Risk refers to the identifiable and controllable uncertainty that exists objectively in a certain environment and within a certain period, resulting in expenses and losses. Many people tend to confuse risk with uncertainty when they understand risk. In fact, the definition of risk can only be related to the goal. The simplest definition of risk is "uncertainty at work". Through this definition, we can realize that the uncertainty unrelated to the goal should be excluded from the risk management process.
Risk assessment is an important part of risk management, which refers to the process of identifying and scientifically analyzing all kinds of uncertain factors affecting the realization of internal control objectives of enterprises in time and taking countermeasures. In practice, the process of enterprise risk assessment can be roughly divided into three steps: risk identification, risk analysis and risk assessment. Risk identification is to identify and classify the risks faced by enterprises; Risk analysis is to put the identified risks into a unified model for analysis, quantitative or qualitative analysis; And risk assessment is to assess the impact of risk on enterprise goals, and the risk with the greatest impact will become the focus of enterprise risk management.
According to COSO's enterprise risk management framework in the United States, enterprise risk management refers to the process that the board of directors, management and other employees of an enterprise participate in and apply to the formulation of enterprise strategy, aiming at identifying matters that may affect the enterprise, managing risks within its risk preference and ensuring the reasonable realization of enterprise goals. Therefore, risk management tends to take risk prevention on the basis of risk analysis, that is, take measures to deal with risks.
Second, the risk of goal setting
Goal setting is the premise of risk identification and risk analysis. Enterprises should set relevant business indicators, financial reporting indicators and asset safety indicators according to long-term and short-term business objectives and strategic development objectives, and set targets and indicators according to the risk preference of enterprises, so as to reasonably determine the overall risk tolerance and acceptable risk level at specific business levels. When setting risk appetite, it is usually formulated by the management of the enterprise and approved by the board of directors. In addition to setting risk tolerance, it can also be evaluated by the percentage of "worst case" risk borne by available capital. Risk tolerance refers to the acceptable deviation from achieving a specific goal, which is measured by those units that are the same as the measurement goal. Risk tolerance usually takes into account the tolerance of Et to frequent business risks, emergencies and extreme endurance. In the setting of business indicators, financial reporting indicators and asset safety indicators, we should consider their industry characteristics and the effectiveness of indicators. At the same time, while considering the non-systematic risk indicators, we should also consider the systematic risks such as national policy changes, exchange rate changes and financial crises, and set corresponding indicators for them.
Third, risk identification.
Through the analysis of various indicators reflecting the operating conditions, such as the current ratio and quick ratio in the solvency index; Return on net assets in the debt capacity index; Accounts receivable turnover rate and inventory turnover rate in asset management indicators; The ratio of debt service to income in the investment risk index can be used to judge whether an enterprise has unsystematic risks such as operational risks and financial risks. Generally speaking, if the enterprise fails to reach the predetermined above-mentioned index value or the return on net assets is negative and the current ratio is low, it indicates that the enterprise may have internal operating risks or financial risks.
Risk identification needs to analyze the individual indicators and comprehensive indicators of the evaluated unit through daily information collection or when carrying out risk management matters and enterprise investment in new projects, estimate the possible risks and their possibilities, judge the influence degree of risks and corresponding countermeasures, and report the indicators exceeding the warning level to enterprise leaders regularly or irregularly, so as to achieve the role of early warning. In daily business activities, enterprises should attach importance to external market risk analysis, such as social, economic, technological and natural risks, and prepare risk analysis reports. Time can be divided into regular and irregular according to different matters. Periodic report is to analyze the risks that exist or may exist in a specific period; Irregular reporting refers to the disclosure of existing or potential risks at the end of each work and timely reporting.
Fourth, risk analysis.
Risk analysis is a deeper understanding of risk on the basis of risk identification. The purpose of risk analysis is to accurately estimate and measure the risk loss and serve as the basis for choosing countermeasures. Risk analysis includes considering the source of risk, evaluating the effectiveness of existing control measures, the probability and impact of risk, and analyzing and pointing out various factors leading to risk consequences and risk probability. Specifically, if risk management measures are not taken to deal with inherent risks and new risks, it is necessary to estimate the possibility and impact of each risk in the form of scoring from the two dimensions of the probability and impact of the risk, and distinguish the risk levels, so as to take different countermeasures for different levels of risks. If measures have been taken to control inherent risks, it is necessary to analyze whether the existing risk control measures have played an effective role in identifying, preventing risks and mitigating losses, and record the effectiveness of each measure involved and implemented in the risk list.
Five, improve enterprise risk prevention and management countermeasures
risk aversion
Risk avoidance refers to voluntarily giving up or refusing to implement some schemes that may cause risk losses, and it is also the most thorough method to deal with risks, which can completely eliminate the losses caused by risks before the occurrence of risk events. However, the method of avoiding risks also has its limitations. Only when the loss frequency and amplitude caused by a specific risk is quite high, and the cost of adopting other risk management methods is greater than the income, can it be used, otherwise the implementation of the project will be denied because of avoiding risks, thus losing the possibility of project profit. Therefore, a risk accident database should be established, which is an effective tool for risk early warning. By analyzing the external and internal risk accidents and testing the enterprise's own risk management procedures, the management can be encouraged and vigilant, so as to strengthen the implementation of risk management measures and prevent the occurrence of internal risks. At the same time, a risk accident database can be established, and risk prevention measures can be determined according to the frequency and amplitude of losses.
(2) Risk control
Risk control refers to the method of consciously taking actions to minimize the probability and degree of loss, which is mainly applicable to risks that are neither abandoned nor passed on. Risk control includes loss prevention control and loss reduction control. In terms of risk control, a comprehensive and effective internal control mechanism can be established, not only in business processes, but also to ensure the effective implementation of risk management mechanisms. Mainly to deal with the situation that there are many and scattered branches of enterprises, because the existence of the above phenomenon leads to asymmetric information within enterprises, which cannot truly reflect the business risks of branches. At the same time, in order to strengthen the internal risk management and control of enterprises, an internal audit system can be established, and the focus of the internal audit system at this stage is risk audit.
(3) Risk transfer
Risk transfer is the act of transferring the loss risk you face to others. When the loss frequency and amplitude of such risks are greater than taking risk control measures, there are two main ways: insurance and non-insurance. The main way of risk insurance is to transfer the risk to the insurance company. When adopting this method, it is necessary to analyze the insurance scheme, choose the insurance type and fully inspect the insurance company, and comprehensively consider the scale, rate and reputation of the insurance company. The transfer of risks by non-insurance means mostly transfers the legal liability and financial consequences of losses to others by means of loan contracts or agreements. Measures can be taken, such as signing an exemption agreement and transferring the loss to others by using the transfer responsibility clause in the contract. In addition, you can also sell the risky assets of the enterprise and transfer the risks related to the corresponding assets to the buyers of the assets.
(d) risk retention and commitment
Risk retention and self-bearing, also known as self-bearing, refers to a way for enterprises to make up for existing risk losses by relying on their own financial strength, and also a way to deal with residual risks. Generally applicable to inevitable risks, the cost of dealing with risks is higher than the cost of taking risks, and enterprises can bear the risk losses with confidence. Generally speaking, an enterprise can set up an emergency fund, which means that the enterprise can separately identify and measure the risks it faces and withdraw them in advance according to its own financial ability. You can transfer a sum of money at one time or accumulate fixed payment for a long time to make up for the losses caused by risk events. Usually, this method is used to deal with risks that may cause huge losses, but these losses cannot be directly shared with operating costs.