Objectives of risk assessment
· Categorise risks into High, Medium and Low categories so that mitigation actions can be prioritised.
· Allocate resources effectively, based on analysis of the impact and the likelihood of each risk occurring.
· Develop risk mitigation strategies.
· Strengthen the compliance culture, including statutory compliance.
· Facilitate the selection of appropriate insurance policies.
· Provide reliable inputs to financial institutions that lend money, to investors and shareholders, and to business associates and customers.
What can be at risk in the organisation
· Safety of people: customers, vendors (including suppliers, contractors, consultants and service providers), channel partners (dealers, distributors, after-sale service providers, agencies, etc.), employees, and all business associates (FIs/banks, advisors, etc.).
· Reputation of the organisation.
· Profitability and business performance.
· Plant and machinery, equipment, buildings, IT infrastructure, and all other fixed assets.
· End products, all types of materials, and services rendered.
· Designs, all types of business processes across functions, information, and data.
And so on.
Overview of the processes and business activities performed by the Corporate F&A team
As per the author's estimate, 140 key processes and 963 key activities are performed by the Corporate F&A team, as summarised below.
S.no | Description | No. of processes | No. of business activities | Remarks |
--- | --- | --- | --- | --- |
1 | Identifying and developing competencies | 5 | 16 | |
2 | Carrying out performance appraisal of F&A based on KPIs and KRAs | 3 | 23 | |
3 | Joint ventures | 6 | 91 | |
4 | Mergers and acquisitions | 6 | 100 | |
5 | Treasury investments | 8 | 113 | |
6 | Intangible assets | 8 | 30 | |
7 | Equity build-up and dividend payments | 13 | 75 | |
8 | Borrowings, long term and short term | 27 | 156 | |
9 | Role of CFO in pricing decisions | 9 | 41 | |
10 | Conducting risk assessment in the F&A function | 9 | 51 | |
11 | Developing the Financial Authority Manual | 6 | 48 | |
12 | SOPs | 9 | 29 | |
13 | Developing budgets | 3 | 18 | |
14 | Performing internal audits | 15 | 120 | |
15 | Corporate governance | 13 | 52 | |
Total | | 140 | 963 | |
The above excludes processes/activities performed by operational F&A teams.
Competent professionals must perform all these activities diligently to minimise the risk of an activity going wrong and adversely impacting the business, for example by:
① Impacting profitability, sales revenue, costs, quality, or end-customer satisfaction
② Impacting statutory regulations, compliance, and ethics
③ Impacting delivery timelines, or the efficiency or effectiveness of process performance
or any combination of ①, ② and ③.
Therefore, risk assessment at the business process /activity levels is also essential in addition to external risks at the organization level.
This article covers the following six (6) aspects of risk assessment.
· i) Risk assessment at the organisation level, with Template 1 (using the segregation-of-duties concept)
· ii) Risk assessment at the business process/activity level, with Template 2 (using a scoring model)
· iii) Risk assessment at the business activity level, with Template 3 (where scoring may not be feasible)
· iv) Risk assessment at the statutory activity level, with Template 4
· v) Restricting access rights for business activities as per risk classification
· vi) Activities (including unethical ones) that can affect the business adversely in each risk assessment process
i) Risk assessment at the organisation level and Template 1
The author proposes five (5) activities for carrying out the risk assessment process systematically:
1a. Designating a risk assessment team or cross-functional team (CFT). Its permanent members could be the heads of the sub-functions within F&A, such as purchase accounting, sales accounting, treasury, general ledger accounting, forex, taxation, and the legal and secretarial team;
and
1b. Heads of other functions as need-based invitees, say purchase, sales, manufacturing, IT/ERP, R&D, and so on, whose input is essential for organisation-level risks.
2. Identifying the aspects that can contribute to risks.
3. Designing risk assessment templates at the organisation or activity level, as applicable.
4. Software programming of each risk template and of the navigation (workflow) for it.
5. Populating the risk template.
Template 1: For classifying risks at the organisation level
(Illustration 1: F&A function)
Aspect | Description |
--- | --- |
1. Key function name and code | Corporate F&A; code to be assigned by the IT/ERP team |
2. Risk statements, captured against the aspects stated | Risk statements are to be developed by the CFO and the cross-functional team as applicable to the Corporate F&A function. They may cover aspects such as the economy, government policies, business associates, sudden outage of IT, political and social factors, products or services offered, competition, customer demands, and so on |
3. Risk analysis and implications | To be done for each of the aspects identified above, i.e. 1. economy; 2. government policies; 3. business associates; 4. sudden outage of IT; 5. political; 6. social; 7. products or services offered; 8. competition; 9. customer demands; and so on, with a separate page devoted to each as applicable |
4. Risk level at the organisation level, assessed by CFO + CFT based on point 3 | 1. Economy related: funds availability likely to be very limited, Risk = High; 2. Government policy related: corporate tax rates may go up, Risk = High; 3. Business associate related: vendor credit period likely to be short, Risk = Medium; and so on |
5. Countermeasures, timelines and responsibility | CFO + CFT to capture these against each aspect at point 3, with inputs from the functional heads |
6. Top management comments on points 2 to 5 | |
The above table is to have the following table attached to it to ensure segregation of duties.
Description | Created by | Edited by | Viewed by | Approved by |
--- | --- | --- | --- | --- |
Sub-function in F&A | aa or bb, etc. | CFO | cc, dd, and so on | CEO/MD |
User's level in F&A | Top or middle, and so on | CFO | Top or middle, and so on | CEO/MD |
User's position in F&A | DGM, GM, and so on | CFO | DGM, GM, and so on | CEO/MD |
Signatures | To populate | To populate | To populate | To populate |
Date | To populate | To populate | To populate | To populate |
Here the sub-functions aa, bb, cc, etc. in columns 2 and 4 mean purchase accounting, sales accounting, GL maintenance, treasury and investments, etc., as relevant.
i) The software for populating Template 1 must provide separate creating, editing, viewing and approving rights, and must capture each user's sub-function, level, position, signature and date through a navigation (workflow) process.
ii) The aspects captured in this template improve the professional's understanding of the risks and can be amended at the discretion of the CFO.
iii) This template becomes an integral part of the proposed risk register or risk manual, which covers all organisation-level risks across all functions, and remains a confidential document.
ii) Risk assessment at the core process level and Templates 2 and 3
Eleven (11) activities are proposed, summarised below, including a template.
1. Forming a cross-functional team (CFT) comprising F&A, the legal and secretarial team, and need-based invitees from other functions, and developing Template 2 as shown at activity 10 below.
2. To populate this template, the CFT asks a simple question of each business activity: "What is the adverse impact on the business if this business activity goes wrong?" The answers are analysed under three categories, Severity, Occurrence and Detectability, as below.
3. The CFT identifies and analyses the Severity parameters on a 10-point scale, based on the aspects summarised below, and assigns a score.
Severity parameters, scored on a 10-point scale based on the following aspects:
· Profitability, sales revenue, or cost
· Statutory compliance and conformance to accounting standards
· Satisfaction of customers, vendors, channel partners, business associates, and employees
· Corporate governance
· Quality of the end product or services rendered
· Financial statement accuracy, in terms of the SEBI (LODR) Regulations in India or SOX Act (2002) compliance in the USA
where a score of 1 represents the lowest adverse impact on the business and a score of 10 represents the highest adverse impact on the business.
4. The CFT identifies and analyses the Occurrence parameters as summarised below and assigns a score.
Occurrence (or exposure) parameters, scored on a 10-point scale based on the following causes that can contribute to or lead to an adverse impact:
· 1. Inadequate skills or resources.
· 2. Improper segregation of duties among initiating, modifying, editing, deleting, and approving responsibilities.
· 3. Incorrect or incomplete execution of the work/activity.
· 4. Inadequate verification of the work output.
· 5. Incorrect source data or input parameters.
· 6. Weak internal controls.
· 7. Non-robust system, or SOP not implemented.
· 8. Appropriate authority norms not made available.
· 9. Process logic not configured properly.
· 10. Process complexity, malicious intent, lack of diligence, change management, etc.
where the score equals the number of causes that apply to the activity:
a score of 1 represents 1 applicable cause;
a score of 5 represents 5 applicable causes;
a score of 10 represents 10 applicable causes.
5. The CFT identifies and analyses the Detectability parameters as summarised below, based on the stage at which the effect of the error is found, and assigns a score.
Detectability parameters, scored on a 10-point scale based on the stage at which the "wrong" is detected:
· Stage 1: At the very early stage, by the functional user who initiates the business activity in a function.
· Stage 2: At the subsequent stage, i.e. the verification stage within the same function.
· Stage 3: Outside the initiating function, i.e. in the next function, but within the same business unit.
· Stage 4: During a random internal audit within the business unit.
· Stage 5: At the customer end, i.e. outside the business unit.
where
a score of 1 represents detection at the 1st (initial) stage;
a score of 6 represents detection at the 3rd stage;
a score of 10 represents detection at the 5th stage, i.e. at the customer/business associate stage.
6. The CFT computes an Impact score as shown below.
· Impact score on a 100-point scale = Severity score (out of 10) multiplied by Detectability score (out of 10).
7. The CFT develops a template to capture the Impact and Exposure score analysis, as below.
8. The CFT develops norms for categorising each business activity as High, Medium or Low risk.
The author proposes the criteria below for classifying business activity risks as High, Medium or Low.
Parameter | High | Medium | Low |
--- | --- | --- | --- |
Impact score (severity × detectability) | 70 to 100 | 50 to 69 | below 50 |
Exposure score (occurrence) | 8 to 10 | 5 to 7 | below 5 |
In the illustrations that follow, an activity takes the lower of its two bands: impact 70 with exposure 8 is classified High, while impact 70 with exposure 7 is classified Medium.
9. Software programming of the risk template for navigation/workflow.
The IT/ERP team does the programming, enabling the template to flow from one person to the next.
10. Populating the "core process/activity level risks" in the template.
All activities are to be populated for each core process.
11. Effecting changes in Templates 1, 2 and 3.
The CFT is to revisit these templates periodically whenever there is a change in:
· a core activity;
· any parameter such as severity, occurrence or detectability, since that changes the impact or exposure score;
· user levels;
· user positions.
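The scoring model in steps 3 to 8 above, implemented as an added Python example (this is not the author's software; the page only describes the template). The severity and detectability scores are taken as the CFT's inputs, the occurrence score is derived from the number of applicable causes exactly as the page defines it, and the impact score is severity × detectability. Two things are assumptions of this example rather than statements from the page: the band boundaries 70/50 and 8/5 are treated as belonging to the higher band, and the overall class is the lower of the impact band and the exposure band, which is the only rule consistent with all the rows of the Template 2 and Template 3 illustrations. The sample activities are constructed so that their scores reproduce rows from those illustrations.

```python
from dataclasses import dataclass

# The ten occurrence causes listed on the page. The occurrence (exposure)
# score is simply how many of them apply to an activity, capped at 10.
OCCURRENCE_CAUSES = (
    "inadequate skills or resources",
    "improper segregation of duties",
    "incorrect or incomplete execution",
    "inadequate verification of work output",
    "incorrect source data or input parameters",
    "weak internal controls",
    "non-robust system or SOP not implemented",
    "authority norms not available",
    "process logic not configured properly",
    "process complexity, malicious intent, lack of diligence, change management",
)

# Classification norms. Assumption: a boundary value (70, 50, 8, 5) belongs
# to the higher band, so impact 70 is High and exposure 5 is Medium.
IMPACT_BANDS = ((70, "High"), (50, "Medium"), (0, "Low"))
EXPOSURE_BANDS = ((8, "High"), (5, "Medium"), (0, "Low"))
RANK = {"Low": 0, "Medium": 1, "High": 2}


def band(score, bands):
    """Map a score to High/Medium/Low; the first floor the score reaches wins."""
    for floor, label in bands:
        if score >= floor:
            return label
    raise ValueError(f"score out of range: {score}")


@dataclass(frozen=True)
class Activity:
    name: str
    severity: int        # 1 = lowest adverse impact on the business, 10 = highest
    detectability: int   # 1 = caught by the initiator, 10 = caught by the customer
    causes: tuple        # the entries of OCCURRENCE_CAUSES that apply

    def __post_init__(self):
        for label, value in (("severity", self.severity), ("detectability", self.detectability)):
            if not 1 <= value <= 10:
                raise ValueError(f"{label} must be on the 1..10 scale, got {value}")
        unknown = set(self.causes) - set(OCCURRENCE_CAUSES)
        if unknown:
            raise ValueError(f"unknown occurrence causes: {sorted(unknown)}")


def impact_score(activity):
    """Impact on a 100-point scale = severity x detectability."""
    return activity.severity * activity.detectability


def exposure_score(activity):
    """Exposure = number of distinct applicable causes, on the 1..10 scale."""
    return max(1, min(len(set(activity.causes)), 10))


def classify(activity):
    impact, exposure = impact_score(activity), exposure_score(activity)
    impact_band = band(impact, IMPACT_BANDS)
    exposure_band = band(exposure, EXPOSURE_BANDS)
    # Assumption: the overall class is the lower of the two bands.
    overall = min(impact_band, exposure_band, key=RANK.__getitem__)
    return {"activity": activity.name, "impact": impact,
            "exposure": exposure, "risk": overall}


def score_process(activities):
    """One row per activity, in the layout of the Template 2 footer."""
    return [classify(a) for a in activities]


# Constructed sample: severity/detectability pairs chosen so the products
# match rows of the page's Template 2 (and one boundary row of Template 3).
VENDOR_PAYMENT = (
    Activity("Material rate verification in the purchase order", 10, 10, OCCURRENCE_CAUSES[:8]),
    Activity("Verification of rate and quantity in the vendor invoice", 10, 7, OCCURRENCE_CAUSES[:8]),
    Activity("Determining correctness of GST payable", 9, 5, OCCURRENCE_CAUSES[:5]),
    Activity("Capturing the vendor/payee account in the payment voucher", 10, 6, OCCURRENCE_CAUSES[:7]),
    Activity("Making financial entries in GL", 8, 6, OCCURRENCE_CAUSES[:4]),
    Activity("Expatriate emoluments (boundary case, Template 3)", 10, 7, OCCURRENCE_CAUSES[:7]),
)

if __name__ == "__main__":
    for row in score_process(VENDOR_PAYMENT):
        print(f"{row['activity'][:58]:58} {row['impact']:>4} {row['exposure']:>3}  {row['risk']}")
```

The value of writing the norms down this way is that the boundary handling stops being implicit: two activities with the same impact score of 70 land in different classes purely because of their exposure score, and that outcome is now reproducible rather than a matter of who populated the template.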
Two templates are proposed for assigning risks to business activities:
Template 2, where the scoring model shared above can be applied easily;
Template 3, where the scoring model shared above cannot be applied easily.
Template 2: Illustration where the proposed scoring model can be used easily
The header and footer are as below.
Header: Name of key core process: Making payment to a vendor for material supplied to the company (includes ten key activities)
where
Impact score = Severity score (out of 10) multiplied by Detectability score (out of 10)
Exposure score = Occurrence score on the 10-point scale
If the scoring model does not apply to a business process, the CFT may assign scores based on its experience and judgement.
Footer: The business activities for this process are below.
Activity within this core process | Impact score (out of 100) | Exposure score (out of 10) | Risk classification |
--- | --- | --- | --- |
Material rate verification in the purchase order | 100 | 8 | High |
Verification of quantity received and accepted in the goods receipt note | 80 | 9 | High |
Verification of rate and quantity in the vendor invoice | 70 | 8 | High |
Computing the amount payable to the vendor, based on the above, in the payment voucher | 80 | 8 | High |
Recovery of outstanding debit notes from the amount due before payment processing in the payment voucher | 90 | 8 | High |
Determining the payment due date as per the purchase order | 80 | 10 | High |
Determining the correctness of GST payable | 45 | 5 | Low |
Capturing the vendor/payee account to which payment is to be made in the payment voucher | 60 | 7 | Medium |
Actual remittance of the amount due | 70 | 8 | High |
Making financial entries in the GL | 48 | 4 | Low |
Details/Description | Created by | Edited by | Approved by |
--- | --- | --- | --- |
Sub-function/team | To be populated | To be populated | To be populated |
User's level | To be populated | To be populated | To be populated |
User's position | To be populated | To be populated | To be populated |
Template 3: Illustration where the scoring model cannot be used easily and professional judgement is needed (13 activities listed for one core process)
(The risk classification criteria remain the same as at activity 8 above.)
The header and footer are as below.
Header: Name of key core process: Financial negotiation aspects in a JV (includes the 13 key activities below)
where
Impact score = based on the judgement of the CFT, out of 100
Exposure score = based on the judgement of the CFT, out of 10
If the scoring model does not apply to a business process, the CFT may assign scores based on its experience and judgement.
Footer: The business activities for this process are as follows.
Activity within this core process | Impact score (out of 100) | Exposure score (out of 10) | Risk classification |
--- | --- | --- | --- |
1. Lump-sum know-how fee negotiation as per scope on designs, drawings and specifications for: · end products · manufacturing and engineering · after-sale service parts · complete package | 90 | 8 | High |
2. Pricing of supplies produced or assembled in-house by the JV: % mark-up above cost with respect to · bought-out material · SKD/CKD/BOM parts, spares · equipment, jigs/fixtures, gauges · after-sale spares · sales promotion materials | 80 | 8 | High |
3. Pricing of supplies by the JV: % mark-up payable by the company over and above the costs incurred by the overseas JV partner, or the methodology/logic/algorithm used to determine prices | 100 | 9 | High |
4. | 80 | 8 | High |
5. Taxes and import duty: · import duty including IGST · withholding taxes · any overseas taxes | 90 | 8 | High |
6. Royalty: · % of net sales (net of localised items) · duration · when due, or frequency of payment | 90 | 9 | High |
7. Expatriate emoluments: function-wise positions or levels, durations, reimbursements | 70 | 7 | Medium |
8. Payment remittance methods (for each type of remittance): · LC · documents through bank · online, and so on | 80 | 8 | High |
9. Payment terms for the different remittances: · lump-sum fee · royalty · imports of SKD/CKD/BOM parts and spares · imports of equipment, jigs/fixtures, gauges · imports of after-sale spares · imports of sales promotion materials | 80 | 8 | High |
10. Currency: USD or as applicable | 60 | 7 | Medium |
11. Training: free and chargeable rates, duration, location, India vs overseas | 40 | 5 | Low |
12. Man-day rate beyond the free training days: · level-wise rates/emoluments and stay charges | 40 | 4 | Low |
13. Funding participation plans: · capital · working capital, expenses | 100 | 10 | High |
Details/Description | Created by | Edited by | Approved by |
--- | --- | --- | --- |
Sub-function/team | To be populated | To be populated | To be populated |
User's level | To be populated | To be populated | To be populated |
User's position | To be populated | To be populated | To be populated |
Date | To be populated | To be populated | To be populated |
iv) Risk assessment at the statutory activity level and Template 4
Several statutory Acts apply to organisations, and hence many processes are performed to comply with them.
The five (5) activities proposed for risk assessment of statutory activities are summarised below.
1. Identifying the applicable statutory Acts and the parameters that influence statutory activity level risks, by assessing the adverse implications if a statutory activity goes wrong or is not conformed to.
2. Designing a risk assessment template at the statutory activity level.
3. Software programming of the risk template for statutory processes/activities and of its navigation.
4. Populating the "statutory process/activity level risks" template.
5. Effecting changes in the above.
The author has identified the 60 statutory Acts most commonly applicable to organisations; these are listed in the author's book (paperback, available on Amazon in India and globally).
The author proposes that all statutory activities be treated as "High risk", but readers can always amend the risk classification.
Template 4: For classifying risks at the business activity level with respect to statutory process/statutory activity level risks
(Illustration for one statutory process and 6 statutory activities)
The header and footer are as below.
Header
1. Key statutory process: Conforming to the requirements of the Companies Act, 2013
where
Impact score = based on the judgement of the CFT, out of 100
Exposure score = based on the judgement of the CFT, out of 10
If the scoring model does not apply to a business process, the CFT may assign scores based on its experience and judgement.
Footer: The business activities for this process are as follows.
The author estimates the impact score and exposure score as 100 and 9 respectively, and thus the risk as High, for each of the following six activities:
Activity within this statutory process | Impact score (out of 100) | Exposure score (out of 10) | Risk classification |
--- | --- | --- | --- |
1. Meeting the provisions on board meetings, shareholder meetings, maintenance of books of account, etc. | 100 | 9 | High |
2. Meeting the corporate governance norms prescribed by the Act | 100 | 9 | High |
3. Filing returns within the prescribed timelines in the prescribed form | 100 | 9 | High |
4. Ensuring the accuracy of returns | 100 | 9 | High |
5. Maintaining statutory records | 100 | 9 | High |
6. Paying fees and charges accurately as per the Act | 100 | 9 | High |
And so on for every activity performed.
1. This template has separate creating, editing, deleting, viewing and approving rights, and captures the users' names, levels/positions, functions and dates.
2. The number of activities is illustrative only; the actual risk activities may differ.
3. Users in the F&A function can identify the applicable statutory activities more fully, or differently, with inputs from the legal and secretarial team.
4. Based on the above, risk classification/assessment is to be completed for each statutory activity.
5. The populated template forms part of the risk manual, with one sheet prepared for each statutory Act or regulatory requirement-related process.
v) Restricting access rights for business activities as per risk classification
Access must be restricted at the transaction code (TC) level or the workflow level, depending on the ERP (SAP, Oracle, Microsoft Dynamics 365, ...), by assigning each of the following rights separately, down to the objects behind each TC:
· Initiating a TC and the objects related to it
· Editing a TC and the objects related to it
· Viewing a TC and the objects related to it
· Deleting a TC and the objects related to it
· Approving a TC and the objects related to it
This must be done by the ERP specialists on the advice of the CFO, with inputs from the CFT, and reviewed periodically. The review should cover the rights a user accumulates across all assigned roles, not just each role on its own, since it is the combination of initiating and approving rights in one person that defeats segregation of duties.
In the context of SAP ERP, a few examples of High-risk transaction codes (TC) in the FI/MM (finance and materials) modules, out of thousands of TCs, are:
· Entering an incoming invoice from a vendor for supplies/services: TC = MIRO
· Making a payment with payment advice or cheque printout: TC = F-58
· Running the automatic payment programme for bulk payments: TC = F110
· Posting outgoing payments: TC = F-53
· Clearing open items in a vendor account: TC = F-44
· Generating a list of materials by various criteria: TC = MM60 (a display transaction, but it exposes the material master)
· Stock overview by quantity and value for inventory purposes: TC = MMBE (a display transaction, but it exposes stock quantities and values)
· Entering the financial data for a new material, such as valuation class, price control and cost-of-goods-sold account, in the Accounting view of the material master: TC = MM01
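An added Python example (not from the page or any ERP vendor) that performs the two checks the segregation-of-duties tables and the access-rights section above call for: that no single user accumulates a write right (initiate, edit or delete) together with the approve right on the same transaction code, and that no High-risk code can be written to without anyone being entitled to approve it. The transaction codes are the SAP ones named above; FB03 (display accounting document) is added as a constructed low-risk contrast and its rating is an assumption. The roles, user assignments and the rule that creator, editor and approver of a risk template must be three different people are constructed for the example. Rights are modelled as a flat (code, right) grant set per role, which is a simplification of how any real ERP stores authorisations.

```python
from collections import defaultdict

RIGHTS = ("initiate", "edit", "view", "delete", "approve")
WRITE_RIGHTS = frozenset({"initiate", "edit", "delete"})

# Risk class per transaction code, as it would come out of the populated
# risk templates. The SAP codes are those named on the page; FB03 and its
# "Low" rating are an assumption added for contrast.
TC_RISK = {
    "MIRO": "High", "F-58": "High", "F110": "High", "F-53": "High",
    "F-44": "High", "MM01": "High", "MM60": "High", "MMBE": "High",
    "FB03": "Low",
}

# Constructed roles: role name -> set of (transaction code, right) grants.
ROLES = {
    "AP_CLERK": {("MIRO", "initiate"), ("MIRO", "edit"), ("F-53", "initiate"),
                 ("MMBE", "view"), ("FB03", "view")},
    "AP_APPROVER": {("MIRO", "approve"), ("F110", "approve"),
                    ("F-53", "approve"), ("FB03", "view")},
    "TREASURY": {("F110", "initiate"), ("F-58", "initiate"),
                 ("F-44", "initiate"), ("F-44", "approve")},   # toxic on its own
    "MM_MASTER": {("MM01", "initiate"), ("MM01", "edit"), ("MM60", "view")},
    "AUDITOR": {(tc, "view") for tc in TC_RISK},
}

# Constructed user -> roles. "asha" is clean per role but toxic in combination.
ASSIGNMENTS = {
    "asha": ["AP_CLERK", "AP_APPROVER"],
    "bala": ["TREASURY"],
    "chen": ["MM_MASTER"],
    "dev": ["AUDITOR"],
}


def effective_rights(roles, assignments):
    """Union of grants over all of a user's roles: what the user can actually do."""
    effective = defaultdict(set)
    for user, role_names in assignments.items():
        for role in role_names:
            effective[user] |= roles[role]
    return dict(effective)


def sod_conflicts(effective, tc_risk):
    """Users holding a write right and the approve right on the same code."""
    found = []
    for user, grants in effective.items():
        rights_by_tc = defaultdict(set)
        for tc, right in grants:
            rights_by_tc[tc].add(right)
        for tc, rights in rights_by_tc.items():
            writes = rights & WRITE_RIGHTS
            if writes and "approve" in rights:
                found.append({"user": user, "tc": tc,
                              "risk": tc_risk.get(tc, "unclassified"),
                              "rights": sorted(writes | {"approve"})})
    return sorted(found, key=lambda c: (c["user"], c["tc"]))


def unapproved_high_risk(effective, tc_risk):
    """High-risk codes someone can write to while nobody can approve them."""
    writers, approvers = set(), set()
    for grants in effective.values():
        for tc, right in grants:
            if right == "approve":
                approvers.add(tc)
            elif right in WRITE_RIGHTS:
                writers.add(tc)
    return sorted(tc for tc in writers - approvers if tc_risk.get(tc) == "High")


def template_workflow_ok(record):
    """Template footer rule (assumed): creator, editor and approver are three people."""
    people = [record["created_by"], record["edited_by"], record["approved_by"]]
    return len(set(people)) == len(people)


if __name__ == "__main__":
    rights = effective_rights(ROLES, ASSIGNMENTS)
    for conflict in sod_conflicts(rights, TC_RISK):
        print("SoD conflict:", conflict)
    print("High-risk codes with no approver:", unapproved_high_risk(rights, TC_RISK))
```

Run against the constructed data, the check reports asha on MIRO and F-53 (a conflict that neither of her roles shows on its own), bala on F-44 (a role that is toxic by design), and F-58 and MM01 as High-risk codes that can be written to but never approved, which is the kind of gap a periodic review should surface before an auditor does.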
vi) Activities (including unethical ones) that can affect the business adversely in each risk assessment process
· Inappropriate composition, levels or positions of the team members assessing risks in the above four (4) templates, leading to incorrect assessment of impact.
· A non-comprehensive review by the CFT of the following aspects, leading to inaccurate scores in the four (4) templates:
1. Severity
2. Occurrence
3. Detection
· Inappropriate software development and workflow for the risk templates, making document-level risk capture cumbersome and inefficient.
· Inaccurate classification of risk (High, Medium or Low) in the four (4) templates by team members relative to the actual impact.
· Failure to incorporate, periodically and in time, the effect of changes in the following that may have altered the risk classification in the four (4) templates:
· the organisation's product and service portfolio;
· economic, political, social, customer demand and competition factors;
· core processes/activities;
· regulatory/statutory Acts.