1. Risk identification: the application of process analysis method + assumption analysis method from the system level to analyze the key control measures to prevent the risk points; the application of brainstorming method + fishbone diagram method based on experience or has formed the risk of risky facts of the risk points found in the system missing risk points, the formation of a cycle from the system to the risk, from the risk to the system.
The process analysis method refers to the establishment of a series of flow charts or process lists for each business activity or management activity in accordance with its intrinsic logical connection, and the investigation, research and analysis of each link in the process to discover the potential risks of a risk identification method.
The process analysis method requires that for each three-level process, according to the current management status quo (such as rules and systems, flow charts, business status, process planning, etc.), combined with the internal control guidelines, the chronological decomposition of the N links with a strong correlation, each link should be the smallest relatively independent unit of events. Using the hypothesis analysis method, the risk factors and consequences that may occur if a certain process link is not taken are assumed visually and figuratively. Through the hypothesis analysis method can be found, some of the process link whether there is a real risk, whether there is redundancy and can be optimized to improve management efficiency.
Brainstorming + Fishbone Diagram Method: Simply using process analysis and hypothesis analysis for risk identification, there may be uncovered risk points that need to be further supplemented. Focusing on the specific business processes, the relevant experts will hold thematic meetings to brainstorm and ensure the comprehensiveness of the risks. Using the fishbone diagram method, the risks proposed by the brainstorming are summarized and integrated to form all the risk points for the three-level process. Risk points based on experience or historical cases that have developed risk facts can be raised during the brainstorming process.
2. Risk assessment: Risk analysis and evaluation of the identified risk points. To this end, Article 24 of the Basic Standard for Internal Control of Enterprises stipulates that enterprises should use a combination of qualitative and quantitative methods to analyze and rank the identified risks according to the likelihood of their occurrence and the degree of their impact, and to determine the focus of attention and prioritize the risks to be controlled.
Through the risk assessment, the risks are graded and managed, and different levels of risks are implemented with differentiated control strategies, thus realizing the improvement of management efficiency. The so-called risk classification management refers to the possibility of risk and the degree of impact of the risk is divided into high-risk, medium-risk, low-risk three categories.
3. Key control measures match
Control measures generally include: incompatible job separation control, authorization and approval control, accounting system control, property protection control, budgetary control, operational analysis control, performance appraisal control, standardization/restriction of behavior, systematic and automatic control, monitoring and early warning, auditing/verification control, and internal reporting control.
Several principles in selecting measures:
1) When choosing specific control measures, an enterprise is not a key control point can only correspond to one type of control measures, and can use a variety of control measures in a comprehensive manner; it can also innovate other types of control measures on its own according to the actual business situation.
2) From the effectiveness of control, automatic control is better than manual control, multiple interrelated control is better than single control, control performed by senior personnel is better than control performed by grassroots personnel, preventive control is better than discovery control, 100% control is better than control using sampling methods, and real-time control is better than lagging control.
3) Enterprises in the choice of the above control measures, in addition to consider the intensity of control, but also need to implement the principle of cost-effectiveness, and strive to minimize the control or the lowest management costs to obtain the maximum economic benefits.