What is a Risk-Based Approach?
In recent years, the risk-based approach has gained significant traction as a method for internal controls to prevent value loss in companies, whether caused by unforeseen events, theft, fraud, or legal and regulatory non-compliance risks. This includes the risk of involvement in criminal activities or money laundering and terrorism financing.
Historical Context
This approach has its roots in the creation of self-insurance funds by companies to cover potential risks, and practices adopted by insurance companies and financial institutions to assess the likelihood of loan recovery for their clients. Between the 1970s and 2000, as businesses expanded and fraud, inefficiencies, and financial crises increased, the focus shifted towards adequate risk management and corporate governance involvement in this process.
- Initiatives like COSO (Committee of Sponsoring Organizations), the Sarbanes-Oxley Act, the Basel Accords I, II, and III, and the Financial Action Task Force (FATF, known as GAFI in French and Spanish) emerged to set standards for internal control, corporate governance and bank risk management and, in the case of the FATF, for anti-money laundering and counter-terrorism financing.
In essence, the risk-based approach is a methodology for identifying and evaluating risks to prioritize resources and actions based on the probability and magnitude of identified risks, aiming to minimize impacts and maximize opportunities.
Key Steps in Risk-Based Approach
The risk-based approach follows these steps: identification, evaluation, proportionality, integration, and objective.
- Identification: Recognizing relevant risks that may affect the company.
- Evaluation: Analyzing the likelihood of events and their consequences for the company.
- Proportionality: Distributing available resources to each risk in proportion to its likelihood and consequences.
- Integration: Ensuring the risk-based approach is integrated into strategic and planning processes of the company.
- Objective: The ultimate goal is for the company to create value, protect its assets, and ensure compliance with applicable laws and regulations.
COSO 2017 Framework
The COSO 2017 framework defines risk management as “the culture, capabilities, and practices that organizations integrate into strategy definition and apply in executing strategies to manage risk for creating, preserving, and realizing value.”
This framework outlines five components and four principles related to risk management:
Components
- Governance and Culture: Sets the tone from top management to define risk awareness and expected behaviors.
- Objective Setting and Strategy: Integrates strategic decision-making with the desired risk level (risk appetite).
- Performance: Evaluates risks impacting strategies and operations, defining appropriate responses.
- Review and Adjustments: Reviews risk management results and responds to internal or external changes.
- Information and Communication: Ensures relevant risk management information reaches decision-makers promptly.
Principles
- Clear Operational, Informational, and Compliance Objectives: Specify clear objectives for operational, informational, and compliance purposes.
- Timely Detection of Internal and External Events: Detect internal and external events that may affect objectives promptly.
- Risk Assessment: Analyze the likelihood and impact of events to prioritize which ones receive attention.
- Risk Response: Avoid, accept, reduce, or transfer risks.
The COSO framework emphasizes that risk management is an integral part of strategic and operational processes, supporting value creation in the entity.