<span class="text_page_counter">Trang 1</span><div class="page_container" data-page="1">

RISK

MANAGEMENT

BASIC PRINCIPLES, FRAMEWORK, STRATEGY AND TOOL

</div><span class="text_page_counter">Trang 2</span><div class="page_container" data-page="2">

q<b>  INTRODUCTION </b>

q<b>  RISK MANAGEMENT PRINCIPLES </b>

q<b>  RISK MANAGEMNT FRAMEWORK </b>

q<b>  RISK MANAGEMENT TOOLS </b>

q<b>  POLICY AND GUIDELINES </b>

q<b>  RISK MANAGEMENT ARCHITECTURE </b>

q<b>  RISK MANAGEMENT STRATEGY </b>

q<b>  RISK MANAGEMENT PROTOCOLS </b>

q<b>  RISK REGISTER </b>

q<b>  CONCLUSION </b>

</div><span class="text_page_counter">Trang 3</span><div class="page_container" data-page="3">

<b>INTRODUCTION </b>

<b>Imagine a discipline without its own common set of assumptions, concepts, principles, standards and practices that are unique among its practitioners. </b>

<b>Does this sound familiar? Of course it’s child rearing. You got it! </b>

<b>Children reared in different parts of the world are taught different things - assumptions, concepts, principles, standards, practices, culture, beliefs, identity, race relation, gender, social conditioning – all very different </b>

</div><span class="text_page_counter">Trang 4</span><div class="page_container" data-page="4">

<b>INTRODUCTION </b>

<b>Every discipline has its own common set of assumptions, concepts, principles, standards and practices that are unique among its practitioners. </b>

<b>Risk management is without exception. It has its own common set of assumptions, concepts, principles, standards, practices and tools that together form the risk management discipline. </b>

<b>It is imperative for organizations and risk management practitioners to understand and use these fundamental </b>

</div><span class="text_page_counter">Trang 5</span><div class="page_container" data-page="5">

<b>INTRODUCTION </b>

<b>The practice of risk management will be incomplete without these tenets which provide the foundation upon which risk management is designed and implemented. There may be differences in the language used and applications of these canons due to organizational differences. </b>

<b>However, the objective remains the same: to manage risks that threaten objectives. </b>

</div><span class="text_page_counter">Trang 6</span><div class="page_container" data-page="6">

<b>INTRODUCTION </b>

<b>A risk management system is a series of coordinated organizational arrangements, structures, relationships, processes and procedures that are designed and embedded into the organization’s strategic and operational policies and practices. </b>

<b>The principles of risk management provide a sound basis (intention and purpose) for establishing and implementing an effective risk management system. </b>

</div><span class="text_page_counter">Trang 7</span><div class="page_container" data-page="7">

<b>PRINCIPLES OF RISK MANAGEMENT </b>

<b>The principles are as follows: </b>

<b>management should contribute to the demonstrable achievement of objectives and improvement of performance in, for example, tax compliance, human health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, product quality, project management; efficiency in operations, corporate governance and reputation. </b>

</div><span class="text_page_counter">Trang 8</span><div class="page_container" data-page="8">

<b>PRINCIPLES OF RISK MANAGEMENT </b>

<b>The principles are as follows: </b>

<b>organizational processes – risk management should not be a stand-alone activity that is separate from the main activities and processes of the organization. Risk management is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning, project management and change management processes. </b>

</div><span class="text_page_counter">Trang 9</span><div class="page_container" data-page="9">

<b>PRINCIPLES OF RISK MANAGEMENT </b>

<b>The principles are as follows: </b>

<b>management should help decision makers make informed choices, prioritize actions and distinguish among alternative courses of actions. </b>

<b>risk management should explicitly take account of uncertainty, the nature of that uncertainty and how it can be addressed. </b>

</div><span class="text_page_counter">Trang 10</span><div class="page_container" data-page="10">

<b>PRINCIPLES OF RISK MANAGEMENT </b>

<b>The principles are as follows: </b>

<b>– risk management should be a systematic, structured and timely approach to dealing with internal and external threats and vulnerabilities to the organization’s objectives and should contribute to efficiency, and to consistent, comparable and reliable results. </b>

</div><span class="text_page_counter">Trang 11</span><div class="page_container" data-page="11">

<b>PRINCIPLES OF RISK MANAGEMENT </b>

<b>The principles are as follows: </b>

<b>information – the inputs to the risk management process are based on information sources such as historical data, experience, stakeholders’ feedback, observations, forecasts and expert judgement. However, decision makers should inform themselves of and take into account any limitations of the data or modelling used or the possibility of divergence among experts. </b>

</div><span class="text_page_counter">Trang 12</span><div class="page_container" data-page="12">

<b>PRINCIPLES OF RISK MANAGEMENT </b>

<b>The principles are as follows: </b>

<b>appropriate, full and timely involvement of all stakeholders and in particular, decision makers at all levels within and outside of the organization is required to ensure that risk management remains relevant and up-to-date. Involvement also allows stakeholders to be properly represented, informed and to have their views taken into account in determining risk criteria and risk treatments. </b>

</div><span class="text_page_counter">Trang 13</span><div class="page_container" data-page="13">

<b>PRINCIPLES OF RISK MANAGEMENT </b>

<b>The principles are as follows: </b>

<b>should be aligned with the organization’s internal and external contexts and risk profile. </b>

<b>responsive to change – risk management should continually sense and respond to change. As external and internal events occur, context and knowledge change, monitoring and review of risk take place, new risks emerge, some change and others disappear. </b>

</div><span class="text_page_counter">Trang 14</span><div class="page_container" data-page="14">

<b>PRINCIPLES OF RISK MANAGEMENT </b>

<b>The principles are as follows: </b>

<b>of the organization – organizations should develop and implement strategies to improve their risk management maturity alongside all other aspects of their organizations. </b>

</div><span class="text_page_counter">Trang 15</span><div class="page_container" data-page="15">

<b>RISK MANAGEMENT FRAMEWORK </b>

<b>The risk management principles and framework are closely related. </b>

<b>While the principles provide the bases for establishing and implementing effective risk management system, the framework provides the system and structure that are integrated into the organization’s policies, processes and procedures. </b>

<b>The framework consists of risk architecture, strategy and protocols. </b>

</div><span class="text_page_counter">Trang 16</span><div class="page_container" data-page="16">

<b>RISK MANAGEMENT FRAMEWORK </b>

<b>The architecture is the schematic structure that establishes roles and responsibilities: </b>

</div><span class="text_page_counter">Trang 17</span><div class="page_container" data-page="17">

<b>RISK MANAGEMENT FRAMEWORK </b>

<b>The strategy provides a broad course of actions to achieve the risk management objectives: </b>

</div><span class="text_page_counter">Trang 18</span><div class="page_container" data-page="18">

<b>RISK MANAGEMENT FRAMEWORK </b>

<b>The protocols provide the ground rules and procedures to be carried out : </b>

</div><span class="text_page_counter">Trang 19</span><div class="page_container" data-page="19">

<b>RISK MANAGEMENT FRAMEWORK </b>

<b>Risk management framework has four inter-related stages: </b>

<b>Plan: </b>

<b>initiatives and gain board support; </b>

<b>develop common language of risk; and </b>

</div><span class="text_page_counter">Trang 20</span><div class="page_container" data-page="20">

<b>RISK MANAGEMENT FRAMEWORK </b>

<b>Implement: </b>

<b>risk classification system; </b>

<b>risk assessment; and </b>

<b>evaluate the existing controls. </b>

</div><span class="text_page_counter">Trang 21</span><div class="page_container" data-page="21">

<b>RISK MANAGEMENT FRAMEWORK </b>

<b>Measure: </b>

<b>introduce improvements; and </b>

<b>management with other activities in the organization. Learn: </b>

<b>measure risk management contribution; and </b>

<b>monitor improvement. </b>

</div><span class="text_page_counter">Trang 22</span><div class="page_container" data-page="22">

<b>RISK MANAGEMENT TOOLS </b>

<b>The most fundamental tool to risk management is the human capacity with the competences, expertise and risk-awareness culture. </b>

<b>Every risk management tool is useful in so far there is accompanying knowledge, skills, awareness and competences to adopt and use those tools. </b>

</div><span class="text_page_counter">Trang 23</span><div class="page_container" data-page="23">

<b>RISK MANAGEMENT TOOLS </b>

<b>A large proportion of risk is identified, analyzed and treated through human interactions. </b>

<b>Organizations therefore need personnel with the right knowledge, skills and attitude to effectively manage risk . </b>

<b>The lack of such knowledge, skills and attitude poses potential risk to the organization. </b>

</div><span class="text_page_counter">Trang 24</span><div class="page_container" data-page="24">

<b>RISK MANAGEMENT TOOLS </b>

<b>Risk management is based on information science (data, information and intelligence) and the creation and use of information is an essential tool for risk management. </b>

<b>Another fundamental tool for risk management is a database – a data warehouse and data extraction and analysis tools and techniques to analyze, translate and use such database. </b>

</div><span class="text_page_counter">Trang 25</span><div class="page_container" data-page="25">

<b>RISK MANAGEMENT TOOLS </b>

<b> There are many bespoke and off-the-shelf data extraction and analysis software available for use in risk management. </b>

<b>Organizations need to build data warehouse that seamlessly interfaces all data across the organization to enable data mining, matching and logical manipulations. </b>

</div><span class="text_page_counter">Trang 26</span><div class="page_container" data-page="26">

<b>RISK MANAGEMENT POLICY AND GUIDELINES </b>

<b>An organization needs to develop a common risk management language that is consistent across the entire entity. </b>

<b>The role of risk management policy is to lay the foundation for such common language. </b>

<b>A risk management policy is a statement of overall intentions, direction and scope of an organization’s risk management initiatives. </b>

</div><span class="text_page_counter">Trang 27</span><div class="page_container" data-page="27">

<b>RISK MANAGEMENT POLICY AND GUIDELINES </b>

<b>A risk management guideline specifies the step-by-step procedure for the interpretation and implementation of policy. </b>

<b>Guidelines define the implementation modalities of policy and a logical classification and proposition that are actionable within the context of the organization. </b>

</div><span class="text_page_counter">Trang 28</span><div class="page_container" data-page="28">

<b>RISK MANAGEMENT ARCHITECTURE </b>

<b>Risk management architecture consists of the following elements: </b>

<b>structured risk governing bodies at the board and executive management levels to provide oversight, direction and supervision over risk management. </b>

<b>roles and responsibilities for all responsible parties in the risk management process. </b>

</div><span class="text_page_counter">Trang 29</span><div class="page_container" data-page="29">

<b>RISK MANAGEMENT ARCHITECTURE </b>

<b>board should establish clear reporting requirement and responsibility for individuals to provide accountability of their actions and use of resources. </b>

<b>controls in place for dissimilating information to outside parties subject to confidentiality and data privacy policies. </b>

</div><span class="text_page_counter">Trang 30</span><div class="page_container" data-page="30">

<b>RISK MANAGEMENT ARCHITECTURE </b>

<b>and executive management should establish a system that provides independent check and assurance on the adequacy and effectiveness of the risk management process. </b>

</div><span class="text_page_counter">Trang 31</span><div class="page_container" data-page="31">

<b>RISK MANAGEMENT STRATEGY </b>

<b>Risk management strategy consists of the following elements: </b>

<b>executive management should form a system of shared beliefs and attitudes that characterize how risks and risk management are viewed in the organization. </b>

<b>management should be embedded into organizational processes, procedures, activities and responsibilities. </b>

</div><span class="text_page_counter">Trang 32</span><div class="page_container" data-page="32">

<b>RISK MANAGEMENT STRATEGY </b>

<b>executive management should set and communicate the organization’s risk appetite (the level of risk) that the organization is willing to accept and risk attitude ( behavior) toward risk. </b>

<b>management policy and strategy should have thresholds for determining the significance and severity of risks. </b>

</div><span class="text_page_counter">Trang 33</span><div class="page_container" data-page="33">

<b>RISK MANAGEMENT STRATEGY </b>

<b>management framework should have rules for specific risk categories. </b>

<b>framework should have established methodologies for risk identification, analysis and evaluation. </b>

<b>executive management should set and communicate risk management priorities for each year. </b>

</div><span class="text_page_counter">Trang 34</span><div class="page_container" data-page="34">

<b>RISK MANAGEMENT PROTOCOLS </b>

<b>Risk management protocols consist of the following elements: </b>

<b>appropriate risk management tools, for example, computer software applications, data mining tools and common techniques. </b>

<b>establish common risk classification system based on the nature and severity of risks. </b>

<b>establish common risk assessment procedures such </b>

</div><span class="text_page_counter">Trang 35</span><div class="page_container" data-page="35">

<b>RISK MANAGEMENT PROTOCOLS </b>

<b>polices should establish control rules and procedures for carrying out risk treatments. </b>

<b>should be clear to-do-list of activities to perform in case of emergencies, etc. </b>

<b>establish the nature and form of documents and records to be maintained, electronic or manual. </b>

</div><span class="text_page_counter">Trang 36</span><div class="page_container" data-page="36">

<b>RISK MANAGEMENT PROTOCOLS </b>

<b>entity should have periodic risk management training. Important risk management tips and massages should be communicated to all staff within the organization on a regular basis. </b>

<b>management system should have clear documented audit trail and procedures for audit and assurance should be established. </b>

</div><span class="text_page_counter">Trang 37</span><div class="page_container" data-page="37">

<b>RISK MANAGEMENT PROTOCOLS </b>

<b>should have documented reporting and disclosure policies. Risk management certification at the entity and individual levels is important. </b>

</div><span class="text_page_counter">Trang 39</span><div class="page_container" data-page="39">

<b>RISK REGISTER – Sample </b>

<b><small>ComplianceRiskRegister</small></b>

<small>102 April5,</small>

<small>2017</small> ^{Incompletetaxreturns}<small>frommanystart-ups</small> ^High ^High ^Severe ^Taxpayer<small>Services</small> ^Conducttax<small>clinics146 Aug.27,</small>

<small>2018</small> ^{Taxreturnsarenot}<small>thoroughlyanalyzedbyanalysts</small>

<small>Conductdataanalyticstrainingforanalysts76 July20,</small>

<small>2018</small> ^{MultipleTINsfor}<small>taxpayersonthetaxregister</small>

<small>project</small>

</div><span class="text_page_counter">Trang 40</span><div class="page_container" data-page="40">

<b>CONCLUSION </b>

q  <b>R e v e n u e a u t h o r i t i e s m u s t e s t a b l i s h r i s k management system which provides reasonable assurance that objectives are being achieved. </b>

<b>policies, processes and procedures. </b>

<b>necessary for effective risk management. </b>

<b>organization’s objectives and treatment strategies. </b>

</div><span class="text_page_counter">Trang 41</span><div class="page_container" data-page="41">

<b>CASE STUDY </b>

<b>A revenue authority has set up a team to develop a risk management compendium. The team needs to identify and define elements of the components of the risk management system: </b>

</div>