Risk Assessment Component

Summary

Every entity faces a variety of risks from external and internal sources. Risk is defined as the possibility that an event will occur and adversely affect the achievement of objectives. Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives. Risks to the achievement of these objectives from across the entity are considered relative to established risk tolerances. Thus, risk assessment forms the basis for determining how risks will be managed. A precondition to risk assessment is the establishment of objectives, linked at different levels of the entity. Management specifies objectives within categories relating to operations, reporting, and compliance with sufficient clarity to be able to identify and analyze risks to those objectives. Management also considers the suitability of the objectives for the entity. Risk assessment also requires management to consider the impact of possible changes in the external environment and within its own business model that may render internal control ineffective.

All entities, regardless of size, structure, nature, or industry, encounter risks at all levels. Risk is defined in the Framework as the possibility that an event will occur and adversely affect the achievement of objectives.

The use of the term “adversely” in this definition does not ignore positive variances relating to an event or series of events. Large positive variances may still create adverse impacts to objectives. For instance, consider a company that forecasts sales of 1,000 units and sets production schedules to achieve this expected demand. Management considers the possibility that actual orders will exceed this forecast. Actual orders of 1,500 units would likely not impact the sales objectives but might adversely impact production costs (through incremental overtime needed to meet increased volumes) or customer satisfaction targets (through increased back orders and wait times). Consequently, selling more units than planned may adversely impact objectives other than the sales objective.

As part of the process of identifying and assessing risks, an organization may also identify opportunities, which are the possibility that an event will occur and positively affect the achievement of objectives. These opportunities are important to capture and to communicate to the objective-setting processes. For instance, in the above example, management would channel new sales opportunities to the objective-setting processes. However, identifying and assessing potential opportunities such as new sales opportunities is not a part of internal control.

Risks affect an entity’s ability to succeed, compete within its industry, maintain its financial strength and positive reputation, and maintain the overall quality of its products, services, and people. There is no practical way to reduce risk to zero. Indeed, the decision to be in business incurs risk. Management must determine how much risk is to be prudently accepted, strive to maintain risk within these levels, and understand how much tolerance it has for exceeding its target risk levels.

Risk often increases when objectives differ from past performance and when management implements change. An entity often does not set explicit objectives when it considers its performance to be acceptable. For example, an entity might view its historical service to customers as acceptable and therefore not set specific goals on maintaining current levels of service. However, as part of the risk assessment process, the organization does need to have a common understanding of entity-level objectives relevant to operations, reporting, and compliance and how those cascade into the organization.

Risk Tolerance
Risk tolerance is the acceptable level of variation in performance relative to the achievement of objectives. Operating within risk tolerance provides management with greater confidence that the entity will achieve its objectives. Risk tolerance may be expressed in different ways to suit each category of objectives. For instance, when considering financial reporting, risk tolerance is typically expressed in terms of materiality, whereas for compliance and operations, risk tolerance is often expressed in terms of the acceptable level of variation in performance.

Risk tolerance is normally determined as part of the objective-setting process, and as with setting objectives, setting tolerance levels is a precondition for determining risk responses and related control activities. Management may exercise significant discretion in setting risk tolerance and managing risks when there are no external requirements. However, when there are external requirements, such as those relating to external reporting and compliance objectives, management considers risk tolerance within the context of established laws, rules, regulations, and external standards.

As well, senior management considers the relative importance of the competing objectives and differing priorities for pursuing these objectives. For instance, a chief operating officer may view operations objectives as requiring a higher level of precision than materiality considerations in reporting objectives, and vice versa for the chief financial officer. However, it would be problematic for public companies to overemphasize operational objectives to an extent that adversely impacts the reliability of financial reporting. These views are considered as part of the strategic-planning and objective-setting process with tolerances set accordingly. This kind of decision may also impact the level of resources allocated to pursuing the achievement of those respective objectives.

Principles relating to the Risk Assessment component

  1. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

  2. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

  3. The organization considers the potential for fraud in assessing risks to the achievement of objectives.

  4. The organization identifies and assesses changes that could significantly impact the system of internal control.

Specifies Suitable Objectives

Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

Points of Focus

The following points of focus may assist management in determining whether this principle is present and functioning:

A precondition to risk assessment is the establishment of objectives, linked at various levels of the entity. These objectives align with and support the entity in the pursuit of its strategic direction. While setting strategies and objectives is not part of the internal control process, objectives form the basis on which risk assessment approaches are implemented and performed and subsequent control activities are established. As part of internal control, management specifies objectives and groups them within broad categories at all levels of the entity, relating to operations, reporting, and compliance. The grouping of objectives within these categories allows for the risks to the achievement of those objectives to be identified and assessed.

In considering the suitability of objectives, management may consider such matters as:

  • Alignment between established objectives and strategic priorities
  • Articulation of risk tolerances for objectives
  • Alignment between established objectives and established laws, rules, regulations, and standards applicable to the entity
  • Articulation of objectives using terms that are specific, measurable or observable, attainable, relevant, and time-bound
  • Cascading of objectives across the entity and its subunits
  • Alignment of objectives to other circumstances that require specific focus by the entity
  • Approval of objectives within the objective-setting process

Where objectives within these categories are unclear, where it is unclear how these objectives support the strategic direction, or where there are concerns that the objectives are not suitable based on the facts, circumstances, and established laws, rules, regulations, and standards applicable to the entity, management communicates this concern for input to the strategy-setting and objective-setting process.

Operations Objectives

Points of Focus

The following points of focus may assist management in determining whether this principle is present and functioning:

  • Reflects Management’s Choices—Operations objectives reflect management’s choices about structure, industry considerations, and performance of the entity.
  • Considers Tolerances for Risk—Management considers the acceptable levels of variation relative to the achievement of operations objectives.
  • Includes Operations and Financial Performance Goals—The organization reflects the desired level of operations and financial performance for the entity within operations objectives.
  • Forms a Basis for Committing of Resources—Management uses operations objectives as a basis for allocating resources needed to attain desired operations and financial performance.


Reporting Objectives

Reporting objectives pertain to the preparation of reports that encompass reliability, timeliness, transparency, or other terms as set forth by regulators, standard-setting bodies, or by the entity’s policies. This category includes external financial reporting, external non-financial reporting, internal financial reporting, and internal non-financial reporting. External reporting objectives are driven primarily by laws, rules, regulations, and standards established by governments, regulators, standard-setting bodies, and accounting bodies. Internal reporting objectives are driven by the entity’s strategic directions, and by reporting requirements and expectations established by management and the board of directors.

External Financial Reporting

Points of Focus

The following points of focus may assist management in determining whether this principle is present and functioning as it relates to external financial reporting objectives:

  • Complies with Applicable Accounting Standards—Financial reporting objectives are consistent with accounting principles suitable and available for that entity. The accounting principles selected are appropriate in the circumstances.
  • Considers Materiality—Management considers materiality in financial statement presentation.
  • Reflects Entity Activities—External reporting reflects the underlying transactions and events to show qualitative characteristics and assertions.

External Non-Financial Reporting

Points of Focus

The following points of focus may assist management in determining whether this principle is present and functioning as it relates to external non-financial reporting objectives:

  • Complies with Externally Established Standards and Frameworks—Management establishes objectives consistent with laws and regulations, or standards and frameworks of recognized external organizations.
  • Considers the Required Level of Precision—Management reflects the required level of precision and accuracy suitable for user needs and as based on criteria established by third parties in non-financial reporting.
  • Reflects Entity Activities—External reporting reflects the underlying transactions and events within a range of acceptable limits.

Internal Reporting Objectives

Points of Focus

The following points of focus may assist management in determining whether this principle is present and functioning as it relates to internal reporting objectives:

  • Reflects Management’s Choices—Internal reporting provides management with accurate and complete information regarding management’s choices and information needed in managing the entity.
  • Considers the Required Level of Precision—Management reflects the required level of precision and accuracy suitable for user needs in non-financial reporting objectives and materiality within financial reporting objectives.
  • Reflects Entity Activities—Internal reporting reflects the underlying transactions and events within a range of acceptable limits.


Compliance Objectives

Points of Focus

The following points of focus may assist management in determining whether this principle is present and functioning as it relates to compliance objectives:

  • Reflects External Laws and Regulations—Laws and regulations establish minimum standards of conduct which the entity integrates into compliance objectives.
  • Considers Tolerances for Risk—Management considers the acceptable levels of variation relative to the achievement of compliance objectives.

Identifies and Analyzes Risk

Principle 7: The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

Points of Focus

The following points of focus may assist management in determining whether this principle is present and functioning:

  • Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels—The organization identifies and assesses risks at the entity, subsidiary, division, operating unit, and functional levels relevant to the achievement of objectives.
  • Analyzes Internal and External Factors—Risk identification considers both internal and external factors and their impact on the achievement of objectives.
  • Involves Appropriate Levels of Management—The organization puts into place effective risk assessment mechanisms that involve appropriate levels of management.
  • Estimates Significance of Risks Identified—Identified risks are analyzed through a process that includes estimating the potential significance of the risk.
  • Determines How to Respond to Risks—Risk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce, or share the risk.

Assesses Fraud Risk

Principle 8: The organization considers the potential for fraud in assessing risks to the achievement of objectives.

Points of Focus

The following points of focus may assist management in determining whether this principle is present and functioning:

  • Considers Various Types of Fraud—The assessment of fraud considers fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur.
  • Assesses Incentives and Pressures—The assessment of fraud risk considers incentives and pressures.
  • Assesses Opportunities—The assessment of fraud risk considers opportunities for unauthorized acquisition, use, or disposal of assets, altering of the entity’s reporting records, or committing other inappropriate acts.
  • Assesses Attitudes and Rationalizations—The assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions.

Identifies and Analyzes Significant Change

Principle 9: The organization identifies and assesses changes that could significantly impact the system of internal control.

Points of Focus

The following points of focus may assist management in determining whether this principle is present and functioning:

  • Assesses Changes in the External Environment—The risk identification process considers changes to the regulatory, economic, and physical environment in which the entity operates.
  • Assesses Changes in the Business Model—The organization considers the potential impacts on the system of internal control of new business lines, dramatically altered compositions of existing business lines, acquired or divested business operations, rapid growth, changing reliance on foreign geographies, and new technologies.
  • Assesses Changes in Leadership—The organization considers the impact on the system of internal control of changes in management and of the respective attitudes and philosophies that new management brings.