Risk Management and Audit

Risk

“Often the difference between a successful person and a failure is not one has better abilities or ideas, but the courage that one has to bet on one’s ideas, to take a calculated risk and to act.” – André Malraux

As transition risk managers we frequently advise large multinational companies on their treasury and risk management activities. This ranges from defining vision, strategy and policies to assessing the control environment. A large part of this work has been the implementation of IAS accounting rules and advice on hedge effectiveness testing given to some of the leading European companies in various sectors (e.g. energy, distribution, commodities).

FINBRAIN has also demonstrated strong expertise in the development, implementation and review of commodity risk management solutions, mainly within corporates:

  • Building the business case for developing the risk management function
  • Designing and building the risk management department (policies, processes, people, systems)
  • Selecting and implementing a commodity risk management system (CXL, Triple Point)

Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 (*) as the effect of uncertainty on objectives, whether positive or negative) followed by the coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events, or to maximize the realization of opportunities.

Risks can come from uncertainty in financial markets, threats from project failures (at any phase in design, development, production, or sustainment life-cycles), legal liabilities, credit risk, accidents, natural causes and disasters as well as deliberate attack from an adversary, or events of uncertain or unpredictable root-cause.

Several risk management standards have been developed, including those of the Project Management Institute, the National Institute of Standards and Technology, actuarial societies, and ISO. Methods, definitions and goals vary widely according to whether the risk management method is applied in the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety.

The strategies to manage threats (uncertainties with negative consequences) typically include transferring the threat to another party, avoiding the threat, reducing the negative effect or probability of the threat, or even accepting some or all of the potential or actual consequences of a particular threat, and the opposites for opportunities (uncertain future states with benefits).

Certain aspects of many of the risk management standards have come under criticism for producing no measurable improvement in risk, even though confidence in estimates and decisions seems to increase. For example, it has been shown that one in six IT projects becomes a ‘Black Swan’, with cost overruns of 200% on average and schedule overruns of 70%.

(*) ISO 31000 is a family of standards relating to risk management codified by the International Organization for Standardization. The purpose of ISO 31000:2009 is to provide principles and generic guidelines on risk management. ISO 31000 seeks to provide a universally recognised paradigm for practitioners and companies employing risk management processes to replace the myriad of existing standards, methodologies and paradigms that differed between industries, subject matters and regions.

Currently, the ISO 31000 family is expected to include:

  • ISO 31000:2009 – Principles and Guidelines on Implementation
  • ISO/IEC 31010:2009 – Risk Management – Risk Assessment Techniques
  • ISO Guide 73:2009 – Risk Management – Vocabulary

ISO also designed its ISO 21500 Guidance on Project Management standard to align with ISO 31000:2009.