ISSN 0798 1015


Vol. 40 (Number 20) Year 2019. Page 14

Research of main international approaches for risk management process's standardization in the context of internal control standardization in the Armed Forces of Ukraine and providing national security

Research into the main international approaches to standardizing risk management processes in the context of standardizing internal control in the Armed Forces of Ukraine and the provision of national security

LOISHYN, Anatolii A. 1; TKACH, Ivan M. 2; LIASHENKO, Ihor O. 3; ZINCHENKO, Andrii 4 & LOBANOV, Anatolii A. 5

Received: 08/03/2019 • Approved: 06/05/2019 • Published 17/06/2019


Contents

1. Introduction

2. Methodology

3. Results

4. Conclusions

Bibliographic references


ABSTRACT:

The article analyzes the international standards of risk management and the Internal Control Standards used by the Armed Forces of Ukraine. It compares the approaches to risk management of the leading organizations in the field of risk management standardization, and highlights the differences between the international standards considered and the preconditions for their emergence. Issues are identified that need to be clarified as the Internal Control Standards in the Armed Forces of Ukraine are further improved.
Keywords: Risk, risk management, risk management standards

SUMMARY:

The article analyzes the international risk management standards and the Internal Control Standards used by the Armed Forces of Ukraine. The article compares the risk management approaches of the leading organizations in the field of risk management standardization, and the differences between each of the international standards considered and the preconditions for their emergence are highlighted. Issues are identified that must be clarified with further improvement of the Internal Control Standards in the Armed Forces of Ukraine.
Keywords: Risks, risk management, risk management standards


1. Introduction

The decision of the National Security and Defense Council of Ukraine dated May 20, 2016, "On the Strategic Defense Bulletin of Ukraine", approved by Decree of the President of Ukraine No. 240/2016, defined the operational goal of establishing an integrated risk management system as part of the defense planning system.

The Ministry of Defense of Ukraine (MOD) and the Armed Forces of Ukraine are introducing a system of internal control, one element of which is the establishment of a risk management system at all levels of military management. A well-established risk management system makes it possible to warn of and respond in a timely manner to threats that arise in the course of any activity. The success of planned tasks and the achievement of set goals depend on this process. Risk management is a field that tends to develop rapidly. Scientists and organizations are constantly trying to improve the risk management process. Today there is a large number of diverse approaches to risk management in all areas. A number of risk management standards have been developed around the world, each of which gives its own theoretical and practical recommendations for organizing a risk management system and offers methods for identifying and assessing risks and measures for managing them. Organizations must take risks into account when planning their activities, and risk management is at the forefront when implementing any operations at all levels.

An analysis of recent research has shown that research on the nature of risks and the organization of risk management was undertaken by the International Organization for Standardization (ISO), the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the Institute of Risk Management, and others. The result of the research by representatives of these organizations, namely M. Everson, R. Steinberg, F. Marten and others, was the development of effective tools for establishing an effective system for the organization and functioning of risk management. The developed standards take a systematic approach to risk management: they give process participants formalized practical instructions and propose a large number of methods for identifying, assessing and managing risks. It should be noted that one of the standards offers 31 different risk assessment methods. This level of detail can be traced in each element.

The formation of the risk management system in the MOD and the Armed Forces of Ukraine is being carried out by domestic scientists and managers such as I. Tkach, K. Kostrich, M. Barinina, I. Vorobyov, V. Kolesnik and others.

At the same time, today, approaches to risk management in the defense department need to be clarified. This is due to the complexity of the existing approaches to the regulation of the process and the details of its individual elements.

The aim of the study:

analysis of the main international standards on risk management and Internal Control Standards in the MOD and the Armed Forces of Ukraine;

justification of recommendations for choosing the optimal model for building a risk management system in the MOD and the Armed Forces of Ukraine with further improvement of the risk management process.

2. Methodology

To achieve the research aim, the following research methods were used: analysis, synthesis, methods of induction and deduction.

In the process of research, the most common standards for risk management were identified. Each standard was analyzed by elements that were compared with each other. This made it possible to highlight the peculiarities of each standard and to propose an optimal set of elements for further improving approaches to risk management in the MOD and the Armed Forces of Ukraine.

The research was conducted at the Department of Economics and Financial Support of the Ivan Chernyakhovsky National Defense University of Ukraine.

3. Results

In Ukraine, the relevant national standards have been developed on the basis of the international standards of the ISO series that regulate risk management:

DSTU IEC / ISO 31010 "Risk Management. Methods of general risk assessment";

DSTU ISO 31000: 2014 "Risk Management. Principles and guidelines".

Neither of these standards is intended for certification, and both allow domestic enterprises, institutions and organizations to fully apply the above provisions to build an effective risk management system.

In addition, the Internal Control Standards have been developed in the MOD and the Armed Forces of Ukraine for the practical organization of the internal control system and risk management. These Standards were approved by the Minister of Defense of Ukraine on July 4, 2016.

Structurally, the Standards comprise 6 sections: general provisions, internal control standards, internal control elements standards, internal control and risk management reporting, internal control coordination and internal audit.

In addition, the content includes guidance on the application of standards. The Standards set out the purpose, principles, structure of the internal control and information on the above sections.

In Standards, risk management acts as an element of internal control. Appropriate definitions and interpretations of key terms and procedures, such as: risk management, risk identification, risk assessment, etc., are adopted and approved by the MOD and the Armed Forces of Ukraine.

According to the Standards:

Risk management is an integral part of the management and execution of tasks and functions carried out by senior management, managers at all levels and employees of the organization, which is to identify potential events that may affect the achievement of the organization's goals and objectives, risk assessment and risk response methods and control measures to prevent or reduce their negative impact on the achievement of the organization's goals and strategic objectives;

Risk identification can be done using risk-based methods at the organization level (top-down method) and at the level of specific operations or work areas (bottom-up method);

The risk assessment is based on the use of the so-called traffic light matrix, which is based on the definition of the impact of risk on the organization from low to high and the degree of likelihood of occurrence of risk;

Risk response is proposed to be implemented in well-known ways: avoidance, reduction, distribution (transfer), acceptance.

Also, it is necessary to pay attention to the application of the model of "three lines of defense" in risk management, which is based on the hierarchical construction of actors of control, supervision and audit.

The Integrated Internal Control Model developed by the Committee of Sponsoring Organizations of the Treadway Commission (Kustrich and Loishyn, 2018) was used when developing the structure of the Internal Control Standards. The development of the Integrated Internal Control Model, as well as of the Standards of Internal Control in the MOD and the Armed Forces of Ukraine, was mainly carried out by auditors.

Therefore, it is clear that the emphasis is on reporting, in contrast to the ISO standards and the Risk Management Standard (RM, AIRMIC and ALARM (FERMA RMS)).

Attention should also be paid to the order of the General Staff of the Armed Forces of Ukraine dated August 29, 2016, No. 340 "On Approval of the Instructions for the Organization of Internal Control in the Armed Forces of Ukraine" and to the Practical Guide for the organization of internal control, which present in practical form: a risk assessment matrix, a sample risk management plan, the procedure for drawing up a flowchart of the risk management process, and a more detailed definition of the basic concepts and procedures of risk management.

The regulation of internal control and risk management was also significantly expanded by the "Provisional Procedure for the Organization of Internal Control in the MOD and the Armed Forces of Ukraine", approved in 2018. This Procedure expanded and detailed the approaches to organizing the risk management process in comparison with the order of the Minister of Defense of Ukraine No. 340. The Procedure identifies the direct participants in internal control and defines their duties and algorithm of actions.

As of today, the decree of the Cabinet of Ministers of Ukraine dated December 12, 2018, No. 1062 "On Approval of the Basic Principles for the Implementation of Internal Control by Budget Administrators and Amendment of the Decree of the Cabinet of Ministers of Ukraine dated September 28, 2011 No. 1001" regulates the procedure for organizing internal control at the state level. The decree separates internal audit from internal control.

All of the above, in our opinion, indicates the need to revise approaches to standardizing risk management and internal control both at the national level and at the level of the MOD and the Armed Forces of Ukraine.

3.1. Comparison of risk management standards

For practical achievement of the research purpose, the analysis of the main international standards on risk management, their comparison, and the review of the Internal Control Standards in the MOD and the Armed Forces of Ukraine were carried out, according to which a comparative table is compiled (see Table 1).

The table provides an overview of the approaches to understanding the key elements and tools of the risk management system.

When analyzing and comparing the standards listed in the table, certain features were identified.

3.2. Overview of Integrated Framework Enterprise Risk Management - Integrated Framework (COSO ERM)

Thus, in the analysis of the Integrated Framework for Risk Management - Integrated Framework (COSO ERM), attention was drawn to the concept of risk appetite.

In accordance with the standard, risk appetite is the degree of risk that the organization as a whole considers acceptable for itself. Risk appetite reflects the philosophy of risk management and, in turn, affects the corporate culture and style of the organization. Some organizations assess risk appetite qualitatively, as high, medium, or low, while others use quantitative metrics to reflect and balance goals for growth, profitability, and risk. From this it can be concluded that organizations with a high risk appetite can carry out operations with a higher risk.

The Standards of the Defense Department also define risk appetite, as the permissible level of risk that the organization is ready to accept in order to achieve its goals and objectives. The other standards considered below do not have this concept.

The standard contains no definition of risk identification. The process of identifying risks is treated as "event definition", where an event is a case or situation that has arisen as a result of internal or external factors and that influences the implementation of the strategy or the achievement of the organization's goals. The effects of events can be positive, negative, or mixed.

It is necessary to pay attention to the importance of determining the functions and roles of participants in the risk management process, structured by the internal and external sides of the organization:

Internal side - board of directors, management, director of risk management, financial managers, internal auditors, personnel of the organization;

External side - external auditors, legislative and regulatory bodies, interacting parties with the organization, service providers, financial analysts, rating agencies, and media.

3.3. Overview of Enterprise Risk Management - Integration with Strategy and Performance (COSO)

It should be emphasized that a new version of the Integrated Model of Risk Management Standard, "Enterprise Risk Management - Integrating with Strategy and Performance", developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in 2017, is now available.

The features of the new model are: an emphasis on integrating risk management functions; conceptual foundations developed from a business point of view; consideration of risk management issues at all levels of the organization; consideration of the various advantages of risk management for the organization; a set of new graphics reflecting the relationship between risks and performance; account taken of the growing role of technology; and great importance given to culture.

The article examines and models the risk management standards that have already been tested and whose performance is recognized in the business world, and therefore the Integrated Risk Management Model - Enterprise Risk Management - Integration with Strategy and Performance will be considered separately, following some practical application by organizations.

3.4. Overview of Risk Management Standard (RM, AIRMIC and ALARM (FERMA RMS))

The Risk Management Standard (RM, AIRMIC, and ALARM (FERMA RMS)) impresses with its compactness and, at the same time, with the informative content of the material presented. The developers of the standard have been able to convey the required information accurately, in an easily understood form and volume.

Also worth emphasizing is the standard's successful and effective approach to defining the basic terminology of the risk management process. The standard uses the terminology of the International Organization for Standardization from the document ISO / IEC Risk Management - Vocabulary - Guidelines for use in standards, ISO Guide 73: 2009.

This provides the versatility and uniqueness of this standard and facilitates the perception of an audience familiar with ISO standards.

3.5. Overview of Risk Management - Principles and guidelines (ISO 31000: 2009) and Risk Management - Guidelines (ISO 31000: 2018)

The standard Risk Management - Principles and guidelines (ISO 31000: 2009) is clear and informative. A distinctive feature is the availability of lower-level standards, that is, standards that provide the detail. The standard is universally applicable to the risk management process and can be applied in any organization.

It should be added that in 2018 an updated version of ISO 31000: 2018 Risk Management - Guidelines was presented. This document replaces the 2009 edition.

Although according to the ISO rules any standard should be reviewed every five years, the basic risk management standard has been in circulation for almost nine years. During this time considerable experience in the field of risk management has accumulated. Yesterday's risk management practices are not adequate to deal with today's threats; these mechanisms need to be modernized. These factors became the reason for the revision of the ISO 31000 standard.

ISO 31000 has been accepted as the national standard by more than 50 national standardization bodies, covering more than 70% of the world's population. The standard is adopted by some UN organizations and national government organizations as the basis for developing their own risk-oriented standards and techniques.

Risk assessment is part of a managerial process and is also fundamental to managing an organization at all levels.

ISO 31000: 2018 is a brief guide that will help organizations use risk management principles to improve their planning and make more effective decisions.

The proposed risk management structure (ISO 31000: 2018) allows the organization to build an integrated management system, created on a risk-oriented approach.

The process of risk management should become an integral part of the entire business strategy of the organization. Risk assessment is not an independent activity, it must be fully integrated into all components of the management process.

4. Conclusions

The Internal Control Standards in the MOD and the Armed Forces of Ukraine do not provide exhaustive information on the construction of a risk management system. The Standards are not self-sufficient for the practical organization of this process. They require the use of additional sources of information regarding the selection of risk assessment and identification methods, and the practical demonstration of construction schemes and process organization.

In order to improve the risk management system, there is a need to develop a practical approach to risk management. This should consider combining the main provisions of the existing Standard, the requirements of the Order of the MOD dated 29.08.2016 № 340, the Provisional Order on the Organization of Internal Control in the Ministry of Defense of Ukraine and the Armed Forces of Ukraine, and the Practical Guide to Organizing Internal Control.

In view of the above, it is proposed:

select as the reference model for building the risk management process the Risk Management Standard (RM, AIRMIC and ALARM (FERMA RMS)), supplemented by clarification of functional responsibilities (roles) based on the principles of the Integrated Risk Management Model (COSO ERM - Integrated Framework Enterprise Risk Management - Integrated Framework);

for the conceptual apparatus, use the definitions adopted by the Armed Forces of Ukraine, or those of the international standard Risk Management - Vocabulary - Guidelines for use in standards, ISO Guide 73: 2009;

base the methodology for identifying and assessing risks on the approaches accepted in the international standards Risk Management - Risk Management Methods - IEC 31010: 2009 and Risk Management - Principles and Guidelines.

We emphasize the need for a clear illustration of the main processes for a complete and clear understanding of the subjects of the process of system organization and risk management.

The driving force behind the implementation of risk management was the development of a nation-wide approach to internal control, the main element of which is risk management, identification and preventive counteraction to threats.

Prospects for further research are seen in improving the existing Standard in the MOD and the Armed Forces of Ukraine by supplementing it with a lower-level standard (substandard). An example is the hierarchical construction of ISO standards.

Also, the issue of standardizing the risk management process at the national level should be investigated, taking into account the national peculiarities of domestic organizations, both budget organizations and private sector organizations.

Bibliographic references

Barinina M. & Ulianov K. (2018) Evolution of views on the appointment of financial and control bodies of the Ministry of Defense of Ukraine. Social development & Security. 2(4), 59–68. DOI: http://doi.org/10.5281/zenodo.1237042

Enterprise Risk Management – Integrating with Strategy and Performance. Retrieved February 15, 2019, from https://www.coso.org/Documents/2017-COSO-ERM-Integrating-with-Strategy-and-Performance-Executive-Summary.pdf

Integrated Framework Enterprise Risk Management – Integrated Framework (COSO ERM). Retrieved February 15, 2019, from https://www.coso.org/documents/COSO_ERM_Executive Summary_Russian.pdf.

IRM's risk management standard. Retrieved February 15, 2019, from https://www.theirm.org/media/886343/rm_standard_russian_03_12_04.pdf

Kolesnyk V., Loishyn A., Servetnyk R. (2018) Study of approaches to risk assessment as an element of concept of active behavior on risk management. Social development & Security, 3(5), 34–47. DOI: http://doi.org/10.5281/zenodo.1297167

Kustrich K., Loishyn A. (2018) To the issue of risk management in the Ministry of Defense of Ukraine and Armed Forces of Ukraine. Social development & Security, 1(1), 27–36. DOI: http://doi.org/10.5281/zenodo.1183889

Kustrich K., Loishyn A. (2018) Development of internal control and risk management in the Ministry of Defense of Ukraine and the Armed Forces of Ukraine in the context of implementation of objectives defined by the strategic defense bulletin of Ukraine. Social development & Security, 4(6), 14–28. DOI: http://doi.org/10.5281/zenodo.1411917

Kustrich K., Loishyn A. (2018) To issue formation the risk-management budget. Social development & Security, 5(7), 56–67. DOI: http://doi.org/10.5281/zenodo.1472863

Loishyn A. (2018) Research of historical development prospects and risk-management rendering. Social development & Security, 2(4), 28–41. DOI: http://doi.org/10.5281/zenodo.1230790

Shpytal O. & Tkach I. (2018) Justification of the validity of development internal control’s indicators in the Ministry of Defense of Ukraine and the Armed Forces of Ukraine. Social development & Security, 6(8), 27–42. DOI: http://doi.org/10.5281/zenodo.2539655

Risk Management – Vocabulary – Guidelines for use in standards, (ISO Guide 73:2009, IDT). Retrieved February 15, 2019, from https://www.iso.org/obp/ui/#iso:std:iso:guide:73:ed-1:v1:en:en.

Risk management – Principles and guidelines (ISO 31000:2009, IDT) Retrieved February 15, 2019, from http://www.amu.kz/fotos-news/vstrecha_rectora_so_stud_31_oct/ ISO%2031000-2009.pdf.

Risk management – Guidelines (ISO 31000:2018). Retrieved February 15, 2019, from https://www.iso.org/standard/65694.html

http://www.president.gov.ua. Retrieved February 15, 2019, from http://www.president.gov.ua/documents/2402016-20137.

https://www.iso.org. Retrieved February 15, 2019, from https://www.iso.org/ru/home.html

https://www.coso.org. Retrieved February 15, 2019, from https://www.coso.org/Pages/default.aspx

https://www.theirm.org.  Retrieved February 15, 2019, from https://www.theirm.org/about/our-story.aspx

https://www.iso.org. Retrieved February 15, 2019, from http://www.iso.org/ru/popular-standards.html

https://zakon.rada.gov.ua. Retrieved February 15, 2019, from http://zakon.rada.gov.ua/rada/show/v1469731-13

https://zakon.rada.gov.ua. Retrieved February 15, 2019, from https://zakon.rada.gov.ua/rada/show/v1494731-14

http://www.mil.gov.ua. Retrieved February 15, 2019, from http://www.mil.gov.ua/diyalnist/vnutrishnij-kontrol.html

https://www.ferma.eu. Retrieved February 15, 2019, from http://www.ferma.eu/app/uploads/2011/11/a-risk-management-standard-russian-version.pdf

http://www.mil.gov.ua. Retrieved February 15, 2019, from http://www.mil.gov.ua/content/pdf/vnytr_control/poradnuk.pdf

http://www.mil.gov.ua. Retrieved February 15, 2019, from http://www.mil.gov.ua/content/finance/arrangement-of-internal-control-and-risk-management-in-the-MoD.pdf

https://zakon.rada.gov.ua. Retrieved February 15, 2019, from https://zakon.rada.gov.ua/laws/show/1062-2018-п


1. Ivan Chernyakhovsky National Defense University of Ukraine, Ukraine. Contact e-mail: aloishyn@gmail.com

2. Ivan Chernyakhovsky National Defense University of Ukraine, Kyiv, Ukraine. Contact e-mail: tkachivan9@gmail.com

3. National Economic University named after Vadym Hetman, Kyiv, Ukraine

4. Ivan Chernyakhovsky National Defense University of Ukraine, Kyiv, Ukraine

5. Ivan Chernyakhovsky National Defense University of Ukraine, Kyiv, Ukraine


Revista ESPACIOS. ISSN 0798 1015
Vol. 40 (Nº 20) Year 2019
