Practical aspects of Risk Management beyond the theory. Edition №1

In the PFM Strategy for 2022-2025, developed with the support of EU4PFM, the importance of not only considering internal financial control as a theoretical concept but also as a practical tool for spending units is emphasised. Therefore, the role of EU4PFM is to provide recommendations for its optimal organisation, including effective risk management.

Q1: Why is risk management important?

A1: It’s a fundamental aspect of responsible and effective management. It helps to protect assets, maintain financial stability, manage reputation, ensure business continuity and identify opportunities, and it helps managers make better, more informed decisions. Overall, risk management supports managers by systematically analysing and prioritising events that might influence the efficient and effective achievement of organisational objectives. Formulating risk responses, given the managerial risk appetite, is part of risk management and therefore contributes to the ongoing improvement of internal control systems.

Q2: What is the legal and procedural basis for internal control in Ukraine?

A2: Budget Code of Ukraine: Internal control is a set of measures applied by the head of an entity to ensure compliance with the law and the efficient use of budget funds, achieving results in accordance with the established purpose, objectives, plans and requirements for the activities of the budget manager and of the enterprises, institutions and organisations under their management.

The BASIC PRINCIPLES of internal control by budget managers (Cabinet of Ministers Resolution No. 1062 of December 12, 2018) are based on the COSO framework and include elements of risk management. These principles encompass the control environment, risk assessment, control activities, information and communication, and monitoring.

PFM Strategy 2022-2025: “Measures should be taken to improve internal financial control, with a view to its practical application to the activities of spending units, and to provide recommendations for its optimal organisation, including effective risk management.”

Guidance: risk management (for internal auditors and for managers)

Q3: What are the relevant trends in risk management?

A3: Risk Management 1 (or conventional risk management) thrives in compliance-driven environments, relying on frameworks such as COSO, COBIT and ISO 31000. It focuses on identifying, analysing, prioritising and mitigating risks. It takes an instrumental approach, built around (periodically updated) risk registers, and is often separated from decision-making and “outsourced” to a risk manager or risk unit. Its focus is on external stakeholders: auditors, regulators (Ministry of Finance) and external accountability.

In contrast, Risk Management 2 (connecting Risk Management 1 with practice) integrates risk management into existing policies and procedures, provides a wider variety of instruments beyond risk registers, and focuses on internal stakeholders, which enables a strong connection with managerial decisions and internal accountability.

Q4: How can organisational boundaries regarding risk-taking be defined through risk appetite?

A4: Organisational boundaries regarding risk-taking can be determined through existing policies, norms and thresholds, such as health and safety regulations, corruption prevention measures and budget ceilings. Delegation limits, performance targets and “decision criteria” for major investment projects also reflect the organisation’s risk appetite.

Q5: What is the solution to enhance the use of risk information for decision-making?

A5: The solution is to embed risk information into existing reporting processes. It should be presented in a context suitable for decision-making, such as including risk information in performance reporting and linking it with key performance indicators (KPIs). Distinguishing between internal and external risk reporting is essential.

Q6: What is the most important thing to remember about risk management information flow?

A6: Risk information should flow continuously within the organisation, accompanying every decision-making process, rather than being limited to periodic risk assessments (e.g., weekly, monthly, or annually).

Q7: What practical advice should be followed when setting risk-based KPIs?

A7: When setting risk-based KPIs, incorporate risk analysis into the key stages of the managerial cycle, including strategic planning, objective setting and budgeting. Ensure each KPI is assessed for realism in light of the known risk exposure. Risk managers or other second- and third-line functions should challenge the KPIs that have been set, based on the risk analysis.

Q8: How should Risk Management be embedded into decision-making processes?

A8: To embed Risk Management into decision-making processes, consider these steps:

Q9: How can accountability for Risk Management be organised within an organisation?

A9: Accountability for Risk Management can be organised by developing KPIs for risk management for different lines of governance:

When Audit Committees are in place: use this platform as a key dashboard for the results of the risk management effort within the entity.

Q10: What are the key steps for successful implementation of Risk Management?

A10: The key steps for successful implementation of Risk Management are as follows: