The Institute of Internal Auditors
Risk Management Readings
INTRODUCTION
The following list of risk-related articles, books, and other
publications has been compiled to assist internal auditors and their
organizations in monitoring, evaluating, and improving the
effectiveness of risk management systems and processes. The list is
not intended to be all-inclusive or to represent all available
resources and publications on risk management; rather, it is merely
provided as a summary of some of the literature in the field.
Internal auditors are encouraged to evaluate risk management
information from a wide variety of sources, to ensure that they can
effectively add value to their organizations through monitoring and
evaluating the effectiveness of their organizations' risk management
systems.
BIBLIOGRAPHY
Against the Gods: The Remarkable Story of Risk, Peter L. Bernstein, John Wiley & Sons Inc., 1996.
In this unique exploration of the role of risk in our society,
Peter Bernstein argues that the notion of bringing risk under
control is one of the central ideas that distinguish modern times
from the distant past. Against the Gods chronicles the
remarkable intellectual adventure that liberated humanity from
oracles and soothsayers by means of the powerful tools of risk
management that are available to us today.
Assessing Risk, David McNamee, CIA, CISA, CFE, FIIA(M), The Institute of Internal Auditors, 1996, http://www.theiia.org/
A "how-to" tool kit that identifies the easiest, most effective
risk assessment processes in use for most common audit situations.
This kit can be easily tailored to meet specific needs. In
addition to adhering to the Standards, it includes specific
step-by-step instructions and forms for assessing risk within the
individual audit and for audit management to use in assessing risk
in the annual audit planning process. Sections include
introductory information; the three-step process of assessing
risk, implementing Standards 410 and 520; and tools and forms for
documenting and reporting risk assessment. Appendices include the
Standards for the Professional Practice of Internal
Auditing, a glossary of risk terms, and suggested readings.
Master copies of forms and spreadsheets are provided on diskettes
in Lotus 2.1 for DOS and Excel 5.0 for Windows™. Worksheets are
included, without graphics, in ASCII.
Assurance Services: Risk Assessment, A. E. Sammon, The American Institute of Certified Public Accountants, Jersey City, NJ, 1997, http://www.aicpa.org/
This source is a good place to start for individuals who are
just beginning a study of the subject of risk management. It was
written for independent accountants to enable them to develop and
offer a new kind of assurance service.
Business Risk Assessment, David McNamee, CIA, CISA, CFE, CGRM, FIIA(M), The Institute of Internal Auditors, 1998, http://www.theiia.org/
Offering both the internal auditor and the general business
reader a comprehensive introduction to the topic of risk
management, this book has long been a hit at risk management
seminars and is one of the reference materials used in preparation
for the CCSA exam. Author McNamee discusses strategic, project,
and operational risk management from a manager's point of view and
identifies the core principle of risk management: managers putting
assets at risk to achieve objectives. He points out that controls
(in the form of an accurate means to measure, assess, and
prioritize risk) are a crucial factor in an organization's future
success. Promoting risk management practices that provide an
accurate lens on the future, the book uses an approach to
business-risk modeling that has proven effective for both
strategic planning and the annual audit planning process. It
provides steps for strategic, project, and operational risk
assessment; methods for identifying, measuring, and prioritizing
risk; and models for risk assessment that produce the most
credible, timely, and cost-effective results. The book tackles
implementation issues by providing a risk management
self-assessment questionnaire that involves all entities of the
organization in the process. This leads to organizationwide risk
management controls that result in the efficient and effective
response to the rapidly changing conditions of the emerging global
market.
A Conceptual Framework for Integrated Risk Management, Members' Briefing Publication, The Conference Board of Canada, Ottawa, 1997, http://www.conferenceboard.ca/
This report describes a conceptual framework to aid in
developing an enterprise risk management system. It asserts that
no single methodology exists for a system. Each organization's
approach to risk, risk tolerance, and management structure and
processes is linked to its own unique objectives and strategies.
The report states, however, that there are certain elements
constituting a broad conceptual framework. The document has
examples drawn from leading firms that have risk management
systems in place.
Corporate Risk: Strategies and Management, G. Brown and D. Chew (editors), Risk Publications, 1999, http://www.riskpublications.com/
This book contains 30 articles organized around four themes:
the theory of corporate risk management, the practice of corporate
risk management, evidence on corporate risk management, and case
studies in corporate risk management. The articles represent a
wide range of views and approaches to financial risk management
for nonfinancial corporations.
"Eastern Exposure," A. Gersten, Journal of Accountancy, August 1999, pp. 53-58, www.aicpa.org/pubs/jofa/index.htm
This article discusses the risk management
practices of four companies that participate in Asian markets.
Political unrest, cultural differences, currency hedging, and the
Y2K computer issue are all addressed by the author. Despite recent
problems encountered in Asia, the author concludes that all
companies surveyed still believe that doing business in Asia is a
good risk. The article also discusses Asian risk management
strategies and contains many examples.
Enhancing Shareholder Wealth by Better Managing Business Risk, prepared by PricewaterhouseCoopers, New York, N.Y., Financial and Management Accounting Committee of International Federation of Accountants, 1999, http://www.ifac.org/
This document presents the heart of a risk
management framework. It states that risk is seeking the upside of
opportunities while managing the downside of threats and hazards.
It sets out the concept of a firm's risk profile where risk is
divided into three components: risk as uncertainty, risk as
opportunity, and risk as hazards. It also examines management's
response to the risks identified and
assessed.
"Enterprise-wide Risk Management: Strategies for Linking Risk and Opportunity," J. W. DeLoach, Financial Times, London, U.K., 2000, http://www.business-minds.com/
This is a comprehensive book on
enterprise-wide risk management authored by a partner of Arthur
Andersen, who also co-authored the 1995 study, Managing Business Risk: An Integrated Approach, published by the
Economist Intelligence Unit. The stepping stones in the model
presented in this book include adopting a common risk language;
establishing goals, objectives, and oversight; assessing risk and
developing strategies; designing and implementing capabilities;
continuous improvement; aggregate multiple risk measures; links to
enterprise performance; and formulating an enterprise-wide risk
strategy.
Generally Accepted Risk Principles, Coopers & Lybrand International, London, U.K., 1996, http://www.pricewaterhousecoopers.com/
This document was developed to provide
guidance to banks, securities houses, and other financial
institutions engaged in "dealing," as to the features of good risk
management practice and proper internal control. It seeks to
distill and codify major principles developed from guidance issued
by regulators, practitioners, and other advisers, so as to
establish a comprehensive framework consisting of 89 core
principles, with accompanying explanations such as risk management
strategy, risk management function, risk measurement, reporting
and control, operations, and risk management
systems.
"How Risky Is Your Company?", R. Simons, Harvard Business Review, May-June 1999, pp. 85-94, http://www.hbsp.harvard.edu/
This article identifies the negative impact
that success may have on management's concern about risk. The
author created a "risk exposure calculator" that allows managers
to calculate their internal risk exposure based on certain
pressure points within their organizations. The author also
created a "levers of control" model that allows managers to align
the existing controls in the company with the business strategy.
The author stresses the importance of maintaining traditional
internal controls within the company.
"In Pursuit of the Upside: The New Opportunity in Risk Management", L. Puschaver and R. G. Eccles, PwC Review, New York, N.Y., PricewaterhouseCoopers LLP, Volume 1: 1-10, 1998, http://www.pricewaterhousecoopers.com/
This article focuses on managing risks using
a three-part definition of risk, requiring managers to evaluate
risk as both opportunity and uncertainty, in addition to
evaluating risk as a hazard. The authors created a Business Risk
Continuum that is included in the article to illustrate how
different functional areas and employees can contribute to the
risk management process under the three-part definition of risk.
The authors conclude that an integrated approach to risk
management will allow companies to obtain the best
results.
Learning About Risk: Choices, Connections and Competencies, Canadian Institute of Chartered Accountants, CICA Criteria of Control Board, Toronto, Ontario, 1998, http://www.cica.ca/
This document has helped to spark thought and
discussion that will lead to better understanding of the nature of
risk and of the process of risk identification and assessment. It
does not address the measurement of risk, or the various
strategies for mitigating risk, such as avoidance, mitigation, or
transfer. It is aimed at a broad audience that includes chartered
accountants, governing board members, standard-setting bodies, and
anyone interested in learning about risk.
Managing Business Risks - An Integrated Approach, Economist Intelligence Unit, written in cooperation with Arthur Andersen & Co., New York, NY, 1995, http://www.eiu.com/
This report is based on research that began
with the hypotheses that businesses realize the complexity of the
risks they face and are searching for a more comprehensive
approach to managing risk.
"Managing Risk" (Professional Briefing Note 13), Institute of Internal Auditors - UK and Ireland, 1998, http://www.iia.org.uk/
This 51-page professional briefing note has
proved to be a very popular exposition of the subject covering its
nature, relevance to corporate governance, its management, and the
interfaces with internal audit.
"Managing Risk," Business Week, October 31, 1994, pp. 86-92, http://www.businessweek.com/
This article examines changes in risk
management techniques that were used by many large U.S.
corporations at that time. The creation of a high-level risk
manager, declining use of complex derivatives, restructuring of
foreign exchange risk, and promoting a risk-sensitive corporate
culture were identified as major changes in the risk management
arena. Several individuals are highlighted in the article for
their innovative approaches to risk management within their
companies.
No Surprises: The Case for Better Risk Reporting, Institute of Chartered Accountants in England and Wales, Steering Group on the Financial Reporting of Risk, London, U.K., 1999, http://www.icaew.co.uk/
This steering group published a paper on
"Financial Report of Risk: Proposals for a Statement of Business
Risk" in December 1997, which showed that listed companies already
report much information about risk. This report is useful for
understanding the various facets of risk and for viewing how
companies are employing risk management
practices.
Operational Risk - The Next Frontier, Risk Management Association, 2000, http://www.pricewaterhousecoopers.com/
This study, which was undertaken for the
British Bankers Association, the International Swaps and
Derivatives Association, and the Association of Lending and Credit
Risks Professionals, is based on a survey of 55 financial
institutions. While financial institutions have focused
considerably on credit and market risks, operational risk as a
separate discipline has received attention primarily during the
past three years. This study excludes business risk such as
competitive positioning, economic cycles, changes in market profit
margins, and restructuring of a market. The study indicates that
methodologies are evolving to quantify operational risk
capital.
Operational Risk and Financial Institutions, Arthur Andersen, 1998, http://www.arthurandersen.com/
This book focuses on operational risk at financial institutions
only, although it also covers credit risk, market risk, and related
areas. The author presents an overall framework of risk
and shows how operational risk fits into the framework. The book
includes topics such as operational risk management, aggregating
operational risk information, integrated risk framework,
minimizing operational risk, retail banking, analysis of losses
and processing errors, and securities fraud.
Perspectives on Risk for Boards of Directors, Audit Committees, and Management, Deloitte Touche Tohmatsu International, 1997, http://www.deloitte.com/
This booklet is a brief, general overview of
risk assessment, ensuring actions, and monitoring systems. An
appendix provides a business risk framework sketched in succinct
descriptions that are grouped under four categories of risk:
strategic, operating, financial, and information. The
opening pages posit that broad changes introduce new opportunities
and carry business risks. Three phenomena (an increase in
globalization, an increase in intangible assets such as intellectual
property, and the emergence of the virtual organization) are examined
from the viewpoint of these new opportunities and the kinds of new
risks they present.
Research Report, Managing Business Risks in the Information Age, Economist Intelligence Unit, written in cooperation with Arthur Andersen & Co., New York, NY, 1998, http://www.eiu.com/
This report uses the Arthur Andersen Business
Risk Model to illustrate how information technology sits at the
heart of the risk model framework. The report covers a study of
firms in North America, Europe and Asia and interviews of 50
senior executives. The objectives are to identify the types of
business risk related to information technology; to understand how
firms are identifying and managing technology-related business
risks; and to describe best practices for managing information
technology risks.
International Guide to Best Business Practice - Risk Management, Standards Australia International Limited, http://www.standards.com.au/
This document is a guide to establishing a
risk management system based on the AS/NZS 4360 Risk Management
Standard. The book provides generic guidance for the establishment
and implementation of risk management processes in any
organization. It demonstrates how to establish the proper context,
and then how to identify, analyze, evaluate, treat, communicate,
and monitor ongoing risk. The book provides an introduction to
risk management processes. It also provides guidance and advice on
how an organization can implement an effective risk-management
program based on the standard.
Risk Management: Changing the Paradigm, The Institute of Internal Auditors Research Foundation, Altamonte Springs, Florida, 1998, http://www.theiia.org/
Examining the entire business process through
the lens of risk, authors Selim and McNamee depict risk-based
auditing as a crossroads for the profession. "Focusing on controls
over transactions buried the internal auditor in details of the
past, limiting the value of any information derived," they write.
"By focusing on risks to present and future transactions, the
auditor is working at a level above details and dealing with the
obstacles for organizational success." The research report looks
at the various impacts risk management has had on the profession
and some of the strategies now in use, such as macro- and
micro-risk assessment and scenario planning for fraud and
deception, employee theft, burglary, and unlawful duplication. The
report also examines the future impact of risk management on the
structure of internal audit as it links with managerial and
strategic elements in achieving goals.
"Understanding the Skepticism about Enterprise Risk Management," R. Banham, CFO, April 1999, pp. 63-70, http://www.cfonet.com/
This moderately technical article explores
the use of an enterprise risk management approach in several
pioneer companies. The author defines enterprise risk management
as a combination of the traditional insurable risks with other
exposures such as financial, commodity, legal, and environmental
risks. The author also explains how a natural hedge is created
when these unrelated risks are combined into a basket of risks. He
also presents a step-by-step process for enterprise risk
management.
Upsiding the Downturn: A Survey Conducted by Global Risk Management Solutions, PricewaterhouseCoopers LLP, New York, NY, 1999, http://www.pricewaterhousecoopers.com/
This article is the result of a survey of
board members of 17 companies in the United Kingdom. Those
surveyed were asked to provide insights into the current economic
downturn and how their company copes with the uncertainties that
surround the downturn. The article is not technically
challenging.
OTHER REFERENCES AND SUGGESTED READINGS
Articles
Corporate Practices and Conduct, H. Bosch, Business Council of Australia, Melbourne, 1991.
Country Risk Analysis, J. Calverley, Butterworths, London, 1985.
Effective Risk Communication: The Role and Responsibilities of Government and Non-Government Organizations, V. T. Covello, D. B. McCallum & M. T. Pavlova (eds), Plenum Press, New York, 1989.
"Emergence of the Chief Risk Officer," James C. Lam and Brian M. Kawamoto, Risk Management, Sept. 1999, pp. 30-35.
How to Manage Risks, 2nd Edition, J. Bannister, LLP, London, 1997.
"Key Attributes of Well-Controlled Organizations: Making Control a Competitive Advantage," James Moche, In Pursuit of the Upside: Leading Thinking on Issues of Risk, 1998, pp. 17-20.
"Perspectives on Managing Risk and Growth," Terrence Larsen, The Journal of Lending & Credit Risk Management, Feb. 1998, pp. 22-25.
"The New Religion of Risk Management," Peter L. Bernstein, Harvard Business Review, Mar.-April 1996, pp. 47-51.
"Microsoft's Universe of Risk," Edward Teach, CFO, March 1997, pp. 69-72.
Project Risk Management: Processes, Techniques and Insights, C. B. Chapman & S. C. Ward, John Wiley & Sons, Chichester, 1997.
Risk: Analysis, Assessment and Management, J. Ansell & F. Wharton (eds), 1992.
"Risk Management's Role in Corporate Governance," J. Boyd, Corporate Risk, vol. 4, no. 8, 1997.
Risk Management: Guideline for Decision-Makers, CAN/CSA-Q850-97, Canadian Standards Association, Etobicoke, Ontario, 1997.
Risk Analysis for Large Projects: Models, Methods and Cases, D. F. Cooper & C. B. Chapman, John Wiley & Sons, Chichester, 1987.
Society, Technology and Risk Assessment, J. Conrad (ed), Academic Press, London, 1980.
Uncertainty in Risk Assessment, Risk Management and Decision Making, V. T. Covello, L. B. Lave, A. Moghissi & V. R. R. Uppuluri (eds), Plenum Press, New York, 1984.
Magazines and Web Sites
Australian CPA http://www.cpaonline.com.au/
CA Magazine http://www.cica.ca/
Center for the Analysis of Risk and Regulation (CARR) www.lse.ac.uk/Depts/carr/
CFO http://www.cfonet.com/
Harvard Business Review http://www.hbsp.harvard.edu/
Internal Auditor http://www.theiia.org/
Journal of Accountancy http://www.aicpa.org/
Journal of Lending and Credit Risk Management http://www.rmaccg.org/
Management Accounting
Nonprofit Risk Management Center http://www.nonprofitrisk.org/
Practicing CPA
Public Entity Risk Institute http://www.riskinstitute.org/
Risk Management http://www.rmmag.com/
The CPA Journal
Treasury Board of Canada Secretariat's IRM Framework http://www.tbs-sct.gc.ca/pubs_pol/dcgpubs/RiskManagement/rmf-cgr_e.htm
Other Publications
A Conceptual Framework for Integrated Risk Management, Lucy Nottingham, 1997, http://www.conferenceboard.ca/
Australian/New Zealand Standard 4360:1999: Risk Management, 1999, Joint Technical Committee OB/7 - Risk Management, Standards Australia and Standards New Zealand, http://www.standards.com.au/
Enhancing Shareholder Wealth by Better Managing Business Risk, 1999, International Federation of Accountants, http://www.ifac.org/
Financial Reporting of Risk: Proposals for a Statement of Business Risk, Discussion Paper, 1997, Institute of Chartered Accountants in England and Wales, http://www.icaew.co.uk/
Guidance for Directors: Dealing with Risk in the Boardroom, April 2000, Canadian Institute of Chartered Accountants, http://www.cica.ca/
Guidance on Control, 1995, Canadian Institute of Chartered Accountants, http://www.cica.ca/
In Pursuit of the Upside: Leading Thinking on Issues of Risk, 1998, PricewaterhouseCoopers, http://www.pricewaterhousecoopers.com/
Internal Control — Integrated Framework, 1992, Committee of Sponsoring Organizations of the Treadway Commission (COSO), http://www.coso.org/
Internal Control: Guidance for Directors on the Combined Code, 1999, The Institute of Chartered Accountants in England & Wales, London, U.K., http://www.icaew.co.uk/
Learning about Risk: Choices, Connections and Competencies, 1998, Canadian Institute of Chartered Accountants, http://www.cica.ca/
Perspectives on Risk, 1997, Deloitte & Touche LLP, http://www.deloitte.com/
Risk Management Terminology, Second Working Draft for Comment, 1999, International Standards Organization, ISO/TMB Working Group on Risk Management Terminology N23, http://www.iso.ch/
The Coopers & Lybrand Survey of Internal Control in Corporate America: A Report on What Corporations Are and Are Not Doing to Manage Risks, 1996, Louis Harris and Associates, Inc., http://www.pricewaterhousecoopers.com/
RISK MANAGEMENT GLOSSARY