured.
Aspect 4 = Risk level at the organization level, based on point 3 above, vis-a-vis F&A
Description 4 = The CFO and CFT to classify each risk statement as below:
Economy related:
Statement 1: Funds availability is likely to be very limited. Risk = High
Statement 2: M&A opportunities may be limited. Risk = Low
and so on.
Government policy related:
Statement 3: Corporate tax rates may go up and existing exemptions may be withdrawn. Risk = High
and so on.
Business associates related:
Statement 4: Vendor credit period likely to be low. Risk = Medium
Statement 5: Receivables may be high. Risk = High
and so on, for each aspect analysed above.
Aspect 5 = Countermeasures, timelines and responsibility (based on aspect 4 above)
Description 5 = To be captured by the CFO and CFT vis-a-vis each risk statement:
Statement 1 = ……………..
Statement 2 = ……………..
Statement 3 = ……………..
Statement 4 = ……………..
Statement 5 = ……………..
Aspect 6 = Top management comments on points 2 to 5
Description 6 = To be provided by the CEO/MD and to be incorporated by the CFO by amending the template.
After populating this template, the following are to be captured:
1. Created by, 2. Reviewed by, 3. Edited by, 4. Approved by
The names of the sub-function, user level in F&A, user position, users' signatures and dates are to be captured.
i) The software for populating Template 1 must have features for creating, editing, viewing and approving rights, and for capturing users' sub-function, level, position, signature, dates, etc., through a navigation process.
ii) The various aspects captured in this template can enhance the professional's understanding and can be amended at the discretion of the CFO.
iii) This template would become an integral part of the proposed risk register or risk manual, which includes all types of organisation-level risks vis-a-vis all of the functions, but would remain a confidential document.
Template 2: Risk assessment at the core process level, where the scoring model shared above can be applied easily
It contains an illustration for the key process of making payment to a vendor for material supplied to the company (including a listing of the key activities).
Eleven (11) activities are proposed to be performed, summarised below.
1. Forming a cross-functional team (CFT) comprising the F&A team, the legal and secretarial team, and need-based invitees from other functions, and developing Template 2 as shown at activity number 10 below.
2. To populate this template, the CFT asks a simple question vis-a-vis each business activity: "What is the adverse impact on the business in case the business activity being performed goes wrong?" and analyses the answers broadly under the three categories of Severity, Occurrence and Detectability, as below.
3. The CFT identifies and analyses the Severity parameters on a 10-point scale based on the aspects summarised below, and assigns a score.
Severity parameters: score on a 10-point scale based on the aspects listed below:
· Profitability, sales revenue, or cost
· Statutory compliance and conformance to accounting standards
· Satisfaction of customers, vendors, channel partners, business associates, and employees
· Corporate governance
· Quality of end product or services rendered
· Financial statement accuracy, in terms of the LODR clauses of SEBI, or SOX Act (2002) compliance in the USA
wherein a score of 1 represents the lowest adverse impact on the business and a score of 10 represents the highest adverse impact on the business.
4. The CFT identifies and analyses the Occurrence parameters as per the following summary and assigns a score.
Occurrence (or exposure) parameters: score on a 10-point scale based on the aspects listed below that can contribute to or lead to adverse impact:
1. Inadequate skills and/or resources.
2. Improper segregation of duties among initiating, modifying, editing, deleting, and approving responsibilities.
3. Incorrect or incomplete execution of work/activity.
4. Inadequate verification of work output.
5. Incorrect source data or input parameters.
6. Weak internal controls.
7. Non-robust system/non-implementation of SOPs.
8. Not ensuring the availability of appropriate authority norms.
9. Process logic not configured properly.
10. Process complexity, malicious intent, lack of diligence, change management, etc.
wherein a score of 1 represents the number of causes present being only 1, a score of 5 represents the number of causes being 5, and a score of 10 represents the number of causes being 10.
5. The CFT identifies and analyses the Detectability parameters as per the following summary, based on the stage at which the effect of the wrong/error is found, and assigns a score.
Detectability parameters: score on a 10-point scale based on the stage at which the "wrong" is detected:
· Stage 1: At the very early stage, by the functional user who initiates the business activity in a function.
· Stage 2: At the subsequent stage, i.e., the verification stage within the same function.
· Stage 3: Outside the initiating function, i.e., in the next function, but within the same business unit.
· Stage 4: During the internal audit stage, i.e., during a random internal audit within the business unit.
· Stage 5: At the customer end, who is outside the business unit.
wherein a score of 1 represents detectability at the 1st or initial stage, a score of 6 represents detectability at the 3rd stage, and a score of 10 represents detectability at the 5th stage, i.e., at the customer/business associate stage.
6. The CFT computes an Impact score as shown below:
· Impact score on a 100-point scale = Severity score (out of 10) multiplied by Detectability score (out of 10).
7. The CFT develops a template to capture the Impact and Exposure score analysis, as below.
8. The CFT develops norms for categorising each business activity as High, Medium or Low risk.
The author proposes the criteria below for classifying business activity risks as High, Medium or Low:
High, in case the impact score is between 70-100 and the Exposure score is 8-10
Medium, in case the impact score is between 50-70 and the Exposure score is 5-8
Low, in case the impact score is 1-50 and the Exposure score is 1-5
9. Software programming of the risk template for navigation/workflow.
The IT/ERP team is to do the programming, enabling workflow of the template from one person to another.
10. Populating "Core process/activity level risks" in the template.
All activities are to be populated for each core process.
11. Effecting changes in the above Templates 1, 2 and 3.
Periodically, these templates are to be revisited by the CFT in case of any changes happening in:
· Core activity
· Any parameter like severity, occurrence, or detectability, changes in which would impact the exposure score
· User level
· User position
Template 3: Risk assessment at the core process level, where the scoring model shared above cannot be applied easily
It contains an illustration for the key process of financial negotiation aspects in a JV (including thirteen key activities).
Links vis-a-vis Templates 2 and 3 are as below:
My YouTube presentation
My book, paperback, Amazon link: India
My book, paperback, Amazon link: Global
In each of the above templates, impact scores and exposure scores are to be determined based on the following:
Impact score = Severity score (out of 10) multiplied by Detectability score (out of 10)
Exposure score = Occurrence score on a 10-point scale
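The scoring model of Template 2 carried through in code, as an added example that is not the author's software or any ERP product. It assumes two points the article leaves open: a boundary value shared by two bands (70, 50, 8, 5) counts as the higher band, and when the impact band and the exposure band disagree, the more severe band is taken; the sample activities and their scores are constructed.

```python
# Added example, not the author's software: the Template 2 S-O-D scoring model as
# code. Assumptions (the article leaves them open): a boundary value shared by two
# bands (70, 50, 8, 5) counts as the higher band, and when the impact band and the
# exposure band disagree the more severe band wins.
from dataclasses import dataclass

RANK = {"Low": 0, "Medium": 1, "High": 2}

@dataclass(frozen=True)
class Activity:
    name: str
    tcode: str          # ERP transaction code, e.g. SAP "MIRO"
    severity: int       # 1..10, adverse impact if the activity goes wrong
    occurrence: int     # 1..10, number of contributing causes present
    detectability: int  # 1..10, 1 = caught by the initiator, 10 = caught by the customer

def check_scale(value: int, label: str) -> int:
    if not 1 <= value <= 10:
        raise ValueError(f"{label} must be on the 1..10 scale, got {value}")
    return value

def impact_score(a: Activity) -> int:
    """Impact on a 100-point scale = Severity (out of 10) x Detectability (out of 10)."""
    return check_scale(a.severity, "severity") * check_scale(a.detectability, "detectability")

def exposure_score(a: Activity) -> int:
    """Exposure = Occurrence score on the 10-point scale."""
    return check_scale(a.occurrence, "occurrence")

def impact_band(impact: int) -> str:
    # Author's bands: High 70-100, Medium 50-70, Low 1-50
    return "High" if impact >= 70 else "Medium" if impact >= 50 else "Low"

def exposure_band(exposure: int) -> str:
    # Author's bands: High 8-10, Medium 5-8, Low 1-5
    return "High" if exposure >= 8 else "Medium" if exposure >= 5 else "Low"

def classify(a: Activity) -> str:
    """Overall class: the more severe of the impact band and the exposure band."""
    bands = (impact_band(impact_score(a)), exposure_band(exposure_score(a)))
    return max(bands, key=RANK.__getitem__)

# Constructed sample activities; the scores are illustrative, not from the article.
SAMPLE = [
    Activity("Enter incoming vendor invoice", "MIRO", severity=9, occurrence=8, detectability=8),
    Activity("Run automatic payment in bulk", "F110", severity=10, occurrence=4, detectability=7),
    Activity("Stock overview", "MMBE", severity=3, occurrence=2, detectability=6),
]

def risk_register(activities=SAMPLE) -> dict:
    """Map tcode -> (impact, exposure, class), ordered High first for the CFT's review."""
    rows = {a.tcode: (impact_score(a), exposure_score(a), classify(a)) for a in activities}
    return dict(sorted(rows.items(), key=lambda kv: -RANK[kv[1][2]]))
```

Calling risk_register() returns the populated rows; F110 shows the disagreement case, where an impact of exactly 70 is High while an exposure of 4 is Low.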
Template 4: Risk assessment at the statutory process/activity level
It includes activities for classifying risks at the business activity level vis-a-vis the process of "Conforming to the requirements of the Companies Act 2013".
Several statutory Acts apply to organisations and hence many processes are performed.
The five (5) activities proposed for performing risk assessment for statutory activities are summarised below.
1. Identifying applicable statutory Acts and the associated parameters that can influence "statutory activity level" risks, by assessing the adverse implications in case the statutory activity goes wrong or is not conformed to.
2. Designing the risk assessment template at the statutory activity level.
3. Software programming of the risk template for statutory processes/activities and navigation.
4. Populating the "Statutory process/activity level risks" template.
5. Effecting changes in the above.
The author has identified the names of the 60 most commonly applicable statutory Acts for various organisations, and these are listed in the author's book as per the link given above.
The author proposes that all statutory activities be considered "High risk", but readers can always amend the risk classification.
Links for Template 4 are given in my book, as listed above.
E) Restricting access rights for business activities as per risk classification
Access must be restricted at the transaction code (TC) level or workflow level, depending on the type of ERP (SAP, Oracle, Microsoft Dynamics 365, ...), by assigning rights vis-a-vis the following:
· Initiating a TC and the objects related to the TC, at the granular level
· Editing a TC and the objects related to the TC, at the granular level
· Viewing a TC and the objects related to the TC, at the granular level
· Deleting a TC and the objects related to the TC, at the granular level
· Approving a TC and the objects related to the TC, at the granular level
This must be done by ERP specialists as per the advice of the CFO, with inputs from the CFT, and periodically reviewed.
In the context of SAP ERP, examples of a few high-risk transaction codes (TCs) in the FI/MM (finance and materials) modules, out of thousands of TCs, are as follows:
· Entering an incoming invoice from a vendor for supplies/services: TC = MIRO
· Making a payment advice or cheque: TC = F-58
· Automating the payment process in bulk: TC = F110
· Posting outgoing payments: TC = F-53
· Clearing a vendor account for open items: TC = F-44
· Generating a list of materials by various criteria: TC = MM60
· Stock view for quantity and value for inventory purposes: TC = MMBE
· Entering financial information for a new material, such as valuation class, price control, and cost of goods sold account, in the material master data (finance view): TC = MM01
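The periodic review of assigned rights described in section E, as an added example that is neither the author's nor any ERP vendor's code. The five rights are the article's; the conflict rule is an assumption (on a High-risk TC no single user may hold approve together with initiate, edit or delete; on a Medium-risk TC only initiate plus approve is flagged; Low-risk TCs are not checked), and the user names, risk classification and assignments are constructed.

```python
# Added example, not the author's or any ERP vendor's code: review of assigned
# access rights against the risk classification of each transaction code (TC).
# The five rights are the article's (initiate, edit, view, delete, approve).
# Assumed rule (not stated in the article): on a High-risk TC no single user may
# hold "approve" together with any of initiate/edit/delete; on a Medium-risk TC
# only initiate+approve is a conflict; Low-risk TCs are not checked.
from collections import defaultdict

RIGHTS = {"initiate", "edit", "view", "delete", "approve"}
CONFLICTS = {
    "High": {"initiate", "edit", "delete"},
    "Medium": {"initiate"},
    "Low": set(),
}

# Constructed risk classification for a few SAP FI/MM tcodes named in the article.
TC_RISK = {"MIRO": "High", "F110": "High", "F-53": "High", "MMBE": "Low", "MM60": "Medium"}

# Constructed assignments as (user, tcode, right); an ERP would hold these per role.
ASSIGNMENTS = [
    ("asha", "MIRO", "initiate"), ("asha", "MIRO", "approve"),   # conflict on a High TC
    ("ravi", "MIRO", "initiate"), ("meera", "MIRO", "approve"),  # clean split of duties
    ("ravi", "F110", "edit"), ("ravi", "F110", "approve"),       # conflict on a High TC
    ("asha", "MM60", "edit"), ("asha", "MM60", "approve"),       # allowed on Medium
    ("dev", "MMBE", "initiate"), ("dev", "MMBE", "approve"),     # Low: not checked
    ("ravi", "F-53", "view"),
]

def rights_by_user_tc(assignments):
    """Collapse the assignment list into {(user, tcode): set(rights)}; reject unknown rights."""
    table = defaultdict(set)
    for user, tcode, right in assignments:
        if right not in RIGHTS:
            raise ValueError(f"unknown right {right!r} for {user} on {tcode}")
        table[(user, tcode)].add(right)
    return table

def sod_findings(assignments=ASSIGNMENTS, tc_risk=TC_RISK):
    """Return sorted (user, tcode, risk, conflicting_rights) tuples for the CFO/CFT review."""
    findings = []
    for (user, tcode), rights in rights_by_user_tc(assignments).items():
        risk = tc_risk.get(tcode, "High")  # an unclassified TC is treated as High until assessed
        if "approve" in rights:
            clash = rights & CONFLICTS[risk]
            if clash:
                findings.append((user, tcode, risk, tuple(sorted(clash))))
    return sorted(findings)
```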
F) Activities (including unethical ones) that can affect business adversely in each risk assessment process
· Inappropriate composition and levels/positions of the team members assessing risks in the above four (4) templates, leading to incorrect assessment of impact
· Non-comprehensive review by the CFT of the aspects below, which can contribute to inaccurate capturing of scores/risks in the four (4) templates:
i) Severity
ii) Occurrence
iii) Detection
· Inappropriate software development and workflow of risk templates, making document-level risk capturing cumbersome and inefficient
· Inaccurate classification of risk in the above four (4) templates (High, Medium, or Low) by team members vis-a-vis impact
· Non-periodic/non-timely incorporation, in the four (4) templates, of the effect of any changes in the following that might have affected risk classification:
· Organisation's product and service portfolio
· Economic, political, social, customer demand, competition
· Core process/activity
· Regulatory/statutory Acts