Arvind Dang

Conducting Risk Assessments at the Organization, Business Process and Activity Levels (Corporate Finance and Accounts)

Updated: Jan 24



Objectives of risk assessment

· Categorise risks into high, medium, and low categories to prioritise risk mitigation actions.
· Allocate resources effectively, based on an impact and likelihood analysis of each risk, to manage risks.
· Develop risk mitigation strategies.
· Enhance the compliance culture, including statutory compliance.
· Facilitate the selection of appropriate insurance policies.
· Provide valuable inputs to financial institutions that lend money, investors and shareholders, business associates, and customers.

What can be at risk in the organization

· Safety of people: customers, vendors (including suppliers, contractors, consultants, and service providers), channel partners (such as dealers, distributors, after-sale service providers, and agencies), employees, and all business associates (such as FIs/banks and advisors)
· Reputation of the organisation
· Profitability and business performance
· Plant and machinery, equipment, buildings, IT infrastructure, and all types of fixed assets
· End products, all types of materials, and services rendered
· Designs, all types of business processes in various functions, information, and data

And so on.

Overview of the processes & business activities performed by the Corporate F&A team

Users can find the contents of this article in my YouTube link as below.

As per the author's estimate, 140 key processes and 963 key activities are performed by the Corporate F&A team, as summarised below.


| S. no. | Description | No. of processes | No. of business activities | Remarks |
|---|---|---|---|---|
| 1 | Identifying and Developing Competencies | 5 | 16 | |
| 2 | Carrying out Performance Appraisal of F&A based on KPIs and KRA | 3 | 23 | |
| 3 | Joint Ventures | 6 | 91 | |
| 4 | Mergers & Acquisitions | 6 | 100 | |
| 5 | Treasury investments | 8 | 113 | |
| 6 | Intangible assets | 8 | 30 | |
| 7 | Equity build-up and dividend payments | 13 | 75 | |
| 8 | Borrowings - long term and short term | 27 | 156 | |
| 9 | Role of CFO in pricing decisions | 9 | 41 | |
| 10 | Conducting risk assessment in the F&A function | 9 | 51 | |
| 11 | Developing Financial Authority Manual | 6 | 48 | |
| 12 | SOP | 9 | 29 | |
| 13 | Developing Budgets | 3 | 18 | |
| 14 | Performing Internal Audits | 151 | 120 | |
| 15 | Corporate Governance | 13 | 52 | |
| | Total | 140 | 963 | |


The above excludes processes/activities performed by operational F&A teams.

 

Competent professionals must perform all these activities diligently to minimise the risk of an activity going wrong in a way that adversely impacts the business, such as the following:

① Impact on profitability, sales revenue, costs, quality, and/or end-customer satisfaction

② Impact on statutory regulations, compliance, and ethics

③ Impact on delivery timelines, or on the efficiency or effectiveness of process performance

or any combination of ①, ②, and ③.

Therefore, risk assessment at the business process/activity level is also essential, in addition to assessing external risks at the organization level.

This article covers the following six (6) aspects of risk assessment:

· i) Risk assessment at the Organization level, with Template 1, using the S-O-D concept
· ii) Risk assessment at the Business Process/activity level and Template 2 (using a scoring model)
· iii) Risk assessment at the business activity level - Template 3 (where scoring may not be feasible)
· iv) Risk assessment at the "statutory activity" level - Template 4
· v) Restricting access rights for business activities as per risk classification
· vi) Activities (including unethical) that can affect business adversely in each risk assessment process

i) Risk assessment at the Organisation level & Template 1

The author proposes five (5) activities for carrying out the risk assessment process scientifically:

1a) Designating a risk assessment team or cross-functional team (CFT). Its permanent members could be the heads of the sub-functions within F&A, such as purchase accounting, sales accounting, treasury, general ledger accounting, forex, taxation, and the legal and secretarial team,

and

1b) Members of other functions as need-based invitees, say the Heads of Purchase, Sales, Manufacturing, IT/ERP, R&D, and so on, who are essential for Organisation-level risks

2. Identifying aspects that can contribute to risks

3. Designing risk assessment templates at the Organisation or Activity level, as applicable

4. Software programming of the risk template, and of the navigation for each template

5. Populating the risk template

Template 1 - For classifying risks at the Organisation level

(Illustration 1 - F&A function)


| Aspect | Description |
|---|---|
| 1. Key function name and code | Corporate F&A; code to be assigned by the IT/ERP team |
| 2. Risk statements | To be captured based on the aspects stated. Risk statements are to be developed by the CFO + cross-functional team as applicable/relevant to the Corporate F&A function. This may include aspects like the economy, Govt policies, business associates, sudden outage of IT, political, social, products or services offered, competition, customer demands, and so on. |
| 3. Risk analysis & implications | To be done vis-a-vis each of the aspects identified above, i.e. 1. economy, 2. Govt policies, 3. business associates, 4. sudden outage of IT, 5. political, 6. social, 7. products or services offered, 8. competition, 9. customer demands, and so on, with a separate page devoted to each as applicable. |
| 4. Risk level at the organization level, to be assessed by the CFO + CFT based on 3 above | 1. Economy related: funds availability is likely to be very limited, Risk = High, and so on. 2. Govt policy related: corporate tax rates may go up, Risk = High. 3. Business associate related: vendor credit period likely low, Risk = Medium. And so on. |
| 5. Countermeasures, timelines & responsibility | CFO + CFT to capture vis-a-vis each aspect at point 3 above and get inputs from functional heads |
| 6. Top management comments on points 2 to 5 | |



The above table is to have the following table attached to it to ensure segregation of duties.


| Description | Created by | Edited by | Viewed by | Approved by |
|---|---|---|---|---|
| Sub-function in F&A | aa or bb, etc. | CFO | cc, dd, and so on | CEO/MD |
| User's level in F&A | Top or Middle, and so on | CFO | Top or Middle, and so on | CEO/MD |
| User's position in F&A | DGM, GM & so on | CFO | DGM, GM & so on | CEO/MD |
| Signatures | To populate | To populate | To populate | To populate |
| Date | To populate | To populate | To populate | To populate |


Here, the sub-functions aa, bb, cc, etc. mentioned in columns 2 and 4 above mean purchase accounting, sales accounting, GL maintenance, treasury and investments, etc., as relevant.

i) The software for populating Template 1 must have features for creating, editing, viewing, and approving rights, and for capturing users' sub-function, level, position, signature, dates, etc., through a navigation process.

ii) The various aspects captured in this template can enhance the professional's understanding and can be amended at the discretion of the CFO.

iii) This template would become an integral part of the proposed risk register or risk manual, which includes all types of organisation-level risks vis-a-vis all of the functions, but it would remain a confidential document.

 

ii) Risk assessment at the Core Process level and Templates 2 & 3

Eleven (11) activities are proposed; they are summarised below, including a template.

1. Forming a cross-functional team (CFT) comprising F&A, the legal and secretarial team, and need-based invitees from other functions, and developing Template 2 as shown at activity number 10 below.

2. To populate this template, the CFT asks a simple question for each business activity: "What is the adverse impact on the business in case the business activity being performed goes wrong?" It analyses the answers broadly under three categories, Severity, Occurrence, and Detectability, as below.

3. The CFT identifies and analyses Severity parameters on a 10-point scale, based on aspects as per the following summary, and assigns a score.

 

 

Severity parameters: score on a 10-point scale based on the aspects listed below.

· Profitability, sales revenue, or cost
· Statutory compliance and conformance to accounting standards
· Satisfaction of customers, vendors, channel partners, business associates, and employees
· Corporate governance
· Quality of end product or services rendered
· Financial statement accuracy, in terms of the LODR clauses of SEBI or SOX Act (2002) compliance in the USA

wherein a score of 1 represents the lowest adverse impact on the business and a score of 10 represents the highest adverse impact on the business.

4. The CFT identifies and analyses Occurrence parameters as per the following summary and assigns a score.

Occurrence (or exposure) parameters: score on a 10-point scale based on the aspects listed below that can contribute to or lead to an adverse impact:

· 1. Inadequate skills and/or resources
· 2. Improper segregation of duties across initiating, modifying, editing, deleting, and approving responsibilities
· 3. Incorrect or incomplete execution of work/activity
· 4. Inadequate verification of work output
· 5. Incorrect source data or input parameters
· 6. Weak internal controls
· 7. Non-robust system/non-implementation of SOP
· 8. Not ensuring the availability of appropriate authority norms
· 9. Process logic not configured properly
· 10. Process complexity, malicious intent, lack of diligence, change management, etc.

wherein

a score of 1 represents the number of causes being only 1,
a score of 5 represents the number of causes being 5,
a score of 10 represents the number of causes being 10.

 

5. The CFT identifies and analyses Detectability parameters as per the following summary, based on the stage at which the effect of the wrong/error is found, and assigns a score.

Detectability parameters: score on a 10-point scale based on the stage at which the "wrong" is detected:

· Stage 1: At the very early stage, by the functional user who initiates the business activity in a function
· Stage 2: At the subsequent stage, i.e., the verification stage within the same function
· Stage 3: Outside the initiating function, i.e. in the next function, but within the same business unit
· Stage 4: At the internal audit stage, during a random internal audit within the business unit
· Stage 5: At the customer end, i.e. outside the business unit

wherein

a score of 1 represents detectability at the 1st or initial stage,
a score of 6 represents detectability at the 3rd stage,
a score of 10 represents detectability at the 5th stage, i.e., at the customer/business associate stage.

 

 

6. The CFT computes an Impact score as shown below.

· Impact score on a 100-point scale = Severity score out of 10 multiplied by Detectability score out of 10

7. The CFT develops a template to capture the Impact and Exposure score analysis, as below.

8. The CFT develops norms for categorising each business activity as High, Medium, or Low risk.

The author proposes the criteria below for classifying business activity risks as High, Medium, or Low.


| Parameter | High | Medium | Low |
|---|---|---|---|
| Impact score (severity x detection) | 70-100 | 50-70 | up to 50 |
| Exposure score | 8-10 | 5-8 | less than 5 |


9. Software programming of the risk template for navigation/workflow

The IT/ERP team is to do the programming, enabling workflow of the template from one person to another.

10. Populating "Core Process/activity level risks" in the template

All activities are to be populated for each core process.

11. Effecting changes in Templates 1, 2 & 3 above

Periodically, the CFT is to revisit these templates in case of any changes in:

· Core activity
· Changes assessed in any parameter, like severity, occurrence, or detectability, which would impact the exposure score
· User-level changes
· User position changes

Two templates have been proposed for assigning risks to business activities:

Template 2 - where the scoring model shared above can be applied easily

Template 3 - where the scoring model shared above cannot be applied easily


Template 2 - Illustration where the proposed scoring model can be used easily

The header and footer are to be as below.

Header: Name of key core process: Making payment to a vendor for material supplied to the company (includes ten key activities)

Wherein

Impact score = Severity score out of 10 multiplied by Detectability score out of 10

Exposure score = Occurrence score on a 10-point scale

If the scoring model approach does not apply to a business process, the CFT may assign a score based on its experience and judgment.

Footer: Business activities for this process are below.


| Activity vis-a-vis this core process | Impact score out of 100 | Exposure score out of 10 | Risk classification level |
|---|---|---|---|
| Material rate verification in the purchase order | 100 | 8 | High |
| Quantity received and accepted verification in the goods receipt note | 80 | 9 | High |
| Verification of rate and quantity in the vendor invoice | 70 | 8 | High |
| Computing the amount payable to the vendor based on the above in the payment voucher | 80 | 8 | High |
| Recovery of outstanding debit note from due amount before payment processing in payment voucher | 90 | 8 | High |
| Determining the payment due date as per purchase order | 80 | 10 | High |
| Determining correctness of GST payable | 45 | 5 | Low |
| Capturing the vendor/payee account to which payment is to be made in the payment voucher | 60 | 7 | Medium |
| Actual remittance of due amount | 70 | 8 | High |
| Making financial entries in GL | 48 | 4 | Low |

| Details/Description | Created by | Edited by | Approved by |
|---|---|---|---|
| Sub-function/team | To be populated | To be populated | To be populated |
| User's level | To be populated | To be populated | To be populated |
| User's position | To be populated | To be populated | To be populated |
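
The scoring model and classification criteria above, worked as an added Python example (not the author's code). It assumes that a score on a shared range boundary falls in the higher band and that the final level is the lower of the impact and exposure bands; the page states neither rule, but together they reproduce every row of Template 2.

```python
from dataclasses import dataclass

# Lower bound of each band, from the page's criteria table. The printed ranges
# share endpoints (50-70 / 70-100, 5-8 / 8-10); giving a shared endpoint to the
# higher band is an assumption that agrees with the page's rows (70 and 8 -> High).
IMPACT_BANDS = ((70, "High"), (50, "Medium"), (0, "Low"))
EXPOSURE_BANDS = ((8, "High"), (5, "Medium"), (0, "Low"))
RANK = {"Low": 0, "Medium": 1, "High": 2}

def impact_score(severity: int, detectability: int) -> int:
    """Impact on a 100-point scale = severity (1-10) x detectability (1-10)."""
    for name, value in (("severity", severity), ("detectability", detectability)):
        if not 1 <= value <= 10:
            raise ValueError(f"{name} must be between 1 and 10, got {value}")
    return severity * detectability

def band(score: int, bands) -> str:
    """Label of the first (highest) band whose lower bound the score reaches."""
    return next(label for lower, label in bands if score >= lower)

@dataclass(frozen=True)
class Assessment:
    impact_band: str
    exposure_band: str

    @property
    def level(self) -> str:
        # Assumption: the combined level is the lower of the two bands. The page
        # gives ranges per parameter only; this rule reproduces its tables.
        return min(self.impact_band, self.exposure_band, key=RANK.__getitem__)

    @property
    def bands_differ(self) -> bool:
        # Disagreeing bands are the rows a CFT would confirm by judgment.
        return self.impact_band != self.exposure_band

def assess(impact: int, exposure: int) -> Assessment:
    if not 1 <= impact <= 100 or not 1 <= exposure <= 10:
        raise ValueError("impact must be 1-100 and exposure 1-10")
    return Assessment(band(impact, IMPACT_BANDS), band(exposure, EXPOSURE_BANDS))

# Template 2 rows: (activity, impact, exposure, level printed on the page).
TEMPLATE_2 = [
    ("Material rate verification in purchase order", 100, 8, "High"),
    ("Quantity received/accepted verification in GRN", 80, 9, "High"),
    ("Rate and quantity verification in vendor invoice", 70, 8, "High"),
    ("Computing amount payable in payment voucher", 80, 8, "High"),
    ("Recovery of outstanding debit note", 90, 8, "High"),
    ("Determining payment due date", 80, 10, "High"),
    ("Determining correctness of GST payable", 45, 5, "Low"),
    ("Capturing vendor/payee account", 60, 7, "Medium"),
    ("Actual remittance of due amount", 70, 8, "High"),
    ("Making financial entries in GL", 48, 4, "Low"),
]

def mismatches(rows):
    """Activities whose computed level differs from the level on the page."""
    return [name for name, imp, exp, printed in rows
            if assess(imp, exp).level != printed]

if __name__ == "__main__":
    for name, imp, exp, printed in TEMPLATE_2:
        a = assess(imp, exp)
        note = "  <- bands differ" if a.bands_differ else ""
        print(f"{a.level:<6} {imp:>3}/{exp:<2} {name}{note}")
    print("mismatches with the page:", mismatches(TEMPLATE_2))
```

Rows where the two bands disagree, such as impact 45 with exposure 5, are the ones where the choice of combining rule changes the outcome, so they are worth a second look by the CFT.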


Template 3 - Illustration where the scoring model cannot be used easily and needs professional judgment (13 activities listed for 1 core process)

(risk classification criteria remain the same as at activity eight (8) above)

The header and footer are to be as below.

Header: Name of key core process: Financial negotiation aspects in JV (includes 13 key activities as below)

Wherein

Impact score = Based on the judgment of the CFT, out of 100

Exposure score = Based on the decision of the CFT, out of 10

If the scoring model approach does not apply to a business process, the CFT may assign a score based on its experience and judgment.

Footer: Business activities for this process are as follows.


| Activity vis-a-vis this core process | Impact score out of 100 | Exposure score out of 10 | Risk classification level |
|---|---|---|---|
| 1. Lump sum know-how fee negotiation as per scope on design, drawings & specifications for: end products; manufacturing & engineering; after-sale service parts; complete package | 90 | 8 | High |
| 2. Pricing: supply of items produced in-house or assembled by JV, % markup above costs w.r.t.: bought-out material; SKD/CKD/BOM parts, spares; equipment, jigs/fixtures, gauge; after-sale spares; sales promotion materials | 80 | 8 | High |
| 3. Pricing: supply by JV, % markup above costs payable by the company over and above costs incurred by the overseas JV partner, or methodology/logic/algorithm to determine prices | 100 | 9 | High |
| 4. Free trainings overseas/India: scope/types; no. of persons; duration/man-days | 80 | 8 | High |
| 5. Taxes & import duty: import duty including IGST; withholding taxes; any taxes overseas | 90 | 8 | High |
| 6. Royalty: % of net sales (net of localised items); duration; when due or frequency of payment | 90 | 9 | High |
| 7. Expatriates' emoluments: function-wise positions or levels and durations, reimbursements | 70 | 7 | Medium |
| 8. Payment remittance methods (for each type of remittance): LC; document through bank; online, etc.; and so on | 80 | 8 | High |
| 9. Payment terms for different remittances: lump sum fee; royalty; imports of SKD/CKD/BOM parts, spares; imports of equipment, jigs/fixtures, gauges; imports of after-sale spares; imports of sales promotion materials | 80 | 8 | High |
| 10. Currency: USD or as applicable | 60 | 7 | Medium |
| 11. Trainings: free and chargeable rates, duration, location, India vs overseas | 40 | 5 | Low |
| 12. Man-day rate beyond free training days: level-wise rates/emoluments & stay charges | 40 | 4 | Low |
| 13. Funding: participation plans: capital; working capital; expenses | 100 | 10 | High |

| Details/Description | Created by | Edited by | Approved by |
|---|---|---|---|
| Sub-function/team | To be populated | To be populated | To be populated |
| User's level | To be populated | To be populated | To be populated |
| User's position | To be populated | To be populated | To be populated |
| Date | To be populated | To be populated | To be populated |

iv) Risk assessment at the "statutory activity" level - Template 4

Several statutory Acts apply to organisations, and hence many processes are performed.

The five (5) activities proposed for performing risk assessment for statutory activities are summarised below.

1. Identifying the applicable statutory Acts and the associated parameters that can influence "statutory activity level" risks, by assessing the adverse implications of a statutory activity going wrong or of its non-conformance

2. Designing the risk assessment template at the statutory activity level

3. Software programming of the risk template for statutory processes/activities, and of the navigation

4. Populating the "Statutory Process/activity level risks" template

5. Effecting changes in the above

The author has identified the names of the 60 statutory Acts most commonly applicable to various organisations; these are listed in the author's book, as per the links below.

Paperback, Amazon link: India

Paperback, Amazon link: Global

The author proposes that all statutory activities be considered "High risk," but readers can always amend the risk classification.

Template 4 - For classifying risks at the business activity level vis-a-vis statutory process/statutory activity level risks

(Illustration for one statutory process & 6 statutory activities)

The header and footer are to be as below.

Header

1. Key statutory process: Conforming to the requirements of the Companies Act 2013

Wherein

Impact score = Based on the judgment of the CFT, out of 100

Exposure score = Based on the judgment of the CFT, out of 10

If the scoring model approach does not apply to a business process, the CFT may assign a score based on its experience and judgment.

Footer: Business activities for this process are as follows.

The author estimates the Impact score and Exposure score as 100 and 9, respectively, and thus the risk as High; this can be tabulated vis-a-vis the following six activities:

1. Meeting provisions w.r.t. Board meetings, shareholder meetings, maintenance of books of accounts, etc.

2. Meeting corporate governance norms as per the Acts.

3. Filing returns as per prescribed timelines in the prescribed form.

4. Ensuring accuracy of returns.

5. Maintaining statutory records.

6. Paying fees and charges accurately as per the Act.

And so on for every activity performed.

  • 1. This template has features for creating, editing, deleting, viewing, and approving rights, and for capturing users' names, levels/positions, functions, and dates.

  • 2. The number of activities is illustrative only, and the actual risk activities may be different.

  • 3. Users in F&A functions can identify more or different applicable statutory activities with inputs from the legal and secretarial team.

  • 4. Based on the above, the risk classification/assessment is to be completed for each of the statutory activities.

  • 5. The populated template is to be part of the risk manual, with one sheet to be prepared for each statutory Act/regulatory requirement-related process.



Restricting access rights for business activities as per risk classification

Access must be restricted at the transaction code (TC) level or workflow level, depending on the type of ERP (SAP, Oracle, Microsoft Dynamics 365…), by assigning rights vis-a-vis the following:

· Initiating the TC and objects related to the TC at the granularity level
· Editing the TC and objects related to the TC at the granularity level
· Viewing the TC and objects related to the TC at the granularity level
· Deleting the TC and objects related to the TC at the granularity level
· Approving the TC and objects related to the TC at the granularity level

This must be done by ERP specialists as per the advice of the CFO, with inputs from the CFT, and reviewed periodically.

In the context of SAP ERP, a few examples of high-risk transaction codes (TC) in the FI/MM (Finance & Materials) modules, out of thousands of TCs, are as follows:

· Entering an incoming invoice from a vendor for supplies/services: TC = MIRO
· Making payment advice or cheque: TC = F-58
· Automating the payment process in bulk: TC = F110
· Posting outgoing payments: TC = F-53
· Clearing a vendor account for open items: TC = F-44
· Generating a list of materials by various criteria: TC = MM60
· Stock view for quantity and value for inventory purposes: TC = MMBE
· Entering financial information for new material, like valuation class, price control, and cost of goods sold account, in the Finance view of the material master data: TC = MM01
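
One way to review a role assignment against the rights listed above, as an added Python example (not the author's code and not an SAP API): it reads a constructed export of (user, TC, right) grants and flags high-risk TCs where one user can both change and approve, or where no independent approver exists. The user IDs, and the rule that the initiate, edit, and delete rights conflict with the approve right, are assumptions.

```python
from collections import defaultdict

# The five rights the page says are assigned per transaction code (TC).
RIGHTS = {"initiate", "edit", "view", "delete", "approve"}
# Assumption: whoever can change a TC's objects must not also approve them.
CHANGE_RIGHTS = {"initiate", "edit", "delete"}
# SAP FI/MM transaction codes the page lists as high risk.
HIGH_RISK_TCS = {"MIRO", "F-58", "F110", "F-53", "F-44", "MM60", "MMBE", "MM01"}

# Constructed role export: (user, TC, right). User IDs are invented.
SAMPLE_GRANTS = [
    ("ap_clerk_01", "MIRO", "initiate"),
    ("ap_clerk_01", "MIRO", "edit"),
    ("ap_lead_01", "MIRO", "approve"),
    ("treasury_01", "F-53", "initiate"),
    ("treasury_01", "F-53", "approve"),   # posts and approves the same payment
    ("treasury_02", "F110", "initiate"),  # payment run with no approver at all
    ("auditor_01", "F-53", "view"),
    ("auditor_01", "MMBE", "view"),
]


def sod_findings(grants, high_risk=HIGH_RISK_TCS):
    """Return (tc, user, issue) tuples for high-risk TCs, ordered by TC.

    issue is "self-approval" (one user holds approve plus a change right) or
    "no-independent-approver" (user is None: nobody can approve who cannot
    also change).
    """
    by_tc = defaultdict(lambda: defaultdict(set))
    for user, tc, right in grants:
        if right not in RIGHTS:
            raise ValueError(f"unknown right {right!r} for {user} on {tc}")
        by_tc[tc][user].add(right)

    findings = []
    for tc in sorted(by_tc):
        if tc not in high_risk:
            continue
        changers, approvers = set(), set()
        for user, held in sorted(by_tc[tc].items()):
            if held & CHANGE_RIGHTS:
                changers.add(user)
            if "approve" in held:
                approvers.add(user)
            if "approve" in held and held & CHANGE_RIGHTS:
                findings.append((tc, user, "self-approval"))
        if changers and not approvers - changers:
            findings.append((tc, None, "no-independent-approver"))
    return findings


if __name__ == "__main__":
    for tc, user, issue in sod_findings(SAMPLE_GRANTS):
        print(f"{tc:<5} {user or '-':<12} {issue}")
```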

Activities (including unethical) that can affect business adversely in each risk assessment process

· Inappropriate composition and levels/positions of the team members assessing risks in the above four (4) templates, leading to incorrect assessment of impact

· Non-comprehensive review by the CFT of the aspects below, which can contribute to inaccurate capturing of risk scores in the four (4) templates:

1 Severity

2 Occurrence

3 Detection

· Inappropriate software development and workflow of risk templates, making document-level risk capturing cumbersome and inefficient

· Inaccurate classification of risk (High, Medium, or Low) in the above four (4) templates by team members vis-a-vis impact

· Non-periodic/non-timely incorporation, in the four (4) templates, of the effect of any changes in the following that might have affected risk classification:

· Organisation's product and service portfolio
· Economic, political, social, customer demand, competition
· Core process/activity
· Regulatory/statutory Acts changes
