Let's now clear up the main misconceptions about risk management:
1. Organizational risk management is not a function or department. It is the culture, competencies and practices that organizations integrate with the strategy development and implementation process in order to manage risk while creating, maintaining and realizing value.
2. Organizational risk management is not limited to a risk register. Organizational risk management is not only about internal control. It is also linked to strategy, corporate governance, stakeholder communication and performance management.
3. Organizational risk management is not a checklist. It includes principles in accordance with which business processes can be built and is a system for monitoring, training and improving performance.
4. Enterprise risk management is applicable to all organizations, regardless of their size.
To manage operational risks at the level of business processes, it is very important to have adequate control procedures and measures, namely:
1. Accounting and monitoring of control procedures at the level of all processes and departments.
2. Automated formation of risk and control matrices.
3. Assessment of the impact of control procedures on the likelihood of risk occurrence and the severity of consequences.
4. Collection of the results of control procedure execution.
5. Management of tasks within the framework of events and projects.
When automating the systems of internal control, internal audit and risk management, special attention should be paid to the quality of information, communications and reporting, including:
1. Automation of workflows for collecting risk data and performing verification activities.
2. Consolidation of data from external systems with integration into the analysis and forecasting system.
3. Availability of adequate visualization and dashboards at all levels that highlight violations of indicators.
4. Continuous audit using automation and machine learning tools.
5. Dissemination of information about risks to responsible persons.
6. Reports on various areas of control with printed forms (integrated with the EDMS).
In the following articles, we will take a closer look at the three lines of defense and the possibilities of using machine learning in internal audit and control. If you are interested in implementing such systems in your company, I will be happy to help with such projects. Please contact me through my website: http://akonnov.ru/ or through my Telegram channel: https://t.me/biz_in