In recent decades, companies around the world have invested many resources in improving the quality of their internal control systems, emphasizing the assessment of risks that allows knowing in advance all the factors that can make it difficult to comply with the objectives set by the entity.
The development of this article proposes a method that aims to facilitate the link between the objectives and the risks in them from the analysis, verification and control of the possible deviations in the jobs and / or processes, in order to determine the control objectives and prepare the Risk Prevention Plan taking into account the level of importance in order to rationally prioritize its priority for correction.
Introduction.
The term risk has become for several years a recurring word in the legislation of many countries and in documents representing problems worldwide, whether they are climate change (Berger, 2009, NC ISO 14001, 2004), occupational safety (NC 18001, 2005), technological accidents (IAEA, 1999) or natural disasters (UN, 2005). The common sense of the general public interprets the term "risk" as the result of the probability or frequency of occurrence of a defined danger (problem, failure, accident, natural catastrophe, fraud, human error, etc.) and the severity or magnitude of the consequences of this undesirable event should it occur.
This term is also applicable to the internal functioning of the management system of companies and / or institutions and, although its consequences may lead to risks such as those described, they may also lead to economic or prestige losses due to negligent or intentional acts related to the process manager staff.
The internal control system of the processes in the entities is not exclusive to the socialist system, in fact it is born from the experiences of risk analysis in large private companies in capitalist countries (Coopers and Librand, 1997). The preventive identification of these dangers is carried out through control and self-control systems that allow risk management using so-called risk maps or fraud matrices (Bueno, 2008).
Overall, the internal control system is one of the means that allows the identification, analysis, evaluation and treatment of risks, taking into account the entity's political, social, economic, legal and organizational environment, including the development of criteria, policies, strategic planning and risk minimization.
The COSO Report (Coopers and Librand, 1997) constitutes an obligatory reference material when dealing with the issue of internal control, given the broad conceptual framework that it establishes.
The purpose of identifying risks, as defined by these authors, is to determine the aspects that may compromise the achievement of the entity's objectives, based on a reasonable degree of security, which is the confidence that the management will be warned in time. of the existence of a danger (risk) that compromises the objectives. Once these risks have been identified, they are analyzed, which is based on their characterization, including the estimation of the loss or cost of each risk, its probability of occurrence and the establishment of measures for its management.
In the COSO report, however, it leaves aside the risk analysis methods, presenting an ambiguous approach to the study of the probability of occurrence, a use of non-rigorous sources for the analysis of losses, finally arriving at a qualitative classification of risks, which offer little additional information.
In our country, for example, risk analysis has become a recurring theme in the preparation of prevention plans required by current Cuban legislation, within the entities' Internal Control Systems. There are various methods to analyze the risks of the organization, but many of these do not offer the necessary information to be able to adequately prioritize the risks according to the impact or consequence that these have on the objectives of the organization.
Based on all the previous reasoning, the object of this research is "the risks associated with the aspects deduced within the prevention plans", the scientific problem being "the methodological gap related to the task of risk analysis within the framework of the plans. prevention ”.
Development.
Risk Management is the systematic application of policies, procedures and practices to identify, analyze, evaluate, treat and monitor risks, which essentially implies anticipating what can go wrong, why it can happen and what can be done to avoid or lower the risk.
The six fundamental stages of the process (Risk Management) can be shown in the following diagram:
|
||
|
Taken from Introduction to Business Risk Management by JB Madrigal, December 2004
Establish the context of the risks.
To establish the context of the risks, it is necessary to identify and define the political, social, economic, legal and organizational environment within which the activity, process or decision is carried out, in addition to determining the Objectives of the entity through a good strategic planning of the organization
At present, the method that is most used to define the objectives of a company is the SWOT Matrix, since this tool allows, according to the result achieved, to draw new strategies and therefore to set new goals, in this way the objectives themselves show the fulfillment of the mission of the organization.
Identification of Risks.
The first step is to identify all those assets and resources that the organization uses to operate and achieve its objectives. The tangible, financial assets and resources of the company, such as machinery, supplies, employees, capital and facilities or buildings, that are easy to identify. However, there are other assets and resources that may be less obvious, called intangible resources, such as: executive competence, market share, creditworthiness, client portfolio, reputation, virtues of services or outputs and the budgets of the inputs that the organization uses to produce its services or products.
Today there are many techniques to help identify risks. However, human errors are frequently the main contributors to risks, and this is especially applicable to the business environment, the most used to identify these risks are Task Analysis, Checklists, Consultation with experts of the analyzed activities and brainstorming exercises in expert groups.
Risk Analysis.
Risk analysis is the process of identifying potential effects or results on business performance.
For risk analysis, there are various techniques, but probably the most used in the business environment is "brainstorming", where from the domain of business activity, scenarios of the type "what happens if…..? ”. These scenarios will help to identify the actions that can be taken to manage these risks, subsequently moving on to the Risk Assessment stage.The disadvantages of using this tool is that it does not provide all the information necessary to identify which risk affects the most. the successful fulfillment of the objective, in order to optimize the necessary resources and guarantee the services and products with the required quality, prioritizing the key processes of the organization.
The methodology for Risk Management that we propose incorporates an intermediate stage before Evaluating the Risks, which will be identified as Hierarchical Risks (see Fig. 1), this stage allows quantifying by weighing the experts themselves. organization the potential risks and their consequences for each company objective (see Table 1).
Fig.No.1 Diagram of the stages of the Risk Management process with the incorporation of the new stage
To incorporate the data obtained at this stage into the Objectives vs Risks Matrix, the participation of a Group of experts from the different areas of the organization is necessary, who will assess the risks according to a previously proposed scale, which already allows the analysis of the impact or consequence in different dimensions, obtaining results according to the proposed analysis as shown as an example in the following Table No.2
Table No. 2 Category of Impact or Consequence
The group of experts when determining the impact or consequence of that risk with respect to the specific Objectives of the General Weighs it. The said Weighting is found as follows:
Weighting: (Total Risk score / Maximum score to be obtained).
The result of the weighting is shown in Table No. 3, where it also allows inferring then the level of importance of that risk (Table No. 4) with respect to that objective. In this way, the actions that can be taken to manage these risks can be taken.
Table No.3 Example of valuation of final result Objectives vs Risks Matrix
Table No.4 Level of Importance
Taking into account the results of the Objectives vs Risks Matrix set out in Table No.3, it is evident that risk has a greater impact on the General Objectives and this in turn prioritizes the risks identified by the Expert Group for a subsequent evaluation and pertinent incorporation into the Risk Prevention Plan according to the level of detection and the level of priority.
With the use of this method, small and medium-sized companies in general and very particularly national companies, according to the new Economic Model that is being developed in Cuba, entities will be able to draw up their strategic plan to guarantee more efficiently minimize the impact of risks in organizational management, since in this way the material and human resources would be focused on those risks that most affect the achievement of the objective.
Advantages of using this method and the need to add the Risks Hierarchy step.
- Determine a strategic plan prioritizing the measures of the risks that affect the company Optimizes the resources of the company Saves time, money and Human Capital in improving the quality of the Internal Control System Guarantees greater clarity to managers in the decision Decisions Greater benefit of the Risk Prevention Plan in organizational management.
Risk Assessment according to the proposed methodology.
Once the potential effects of the risks have been identified through the Hierarchy, the priorities for their treatment and control must be established. The two fundamental elements to assess a risk are its Probability -
Frequency of Occurrence (See Table No.5) and the Impact or Consequence (See Table No.2) that may infer in the fulfillment of the objectives and may incur in the economic loss and image of the company.
Table No.5 Probability- Frequency of Occurrence.
Determining the Probability-Frequency of Occurrence and the Impact or Consequence of this risk with respect to the objective, the risk level is then defined (see Table No.6), in order to establish the Priority level (see Table No.7) that goes to have that risk to include it in the Risk Prevention Plan. The results of the risk assessment will then be reflected in the Risk Map that will make it possible to show the Risk Level, the Priority Level and the control objective for the determined risks.
To know the priority level it is necessary to know the level of detection of that risk. The following shows the calculation method to determine the Risk Priority and Table 8 shows the meaning of the Detection Level Risk Priority = Frequency Range * Impact Range * Detection Probability
Table No.7 Priority Level.
| Priority level | NP | Ranges | |
| Extreme Priority Level | I | 101 to 125 points | |
| High Priority Level | II | 76 to 100 points | |
| Moderate Priority Level | III | 51 to 75 points | |
| Low Priority Level | IV | 26 to 50 points | |
| Negligible Priority Level | V | 0 to 25 points |
Table No.8 Risk Detection Level
| 5 | Uncertain | Existing control activities do not detect the problem or there are no control activities. |
| 4 | Low | Low chances of problem being detected
well in advance. |
| 3 | Moderate | Sometimes the problem is detected early enough. |
| two | Tall | High probability of being detected the problem with
sufficient notice. |
| one | Almost true | Usually the problem is always detected with |
Detection level Detection probability
sufficient notice.
Risk Treatment.
Based on the result given in the Risk Map and establishing the Risk Priority Level, the Strategic Risk Prevention Plan is drawn up, to treat it, applying measures to modify the risk, this includes as the main element, control or risk mitigation, for better control of it.
Some alternatives for the treatment of risks can be:
- Avoid it: abandoning the activity that generates it. Reduce probability and impact: through specific action plans and controls. Transfer it: sharing the risk with a strategic partner, underwriting insurance, contractual agreements, among others. Retain it: accepting its level of materialization by taking it to a residual level, even managing its consequences.
Continuous Monitoring and Review of the Risk Management stages.
After completing the Strategic Risk Prevention Plan, it is necessary to supervise and monitor those identified and determined by the processes / areas of the companies, since many of these may change their level of importance over time and the Senior Management of the Center will have to then determine if the internal control system designed previously continues to be relevant and capable of addressing new risks , and in this recognition, Senior Management reconsiders the design of controls when risks are modified, and that the controls designed to reduce risks to an acceptable level, they continue to function effectively.
- Case Analysis
For the analysis of Cases we will take as an example a Company the Food Industry, and from that entity we will identify the risks of the Measurement, Analysis and Improvement Process that may prevent the fulfillment of the General Objectives.
Company XXXX
General objectives.
- Ensure that production meets the demand of the domestic market and guarantees export commitments. Export 8,801 t / year of finished product of the annual plan Produce 126,141.0 t / year, of which 114,139.0 t / year for the regulated market and 22,002.0 t / year for the foreign exchange market Have less than 10 claims in the period for non-compliance with delivery in quality, quantity and timely. Maintain the Certification of the Integrated Management System. Obtain Satisfactory results in all the control actions carried out Verify compliance with the Phytosanitary Inspection Plan Verify the management of solid waste.
Once the General and Specific Objectives have been determined, the risks of the Measurement, Analysis and Improvement Process are identified and the score is given according to the Impact or Consequence that this potential risk has with respect to the Objective (see result in Table No.9), once the risk is weighted, the level of importance of the risk with respect to that objective is determined (Table 10) to include it in the Risk Map
(Table 11) and culminate with the Risk Prevention Plan (Table 12)
Example of Weighting: (Total Risk score / Maximum score to be obtained).
Losing Certification = 7/15 = 0.47
Table No. 10 Objectives vs Risks Matrix (Level of Importance)
With the result shown in the previous Table, it is evident which are the risks that most affect the fulfillment of the Work Objectives and based on the analysis of the Level of Importance, the Risk Map (Table No.11) is prepared, for later carry out the Risk Prevention Plan (Table Table No.12).
Conclusions.
- The inclusion proposal, within the traditional Risk analysis, of the Risks Hierarchy stage in companies, allows optimizing resources and working on the risks that have the greatest impact on the fulfillment of the Objectives. In the proposed methodological design as a support to risk management within the strategic prevention plan of an entity, in a hierarchical way it constitutes a valuable tool for the quantification of risks and its effectiveness is based on its approach to optimizing resources for prevention with a greater vision of the economic aspect for the organization.
Bibliography
- BERGER, M. (2009), Obama brings little to Copenhagen, Granma Newspaper, Cuba, Friday, November 27, 2009.BUENO CASTAÑEDA, L. (2008), Concepts and Experiences in Operational Risk, I Internal Audit Congress " The Role and Vision of Internal Auditing in Risk Management ”, Institute of Internal Auditors of Colombia, Colombia. COOPERS & LYBRAND (1997), The new concepts of internal control (COSO Report), Ediciones Díaz de Santos, SA, Madrid, Spain, ISBN 84-7978-295-1.MAC (2009), Law No. 107 of the Comptroller General of the Republic of Cuba.MAC (2011), Resolution 60 Standards of the Internal Control System.JB (2004), Introduction to Business Risk Management.NC ISO 14001: 2004. Environmental Management Systems. Requirements NC 18001: 2005. Occupational Health and Safety Management Systems - Requirements.International Atomic Energy Agency (IAEA) (1999), Basic Safety Principles, INSAG-3, Vienna, Austria, UN (2005), World Conference on Natural Disaster Reduction in Kobe City of Hyogo Prefecture, Kobe, Japan TORRES, A., PERDOMO, M., et al (2009), Group for Risk Analysis and Reliability of Cuba: 20 years of experience in security, reliability and maintenance analysis services. Reservoir, Córdoba, Argentina:20 years of experience in security, reliability and maintenance analysis services. Reservoir, Córdoba, Argentina:20 years of experience in security, reliability and maintenance analysis services. Reservoir, Córdoba, Argentina:
