Monday, June 15, 2015

Cerita Strategic Audit - Execution of Risk Management

Assalamualaikum wbt.. Lamanya Patung Beruang tak update blog ni. Rindu pula. 

Maaf lah sebab Patung Beruang lama senyap. Lately ni so many things happened, plus keadaan kesihatan Patung Beruang juga tidak memuaskan. Jadi banyaklah aktiviti-aktiviti kegemaran Patung Beruang terhenti buat seketika. 

La ni ada 3 buah buku yg Patung Beruang tengah baca. 1 buku Investment & Financial Management, 1 buku pasal sejarah and the last one buku agama. Ketiga-tiganya sgt menarik but, again, I can't finish it due to many constraints. So sad lah... I wish I can finish it by this month.

Recently, ada sahabat Patung Beruang minta pendapat mengenai audit yang beliau sedang jalankan. Currently, her Audit Firm received a job from Board of Directors (BOD) in 1 company to review the effectiveness of Risk Management Framework and the implementation. The reason of this engagement is because the BOD is not satisfy with the execution of Risk Management in that public listed company. 

Sahabat Patung Beruang minta pendapat how to do audit on Risk Management? What are the things that she need to look? and so on...

Mesti ada orang tertanya-tanya, penting sgt ke Risk Management (RM) tu? Wajib ke RM function tu diwujudkan di Company.. Untuk public listed company di Malaysia, kita terikat dengan Malaysian Code of Corporate Governance (MCCG) yang dikeluarkan oleh Suruhanjaya Sekuriti Malaysia (Securities Commission Malaysia - SC).

Jadi, seperti yang termaktub dlm Malaysian Code of Corporate Governance 2012, Principle 6.1 states that the Board (BOD) should establish a sound framework to manage risks. 

Jadi, apa maksudnya dengan Principle 6.1 diatas?

Basically, it means that the Board should determine the company's level of risk tolerance and actively identify, assess and monitor key business risks to safeguard shareholders' investment and the company's assets. Internal control are important for risk management and the Board should be committed to articulating, implementing and reviewing the company's internal control system. Periodic testing of the effectiveness and efficiency of the internal controls procedures and process must be conducted to ensure that the system is viable and robust. The Board should disclose in the annual report the main features of the company's risk management framework and internal control system. (petikan dari MCCG 2012)

Since dlm MCCG dah cakap psl RM, nak tak nak, company kena ada that RM functions. Now, apa yang auditor kena tengok utk RM area ni? 

Let's start: 
  • RM Framework. Did the company established their RM Framework. Certain company they just take MS ISO 31000 Risk Management, modify sket2 to accommodate their business and operation, and tada... it become RM Framework for ABC Bhd. or XYZ Bhd., hehehe..  Mana nak dapat MS ISO 31000 tu Patung Beruang? hm.. pi lah beli ye.. Sorry, softcopy tak de kat internet. 
  • RM Framework dah ada, but are they follow it? Jeng jeng jeng.. so, pls lah check untk tgk apa yang mereka letak dlm Framework tu, adakah sekadar janji manis atau memang mereka betul2 buat. Contohnya, ada Risk Management Committee, siapa members dia? Apa Terms of Reference (TOR) for RM Committee. How frequent the Committee will meet in a year? Ada Minutes of Meetings (MOM) tak? Apa ceritanya dlm MOM tu.. 
  • Now, kita tengok pula macam mana RM process mereka ye.. Ok, basically, RM process ini lebih kurang mcm ni: 
    • Risk Identification: Identify risk yang berkaitan dengan area mereka. Siapa yang sesuai utk identify risk? Adakah process owner, Risk Management Department or Internal Auditor? Kalau ikutkan the best practices, process owner adalah orang yang paling sesuai dan tepat untuk identify risk. Kenapa?? Sebab process owner adalah orang yang paling expert berkenaan area atau process tersebut. Cuma, peranan Risk Management Department adalah untuk lihat adakah ia benar-benar risk atau effect, atau maybe it actually a cause.   
    • Risk Evaluation: Now, they need to evaluate the risk, to get degree of probability and impact. Probability adalah kebarangkalian risk tersebut berlaku, dan impact pula kesan jika risk tersebut berlaku. Dan biasanya, kita akan pecahkan kepada beberapa quadrant, low, medium and high. Ada juga yang pecahkan lebih detail seperti very low, low, medium, high and very high. Again, terpulang pada company tersebut untuk guna method yg bagaimana. 
    • Risk Mitigation: Risk mitigation bermaksud bagaimana kita nak menguruskan risk tersebut. Adakah kita nak Accept (agree with the risk without doing anything to control it), Avoid (kita adjust work process/project/business decision etc. supaya kita tak perlu berdepan dengan risk tersebut), Control (kita implement certain control untuk minimise the risk), Transfer (kita pindahkan risk tersebut kepada pihak yang lain, yang sanggup take accountability and responsibility on the risk contohnya Insurance) dan Watch/Monitor (kita monitor environment/process yang boleh memberi kesan kepada risk tersebut).
    • Risk Monitoring: Bagaimana kita boleh monitor risk tersebut? Basically kita akan monitor likelihood risk tersebut, ensure execution of risk plans and evaluate the risk after implementing the plans. Disini, kita akan lihat gross risk rating and residual risk rating. Dan dalam prosess Risk Monitoring, kita akan lihat juga jika wujudnya new risk yang relevant dgn that particular project or areas. 
    • Risk Review: Risk review lebih kepada kita buat periodic review on risk yang record dalam Risk Register. Kebiasaannya, company akan buat bi-annual review. This is to ensure all information stated in Risk Register are accurate and updated. 
So Patung Beruang, adakah auditor perlu review semua process diatas? Practical ke untuk review???
  • Auditor tak perlu lah nak review semua process tu. Biasanya, auditor hanya ambil Risk Register and check the completeness and accuracy of the Register. Selain itu, check juga implementation and effectiveness of control stated in the Register. Untuk part ni, auditor kena buat testing. 
  • If dlm Risk Register ada states list of mitigation plan, mintalah confirmation on the latest status of that mitigation plan. If it works according to the plan don't forget to request relevant supporting documents from clients. Review Risk Register sangat senang and this step selalunya kita bagi je kat junior auditor untuk buat, heheh.. 
  • Now, the critical part is to review the effectiveness in execution of Risk Management in that Company. So, apa yang kita nak tengok untuk part ini ye?? Maybe kita boleh start disini.... 
    • Adakah strategic risk properly identified and captured in Risk Register. If yes, how they monitor? Maybe orang akan terfikir, strategic risk tu apa ye??? Setiap company akan ada expansion strategy, 5 years strategy, business plan or whatever they call it lah.. So, kita lihat utk setiap strategy yg mereka ada, apa risk yang berkaitan. Adakah risk tersebut benar-benar relevant dgn strategy mereka. Ada tak risk yang tertinggal. Disini, auditor kena work harder dimana auditor kena banyak membaca n buat research berkenaan industry tersebut. Once auditor dah familiar dgn that industry, baru lah kita boleh nampak strategy mereka, viable atau tidak, risk mereka relevant atau tidak. 
    • Siapa pula owner strategic risk ni? Some company, mereka letak CEO as a risk owner. Some, they put relevant department such as strategic planning department (SPD) or respective Strategic Business Unit (SBU). In my opinion, for strategic risk, it is better to put the CEO as owner. Why CEO? As orang no. 1 dlm company, CEO ada ultimate power to instruct any department/unit/SBU to help him/her in managing the risk. Nak get the buy-in or cooperation from various department/unit/SBU pun senang. Ia lebih practical banding kalau kita letak SPD or SBU sebagai risk owner for strategic risk. 
    • Is there any major incident happened in that particular company or that particular industry recently? If yes, is there any risks relevant to that particular major incident are being identified and captured by the company prior to that incident? 
    • Contohnya, sebuah syarikat pembuat automatif, Company ABC terpaksa menarik balik model keluaran mereka kerana terdapat kerosakan airbag. Kerosakan itu menyebabkan airbag untuk kenderaan model tertentu tidak berfungsi, dan akhirnya menyebabkan peningkatan kematian kepada pemandu dan penumpang kenderaan model tersebut akibat kemalangan jalan raya. Tindakan penarikan semula model kenderaan tersebut amat menggemparkan industri automotif kerana ia adalah yang pertama kali berlaku di negara ini. Kesannya, reputation Company ABC merudum, customers hilang kepercayaan pada product keluarannya, banyak tempahan dibatalkan dan harga saham sykt jatuh merudum. So, auditor yang bertanggungjwb utk audit Company ABC must look whether this reputation risk & operational risk telah dikenalpasti oleh Company ABC sebagai 1 of their risk sebelum incident tersebut berlaku? If yes, apa control yg ada? Mereka betul2 implement ke control tersebut?? 
    • Pesaing terdekat Company ABC adalah Company XYZ. Company XYZ juga ada mengeluarkan kenderaan dalam segment yg sama seperti Company ABC. Jadi, auditor Company XYZ juga kena lihat adakah this kind of risk ada dalam Risk Register Company XYZ. Jika ada, is there any control in place and how effective the controls for mitigating the risk?  
    • Katalah, risk ini tiada dlm Risk Register kedua-dua company iaitu Company ABC dan Company XYZ dgn andaian ia tidak akan pernah berlaku kerana mereka ni sgt perfectionist. So, auditor boleh recommend pada BOD untuk masukkan risk ini sbg salah satu key business risk berikutan insiden yang berlaku recently. See, nampak tak? Any major incident yang berlaku bukan sahaja dlm company kita, tetapi dlm industry juga, kita kena pay attention. Because, it is the best for us to prevent or mitigate the risk before it really occurs and resulted major losses to company.  
    • Now, kita lihat pula reporting line, who managing the risk and cooperation from the whole organisation on managing the risk. Chief Risk Officer (CRO) adalah partner kepada management and business units. CRO sepatutnya ada access kepada BOD. Responsibility for managing the risk bukanlah tanggungjwb CRO seorang, but ia adalah tanggungjwb the whole organisation. CRO lebih kepada coordinate sahaja. 
Apa kesilapan yang paling besar yang sering berlaku dlm Company ye?? Ada beberapa contoh common mistakes such as: 
  • Only Risk Management Department atau CRO sahaja yang bertungkus-lumus manage risk.
  • CRO tiada access kepada BOD. Reporting line hanya setakat CEO sahaja. 
  • Dan lebih malang bila CRO dijadikan owner untuk Strategic Risk. Dengan authority yang limit, it is very difficult for CRO to manage all those Strategic Risk. 
  • Very less cooperation from other department and Business Unit in terms of identifying, evaluating and updating their risk. 
  • Shallow understanding amongst the staff (sometimes including senior management also) on risk management, differences between risk, impact and causes,; as well as control and mitigation plans.  
  • Risk Register solely prepared by Risk Management Department, not the process owner. Although the input can be provided by the process owner, but it is the best if they are the one who prepared the Register. The Risk Management Department should acts as reviewer. 
  • Outdated Risk Register maintained by the Company. It is not practical for Company to update the Register on weekly or monthly basis. The best is on bi-annual. But, there are also certain company that not bother to update their Register in years, with assumptions that there is no changes in their Company's risks or industrial risks. 
  • Inadequate knowledge on business, operation and industry by CRO or Risk Management Department. Dalam kata lain, Risk Management Department or CRO tidak familiar langsung dgn operasi sykt atau nature industry. Input dari process owner diterima bulat2 tanpa soal selidik, no challenges session and lack of initiative to enhance understanding. Jika ini berlaku, it will be difficult for CRO or Risk Management Department to detect if there is any risks yang sengaja atau tidak sengaja disorokkan oleh process owner, dari capture dlm Risk Register sedangkan risk tersebut adalah major. 
Oklah, kesimpulannya itu adalah serba sedikit idea kalau kita nak review Risk Management dlm Company. Terpulang pada auditor untuk buat secara simple i.e. review Risk Register, check completeness and accuracy and finally test control yg ada. Ataupun auditor nak buat cara strategic iaitu lebih kepada effectiveness in execution of Risk Management. Lebih leceh dan banyak kerja, but it will add value to RM functions in our organisation. Tepuk dada tanyalah CIA, heheh..

Hari pun dah lewat malam ni.. Mata Patung Beruang pun dah tak mampu nak angkat lagi. Oklah, hopefully perkongsian yang tidak seberapa ini memberi manfaat pada orang yang membacanya, Aamin... 

No comments:

Post a Comment

About Me

My photo
A simple girl who love books and teddy bear namely Bibi...