Methodology for Managing Business Risk. An indispensable tool for modern business
1. Summary
2. Introduction
3. conceptual framework on risk management
4. Overall results and discussion
5. Conclusions
6. References
1. Abstract A management efficient risk translates into untold economic impact for any organization , constituting an essential tool for decision making . The of risk management has assumed an important role in the company modern, increasingly contributing to the fulfillment of objectives and targets in the organization to the point that not conceived an organization seeking move forward with firm steps towards the success without the activity of managing risks well-organized. This work is a proposal Management Methodology of business risks , summarized in eleven key operations to be performed, which integrates in a manner consistent with the requirements included in Resolution 297/03 of the Ministry of Finance and Prices, requirements management and sequence quality logic for the application of systems of hazard analysis and critical control (HACCP), they adapted to the expectations demanded by internal control systems. This methodology is a guide or tool of great relevance that can be applied not only the economic and financial information of companies but also as a tool to manage risk at the level of any organization . Keywords: Risk management, internal control systems.
2. Introduction Managing risk effectively is now a concern of high management, says Bernens (1997): "the biggest small crack in the armor is the corporate risk management." Risk management is facilitated by the entities they operate on the basis of internal control systems consistent with current requirements. Internal control systems are a fundamental premise for the organizations operate so as to ensure compliance with the proposed objectives. Today risk management in financial and economic sphere, is inserted into a process known as internal control. Internal control is a concept universally known that it has lacked for a long time a common reference framework. Formerly the internal control systems were limited to activities in the areas of accounting and finance, without bond and relationships established, was not considered internal control as a management tool able to achieve efficiency and effectiveness of its operations. In the late nineties in several countries around the world created different committees or working groups of to work on this issue, proposing internal control models advocating a new current of thought , with a broad conception of the organization and greater involvement of management and staff in general. (Coopers and Libranda, 1997). Evolved as fast as internal control has evolved to treat the risks; world, the trend in the 90's with respect to this phenomenon is administration or management of the same addressed primarily by management of companies. Is now recognized adoption of a more extended risk, spreading the development of national standards for management and development multiple systems and programs for management consulting in different areas economic activity (Koprinarov, 2005). In Cuba resolution governing the management of risk is the 297/03. This resolution covers five key interrelated components. One of them is risk assessment, defined by Lopez (2002) as "the identification and analysis of factors both internal and external sources which may be relevant to the achievement of the objectives." The resolution 297/03 despite the risks to be considered an essential component of internal control, so ambiguous that this theme is developed precludes effective management of them. The definitions and the variety of terms are not displayed with sufficient clarity and common definition to allow entities to apply correctly the rules included for this activity. In the risk assessment component is emphasized primarily in identification and risk assessment, without further or facilitate management is the most important role in developing . This resolution offers no methodology or procedures allowing all standards covered gear that may be a common reference framework for all entities to effectively manage the risks they are exposed. This work is general purpose design and implement a methodology for risk management on the basis of resolution 297/03 and the requirements of ISO 9000 to ensure the reliability of economic and financial information. the CENSA. The theoretical contribution of this paper is a methodology for the management of business risks that summarizes the resolutions and guidelines related to internal control systems requirements for quality management and logical sequence for implementing systems Hazard Analysis and Critical Control Point.
3. conceptual framework on risk management of . 3.1-Components of internal control . The control is an integral part of the functions general address by he can check the status of a current system. Control in its most general consideration, prior censorship enough, given reality that approves or fixes, sometimes when it comes to control this word is associated with something negative, it is interpreted as a restriction, coercion or constraint, however Main control objective is to ensure that the results conform as much as possible to be planned objectives. Given that monitoring is a basic function within any process of organization and administration , which facilitates the evaluation executive including systematic monitoring and review, resolution 297/03 with its design of internal control system divided into five interrelated components essential and involved in all aspects of an organization. The five components of internal control are: • The control environment • Assessment of control risks • Activities • Information and Communication · Supervision and monitoring then emphasized the risk assessment as an essential component in the system of internal control .
3.1.1-risk assessment Because of the economic, industrial, regulatory and operational are changed continuously, mechanisms are needed to identify and minimize the specific risks associated with change, so is increasing the need for risk assessment. (Del Toro et al, 2005). Risk assessment is the identification and analysis of factors both internal and external sources which may be relevant to the achievement of the objectives, concerns the ongoing interactive process and methodology whereby the company identifies the highest risk areas that warrant greater attention and allocation of resources for the implementation control measures. (Lopez, 2002). In Resolution 297/03 states that internal control has been designed primarily to limit the risks that affect the activities of the entities. Through research and analysis of relevant risks and the extent to which neutralizes the force control, assessing the vulnerability of the system. As stated Quirós (2003) president of the Association of Public Accountants of Costa Rica : ¨ internal control and management of risks two elements are inseparable, that within an organization should have a similar account. "For Padilla (2002) any organization that designed to attain the success , whether public or private, must identify, assess and manage risks to minimize them through design and efficient implementation of internal control system. Rosés (2000), associate director of consulting Auditors Roses & Associates states that "there is zero risk, the risk is inherent in the business , but can be reduced significantly by identifying the threats that have and work organization to keep within the limits marked. " There are many risk sources both internal and external (Resolution 297/03, Coopers and Lybrand 1997) among which can highlight the following: • Development External assumed no technology that can lead to obsolescence of the organization. • Changes in needs and expectations of the population . · Changes in legislation and standards leading to forced changes in strategy and procedures. · Changes in the economic - financial impact on the budget of the entity. Internal • The organizational structure adopted, given the existence of typical risks. * Quality of personal built, as well as methods for instruction and motivation . • The self nature of the activities of the entity. According to Coopers and Lybrand (1997), a precondition to risk assessment is the determination of objectives at each level of the organization and be consistent. Management should set objectives first before identifying the risks that may impact on their achievement and take appropriate measures to manage them. An institution must create its own tools for risk assessment, this component must become a natural part of the strategic planning process , which assumes that evaluation as an indispensable necessity and a key instrumental to develop the objectives of internal control should be performed through a continuous process and basis for the organization, a constant revision, updating and improving internal control, based on a specific system for detection and risk assessment with the characteristics of the entity. In the risk assessment is considered in addition to identifying the plant level, they must be identified and analyzed the level of activity and operation department to estimate the importance of them, and establishing control activities to ensure maximum management. The correct assessment of activity level also contributes to maintaining an acceptable level of risk to the entire organization, ensuring compliance with targets. There is a monitoring tool that allows you to present an overview of the risks it is exposed any organization, this tool is the risk map. The risk maps can be represented in various forms can be through maps (widely used for disaster relief) or through matrices, or simply through a Cartesian plane, which symbolizes the level of risk that the organization is exposed. López (2002). Risk maps, regardless of how it is used to develop them, are just a representation cold data, so can only serve as an effective tool as integral components of enterprise risk management.
3.2- Risk Management.
3.2.1-General considerations on the risks. In the past, the main hazards and risks associated with nature and natural disasters now are attributed primarily to human choices and actions not only or not so much by the carelessness, but in most cases by the inability of humans to predict the effects far from their technological leadership and social. Ecological risk, nuclear, genetic, financial and other, are risks of civilization, many of them are difficult to discern before occurrence of the damage . That is one reason why in recent decades the risk becomes a key category in the human condition and the social sciences our time. The risk is interpreted in the space of categories such as: • Uncertainty: Unable to predict or forecast the outcome of a situation at any given time. · Odds: Proportion of times a particular event occurs at a time or estimate of an event occurring or not. Level of risk: Assessing the frequency and severity of the occurrence of a risk. (Del Toro et al, 2005) Various definitions have been found in the literature consulted shows that the risk has not been conceptualized in an integrated manner but in a piecemeal fashion, in accordance with the approach of each discipline involved in your valuation, which has increased its complexity and the way people understand (Casas, 1998, León, 2003; Koprinarov, 2005). In the field of political economy or neo-Marxism models have been proposed as the conceptual model pressure-release in which it is postulated that the risk is the result of the combination of conditions of vulnerability and potential threats. (Cardona, 1993). To Ambrustery (2001) risk is defined as "any condition that causes an adverse condition detrimental to the product , the patient or health professional ." According to Quirós (2003) and SFP (2004) The risk is no more than probability of occurrence of events or internal or external events that may affect the achievement of the objectives in the organization. Other experts link exposure and vulnerability, ensuring that combine to provide a measure of the "strength" of a organization to avoid the loss events based on the safeguards contemplated. (DMR-Consulting, 2005). Other authors such as Coburn et al (1991), Maskrey (1998), Percedo, MI (2004) argue that in many cases it is possible to act on the threat, or is very difficult, but under this approach is feasible to understand that to reduce risk would have no alternative but to reduce the vulnerability of exposed elements conditioning the risk to these two variables . Toledano (2003) classifies the risk as the financial effect of a case multiplied by the probable frequency of occurrence. For Leon (2004) the risk exists when two or more possibilities from which to choose, without being able to know in advance the results that lead each. All risks involves, therefore, the possibility of winning or losing, the greater the possible loss, the greater the risk. The risks have also been classified in different ways. In general, taking into account the bipolar effect can be classified into pure risk and speculative risk. (Del Toro et al, 2005; Koprinarov, 2005). The risk is that speculative risk where there is a chance to win or lose, such as gambling or games of chance, investment. In contrast, the pure risk is given in the company and the possibility to lose or not lose, but never win. The pure risk in the company in turn is classified as: • Risk inherent. • Risk incorporated. The inherent risk is that risk which by its nature can not be separated from the situation where it exists. Is proper work performed. Is the risk specific to each company according to their activity. The risk is that risk built is not the activity itself, but the product of some responsible behavior of a worker, who takes other risks in order to get something he thinks is good for and / or the company. Another important and controversial aspect has been to classify the types of risks at the discretion of the structure and main functions company. The classifications used by authors such as Zorrilla (2004), Fragoso (2002), Fonseca (2000) and Baca (1997) is the risk of economic character of market of credit of legality , of a technological, legal, liquidity risk, business risk , organizational, among others. There are other classifications related to internal control failures with the regulations of work, ie the risk of direct or indirect loss caused by a failure or failure of processes, people and inefficiency of the organization internal company, which is called by some authors organizational or business risk. (Koprinarov, 2005) and others, as the industry banking operations and risk (López, Cristina, 2005). The classification of risk types, allows almost level from a specific definition of such a level of uniformity and harmony in the time of identification by eliminating or reducing the possibility of introducing different names for the same phenomenon and resulting in better organization of risk management. However in the world of finance materials and resources to classify risks becomes a complex task for multifactoriedad causal agent. The multifactorial nature lends itself to confusion and repetition so we need to find a middle ground that annotates the problem. The trend of the 90 with regard to risk management is to of them by the business management at the level of divisions, departments, activities, or sub-activities, so it takes a broader view of risk, including the operational side. It has spread further the trend towards the development of national standards for the administration of them and the development multiple systems and custom programs for management consulting in various areas of economic activity. The need for standardization of risk management in the economic sphere has led many countries to study the phenomenon and to issue rules that are guidelines to follow in their management. The national standards for risk management, define the framework within which they must develop the industrial and economic activities so that they do not occur. The best known are the laws of Australia and New Zealand (AS / NZS 4360: 1999), Canada (CAN / CSA - Q850-97) (Koprinarov, 2005). In our country Resolution 297/2003 establishes as an essential element of internal control risk assessment structured the same in the following rules: • Identification of risk. • Estimation of risk. · Determination of control objectives. • Detection of change. Risk identification. It is an iterative process that is integrated into the strategy and planning . For the identification of risk is appropriate to start from scratch and not based on the pattern of risks identified in previous studies. (Arce, 2005). To define a risk is necessary to know its cause, which is what will determine the existence of this and whether it can affect the company or not. (Toledano, 2003). On many occasions entities to intuitively identify critical areas, to weigh only value of their potential loss and not jointly considered the threat and vulnerability criteria, therefore, in some cases, the areas that institutions consider their focus care, are also those with greater strength and have more safeguards and, therefore, are sufficiently "controlled" (DMR-Consulting, 2005). The tools used to develop risk identification activity according to Del Toro et al (2005) are questionnaires, flowcharts , flow diagram, inspections, interviews , et al. Risk estimation. Having identified the risks at the institution, program or activity to proceed with its analysis. The methods used to determine the relative importance of the risks include at least an estimate of their frequency, ie the probability of occurrence and an assessment of the loss that could result. The weights of the risk variables are broken down into: Feasibility (probability of occurrence). Percentage is determined mind, considering the rate of occurrence that the risk has materialized. Significance (impact assessment). Is determined by stating the goal of leadership in the economic area analyzed and categories of internal control that impact. The risk can be quantified through the so-called exposure equation is: PE ═ F x V Where: PE: Expected loss or exposure expressed in pesos annually. F: Frequency, likely times when the risk materializes in the year. V: Estimated loss for each case in which risk is expressed in weight concrete. It is not always possible to quantify in monetary losses due to the size or characteristics that have many risks. It is difficult to apply these formulas in the risks related to internal control failures, in most cases it is impossible to quantify because it does not correspond with the objective risk analysis to be performed. For this reason there are several methods that facilitate the estimation using an qualitative ranking them according to Del Toro et al (2005) from an estimate of the frequency and financial impact that they have on the entity. The most popular methods are as listed below: Method Prouty frequency criterion, this method classifies risks according to the criterion of frequency of loss due to the occurrence of events at: Risk rare: If the frequency of loss is almost zero (practically the event does not happen) Moderate risk: If the frequency happens After a period of time. Common risk: If the frequency happens regularly. Gravity method or financial criteria, this method classifies risks as the financial impact on the entity have: • Risk light: If the financial impact of losses can be carried against budget expenses and assumes . • Risk Moderate: If the financial impact of losses was necessary budget authorization to cope financially. • Risk serious: If the financial impact of losses affect earnings, but maintaining continuity of the production process. • Risk catastrophic: If the financial impact of losses threatening survival of the company. Identification of control objectives The design of the control objectives should include what each department, unit or section needs to ensure that risks materialize, responding to the strategy that management wants to continue to minimize the risks of what I want do: prevent, detect, prevent, interact, correct, segregate, then be able to analyze which tools allow you to carry out such a strategy, also considering the relationship cost-effective. (SENA, 2004; Koprinarov, 2005). Change Detection The detection of change is not only the identification of changes in the circumstances of environment in which the agency makes its action. A control system may cease to be effective in changing the conditions under which it operates, so that every entity must have procedures and mechanisms to capture and report accordingly to the changes. (Arce, 2005). For Quiros (2003), president of the College of Chartered Accountants of Costa Rica, a constant revision, updating and improvement of internal control is a simple answer to what is known as change detection risk area. Despite the risks to be considered an essential component of internal control, so ambiguous that this theme is developed both COSO report and the resolution 297/03 precludes effective management of them. The definitions and the variety of terms are not exposed to sufficient clarity to enable authorities to properly apply the elements contained in this component. Depth risk assessment primarily on the identification and assessment of risks, not so for the management of them is the most important role in developing. Neither the COSO report, or the resolution 297/03 provide a methodology to engage all the rules included in this component may be a common reference framework for all entities to allow effective management of risks. 3.3-Methodology for Enterprise Risk Management . Risk management is recognized as an integral part of good management practices. Is an iterative process consisting of steps, which, when executed in sequence, enable continuous improvement in the process of decision making . Risk management is a term applied to a logical and systematic method of establishing the context, identifying, analyzing, evaluating, treating, monitoring and communicating risks associated with an activity, function or process in a way that enables organizations minimize losses and maximize opportunities. It can be applied to all stages of the life of an activity, function, project or product. (Arce, 2005). Among the experts in the field of risk management there is no unanimity in the segmentation process, is defined in stages, but if there is agreement on key aspects of that process comprising a predominantly cognitive stage might be termed the study phase Another practical, the implementation phase and the third - the control phase and communication . The first are made: the identification, analysis and risk assessment. In the second plan is implemented of risk response. The third phase is formed by the activities of monitoring, control and communication . (Koprinarov, 2005). For its part, the standard AS / NZS 4360:1999 while generally consistent with the issues presented by Resolution 297/03, emphasizes the need to develop a model for risk analysis underpinned by the requirements of systems quality management exposed by the rules of the family ISO 9000. The National Service Learning SENA (2004) sets policies on risk management in Resolution No. 01975 which proposes a methodology of eleven key steps established as a fundamental aspect including indicators of effectiveness of the proposed actions not covered by previous methodology. Specialists and DMR-Consulting (2005) propose a method called Operational Risk Management (ARO), whose main objective is to operationalize a methodology incorporating the necessary indicators. It also proposes: To identify the risk, sort and incorporate into the base of datos.Buscar causas.Proponer change measures based on monitoring procesos.Realizar management. Pinkerton Consulting and Investigations, a consulting firm and one of the English world's largest proposed as a methodology for risk management requirements of the Turnbull Report (CSJ, 1999), summarized in the following questionnaire : • Is your company aware of the risks of the organization, and these assess, communicate and understand clearly? • Do you have your company's organizational structure conducive to efficient management and risk mitigation? • Is there an identification of the risks associated with the acquisition of the company by directors and outside that control at all levels of your company? • Is the risk assessment system of transparent company which will enable shareholders to assess the risk? · Is considered that the risk assessment is a separate task or activity is included in your business? The basic requirements of the Turnbull Report are: o The board should maintain a sound system of internal control. o A member of the board shall conduct a review of the effectiveness internal control system of the company at least annually. The annual review should cover all types of controls, including financial control, operational, and compliance and risk management. o Members of the board should inform shareholders that the review has been carried out - usually in the financial report and the annual accounts. FAO implements a system that International has a great impact on its approach to risk management, which is the system of Hazard Analysis and Critical Control Points (HACCP), used for the prevention of security of food (FAO, 2002). From the practical results of their application referred to in the food industry, this system has been used and has become an accepted practice in other productive sectors and services , with excellent results (Rooney, 2001; Ambrustery, 2001 .) As with most systems or methodologies to organize an activity, say management systems quality, HACCP systems, methodology for continuous improvement, among others, where there are regulations, standards or other general provisions that establish the most important guidelines and impossible to ignore, each entity should establish its own systems and methods as "custom made" by identifying and taking into account its own characteristics.
3.4-System Hazard Analysis and Critical Control Points (HACCP). HACCP is a systematic preventive procedure, recognized internationally to address hazards through anticipation and prevention rather than inspection and Check the products final. HACCP is science based and systematic, identifies specific hazards for the procedure to control the critical points necessary measures for its control and monitoring procedures, this system increases responsibility and the degree of control workers the product. This analysis tool aims to detail and documentation to ensure that the entity knows the product and the process so you can control or monitor the most important elements to produce quality products. Also report other benefits such as effective use of resources and flexibility that allows you to respond in time to problems and changes submitted. (FAO, 2002) Principles and application of HACCP HACCP focuses its activities on 7 basic principles: (Codex Alimentarius, 1998).
1. Conduct a hazard analysis
2. Determine the critical control points (CCP).
3. Establish critical limits for each CCP.
4. Establish a system for monitoring and control of the CCP.
5. Enact corrective measures to be taken when monitoring indicates that a particular CCP is out of limits.
6. Establish procedures for verification to verify the operation of the HACCP system.
7. Structuring a system of documentation concerning all procedures and records appropriate to these principles and their application. The interpretation of these principles is the prerogative of each particular entity (Inda, 1999). The HACCP system offers the advantage of risk management at the individual process, however the possibility does not weigh the same to prioritize those larger. For the features and benefits that have this system believe that their use for control in the economic and financial might well be feasible to contribute to a more secure financial activity. HACCP in perfect harmony as a complementary tool to meet the standards laid down in Resolution 297/03 of the Ministry of Finance and Prices .
3.5-internal control and quality management for Coopers and Lybrand (1997) there is a parallel between these factors and quality of systems effective internal control, and that internal control is not only integrated into quality programs, but often essential to their success. The addition of controls affects the entity's ability to achieve its objectives, and supporting quality. The pursuit of quality is directly linked to the way they manage and control business. Controls become part of the operational structure of the company when: Top management includes values \u200b\u200bof quality in the company's business style. • The establishment of quality objectives linked to the processes of collecting and analyzing information . • The use of knowledge about practices competition and customer expectations to promote continuous quality improvement. The quality concepts emerged and were transformed in parallel with productive action. According to Crosby (1999), quality is a key element of behavior man, that appears in the first documents of humanity. The main approaches to quality management are that the quality is not a technical function, or a department or program consciousness, but a systematic, customer-linked , to be implemented in all the company, integrating suppliers (Feigenbaum, 1991). Juran (1993) states that the role of quality should encompass the entire company, which is achieved when all the specialized departments involved have a responsibility to carry out their functions properly, so that each has a quality-oriented activity simultaneously its main function. The current quality concept most widely accepted is ¨ all the characteristics of an entity that affects their ability to satisfy stated and implied needs. "One of the most useful tools for achieving this are international standards family ISO 9000 that proposed an organizational model focused on customer needs, and prevention of problems, they describe the components that should include quality systems, but each entity has freedom to design and implement according to their specific conditions. These rules are independent of any industrial sector or economic and guidance on management and quality assurance. The versatility of the ISO been proven in practice as they have been successfully employed in a wide range of industries . Uchida, (1996) The family ISO 9000 is made from the Technical Committee TC 176 of the International Standard Organization (ISO), summarizes the recommendations and best practices of successful companies worldwide. (Perez, Aleida, 2001). Standards ISO 9000 propose the development of a documented quality system. ISO 9000-1:2000 states that the documentation is objective evidence that the processes are defined, procedures are approved and are under control exchange and thus ensure an accurate assessment of the suitability of the site and application system. Also as key documents are the procedures and records. The procedures, according to the concept of ISO 8402 (1994), are description of the specific form of how to perform an activity. Should respond in general terms what the objectives of the document, who is responsible to do it, what resources are needed for the activity, and how. The records, in turn, are the documents which gathers all details of an operation. Records can describe in detail all the results of the work, see evolution over time of each process or activity, take the traceability of the transactions giving reliability to the results among other functions (ISO 9000-1:2000) . Vocabulary ISO 9000:2001, says the implementation of a system of processes within the organization, along with the identification and interactions of these processes and their management, known as process-based approach, which defines as a process, "Joint resources and inter-related activities that transform inputs into output elements. " Such an approach type enables organizations to function effectively it identifies and manages numerous interrelated activities, emphasizes the importance of understanding and compliance with the requirements, the outcome of performance and process efficiency and continuous improvement these financial statements based on objective measurement. The development of internal control activities of the entities on the basis of the requirements of management systems quality should be a strategic decision for all organizations as systems of quality management are a prerequisite for positive results in economic and social orders in any of the areas of development of human activity.
4. Results and discussion general methodology is designed for enterprise risk management, which integrates in a manner consistent aspects included in the new resolutions and guidelines related to internal control, based on the requirements of quality management, using for this the methods and techniques modern. The methodology is structured in eleven key steps developed in a flexible manner that allows it to be applied not only to the processes related to financial information - financial firms but also as a tool to efficiently manage level risks across the organization. Results and discussion of the methodology steps. Figure 4-Method for enterprise risk management.
4.1-Forming a team of experts and staff training. Assemble a team of experts who will be responsible for risk management and training of all staff in general because they are the people the real perpetrators of this process.
4.2-Description of the activity, identifying, charting and verification processes. Describe the activity, identify, graph and verify the processes are the starting point through which the expert review team shall make a complete description each operation taking into account the organizational structure, processes, procedures and resources.
4.3-Classification of Risks. Classify types of risks they are exposed to the entities as the activity allows the uniformity and harmony in the time to identify risks and eliminate the possibility that risks confusing the causes that originate and allows to assess the possible consequences. 4.4-Sort
threat level processes. Establish levels of threat to the processes based on the combination of probability and impact that they generate, to identify key business processes that involve significant risks. The processes of higher threat level is apply specific management plan.
4.5-Determining Critical Control Points (CCP) Determine PCC can separate the essential from the accessory within each process, from the PCC provides full control of the process, allowing you to set the gap of vulnerability, control activities that attenuate, outlines personal responsibilities at every step of the process and makes its own monitoring mechanism for each part of the process. We recommend the use of trees decision as a fundamental tool for the determination of such PCC. 4.6-Establishment
gap of vulnerability (risk causes) Establish vulnerability gaps facilitates risk management and vulnerability that these gaps are the causes of the occurrence of risk analysis to be from scratch and not based on the pattern of risks identified in previous studies. It should include all factors, both internal and external.
4.7-Establish critical limits for each CCP. You must set the dividing line for judging whether an operation is operating outside the established parameters. Through critical limits defined criteria for distinguishing between acceptable and unacceptable. The establishment of these limits will respond to compliance with the provisions of the describing procedures operations, technical instructions, physical parameters, weather and other aspects, thus facilitating control of the activity.
4.8-Establishment of control activities and monitoring system to establish measures of control that can be applied for each vulnerability gap. It may be necessary to adopt more than one measure to control a specific risk, but probably more of a risk can be controlled with a certain measure of control. The proposed monitoring system must provide surveillance in time to act, detect early changes that may occur both internally and externally.
4.9-Development of the methodology documentation system. To properly manage the risks requires appropriate documentation to provide adequate control and traceability of operations.
4.10-Development of process chips. Develop processing chips allows for the summary of each identified process and provides full information on how to run this and what is essential to understand and manage. 4.11-
Calculation risk indicator development process and the risk map. The risk indicator is a value to the process that allows for an order of priority to supervision and monitoring. This indicator allows to rank the risks and providing information to management to make decisions about which processes are an indicator of increased risk and require immediate attention and which are of lesser importance can be addressed later. 5.-Conclusions
• The methodology for enterprise risk management from the internal control requirements and quality management is a new and simple tool that facilitates the management of risks. • The implementation of the methodology for enterprise risk management carried out in the economic, showed that this can manage risks in a timely and efficient, helping to ensure economic - financial information more reliable for making decisions.
1. Summary
2. Introduction
3. conceptual framework on risk management
4. Overall results and discussion
5. Conclusions
6. References
1. Abstract A management efficient risk translates into untold economic impact for any organization , constituting an essential tool for decision making . The of risk management has assumed an important role in the company modern, increasingly contributing to the fulfillment of objectives and targets in the organization to the point that not conceived an organization seeking move forward with firm steps towards the success without the activity of managing risks well-organized. This work is a proposal Management Methodology of business risks , summarized in eleven key operations to be performed, which integrates in a manner consistent with the requirements included in Resolution 297/03 of the Ministry of Finance and Prices, requirements management and sequence quality logic for the application of systems of hazard analysis and critical control (HACCP), they adapted to the expectations demanded by internal control systems. This methodology is a guide or tool of great relevance that can be applied not only the economic and financial information of companies but also as a tool to manage risk at the level of any organization . Keywords: Risk management, internal control systems.
2. Introduction Managing risk effectively is now a concern of high management, says Bernens (1997): "the biggest small crack in the armor is the corporate risk management." Risk management is facilitated by the entities they operate on the basis of internal control systems consistent with current requirements. Internal control systems are a fundamental premise for the organizations operate so as to ensure compliance with the proposed objectives. Today risk management in financial and economic sphere, is inserted into a process known as internal control. Internal control is a concept universally known that it has lacked for a long time a common reference framework. Formerly the internal control systems were limited to activities in the areas of accounting and finance, without bond and relationships established, was not considered internal control as a management tool able to achieve efficiency and effectiveness of its operations. In the late nineties in several countries around the world created different committees or working groups of to work on this issue, proposing internal control models advocating a new current of thought , with a broad conception of the organization and greater involvement of management and staff in general. (Coopers and Libranda, 1997). Evolved as fast as internal control has evolved to treat the risks; world, the trend in the 90's with respect to this phenomenon is administration or management of the same addressed primarily by management of companies. Is now recognized adoption of a more extended risk, spreading the development of national standards for management and development multiple systems and programs for management consulting in different areas economic activity (Koprinarov, 2005). In Cuba resolution governing the management of risk is the 297/03. This resolution covers five key interrelated components. One of them is risk assessment, defined by Lopez (2002) as "the identification and analysis of factors both internal and external sources which may be relevant to the achievement of the objectives." The resolution 297/03 despite the risks to be considered an essential component of internal control, so ambiguous that this theme is developed precludes effective management of them. The definitions and the variety of terms are not displayed with sufficient clarity and common definition to allow entities to apply correctly the rules included for this activity. In the risk assessment component is emphasized primarily in identification and risk assessment, without further or facilitate management is the most important role in developing . This resolution offers no methodology or procedures allowing all standards covered gear that may be a common reference framework for all entities to effectively manage the risks they are exposed. This work is general purpose design and implement a methodology for risk management on the basis of resolution 297/03 and the requirements of ISO 9000 to ensure the reliability of economic and financial information. the CENSA. The theoretical contribution of this paper is a methodology for the management of business risks that summarizes the resolutions and guidelines related to internal control systems requirements for quality management and logical sequence for implementing systems Hazard Analysis and Critical Control Point.
3. conceptual framework on risk management of . 3.1-Components of internal control . The control is an integral part of the functions general address by he can check the status of a current system. Control in its most general consideration, prior censorship enough, given reality that approves or fixes, sometimes when it comes to control this word is associated with something negative, it is interpreted as a restriction, coercion or constraint, however Main control objective is to ensure that the results conform as much as possible to be planned objectives. Given that monitoring is a basic function within any process of organization and administration , which facilitates the evaluation executive including systematic monitoring and review, resolution 297/03 with its design of internal control system divided into five interrelated components essential and involved in all aspects of an organization. The five components of internal control are: • The control environment • Assessment of control risks • Activities • Information and Communication · Supervision and monitoring then emphasized the risk assessment as an essential component in the system of internal control .
3.1.1-risk assessment Because of the economic, industrial, regulatory and operational are changed continuously, mechanisms are needed to identify and minimize the specific risks associated with change, so is increasing the need for risk assessment. (Del Toro et al, 2005). Risk assessment is the identification and analysis of factors both internal and external sources which may be relevant to the achievement of the objectives, concerns the ongoing interactive process and methodology whereby the company identifies the highest risk areas that warrant greater attention and allocation of resources for the implementation control measures. (Lopez, 2002). In Resolution 297/03 states that internal control has been designed primarily to limit the risks that affect the activities of the entities. Through research and analysis of relevant risks and the extent to which neutralizes the force control, assessing the vulnerability of the system. As stated Quirós (2003) president of the Association of Public Accountants of Costa Rica : ¨ internal control and management of risks two elements are inseparable, that within an organization should have a similar account. "For Padilla (2002) any organization that designed to attain the success , whether public or private, must identify, assess and manage risks to minimize them through design and efficient implementation of internal control system. Rosés (2000), associate director of consulting Auditors Roses & Associates states that "there is zero risk, the risk is inherent in the business , but can be reduced significantly by identifying the threats that have and work organization to keep within the limits marked. " There are many risk sources both internal and external (Resolution 297/03, Coopers and Lybrand 1997) among which can highlight the following: • Development External assumed no technology that can lead to obsolescence of the organization. • Changes in needs and expectations of the population . · Changes in legislation and standards leading to forced changes in strategy and procedures. · Changes in the economic - financial impact on the budget of the entity. Internal • The organizational structure adopted, given the existence of typical risks. * Quality of personal built, as well as methods for instruction and motivation . • The self nature of the activities of the entity. According to Coopers and Lybrand (1997), a precondition to risk assessment is the determination of objectives at each level of the organization and be consistent. Management should set objectives first before identifying the risks that may impact on their achievement and take appropriate measures to manage them. An institution must create its own tools for risk assessment, this component must become a natural part of the strategic planning process , which assumes that evaluation as an indispensable necessity and a key instrumental to develop the objectives of internal control should be performed through a continuous process and basis for the organization, a constant revision, updating and improving internal control, based on a specific system for detection and risk assessment with the characteristics of the entity. In the risk assessment is considered in addition to identifying the plant level, they must be identified and analyzed the level of activity and operation department to estimate the importance of them, and establishing control activities to ensure maximum management. The correct assessment of activity level also contributes to maintaining an acceptable level of risk to the entire organization, ensuring compliance with targets. There is a monitoring tool that allows you to present an overview of the risks it is exposed any organization, this tool is the risk map. The risk maps can be represented in various forms can be through maps (widely used for disaster relief) or through matrices, or simply through a Cartesian plane, which symbolizes the level of risk that the organization is exposed. López (2002). Risk maps, regardless of how it is used to develop them, are just a representation cold data, so can only serve as an effective tool as integral components of enterprise risk management.
3.2- Risk Management.
3.2.1-General considerations on the risks. In the past, the main hazards and risks associated with nature and natural disasters now are attributed primarily to human choices and actions not only or not so much by the carelessness, but in most cases by the inability of humans to predict the effects far from their technological leadership and social. Ecological risk, nuclear, genetic, financial and other, are risks of civilization, many of them are difficult to discern before occurrence of the damage . That is one reason why in recent decades the risk becomes a key category in the human condition and the social sciences our time. The risk is interpreted in the space of categories such as: • Uncertainty: Unable to predict or forecast the outcome of a situation at any given time. · Odds: Proportion of times a particular event occurs at a time or estimate of an event occurring or not. Level of risk: Assessing the frequency and severity of the occurrence of a risk. (Del Toro et al, 2005) Various definitions have been found in the literature consulted shows that the risk has not been conceptualized in an integrated manner but in a piecemeal fashion, in accordance with the approach of each discipline involved in your valuation, which has increased its complexity and the way people understand (Casas, 1998, León, 2003; Koprinarov, 2005). In the field of political economy or neo-Marxism models have been proposed as the conceptual model pressure-release in which it is postulated that the risk is the result of the combination of conditions of vulnerability and potential threats. (Cardona, 1993). To Ambrustery (2001) risk is defined as "any condition that causes an adverse condition detrimental to the product , the patient or health professional ." According to Quirós (2003) and SFP (2004) The risk is no more than probability of occurrence of events or internal or external events that may affect the achievement of the objectives in the organization. Other experts link exposure and vulnerability, ensuring that combine to provide a measure of the "strength" of a organization to avoid the loss events based on the safeguards contemplated. (DMR-Consulting, 2005). Other authors such as Coburn et al (1991), Maskrey (1998), Percedo, MI (2004) argue that in many cases it is possible to act on the threat, or is very difficult, but under this approach is feasible to understand that to reduce risk would have no alternative but to reduce the vulnerability of exposed elements conditioning the risk to these two variables . Toledano (2003) classifies the risk as the financial effect of a case multiplied by the probable frequency of occurrence. For Leon (2004) the risk exists when two or more possibilities from which to choose, without being able to know in advance the results that lead each. All risks involves, therefore, the possibility of winning or losing, the greater the possible loss, the greater the risk. The risks have also been classified in different ways. In general, taking into account the bipolar effect can be classified into pure risk and speculative risk. (Del Toro et al, 2005; Koprinarov, 2005). The risk is that speculative risk where there is a chance to win or lose, such as gambling or games of chance, investment. In contrast, the pure risk is given in the company and the possibility to lose or not lose, but never win. The pure risk in the company in turn is classified as: • Risk inherent. • Risk incorporated. The inherent risk is that risk which by its nature can not be separated from the situation where it exists. Is proper work performed. Is the risk specific to each company according to their activity. The risk is that risk built is not the activity itself, but the product of some responsible behavior of a worker, who takes other risks in order to get something he thinks is good for and / or the company. Another important and controversial aspect has been to classify the types of risks at the discretion of the structure and main functions company. The classifications used by authors such as Zorrilla (2004), Fragoso (2002), Fonseca (2000) and Baca (1997) is the risk of economic character of market of credit of legality , of a technological, legal, liquidity risk, business risk , organizational, among others. There are other classifications related to internal control failures with the regulations of work, ie the risk of direct or indirect loss caused by a failure or failure of processes, people and inefficiency of the organization internal company, which is called by some authors organizational or business risk. (Koprinarov, 2005) and others, as the industry banking operations and risk (López, Cristina, 2005). The classification of risk types, allows almost level from a specific definition of such a level of uniformity and harmony in the time of identification by eliminating or reducing the possibility of introducing different names for the same phenomenon and resulting in better organization of risk management. However in the world of finance materials and resources to classify risks becomes a complex task for multifactoriedad causal agent. The multifactorial nature lends itself to confusion and repetition so we need to find a middle ground that annotates the problem. The trend of the 90 with regard to risk management is to of them by the business management at the level of divisions, departments, activities, or sub-activities, so it takes a broader view of risk, including the operational side. It has spread further the trend towards the development of national standards for the administration of them and the development multiple systems and custom programs for management consulting in various areas of economic activity. The need for standardization of risk management in the economic sphere has led many countries to study the phenomenon and to issue rules that are guidelines to follow in their management. The national standards for risk management, define the framework within which they must develop the industrial and economic activities so that they do not occur. The best known are the laws of Australia and New Zealand (AS / NZS 4360: 1999), Canada (CAN / CSA - Q850-97) (Koprinarov, 2005). In our country Resolution 297/2003 establishes as an essential element of internal control risk assessment structured the same in the following rules: • Identification of risk. • Estimation of risk. · Determination of control objectives. • Detection of change. Risk identification. It is an iterative process that is integrated into the strategy and planning . For the identification of risk is appropriate to start from scratch and not based on the pattern of risks identified in previous studies. (Arce, 2005). To define a risk is necessary to know its cause, which is what will determine the existence of this and whether it can affect the company or not. (Toledano, 2003). On many occasions entities to intuitively identify critical areas, to weigh only value of their potential loss and not jointly considered the threat and vulnerability criteria, therefore, in some cases, the areas that institutions consider their focus care, are also those with greater strength and have more safeguards and, therefore, are sufficiently "controlled" (DMR-Consulting, 2005). The tools used to develop risk identification activity according to Del Toro et al (2005) are questionnaires, flowcharts , flow diagram, inspections, interviews , et al. Risk estimation. Having identified the risks at the institution, program or activity to proceed with its analysis. The methods used to determine the relative importance of the risks include at least an estimate of their frequency, ie the probability of occurrence and an assessment of the loss that could result. The weights of the risk variables are broken down into: Feasibility (probability of occurrence). Percentage is determined mind, considering the rate of occurrence that the risk has materialized. Significance (impact assessment). Is determined by stating the goal of leadership in the economic area analyzed and categories of internal control that impact. The risk can be quantified through the so-called exposure equation is: PE ═ F x V Where: PE: Expected loss or exposure expressed in pesos annually. F: Frequency, likely times when the risk materializes in the year. V: Estimated loss for each case in which risk is expressed in weight concrete. It is not always possible to quantify in monetary losses due to the size or characteristics that have many risks. It is difficult to apply these formulas in the risks related to internal control failures, in most cases it is impossible to quantify because it does not correspond with the objective risk analysis to be performed. For this reason there are several methods that facilitate the estimation using an qualitative ranking them according to Del Toro et al (2005) from an estimate of the frequency and financial impact that they have on the entity. The most popular methods are as listed below: Method Prouty frequency criterion, this method classifies risks according to the criterion of frequency of loss due to the occurrence of events at: Risk rare: If the frequency of loss is almost zero (practically the event does not happen) Moderate risk: If the frequency happens After a period of time. Common risk: If the frequency happens regularly. Gravity method or financial criteria, this method classifies risks as the financial impact on the entity have: • Risk light: If the financial impact of losses can be carried against budget expenses and assumes . • Risk Moderate: If the financial impact of losses was necessary budget authorization to cope financially. • Risk serious: If the financial impact of losses affect earnings, but maintaining continuity of the production process. • Risk catastrophic: If the financial impact of losses threatening survival of the company. Identification of control objectives The design of the control objectives should include what each department, unit or section needs to ensure that risks materialize, responding to the strategy that management wants to continue to minimize the risks of what I want do: prevent, detect, prevent, interact, correct, segregate, then be able to analyze which tools allow you to carry out such a strategy, also considering the relationship cost-effective. (SENA, 2004; Koprinarov, 2005). Change Detection The detection of change is not only the identification of changes in the circumstances of environment in which the agency makes its action. A control system may cease to be effective in changing the conditions under which it operates, so that every entity must have procedures and mechanisms to capture and report accordingly to the changes. (Arce, 2005). For Quiros (2003), president of the College of Chartered Accountants of Costa Rica, a constant revision, updating and improvement of internal control is a simple answer to what is known as change detection risk area. Despite the risks to be considered an essential component of internal control, so ambiguous that this theme is developed both COSO report and the resolution 297/03 precludes effective management of them. The definitions and the variety of terms are not exposed to sufficient clarity to enable authorities to properly apply the elements contained in this component. Depth risk assessment primarily on the identification and assessment of risks, not so for the management of them is the most important role in developing. Neither the COSO report, or the resolution 297/03 provide a methodology to engage all the rules included in this component may be a common reference framework for all entities to allow effective management of risks. 3.3-Methodology for Enterprise Risk Management . Risk management is recognized as an integral part of good management practices. Is an iterative process consisting of steps, which, when executed in sequence, enable continuous improvement in the process of decision making . Risk management is a term applied to a logical and systematic method of establishing the context, identifying, analyzing, evaluating, treating, monitoring and communicating risks associated with an activity, function or process in a way that enables organizations minimize losses and maximize opportunities. It can be applied to all stages of the life of an activity, function, project or product. (Arce, 2005). Among the experts in the field of risk management there is no unanimity in the segmentation process, is defined in stages, but if there is agreement on key aspects of that process comprising a predominantly cognitive stage might be termed the study phase Another practical, the implementation phase and the third - the control phase and communication . The first are made: the identification, analysis and risk assessment. In the second plan is implemented of risk response. The third phase is formed by the activities of monitoring, control and communication . (Koprinarov, 2005). For its part, the standard AS / NZS 4360:1999 while generally consistent with the issues presented by Resolution 297/03, emphasizes the need to develop a model for risk analysis underpinned by the requirements of systems quality management exposed by the rules of the family ISO 9000. The National Service Learning SENA (2004) sets policies on risk management in Resolution No. 01975 which proposes a methodology of eleven key steps established as a fundamental aspect including indicators of effectiveness of the proposed actions not covered by previous methodology. Specialists and DMR-Consulting (2005) propose a method called Operational Risk Management (ARO), whose main objective is to operationalize a methodology incorporating the necessary indicators. It also proposes: To identify the risk, sort and incorporate into the base of datos.Buscar causas.Proponer change measures based on monitoring procesos.Realizar management. Pinkerton Consulting and Investigations, a consulting firm and one of the English world's largest proposed as a methodology for risk management requirements of the Turnbull Report (CSJ, 1999), summarized in the following questionnaire : • Is your company aware of the risks of the organization, and these assess, communicate and understand clearly? • Do you have your company's organizational structure conducive to efficient management and risk mitigation? • Is there an identification of the risks associated with the acquisition of the company by directors and outside that control at all levels of your company? • Is the risk assessment system of transparent company which will enable shareholders to assess the risk? · Is considered that the risk assessment is a separate task or activity is included in your business? The basic requirements of the Turnbull Report are: o The board should maintain a sound system of internal control. o A member of the board shall conduct a review of the effectiveness internal control system of the company at least annually. The annual review should cover all types of controls, including financial control, operational, and compliance and risk management. o Members of the board should inform shareholders that the review has been carried out - usually in the financial report and the annual accounts. FAO implements a system that International has a great impact on its approach to risk management, which is the system of Hazard Analysis and Critical Control Points (HACCP), used for the prevention of security of food (FAO, 2002). From the practical results of their application referred to in the food industry, this system has been used and has become an accepted practice in other productive sectors and services , with excellent results (Rooney, 2001; Ambrustery, 2001 .) As with most systems or methodologies to organize an activity, say management systems quality, HACCP systems, methodology for continuous improvement, among others, where there are regulations, standards or other general provisions that establish the most important guidelines and impossible to ignore, each entity should establish its own systems and methods as "custom made" by identifying and taking into account its own characteristics.
3.4-System Hazard Analysis and Critical Control Points (HACCP). HACCP is a systematic preventive procedure, recognized internationally to address hazards through anticipation and prevention rather than inspection and Check the products final. HACCP is science based and systematic, identifies specific hazards for the procedure to control the critical points necessary measures for its control and monitoring procedures, this system increases responsibility and the degree of control workers the product. This analysis tool aims to detail and documentation to ensure that the entity knows the product and the process so you can control or monitor the most important elements to produce quality products. Also report other benefits such as effective use of resources and flexibility that allows you to respond in time to problems and changes submitted. (FAO, 2002) Principles and application of HACCP HACCP focuses its activities on 7 basic principles: (Codex Alimentarius, 1998).
1. Conduct a hazard analysis
2. Determine the critical control points (CCP).
3. Establish critical limits for each CCP.
4. Establish a system for monitoring and control of the CCP.
5. Enact corrective measures to be taken when monitoring indicates that a particular CCP is out of limits.
6. Establish procedures for verification to verify the operation of the HACCP system.
7. Structuring a system of documentation concerning all procedures and records appropriate to these principles and their application. The interpretation of these principles is the prerogative of each particular entity (Inda, 1999). The HACCP system offers the advantage of risk management at the individual process, however the possibility does not weigh the same to prioritize those larger. For the features and benefits that have this system believe that their use for control in the economic and financial might well be feasible to contribute to a more secure financial activity. HACCP in perfect harmony as a complementary tool to meet the standards laid down in Resolution 297/03 of the Ministry of Finance and Prices .
3.5-internal control and quality management for Coopers and Lybrand (1997) there is a parallel between these factors and quality of systems effective internal control, and that internal control is not only integrated into quality programs, but often essential to their success. The addition of controls affects the entity's ability to achieve its objectives, and supporting quality. The pursuit of quality is directly linked to the way they manage and control business. Controls become part of the operational structure of the company when: Top management includes values \u200b\u200bof quality in the company's business style. • The establishment of quality objectives linked to the processes of collecting and analyzing information . • The use of knowledge about practices competition and customer expectations to promote continuous quality improvement. The quality concepts emerged and were transformed in parallel with productive action. According to Crosby (1999), quality is a key element of behavior man, that appears in the first documents of humanity. The main approaches to quality management are that the quality is not a technical function, or a department or program consciousness, but a systematic, customer-linked , to be implemented in all the company, integrating suppliers (Feigenbaum, 1991). Juran (1993) states that the role of quality should encompass the entire company, which is achieved when all the specialized departments involved have a responsibility to carry out their functions properly, so that each has a quality-oriented activity simultaneously its main function. The current quality concept most widely accepted is ¨ all the characteristics of an entity that affects their ability to satisfy stated and implied needs. "One of the most useful tools for achieving this are international standards family ISO 9000 that proposed an organizational model focused on customer needs, and prevention of problems, they describe the components that should include quality systems, but each entity has freedom to design and implement according to their specific conditions. These rules are independent of any industrial sector or economic and guidance on management and quality assurance. The versatility of the ISO been proven in practice as they have been successfully employed in a wide range of industries . Uchida, (1996) The family ISO 9000 is made from the Technical Committee TC 176 of the International Standard Organization (ISO), summarizes the recommendations and best practices of successful companies worldwide. (Perez, Aleida, 2001). Standards ISO 9000 propose the development of a documented quality system. ISO 9000-1:2000 states that the documentation is objective evidence that the processes are defined, procedures are approved and are under control exchange and thus ensure an accurate assessment of the suitability of the site and application system. Also as key documents are the procedures and records. The procedures, according to the concept of ISO 8402 (1994), are description of the specific form of how to perform an activity. Should respond in general terms what the objectives of the document, who is responsible to do it, what resources are needed for the activity, and how. The records, in turn, are the documents which gathers all details of an operation. Records can describe in detail all the results of the work, see evolution over time of each process or activity, take the traceability of the transactions giving reliability to the results among other functions (ISO 9000-1:2000) . Vocabulary ISO 9000:2001, says the implementation of a system of processes within the organization, along with the identification and interactions of these processes and their management, known as process-based approach, which defines as a process, "Joint resources and inter-related activities that transform inputs into output elements. " Such an approach type enables organizations to function effectively it identifies and manages numerous interrelated activities, emphasizes the importance of understanding and compliance with the requirements, the outcome of performance and process efficiency and continuous improvement these financial statements based on objective measurement. The development of internal control activities of the entities on the basis of the requirements of management systems quality should be a strategic decision for all organizations as systems of quality management are a prerequisite for positive results in economic and social orders in any of the areas of development of human activity.
4. Results and discussion general methodology is designed for enterprise risk management, which integrates in a manner consistent aspects included in the new resolutions and guidelines related to internal control, based on the requirements of quality management, using for this the methods and techniques modern. The methodology is structured in eleven key steps developed in a flexible manner that allows it to be applied not only to the processes related to financial information - financial firms but also as a tool to efficiently manage level risks across the organization. Results and discussion of the methodology steps. Figure 4-Method for enterprise risk management.
4.1-Forming a team of experts and staff training. Assemble a team of experts who will be responsible for risk management and training of all staff in general because they are the people the real perpetrators of this process.
4.2-Description of the activity, identifying, charting and verification processes. Describe the activity, identify, graph and verify the processes are the starting point through which the expert review team shall make a complete description each operation taking into account the organizational structure, processes, procedures and resources.
4.3-Classification of Risks. Classify types of risks they are exposed to the entities as the activity allows the uniformity and harmony in the time to identify risks and eliminate the possibility that risks confusing the causes that originate and allows to assess the possible consequences. 4.4-Sort
threat level processes. Establish levels of threat to the processes based on the combination of probability and impact that they generate, to identify key business processes that involve significant risks. The processes of higher threat level is apply specific management plan.
4.5-Determining Critical Control Points (CCP) Determine PCC can separate the essential from the accessory within each process, from the PCC provides full control of the process, allowing you to set the gap of vulnerability, control activities that attenuate, outlines personal responsibilities at every step of the process and makes its own monitoring mechanism for each part of the process. We recommend the use of trees decision as a fundamental tool for the determination of such PCC. 4.6-Establishment
gap of vulnerability (risk causes) Establish vulnerability gaps facilitates risk management and vulnerability that these gaps are the causes of the occurrence of risk analysis to be from scratch and not based on the pattern of risks identified in previous studies. It should include all factors, both internal and external.
4.7-Establish critical limits for each CCP. You must set the dividing line for judging whether an operation is operating outside the established parameters. Through critical limits defined criteria for distinguishing between acceptable and unacceptable. The establishment of these limits will respond to compliance with the provisions of the describing procedures operations, technical instructions, physical parameters, weather and other aspects, thus facilitating control of the activity.
4.8-Establishment of control activities and monitoring system to establish measures of control that can be applied for each vulnerability gap. It may be necessary to adopt more than one measure to control a specific risk, but probably more of a risk can be controlled with a certain measure of control. The proposed monitoring system must provide surveillance in time to act, detect early changes that may occur both internally and externally.
4.9-Development of the methodology documentation system. To properly manage the risks requires appropriate documentation to provide adequate control and traceability of operations.
4.10-Development of process chips. Develop processing chips allows for the summary of each identified process and provides full information on how to run this and what is essential to understand and manage. 4.11-
Calculation risk indicator development process and the risk map. The risk indicator is a value to the process that allows for an order of priority to supervision and monitoring. This indicator allows to rank the risks and providing information to management to make decisions about which processes are an indicator of increased risk and require immediate attention and which are of lesser importance can be addressed later. 5.-Conclusions
• The methodology for enterprise risk management from the internal control requirements and quality management is a new and simple tool that facilitates the management of risks. • The implementation of the methodology for enterprise risk management carried out in the economic, showed that this can manage risks in a timely and efficient, helping to ensure economic - financial information more reliable for making decisions.
0 comments:
Post a Comment