Methodology for Managing Business Risk. An indispensable tool for modern business
1. Summary
2. Introduction
3. Conceptual framework on risk management
4. Overall results and discussion
5. Conclusions
6. References
1. Abstract
Efficient risk management translates into untold economic impact for any organization and constitutes an essential tool for decision making. Risk management has assumed an important role in the modern company, contributing increasingly to the fulfillment of the organization's objectives and targets, to the point that an organization seeking to move forward with firm steps towards success cannot be conceived without a well-organized risk management activity. This work proposes a methodology for the management of business risks, summarized in eleven key operations, which consistently integrates the requirements included in Resolution 297/03 of the Ministry of Finance and Prices, the requirements of quality management, and the logical sequence for applying hazard analysis and critical control point (HACCP) systems, adapted to the expectations demanded by internal control systems. This methodology is a guide or tool of great relevance that can be applied not only to the economic and financial information of companies but also as a tool to manage risk at the level of any organization.
Keywords: Risk management, internal control systems.
2. Introduction
Managing risk effectively is now a concern of senior management. As Bernens (1997) says: "the biggest small crack in the armor is the corporate risk management." Risk management is facilitated when entities operate on the basis of internal control systems consistent with current requirements. Internal control systems are a fundamental premise for organizations to operate so as to ensure compliance with the proposed objectives.
Today, risk management in the economic and financial sphere is embedded in a process known as internal control. Internal control is a universally known concept that for a long time lacked a common reference framework. Formerly, internal control systems were limited to activities in the areas of accounting and finance, without established links and relationships; internal control was not considered a management tool able to achieve efficiency and effectiveness of operations. In the late nineties, several countries around the world created committees or working groups on this issue, which proposed internal control models advocating a new current of thought, with a broad conception of the organization and greater involvement of management and of staff in general (Coopers and Lybrand, 1997).
The treatment of risks has evolved as fast as internal control. Worldwide, the trend in the 1990s with respect to this phenomenon is the administration or management of risks, addressed primarily by company management. The adoption of a broader view of risk is now recognized, with the spread of national standards for risk management and the development of multiple systems and programs for management consulting in different areas of economic activity (Koprinarov, 2005).
In Cuba, the resolution governing the management of risk is Resolution 297/03. This resolution covers five key interrelated components. One of them is risk assessment, defined by Lopez (2002) as "the identification and analysis of factors both internal and external sources which may be relevant to the achievement of the objectives." Although Resolution 297/03 considers risks an essential component of internal control, the ambiguous way in which the topic is developed precludes their effective management. The definitions and the variety of terms are not presented with sufficient clarity and common definition to allow entities to apply correctly the rules included for this activity. The risk assessment component places its emphasis primarily on the identification and assessment of risks, without deepening or facilitating their management, which is the most important role to develop. The resolution offers no methodology or procedures that tie together all the standards it covers and could serve as a common reference framework for all entities to manage effectively the risks to which they are exposed.
The general purpose of this work is to design and implement a methodology for risk management on the basis of Resolution 297/03 and the requirements of ISO 9000, to ensure the reliability of economic and financial information at CENSA. The theoretical contribution of this paper is a methodology for the management of business risks that brings together the resolutions and guidelines related to internal control systems, the requirements of quality management, and the logical sequence for implementing Hazard Analysis and Critical Control Point systems.
3. Conceptual framework on risk management
3.1-Components of internal control
Control is an integral part of the general functions of management, through which the current status of a system can be checked. Control, in its most general sense, involves prior censorship of a given reality, which it approves or corrects. Sometimes the word control is associated with something negative and is interpreted as a restriction, coercion or constraint; however, the main objective of control is to ensure that the results conform as closely as possible to the planned objectives.
Given that monitoring is a basic function within any process of organization and administration, one that facilitates executive evaluation, including systematic monitoring and review, Resolution 297/03 designs the internal control system as five essential, interrelated components involved in all aspects of an organization. The five components of internal control are:
• Control environment
• Risk assessment
• Control activities
• Information and communication
• Supervision and monitoring
Risk assessment is emphasized below as an essential component of the internal control system.
3.1.1-Risk assessment
Because economic, industrial, regulatory and operational conditions change continuously, mechanisms are needed to identify and minimize the specific risks associated with change, so the need for risk assessment is increasing (Del Toro et al, 2005).
Risk assessment is the identification and analysis of factors, from both internal and external sources, which may be relevant to the achievement of the objectives; it refers to the ongoing, interactive process and methodology whereby the company identifies the highest-risk areas that warrant greater attention and allocation of resources for implementing control measures (Lopez, 2002).
Resolution 297/03 states that internal control has been designed primarily to limit the risks that affect the activities of entities. Through the investigation and analysis of the relevant risks, and of the extent to which the control in force neutralizes them, the vulnerability of the system is assessed.
As stated by Quirós (2003), president of the Association of Public Accountants of Costa Rica: "internal control and management of risks are two inseparable elements, which within an organization should have a similar account." For Padilla (2002), any organization that aims to attain success, whether public or private, must identify, assess and manage risks in order to minimize them through the design and efficient implementation of an internal control system. Rosés (2000), associate director of the consulting firm Auditors Roses & Associates, states that "there is zero risk, the risk is inherent in the business, but can be reduced significantly by identifying the threats that have and work organization to keep within the limits marked."
There are many risk sources, both internal and external (Resolution 297/03; Coopers and Lybrand, 1997), among which the following can be highlighted:
External
• Technological developments that, if not adopted, can lead to the obsolescence of the organization.
• Changes in the needs and expectations of the population.
• Changes in legislation and standards leading to forced changes in strategy and procedures.
• Changes in the economic and financial situation that impact the budget of the entity.
Internal
• The organizational structure adopted, given the existence of typical risks.
• The quality of the personnel incorporated, as well as the methods for their instruction and motivation.
• The very nature of the activities of the entity.
According to Coopers and Lybrand (1997), a precondition for risk assessment is the determination of consistent objectives at each level of the organization. Management should first set objectives, before identifying the risks that may impact their achievement and taking appropriate measures to manage them.
An institution must create its own tools for risk assessment. This component must become a natural part of the strategic planning process, which treats the assessment as an indispensable need and a key instrument. To meet the objectives of internal control, it should be performed as a continuous and basic process for the organization, with constant revision, updating and improvement of internal control, based on a specific system for the detection and assessment of risks suited to the characteristics of the entity.
In risk assessment, in addition to identifying risks at plant level, risks must also be identified and analyzed at the level of activity, operation and department, in order to estimate their importance and establish control activities that ensure the best possible management. Correct assessment at the activity level also contributes to maintaining an acceptable level of risk for the entire organization, ensuring compliance with targets.
There is a monitoring tool that presents an overview of the risks to which any organization is exposed: the risk map. Risk maps can be represented in various forms: as maps (widely used for disaster relief), as matrices, or simply on a Cartesian plane that shows the level of risk to which the organization is exposed (López, 2002). Risk maps, regardless of the method used to develop them, are just a representation of cold data, so they can serve as an effective tool only as integral components of enterprise risk management.
3.2-Risk Management
3.2.1-General considerations on the risks
In the past, the main hazards and risks were associated with nature and natural disasters; now they are attributed primarily to human choices and actions, not only or not so much because of carelessness, but in most cases because of the inability of humans to predict the distant effects of their technological and social leadership. Ecological, nuclear, genetic, financial and other risks are risks of civilization; many of them are difficult to discern before the damage occurs. That is one reason why in recent decades risk has become a key category in the human condition and in the social sciences of our time.
Risk is interpreted in terms of categories such as:
• Uncertainty: the inability to predict or forecast the outcome of a situation at a given time.
• Probability: the proportion of times a particular event occurs in a given time, or the estimate of whether an event will occur or not.
• Level of risk: the assessment of the frequency and severity of the occurrence of a risk. (Del Toro et al, 2005)
The various definitions found in the literature consulted show that risk has not been conceptualized in an integrated manner but piecemeal, in accordance with the approach of each discipline involved in its assessment, which has increased its complexity and affected the way it is understood (Casas, 1998; León, 2003; Koprinarov, 2005).
In the field of political economy, or neo-Marxism, models have been proposed such as the pressure-release conceptual model, which postulates that risk is the result of the combination of conditions of vulnerability and potential threats (Cardona, 1993). For Ambrustery (2001), risk is defined as "any condition that causes an adverse condition detrimental to the product, the patient or health professional." According to Quirós (2003) and SFP (2004), risk is no more than the probability of occurrence of internal or external events that may affect the achievement of the organization's objectives. Other experts link exposure and vulnerability, maintaining that they combine to provide a measure of the "strength" of an organization to avoid loss events on the basis of the safeguards contemplated (DMR-Consulting, 2005).
Other authors, such as Coburn et al (1991), Maskrey (1998) and Percedo, MI (2004), argue that in many cases it is not possible, or is very difficult, to act on the threat; under this approach it is understood that reducing risk leaves no alternative but to reduce the vulnerability of the exposed elements, which makes risk conditional on these two variables. Toledano (2003) describes risk as the financial effect of an event multiplied by its probable frequency of occurrence. For Leon (2004), risk exists when there are two or more possibilities from which to choose, without being able to know in advance the results to which each will lead. All risk involves, therefore, the possibility of winning or losing; the greater the possible loss, the greater the risk.
Risks have also been classified in different ways. In general, taking into account their bipolar effect, they can be classified into pure risk and speculative risk (Del Toro et al, 2005; Koprinarov, 2005). Speculative risk is risk in which there is a chance to win or lose, as in gambling, games of chance or investment. In contrast, pure risk is the risk that occurs in the company, where there is the possibility of losing or not losing, but never of winning. Pure risk in the company is in turn classified as:
• Inherent risk.
• Incorporated risk.
Inherent risk is risk which by its nature cannot be separated from the situation in which it exists. It is proper to the work performed, and is the risk specific to each company according to its activity. Incorporated risk is risk that does not belong to the activity itself but is the product of the not very responsible behavior of a worker, who takes on other risks in order to obtain something he believes is good for himself and/or the company.
Another important and controversial aspect has been the classification of types of risk according to the structure and main functions of the company. The classifications used by authors such as Zorrilla (2004), Fragoso (2002), Fonseca (2000) and Baca (1997) include economic, market, credit, legality, technological, legal, liquidity, business and organizational risk, among others. There are other classifications related to internal control failures and work regulations, i.e. the risk of direct or indirect loss caused by a failure or inadequacy of processes, of people and of the internal organization of the company, which some authors call organizational or business risk (Koprinarov, 2005) and others, as in the banking industry, operational risk (López, Cristina, 2005).
Classifying the types of risk, starting from a specific definition of each, allows a level of uniformity and harmony at the time of identification, eliminating or reducing the possibility of introducing different names for the same phenomenon and resulting in better organization of risk management. However, in the world of financial and material resources, classifying risks becomes a complex task because of the multifactorial nature of the causal agents. This multifactorial nature lends itself to confusion and repetition, so a middle ground must be found that bounds the problem.
The trend of the 1990s with regard to risks is their administration by company management at the level of divisions, departments, activities or sub-activities, so that a broader view of risk is taken, including the operational side. The trend towards the development of national standards for risk administration has also spread, along with the development of multiple systems and custom programs for management consulting in various areas of economic activity.
The need to standardize risk management in the economic sphere has led many countries to study the phenomenon and to issue rules that serve as guidelines for managing risks. The national standards for risk management define the framework within which industrial and economic activities must be carried out so that risks do not materialize. The best known are those of Australia and New Zealand (AS/NZS 4360:1999) and Canada (CAN/CSA-Q850-97) (Koprinarov, 2005).
In our country, Resolution 297/2003 establishes risk assessment as an essential element of internal control, structured in the following rules:
• Identification of risk.
• Estimation of risk.
• Determination of control objectives.
• Detection of change.
Risk identification
It is an iterative process that is integrated into strategy and planning.
To identify risks, it is appropriate to start from scratch rather than from the pattern of risks identified in previous studies (Arce, 2005). To define a risk it is necessary to know its cause, which is what determines whether the risk exists and whether or not it can affect the company (Toledano, 2003). On many occasions entities identify their critical areas intuitively, weighing only the value of the potential loss and not jointly considering the criteria of threat and vulnerability; as a result, in some cases the areas that institutions treat as their focus of attention are also those with the greatest strength and the most safeguards, and are therefore already sufficiently "controlled" (DMR-Consulting, 2005). According to Del Toro et al (2005), the tools used for risk identification include questionnaires, flowcharts, flow diagrams, inspections and interviews, among others.
Risk estimation
Once the risks have been identified at the level of the institution, program or activity, they are analyzed. The methods used to determine the relative importance of risks include at least an estimate of their frequency, i.e. the probability of occurrence, and an assessment of the loss that could result. The weighting of the risk variables is broken down into:
• Feasibility (probability of occurrence): determined as a percentage, considering the rate at which the risk has materialized.
• Significance (impact assessment): determined by stating the management objective in the economic area analyzed and the categories of internal control that are impacted.
Risk can be quantified through the so-called exposure equation:
PE = F × V
where:
PE: expected loss or exposure, expressed in pesos per year.
F: frequency, the likely number of times the risk materializes in the year.
V: estimated loss for each case in which the risk materializes, expressed in pesos.
It is not always possible to quantify losses in monetary terms, because of the size or characteristics of many risks. These formulas are difficult to apply to risks related to internal control failures; in most cases quantification is impossible because it does not correspond to the objective of the risk analysis being performed. For this reason there are several methods that facilitate estimation by ranking risks qualitatively, according to Del Toro et al (2005), from an estimate of their frequency and of the financial impact they have on the entity. The most popular methods are listed below.
Prouty's method, or frequency criterion. This method classifies risks according to the frequency of loss due to the occurrence of events:
• Rare risk: the frequency of loss is almost zero (the event practically does not happen).
• Moderate risk: the loss happens after a period of time.
• Common risk: the loss happens regularly.
Gravity method, or financial criterion. This method classifies risks according to the financial impact they have on the entity:
• Light risk: the financial impact of the losses can be charged against the expense budget, which assumes it.
• Moderate risk: the financial impact of the losses requires a budget authorization in order to be covered financially.
• Serious risk: the financial impact of the losses affects earnings, but the continuity of the production process is maintained.
• Catastrophic risk: the financial impact of the losses threatens the survival of the company.
Identification of control objectives
The design of the control objectives should cover what each department, unit or section needs in order to ensure that risks do not materialize, responding to the strategy that management wants to follow to minimize risks, that is, what it wants to do: prevent, detect, interact, correct or segregate. It can then be analyzed which tools allow that strategy to be carried out, also considering the cost-effectiveness relationship (SENA, 2004; Koprinarov, 2005).
Change detection
The detection of change is not only the identification of changes in the circumstances of the environment in which the entity carries out its activity. A control system may cease to be effective when the conditions under which it operates change, so every entity must have procedures and mechanisms to capture changes and report them accordingly (Arce, 2005). For Quiros (2003), president of the College of Chartered Accountants of Costa Rica, constant revision, updating and improvement of internal control is a simple answer to what is known in the risk area as change detection.
Although risks are considered an essential component of internal control, the ambiguous way in which the topic is developed in both the COSO report and Resolution 297/03 precludes their effective management. The definitions and the variety of terms are not set out with sufficient clarity to enable entities to apply properly the elements contained in this component. Risk assessment is developed in depth primarily with respect to the identification and assessment of risks, but not with respect to their management, which is the most important role to develop. Neither the COSO report nor Resolution 297/03 provides a methodology that ties together all the rules included in this component and could serve as a common reference framework allowing all entities to manage risks effectively.
3.3-Methodology for Enterprise Risk Management
Risk management is recognized as an integral part of good management practices. It is an iterative process consisting of steps which, when executed in sequence, enable continuous improvement in decision making. Risk management is the term applied to a logical and systematic method of establishing the context, identifying, analyzing, evaluating, treating, monitoring and communicating risks associated with an activity, function or process in a way that enables organizations to minimize losses and maximize opportunities. It can be applied to all stages of the life of an activity, function, project or product (Arce, 2005).
Among experts in the field of risk management there is no unanimity on how the process is segmented into stages, but there is agreement on its key aspects: the process comprises a predominantly cognitive stage, which might be termed the study phase; a practical one, the implementation phase; and a third, the control and communication phase. In the first, the identification, analysis and assessment of risks are carried out. In the second, the risk response plan is implemented. The third phase consists of the activities of monitoring, control and communication (Koprinarov, 2005).
For its part, the standard AS/NZS 4360:1999, while generally consistent with the points set out in Resolution 297/03, emphasizes the need to develop a risk analysis model underpinned by the requirements for quality management systems set out in the ISO 9000 family of standards.
The National Learning Service, SENA (2004), sets policies on risk management in Resolution No. 01975, which proposes a methodology of eleven key steps and establishes as a fundamental aspect the inclusion of indicators of the effectiveness of the proposed actions, not covered by previous methodologies.
Specialists at DMR-Consulting (2005) propose a method called Operational Risk Management (ARO), whose main objective is to operationalize a methodology incorporating the necessary indicators. It also proposes to:
• Identify the risk, classify it and incorporate it into the database.
• Search for causes.
• Propose change measures based on process monitoring.
• Carry out management.
Pinkerton Consulting and Investigations, an English consulting firm and one of the world's largest, proposes as a methodology for risk management the requirements of the Turnbull Report (CSJ, 1999), summarized in the following questionnaire:
• Is your company aware of the organization's risks, and are they assessed, communicated and clearly understood?
• Does your company have an organizational structure conducive to efficient risk management and mitigation?
• Is there an identification of the risks associated with the acquisition of the company by directors and outside that control at all levels of your company?
• Is the company's risk assessment system transparent, so that shareholders can assess the risk?
• Is risk assessment considered a separate task, or an activity included in your business?
The basic requirements of the Turnbull Report are:
o The board should maintain a sound system of internal control.
o A member of the board shall conduct a review of the effectiveness of the company's internal control system at least annually. The annual review should cover all types of controls, including financial, operational and compliance controls and risk management.
o Members of the board should inform shareholders that the review has been carried out, usually in the financial report and the annual accounts.
FAO implements a system that has had great international impact for its approach to risk management: the Hazard Analysis and Critical Control Points (HACCP) system, used for prevention in food safety (FAO, 2002). Given the practical results of its application in the food industry, this system has been adopted and has become an accepted practice in other productive and service sectors, with excellent results (Rooney, 2001; Ambrustery, 2001).
As with most systems or methodologies for organizing an activity, such as quality management systems, HACCP systems and continuous improvement methodologies, among others, where regulations, standards or other general provisions establish the most important guidelines, which cannot be ignored, each entity should establish its own "custom-made" systems and methods by identifying and taking into account its own characteristics.
3.4-Hazard Analysis and Critical Control Points (HACCP) System
HACCP is a systematic, preventive procedure, recognized internationally, for addressing hazards through anticipation and prevention rather than through inspection and checking of final products. HACCP is science-based and systematic: it identifies the specific hazards of the procedure, the critical points to control, the measures necessary for their control, and the monitoring procedures. The system increases the responsibility of workers and their degree of control over the product. This analysis tool aims at detail and documentation, to ensure that the entity knows the product and the process so that it can control or monitor the most important elements for producing quality products. It also brings other benefits, such as effective use of resources and the flexibility to respond in time to problems and changes that arise (FAO, 2002).
Principles and application of HACCP
HACCP focuses its activities on 7 basic principles (Codex Alimentarius, 1998):
1. Conduct a hazard analysis.
2. Determine the critical control points (CCP).
3. Establish critical limits for each CCP.
4. Establish a system for monitoring and control of the CCP.
5. Establish the corrective measures to be taken when monitoring indicates that a particular CCP is out of limits.
6. Establish verification procedures to verify the operation of the HACCP system.
7. Set up a system of documentation covering all procedures and records appropriate to these principles and their application.
The interpretation of these principles is the prerogative of each particular entity (Inda, 1999). The HACCP system offers the advantage of managing risk at the level of the individual process; however, it does not offer the possibility of weighting risks in order to prioritize the larger ones. Given the features and benefits of this system, we believe that its use for control in the economic and financial sphere could well be feasible and contribute to a more secure financial activity. HACCP fits in perfect harmony as a complementary tool for meeting the standards laid down in Resolution 297/03 of the Ministry of Finance and Prices.
3.5-Internal control and quality management
For Coopers and Lybrand (1997), there is a parallel between quality factors and effective internal control systems, and internal control is not only integrated into quality programs but is often essential to their success. The incorporation of controls affects the entity's ability to achieve its objectives and supports quality. The pursuit of quality is directly linked to the way the business is managed and controlled. Controls become part of the operational structure of the company when:
• Top management includes quality values in the company's business style.
• Quality objectives are established, linked to the processes of collecting and analyzing information.
• Knowledge of competitors' practices and customer expectations is used to promote continuous quality improvement.
Quality concepts emerged and were transformed in parallel with productive activity. According to Crosby (1999), quality is a key element of human behavior that appears in the first documents of humanity.
The main approaches to quality management hold that quality is not a technical function, a department or an awareness program, but a systematic, customer-linked process to be implemented throughout the company, integrating suppliers (Feigenbaum, 1991). Juran (1993) states that the role of quality should encompass the entire company, which is achieved when all the specialized departments involved have a responsibility to carry out their functions properly, so that each carries out a quality-oriented activity alongside its main function.
The most widely accepted current concept of quality is "all the characteristics of an entity that affect its ability to satisfy stated and implied needs." One of the most useful tools for achieving this is the ISO 9000 family of international standards, which propose an organizational model focused on customer needs and the prevention of problems. They describe the components that quality systems should include, but each entity is free to design and implement them according to its specific conditions. These standards are independent of any industrial or economic sector and provide guidance on quality management and quality assurance. The versatility of the ISO standards has been proven in practice, as they have been successfully employed in a wide range of industries (Uchida, 1996).
The ISO 9000 family, produced by Technical Committee TC 176 of the International Organization for Standardization (ISO), summarizes the recommendations and best practices of successful companies worldwide (Perez, Aleida, 2001).
The ISO 9000 standards propose the development of a documented quality system. ISO 9000-1:2000 states that documentation is objective evidence that processes are defined and that procedures are approved and under change control, thus ensuring an accurate assessment of the suitability of the site and of the application of the system. Procedures and records are also identified as key documents.
Procedures, according to the concept in ISO 8402 (1994), are the description of the specific way of performing an activity. They should answer, in general terms, what the objectives of the document are, who is responsible for doing it, what resources are needed for the activity, and how it is done. Records, in turn, are the documents that gather all the details of an operation. Records can describe in detail all the results of the work, show the evolution over time of each process or activity, and provide traceability of transactions, giving reliability to the results, among other functions (ISO 9000-1:2000).
The ISO 9000:2001 vocabulary states that the application of a system of processes within the organization, together with the identification and interactions of these processes and their management, is known as the process-based approach, and defines a process as a "set of resources and interrelated activities that transform inputs into output elements." Such an approach enables organizations to function effectively by identifying and managing numerous interrelated activities; it emphasizes the importance of understanding and complying with requirements, of obtaining results on process performance and efficiency, and of continuously improving processes on the basis of objective measurement.
Developing the internal control activities of entities on the basis of the requirements of quality management systems should be a strategic decision for all organizations, since quality management systems are a prerequisite for positive economic and social results in any area of human activity.
4. General results and discussion

A methodology is designed for enterprise risk management that consistently integrates the aspects included in the new resolutions and guidelines on internal control, based on the requirements of quality management and using modern methods and techniques. The methodology is structured in eleven key steps, developed flexibly so that it can be applied not only to the processes related to the economic and financial information of companies but also as a tool to manage risks efficiently across the organization.

Results and discussion of the methodology steps.

Figure 4. Method for enterprise risk management.
4.1-Forming a team of experts and staff training. Assemble a team of experts who will be responsible for risk management, and train all staff in general, because they are the people who actually carry out this process.

4.2-Description of the activity and identification, charting and verification of processes. Describing the activity and identifying, charting and verifying the processes are the starting point, through which the expert team makes a complete description of each operation, taking into account the organizational structure, processes, procedures and resources.

4.3-Classification of risks. Classifying the types of risk to which entities are exposed, according to their activity, gives uniformity and consistency when identifying risks, removes the possibility of confusing risks with the causes that originate them, and makes it possible to assess the possible consequences.

4.4-Ordering processes by threat level. Establish threat levels for the processes based on the combination of probability and impact that they generate, in order to identify the key business processes that involve significant risks. A specific management plan is applied to the processes with the highest threat level.

4.5-Determining Critical Control Points (CCP). Determining the CCPs makes it possible to separate the essential from the accessory within each process. Working from the CCPs provides full control of the process: it allows the vulnerability gaps and the control activities that attenuate them to be established, sets out personal responsibilities at every step of the process, and gives each part of the process its own monitoring mechanism. We recommend the use of decision trees as a fundamental tool for determining these CCPs.

4.6-Establishing vulnerability gaps (causes of risk). Establishing the vulnerability gaps facilitates risk management, since these gaps are the causes of the occurrence of risks. The analysis should start from scratch and not be based on the pattern of risks identified in previous studies. It should include all factors, both internal and external.

4.7-Establishing critical limits for each CCP. A dividing line must be set for judging whether an operation is running outside the established parameters. Critical limits define the criteria for distinguishing between acceptable and unacceptable. These limits are set in accordance with the provisions of the procedures that describe the operations, technical instructions, physical parameters, weather and other aspects, thus facilitating control of the activity.
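Steps 4.4 and 4.7 sketched in Python as an added example, not part of the original article: processes are ranked by a probability and impact score, and CCP readings are checked against their critical limits. The 1 to 5 scales, the product score, the level cut-offs, the range form of the limits and all process and CCP names are assumptions.

```python
from dataclasses import dataclass, field

# Assumed scales: probability and impact are scored 1 (lowest) to 5 (highest).
# Assumed cut-offs for the threat level; the article fixes neither.
LEVELS = [(15, "high"), (6, "medium"), (0, "low")]

@dataclass
class CCP:
    name: str
    low: float   # critical limits: the acceptable range is [low, high]
    high: float

    def acceptable(self, reading: float) -> bool:
        return self.low <= reading <= self.high

@dataclass
class Process:
    name: str
    probability: int
    impact: int
    ccps: list = field(default_factory=list)

    def score(self) -> int:
        for value in (self.probability, self.impact):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.name}: score {value} outside 1..5")
        return self.probability * self.impact

    def threat_level(self) -> str:
        s = self.score()
        return next(label for floor, label in LEVELS if s >= floor)

def rank(processes):
    """Highest threat first; ties broken by impact, then by name."""
    return sorted(processes, key=lambda p: (-p.score(), -p.impact, p.name))

def breaches(process, readings):
    """CCP names whose reading is missing or outside its critical limits."""
    # A CCP with no reading is reported too: an unmonitored control point
    # cannot be judged acceptable.
    return [c.name for c in process.ccps
            if readings.get(c.name) is None or not c.acceptable(readings[c.name])]

# Constructed sample data, not taken from the article.
PROCESSES = [
    Process("payroll", 2, 4, [CCP("unreconciled_items", 0, 3)]),
    Process("cash_collection", 4, 5,
            [CCP("days_to_deposit", 0, 2), CCP("till_variance_pct", 0, 0.5)]),
    Process("archiving", 2, 2),
]
READINGS = {"days_to_deposit": 4, "till_variance_pct": 0.2}
```

Calling `rank(PROCESSES)` gives the order in which the specific management plans of step 4.4 would be applied, and `breaches` lists the CCPs that need attention for one process.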
4.8-Establishment of control activities and a monitoring system. Establish the control measures that can be applied to each vulnerability gap. It may be necessary to adopt more than one measure to control a specific risk, and more than one risk can probably be controlled with a given control measure. The proposed monitoring system must provide surveillance in time to act and detect early the changes that may occur both internally and externally.

4.9-Development of the methodology's documentation system. Managing risks properly requires appropriate documentation that provides adequate control and traceability of operations.

4.10-Development of process sheets. Developing process sheets gives a summary of each identified process and provides full information on how to run it and on what is essential to understand and manage.

4.11-Calculation of the process risk indicator and development of the risk map. The risk indicator is a value assigned to the process that gives an order of priority for supervision and monitoring. This indicator makes it possible to rank the risks and gives management the information to decide which processes have a higher risk indicator and require immediate attention, and which are of lesser importance and can be addressed later.

5. Conclusions
• The methodology for enterprise risk management, built from the requirements of internal control and quality management, is a new and simple tool that facilitates the management of risks.
• The implementation of the methodology for enterprise risk management, carried out in the economic sphere, showed that it can manage risks in a timely and efficient manner, helping to ensure more reliable economic and financial information for decision making.