Practical aspects of Risk Management beyond the theory. Edition №1

In the PFM Strategy for 2022-2025, developed with the support of EU4PFM, the importance of not only considering internal financial control as a theoretical concept but also as a practical tool for spending units is emphasised. Therefore, the role of EU4PFM is to provide recommendations for its optimal organisation, including effective risk management.

Q1: Why is risk management important?

A1: It’s a fundamental aspect of responsible and effective management. It helps to protect assets, maintain financial stability, manage reputation, ensure business continuity, identify opportunities and it facilitates managers in making better, more informed decisions. Overall, risk management supports managers by systematically analysing and prioritising events that might influence the efficient and effective achievement of organisational objectives. Formulating risk responses, given the managerial risk appetite, is part of risk management and therefore contributes to the ongoing improvement of internal control systems.

Q2: What is the legal and procedural basis for internal control in Ukraine?

A2: Budget Code of Ukraine: Internal control is a set of measures applied by the head to ensure compliance with the law and efficiency of budget funds, achieving results in accordance with the established purpose, objectives, plans and requirements for the activities of the budget manager and enterprises, institutions and organisations belonging to his management.

BASIC PRINCIPLES of internal control by budget managers (Cabinet of Ministers Resolution No. 1062 from December 12, 2018) thatare based on the COSO framework and include elements of risk management. These principles encompass control environment, risk assessment, control activities, information and communication, and monitoring.

PFM Strategy 2022-2025: “Measures should be taken to improve internal financial control, with a view to its practical application to the activities of spending units, and to provide recommendations for its optimal organisation, including effective risk management.”

Guidance: risk management (for internal auditors and for managers)

Q3: What are the relevant trends in risk management?

A3: Risk Management 1 (or conventional risk management) thrives in compliance-driven environments, relying on frameworks like COSO, COBIT, and ISO31000. It focuses on identifying, analysing, prioritising, and mitigating risks. It has an instrumental approach, with (periodically updated) risk registers, and is often separated from decision-making and “outsourced” to a risk manager or risk unit. It focuses on external stakeholders: auditors, regulators (Ministry of Finance), external accountability.

In contrast, Risk Management 2 (connecting risk management 1 with the practice) integrates risk management into existing policies and procedures, provides a wider variety of instruments beyond risk registers, and focuses on internal stakeholders that enable strong connectivity with managerial decisions and internal accountability.

Q4: How can organisational boundaries regarding risk-taking be defined through risk appetite?

A4: Organisational boundaries regarding risk-taking can be determined through existing policies, norms, and thresholds, such as safety health regulations, corruption prevention measures, and budget ceilings. Delegation limits, performance targets, and “decision criteria” for major investment projects also reflect the organisation’s risk appetite.

Q5: What is the solution to enhance the use of risk information for decision-making?

A5: The solution is to embed risk information into existing reporting processes. It should be presented in a context suitable for decision-making, such as including risk information in performance reporting and linking it with key performance indicators (KPIs). Distinguishing between internal and external risk reporting is essential.

Q6: What is the most important thing to remember about risk management information flow?

A6: Risk information should flow continuously within the organisation, accompanying every decision-making process, rather than being limited to periodic risk assessments (e.g., weekly, monthly, or annually).

Q7: What practical advice should be followed when setting risk-based KPIs?

A7: When setting risk-based KPIs, incorporate risk analysis into key stages of the managerial cycle, including strategic planning, objective setting, and budgeting. Ensure each KPI is assessed for realism considering known risk exposure. Risk managers or other second/third line functions should challenge set KPIs given on risk analysis.

Q8: How should Risk Management be embedded into decision-making processes?

A8: To embed Risk Management into decision-making processes, consider these steps:

• Require documented trails in managerial decision-making processes in which information about risks relevant to the decision is captured, analysed and disclosed;
• Determine which business decisions regularly taken by the management may benefit most from additional risk analysis;
• Develop a methodology that will allow risk assessments to be carried for every significant business decision before the decision is taken;
• Include elements like simulation, scenario-thinking and forecasting into key decision-making processes like big investment decisions, high financial impact decisions or key operational decisions.

Q9: How can accountability for Risk Management be organised within an organisation?

A9: Accountability for Risk Management can be organised by developing KPIs for risk management for different lines of governance:

• 1st line: analysing key operational risks; communicating timely risks to the second line.
• 2nd line: consolidate and communicate key risk timely to senior management; contribute to improvement of risk management entity-wide.
• 3rd line: periodically assess quality of risk management; include results of managerial risk management into audit planning.
• Senior management: comply with regulatory risk disclosures to external stakeholders, set, guard and maintain the risk management culture within the entity.

When Audit Committees are in place: use this platform as a key dashboard for the results of the risk management effort within the entity.

Q10: What are the key steps for successful implementation of Risk Management?

A10: The key steps for successful implementation of Risk Management are as follows:

• Formulate the principles and foundations for risk management: determine the scope of risk management (for example, for operational managers and supportive or control functions), the width of the risk portfolio (risk categories), risk management as a continuous process, commitment and awareness to risk management, linkage with the existing governance structure and the planning and control cycle
• Create a Risk Management policy: based on the principles and foundations, formulate the vision on risks, determine key aspects like risk appetite and tolerance levels
• Define tasks, roles and responsibilities for all organisational functions that relate to risk management: employees, management (all levels), second line functions (e.g. Planning or accounting department) and internal audit
• Analyse, identify and assess the risks: frameworks like COSO give guidance in the core process of risk management. Materialise this guidance in the internal risk management policy
• Reporting and communication: define how and when internal and external organisational stakeholders will be informed regarding the results of risk management. Connect the reporting as much as possible with the existing planning and control arrangements. Create platforms to discuss these results of the risk management process and avoid solely focusing on technicalities like the risk register.