Internal control systems

INTRODUCTION

Internal control and risk management are fundamental components of good corporate governance.
Good corporate governance means that the board must identify and manage all risks for a
company. In terms of risk management, internal control systems span finance, operations,
compliance and other areas, i.e. all the activities of the company.
Controls attempt to ensure that risks, those factors which stop the achievement of company
objectives, are minimised.
An internal control system comprises the whole network of systems established in an
organisation to provide reasonable assurance that organisational objectives will be achieved.
Internal management control refers to the procedures and policies in place to ensure that
company objectives are achieved.
The control procedures and policies provide the detailed controls implemented within the
company.
An internal control system
 A company may fail to achieve its objectives because of failures or weaknesses within its systems

and operating procedures, or due to human error.

 These failures and weaknesses could be avoided, or the consequences of failures could be
restricted, by means of controls.
 Internal control risks are the risks of failures in systems and procedures to achieve their intended
purpose. Internal controls are measures or arrangements that are intended to prevent failures from
happening, limiting their potential effect, or identifying when a failure has occurred so that
corrective measures can be taken.
 Internal control is an aspect of corporate governance, because the board of directors has a
responsibility to ensure that the assets of the company are not threatened, and the interests of the
shareholders (and other stakeholders) are not damaged, by making sure that an effective system of
internal control is in place.
Elements of an internal control system
 Strategic risks are risks that arise in the business environment and markets in which a
company operates.
 Operating risks are risks that arise within an organisation because of weaknesses in its
systems, procedures, management or personnel.
 Unless there are controls to deal with them, operating risks can lead to losses because of
operational failures, errors or fraud.
 The controls for these risks are ‘internal controls’ and internal controls are applied within
an internal control system.
 It is the responsibility of the board of directors of a company to ensure that the internal
control system (and the internal controls within this system) is effective in preventing
losses from risk events, or identifying risk events and taking corrective action when they
occur
Definitions of internal control and an internal control system

Internal control systems are concerned with the management of business risks other than strategic
risks. These are risks which can be controlled by measures taken internally by the organisation. A
useful definition of internal control has been suggested by Committee of Sponsoring Organisations
(COSO:) ‘Internal control is broadly defined as a process, effected by an entity’s board of
directors, management and other personnel, designed to provide reasonable assurance regarding
the achievement of objectives in the following categories:
1 Effectiveness and efficiency of operations.
2 Reliability of financial reporting.
Risk Management

The board should maintain sound risk management and internal control
systems'.
 The Cadbury Report noted that risk management should be systematic and
also embedded in company procedures.
 Furthermore there should be a culture of risk awareness.
 The report's initial definition of risk management was 'the process by which
executive management, under board supervision, identifies the risk arising
from business and establishes the priorities for control and particular
objectives'.
 While Cadbury recognised the need for internal control systems for risk
management, detailed advice on application of those controls was provided
by the Committee of Sponsoring Organisations, (COSO) and the Turnbull
Report
Internal controls and COSO

In COSO, internal control is seen to apply to three aspects of the

business:
(1)Effectiveness and efficiency of operations - that is the basic
business objectives including performance goals and safe
guarding resources.
(2)Reliability of financial reporting - including the preparation of
any published financial information.
(3)Compliance with applicable laws and regulations to which the
company is subject.
Internal controls and Turnbull

The Turnbull committee was established after the publication of the 1998 Combined Code in
the UK to provide advice to listed companies on how to implement the internal control
principles of the code.
The overriding requirement of their report was that the directors should:
(a) implement a sound system of internal controls, and
(b) that this system should be checked on a regular basis.
The Turnbull Report requires:
(a) That internal controls should be established using a risk-based approach. Specifically a
company should:
•Establish business objectives.
•Identify the associated key risks.
•Decide upon the controls to address the risks.
•Set up a system to implement the required controls, including regular feedback
Internal controls and Turnbull: Cont..d
b) That the system should be reviewed on a regular
basis. The UK Corporate Governance Code (2010)
contains the statement that:
'The directors should, at least annually, conduct a
review of the effectiveness of the group's system of
internal control and should report to shareholders that
they have done so. The review should cover all
controls, including financial, operational and
compliance controls and risk management.'
Definitions of internal control and an internal
control system

An internal control system consists of all the procedures,

methods and measures (control measures) instituted by the
Board of Directors and executive management to ensure that
operational activities progress in a proper fashion.

Organisational measures for internal control are integrated into

operations, which means that they are performed
simultaneously with working processes or performed directly
before or after work is carried out’ (PwC).
Objectives of internal control systems

A popular misconception is that the internal control system is implemented simply to stop fraud and
error. As the points below show, this is not the case.
A lack of internal control implies that directors have not met their obligations under corporate
governance. It specifically means that the risk management strategy of the company will be
defective.
The main objectives of an internal control system are summarised in the Auditing Practices Board
(APB) and the COSO guidelines (detail provided below). An internal control system is to ensure, as
far as practicable:
 the orderly and efficient conduct of its business, including adherence to internal policies.
 the safeguarding of assets of the business
 the prevention and detection of fraud and error
 the accuracy and completeness of the accounting records, and
 the timely preparation of financial information
Benefits of Internal control system
Benefits of an internal control system are therefore:
 Effectiveness and efficiency of operations.
 Reliability of financial reporting.
 Compliance with applicable laws and regulations.
These may further give rise to improved investor
confidence.
Categories of risks
Categories of risks The risks that are managed by an internal control system can be categorised
into three broad types.
1 Financial risks. These are risks of errors or fraud in accounting systems, and in accounting and
finance activities. Errors or fraud could lead to losses for the organisation, or to incorrect financial
statements. Weak controls may also mean that financial assets are not properly protected.
Examples of financial risks include the risk of:
 failure to record financial transactions in the book-keeping system;
 failure to collect money owed by customers;
 failure to protect cash;
 financial transactions (such as payments) occurring without proper authorisation; and
 mis-reporting (deliberate or unintentional) in the financial statements.
Operational risks
2. Operational risks. A helpful definition of ‘operational risk’ is given by the Basel
Committee for banking supervision. Although this definition applies to risks in the banking
industry, it has a wider application. Operational risk is ‘the risk of losses resulting from
inadequate or failed internal processes, people and systems, or external events’.

Operational risks include:

 the risk of a breakdown in a system due to machine failures or software
errors;
 the risk of losing information from computer files or having confidential
information stolen;
 the risk of a terrorist attack;
 losses arising from mistakes or omissions by staff; and
 inefficient or ineffective use of resources.
Compliance risks.
Compliance risks. These are risks that important laws or regulations will not be complied with
properly. Failure to comply with the law could result in legal action against the company and/or
fines.

The purpose of an internal control system and internal controls

An internal control system is the system that an organisation has for identifying operational,
financial and compliance risks, applying controls to reduce the risk of losses from these risks
and taking corrective action when losses occur.
■ There should be controls to ensure that the organisation, its systems and procedures
operate in the way that is intended, without disruption or disturbance.
■ There should be controls to ensure that assets are safeguarded. For example, there should
be controls to ensure that money received is banked and is not stolen, and that operating
assets such as items of equipment and computers are not damaged or lost.
The purpose of an internal control system and internal controls

■ Controls should include measures to reduce the risk of fraud.

■ Financial controls should ensure the completeness and accuracy of accounting
records, and the timely preparation of financial information. Controls should be in
place to ensure compliance with key regulations, such as health and safety
regulations or, in the case of banks, anti-money laundering regulations. Internal
controls can be classified into three main types:
■ Preventive controls. These are controls that are intended to prevent an adverse
risk event from occurring; for example to prevent opportunities for fraud by
employees.
■ Detective controls. These are controls for detecting risk events when they occur,
so that the appropriate person is alerted and corrective measures taken.
■ Corrective controls. These are measures for dealing with risk events that have
occurred, and their consequences.
Internal controls: financial, operational and
compliance controls
Financial controls

Financial controls are internal accounting controls that are sufficient to provide reasonable assurance that:
■ transactions are made only in accordance with the general or specific authorisation of management;
■ transactions are recorded so that financial statements can be prepared in accordance with accounting standards
and generally accepted accounting principles;
■ transactions are recorded so that assets can be accounted for;
■ access to assets is only allowed in accordance with the general or specific authorisation of management;
■ the accounting records for assets are compared with actual assets at reasonable intervals of time; and
■ appropriate action is taken whenever there are found to be differences. The maintenance of proper accounting
records is an important element of internal control. Effective financial controls should ensure:
■ the quality of external and internal financial reporting, so that there are no material errors in the accounting
records and financial statements;
■ that no fraud is committed (or that fraud is detected when it occurs); an
■ that the financial assets of the company are not stolen, lost or needlessly damaged, or that these risks are
reduced.
Operational controls

Operational controls are controls that help to reduce operational risks, or identify failures in
operational systems when these occur. They are designed to prevent failures in operational procedures,
or to detect and correct operational failures if they do occur. Operational failures may be caused by:
 machine breakdowns;
 human error;
 failures in IT systems;
 failures in the performance of systems (possibly due to human error);
 weaknesses in procedures; and
 poor management.
Operational controls are measures designed to prevent these failures from happening, or identifying
and correcting problems that do occur. Regular equipment maintenance, better training of staff,
automation of standard procedures, and reporting systems that make managers accountable for their
actions are all examples of operational controls.
Compliance controls

Compliance controls are concerned with making sure that an entity complies
with all the requirements of relevant legislation and regulations.
 The potential consequences of failure to comply with laws and regulations
vary according to the nature of the industry and the regulations.
 For a manufacturer of food products, for example, food hygiene regulations
are important. For a bank, regulations to protect consumers against mis-
selling and regulations for detecting and reporting suspicions of money
laundering are important.
 It can be difficult to understand the nature of internal control risks and
internal controls to deal with them. There are many different risks and many
Internal control risks
Internal control risks’ are risks that internal controls will fail to achieve
their intended purpose, and will fail to prevent, detect or correct adverse
risk events.
These risks can occur because:
■ they are badly designed, and so not capable of achieving their purpose as
a control; or
■ they are well-designed, but are not applied properly, due to human error
or oversight, or deliberately ignoring or circumvention of the control (a
form of operational risk event).
An internal control system needs to have procedures for identifying weak
or ineffective internal controls. This is one of the functions of monitoring
Elements of an internal control system
A control environment
A control environment describes the awareness of (and attitude to) internal controls in the
organisation, shown by the directors, management and employees generally. It therefore encompasses
corporate culture, management style and employee attitudes to control procedures. The control
environment is determined by the example given by the company’s leaders to control and their
expectations that employees should also be risk-conscious. Factors in the control environment
include:
– integrity and ethical values within the organisation, such as the existence of a code of ethics;
– a commitment to competence in performance;
– the commitment of the board of directors and the audit committee to monitoring management, and
their independence from management; and
– human resources policies and practices, such as the company’s policies on performance evaluation
and rewarding employees for performance.
A control environment
Control environment
This is sometimes referred to as the 'tone at the top' of the organisation. It describes the ethics and culture
of the organisation, which provide a framework within which other aspects of internal control operate.
The control environment is set by the tone of management, its philosophy and management style, the way
in which authority is delegated, the way in which staff are organised and developed, and the commitment
of the board of directors.
The control environment has been defined by the Institute of Internal Auditors as: 'The attitude and
actions of the board and management regarding the significance of control within the organisation. The
control environment provides the discipline and structure for the achievement of the primary objectives of
the system of internal control.
The control environment includes the following elements:
•Management's philosophy and operating style.
•Organisational structure.
•Assignment of authority and responsibility.
•Human resource policies and practices.
Risk identification and assessment.

There should be a system or procedures for identifying the risks facing the company (and how
these are changing) and assessing their significance. Controls or management initiatives should be
devised to deal with significant risks. Internal control risks can be categorised as financial risks,
operational risks and compliance risks.

There is a connection between the objectives of an organisation and the risks to which it is
exposed. In order to make an assessment of risks, objectives for the organisation must be
established. Having established the objectives, the risks involved in achieving those objectives
should be identified and assessed, and this assessment should form the basis for deciding how
the risks should be managed.
Risk identification and assessment
The risk assessment should be conducted for each business within the organisation, and should
consider, for example:
•internal factors, such as the complexity of the organisation, organisational changes, staff
turnover levels, and the quality of staff
•external factors, such as changes in the industry and economic conditions, technological
changes, and so on.
The risk assessment process should also distinguish between:
•risks that are controllable: management should decide whether to accept the risk, or to take
measures to control or reduce the risk
•risks that are not controllable: management should decide whether to accept the risk, or
whether to withdraw partially or entirely from the business activity, so as to avoid the risk.
Internal controls
Internal controls. Controls should be devised and
implemented to eliminate, reduce or control risks.
Internal controls can be categorised as financial
controls, operational controls and compliance controls,
to deal respectively with financial risks, operational
risks and compliance risks
Monitoring
Monitoring. The effectiveness of the internal control
system should be monitored regularly. Internal audit is
one method of monitoring the internal control system.
Internal controls are also monitored by executive
management and (as part of their annual audit) by the
external auditors. The board of directors also has a
responsibility to review the effectiveness of the system.
Information and communication
All employees who are responsible for the management of risks
should receive information that enables them to fulfil this task.
More generally, there should be a system of information provision
and communication within the organisation so that individuals are
aware of what is expected of them. It can be described as providing
the right people in sufficient detail and on time with information to
let them do their job well. Communication within an internal
control system also includes the existence and use of a
whistleblowing procedure.
Maintaining a sound system of internal control
The board of directors is responsible for maintaining a sound system of internal control. The
Turnbull Guidance stated that the board of directors should:
 set appropriate policies on internal control;
 seek regular assurance to satisfy itself that the system is operating effectively; and
 ensure that the system of internal control is effective in managing risks in the way that it has
approved. In deciding its policies for internal control and assessing what constitutes an effective
system of internal control, the board should consider:
 the nature and extent of the risks facing the company;
 the amount of risk and types of risk that it regards as acceptable for the company to bear;
 the likelihood that the risks will materialise;
 the company’s ability to reduce the impact on the business of the risks that do materialise;
 the costs of operating particular controls relative to the benefits to be obtained from managing
the risks they control. Controls are not worth having if they cost more than the expected benefits
or savings they will provide.
Having identified the responsibilities of the board for maintaining a sound system of internal control, the
Turnbull Guidance added the following comments.
■ It is the job of management to implement the board’s policies on control. To do this, management must
have procedures for identifying and evaluating the risks faced by the company, and designing,
implementing and monitoring a control system to deal with these risks in a way that is consistent with the
board’s policies.
■ In addition, all employees have some responsibility for internal control; for example, to avoid making
mistakes in their work and also to ensure that the control procedures for which they are responsible are
properly performed.
Elements of a sound system of internal control

A sound system of internal control should:

 ‘be embedded in the operations of the company and form part of its culture’;
 be capable of responding quickly to risks to the business as they emerge and develop; and

 include procedures for reporting immediately to the management responsible and control failings that
have been identified and any corrective action that has been undertaken. The Turnbull Guidance
emphasised that a sound system of internal control cannot provide certain protection against a
company suffering losses or breaches of laws or regulations or failing to meet its business objectives.
Reviewing the effectiveness of internal control

In order to review the effectiveness of the system of internal control, there must be procedures for
monitoring and review. The Turnbull Guidance provided some suggestions. It suggests that
‘reviewing the effectiveness of internal control is an essential part of the board’s responsibilities’. The
board or audit committee needs to form its own view about the effectiveness of the system, based on
the information and assurances it receives. The sources of information about internal control are:

 management;
 the internal auditors, if the company has an internal audit function; and

 the external auditors, who notify management and the audit committee about weaknesses in
internal controls that they have discovered in their audit. The board of directors and the audit
committee do not have the time to carry out a detailed review themselves, and they must therefore
rely on information provided to them by management and internal auditors.
The board’s statement on internal control

This information is provided within the annual report as a section on

internal control. Although the review of the effectiveness of internal
control may be delegated to the audit committee, the board as a
whole is responsible for the statement on internal control in the
company’s annual report and accounts. The Turnbull Guidance
stated: ‘The annual report and accounts should include such
meaningful, high-level information as the board considers necessary
to assist shareholders’ understanding of the main features of the
company’s risk management processes and system of internal
control, and should not give a misleading impression.
 In its statement the board should, as a minimum, disclose that there is a system for identifying,
evaluating and managing significant risks.
 The report should acknowledge the board’s responsibility for the system of internal control and
reviewing its effectiveness. The report should explain that the system is designed to manage
risks rather than eliminate them entirely and can only provide reasonable assurance, not
absolute assurance, against material losses or mis-statements in the accounts.
 The report should summarise the process that the board has applied for reviewing the
effectiveness of the system of internal control, and confirm that action has been taken to deal
with any significant weaknesses or failings identified from the review.
 If a significant problem is disclosed in the company’s annual report and accounts, the internal
control report should disclose the process that has been applied to deal with the material
internal control aspects of the problem.
Carrying out an annual evaluation: questions to ask

The Turnbull Guidance included in an Appendix a list of questions that the board should consider
when conducting its annual review of the effectiveness of internal control system. There should be
satisfactory answers to each question. The list of questions is not reproduced in full here, but
several questions are shown to demonstrate the approach to evaluation that the directors should
take.
On risk assessment
■ Does the company have clear objectives? Have these been communicated in a way that
provides effective direction to employees on risk management and internal control issues?
■ Are significant risks assessed regularly? Significant risks are likely to include all the
risks identified in the annual business review.
■ Do management and others have a clear understanding of what risks are acceptable to the
board? On the control environment and control activities
■ Do employees understand what is expected of them, and the scope of their freedom to act?
 Are authority, responsibility and accountability clearly defined, so that decisions are
made and actions taken by the appropriate people?
■ How are processes and controls adjusted to adapt to new risks or operational deficiencies?
On information and communication
■ Do the management and the board receive regular and relevant reports on actual
performance compared with business objectives and the related risks, suitable for decision-
making and management review purposes?
■ Are periodic reporting procedures effective in communicating a proper account of the
company’s performance and prospects?
On monitoring
■ Are processes embedded within the company’s operations for monitoring
the effective application of internal control and risk management?

■ Is there appropriate communication to the board (or board committees)

on the monitoring of risk and control matters?
■ Are there specific arrangements for management monitoring and
reporting to the board on risk and control matters of particular importance,
including fraud and other illegal acts that could adversely affect the
company’s reputation or financial position?
Internal audit

The UK Corporate Governance Code states that the audit committee

should monitor and review the effectiveness of the activities of the
company’s internal audit activities. If the company does not have an
internal audit function:

■ the committee should consider annually whether there is a need for

an internal audit function, and make a recommendation to the board;
and

■ the reasons why there is no internal audit function should be

explained in the ‘relevant section’ of the annual report.
Function and scope of internal audit

Internal audit is defined as ‘an independent appraisal activity

established within an organisation as a service to it. It is a control,
which functions by examining and evaluating the adequacy and
effectiveness of other controls’ (Chartered Institute of Management
Accountants (CIMA) official terminology). ‘The objective of internal
auditing is to assist members of the organisation in the effective
discharge of their responsibilities. To this end internal auditing
furnishes them with analyses, appraisals, recommendations, counsel
and information concerning the activities reviewed.’

An organisation might have an internal audit unit or section, which

carries out investigative work.
■ An internal audit function should act independently of executive managers, but

normally reports to a senior executive manager such as the finance director.

■ Additionally, internal auditors may report to the board itself or the audit committee.
The FRC Guidance on Audit Committees suggests that the audit committee should
ensure that the internal auditor has direct access to the board chairman and the audit
committee, and is also responsible to the audit committee.

■ This means that the internal auditors may be in an unusual position within the
company.

■ For operational reasons, they may have a line-reporting responsibility to a senior

executive manager such as the finance director. Executive managers may also ask the
internal auditors to carry out audits or reviews of the systems or procedures (and
internal controls) for which they are responsible.
TASKS OF INTERNAL AUDIT
The possible tasks of internal audit include the following.

 Reviewing the internal control system. Traditionally, an internal audit department has
carried out independent checks on the financial controls in an organisation, or in a particular
process or system. The checks would be to establish whether suitable financial controls
exist, and if so, whether they are applied properly and are effective. It is not the function of
internal auditors to manage risks, only to monitor and report them, and to check that risk
controls are efficient and cost-effective.

 Special investigations. Internal auditors might conduct special investigations into particular
aspects of the organisation’s operations (systems and procedures), to check the effectiveness
of operational controls.

 Examination of financial and operating information. Internal auditors might be asked to

investigate the timeliness of reporting and the accuracy of the information in reports.
 Tasks of internal
■ Reviewing compliance by the organisation with particular
laws or regulations. This is an investigation into the
effectiveness of compliance controls.

■ Risk assessment. Internal auditors might be asked to

investigate aspects of risk management, and in particular the
adequacy of the mechanisms for identifying, assessing and
controlling significant risks to the organisation, from both
internal and external sources.
Risk assessment
Mark Zuckerberg, the founder of Facebook, once said, “The biggest risk is not taking any risk. In a
world that's changing really quickly, the only strategy that is guaranteed to fail is not taking risks.”

While this advice isn't new, we think you’ll agree that there are some risks your company doesn’t
want to take: Risks that put the health and well-being of your employees in danger.

These are risks that aren’t worth taking. But it’s not always clear what actions, policies, or
procedures are high-risk.
That’s where a risk assessment comes in.

With a risk assessment, companies can identify and prepare for

potential risks in order to avoid catastrophic consequences down
the road and keep their personnel safe.
Risk assessment steps
During the risk assessment process, employers review and evaluate their organizations to:

 Identify processes and situations that may cause harm, particularly to people (hazard identification).

 Determine how likely it is that each hazard will occur and how severe the consequences would be
(risk analysis and evaluation).

 Decide what steps the organization can take to stop these hazards from occurring or to control the
risk when the hazard can't be eliminated (risk control).

It’s important to note the difference between hazards and risks. A hazard is anything that can cause
harm, including work accidents, emergency situations, toxic chemicals, employee conflicts, stress, and
more. A risk, on the other hand, is the chance that a hazard will cause harm. As part of your risk
assessment plan, you will first identify potential hazards and then calculate the risk or likelihood of
those hazards occurring.
The goal of a risk assessment will vary across industries, but overall, the goal is to help organizations
prepare for and combat risk. Other goals include:

 Providing an analysis of possible threats

 Preventing injuries or illnesses

 Meeting legal requirements

 Creating awareness about hazards and risk

 Creating an accurate inventory of available assets

 Justifying the costs of managing risks

 Determining the budget to remediate risks

 Understanding the return on investment

Businesses should perform a risk assessment before introducing new processes or activities, before
introducing changes to existing processes or activities (such as changing machinery), or when the
company identifies a new hazard.
The steps used in risk assessment form an integral part of your organization’s health and safety
management plan and ensure that your organization is prepared to handle any risk.
Preparing for your risk assessment

Before you start the risk management process, you should determine the scope of the
assessment, necessary resources, stakeholders involved, and laws and regulations that you’ll
need to follow.

Scope: Define the processes, activities, functions, and physical locations included within
your risk assessment. The scope of your assessment impacts the time and resources you will
need to complete it, so it’s important to clearly outline what is included (and what isn’t) to
accurately plan and budget.

Resources: What resources will you need to conduct the risk assessment? This includes the
time, personnel, and financial resources required to develop, implement, and manage the
risk assessment.
Stakeholders: Who is involved in the risk assessment? In addition to senior leaders that
need to be kept in the loop, you’ll also need to organize an assessment team. Designate who
will fill key roles such as risk manager, assessment team leader, risk assessors, and any
subject matter experts.
Laws and regulations: Different industries will have specific regulations and legal
requirements governing risk and work hazards. For instance, the Occupational Safety and
Health
2. Determine who might be harmed and how
As you look around your organization, think about how your employees could be harmed by business
activities or external factors. For every hazard that you identify in step one, think about who will be harmed
should the hazard take place.

3. Evaluate the risks and take precautions

Now that you have gathered a list of potential hazards, you need to consider how likely it is that the hazard
will occur and how severe the consequences will be if that hazard occurs. This evaluation will help you
determine where you should reduce the level of risk and which hazards you should prioritize first.

Later in this article, you'll learn how you can create a risk assessment chart to help you through this process.

4. Record your findings

If you have more than five employees in your office, you are required by law to write down your risk
assessment process. Your plan should include the hazards you’ve found, the people they affect, and how you
plan to mitigate them. The record—or the risk assessment plan—should show that you:
steps in the risk assessment process
Once you've planned and allocated the necessary resources, you can begin the risk assessment
process.
Proceed with these five steps.

1. Identify the hazards

The first step to creating your risk assessment is determining what hazards your employees and
your business face, including:
 Natural disasters (flooding, tornadoes, hurricanes, earthquakes, fire, etc.)
 Biological hazards (pandemic diseases, foodborne illnesses, etc.)
 Workplace accidents (slips and trips, transportation accidents, structural failure, mechanical
breakdowns, etc.)
 Intentional acts (labor strikes, demonstrations, bomb threats, robbery, arson, etc.)
 Technological hazards (lost Internet connection, power outage, etc.)
 Chemical hazards (asbestos, cleaning fluids, etc.)
 Mental hazards (excess workload, bullying, etc.)
 Interruptions in the supply chain
THANK YOU