Establishing the context defines the scope for the risk management process and sets the criteria against which the risks will be assessed.
The scope should be determined within the context of the firm's strategic and organisational objectives. Risks are uncertainties that affect
the achievement of business objectives, so risks cannot fully be identified if these objectives and strategies are unclear.
The selection of key objectives within the business should be driven by an evaluation of the external and internal factors that may currently impact the
firm. A review of both the external and internal context at the commencement of the risk assessment planning assists in identifying the processes which
may be subject to increased risks and, as such, would derive the greatest value from the risk assessment.
Risks can arise due to external or internal influences:
- External risks are exposures that arise from environmental conditions the firm generally cannot influence, such as the regulatory environment and market conditions.
- Internal risks are exposures that arise from the firm's own decision-making and its use of internal and external resources, including its operations and its objectives.
Establish the external context
The external context is the environment in which the firm operates and seeks to achieve its objectives. Consideration should be given to the following inputs as they relate to the business, social, regulatory, legislative, cultural, competitive, financial and political environment:
- Strengths, weaknesses, opportunities and threats
- Relationships with, perceptions and values of, external stakeholders such as clients.
Establish the internal context
The internal context is the internal environment in which the firm functions and seeks to achieve its objectives. Consideration should be given to factors such as:
- Objectives, and the strategies in place to achieve them
- Governance, structure, roles and accountabilities
- Capability of people, systems and processes
- Changes to firm processes or compliance obligations
- The risk tolerance and appetite of the firm.
Example
The output of this stage in the risk management process sets the scope for the risk assessment in terms of external and internal influences.
Contexts
APES 325 requires that the following key organisational risks be considered within the context of the internal and external environment and
taking into account internal and external stakeholders:
- Governance
- Business continuity, including succession planning
- Business
- Financial
- Regulatory
- Technology
- Human resources
- Stakeholder.
Business objectives
List the practice objectives for the firm and consider the key processes and sub-processes used in the operation of the business.
Assess the strengths, weaknesses, opportunities and threats that exist and how these may influence the firm achieving its objectives. Also consider
the stakeholders who may be impacted.
Risk Management Framework