The Risk Management and Prevention component establishes the basis for identifying and analyzing the risks that organs, agencies, organizations and other entities face in achieving their objectives.
Once the internal and external risks have been classified by process, activity and operation, and the main vulnerabilities evaluated, the control objectives are determined and the Risk Prevention Plan is drawn up to define how they will be managed. Some risks are regulated by legal provisions of the governing bodies and are managed according to the planned administration models.
The component is structured in the following standards:
a) risk identification and change detection: in identifying risks, all those that can affect the fulfillment of the objectives are typified. Risk identification draws on the experience derived from events that have occurred, as well as on those that may be foreseen in the future, and risks are determined for each process, activity and operation to be developed. External factors include economic-financial, environmental, political, social and technological ones; internal factors include the organizational structure, composition of human resources, production or service and technology processes, among others. Risk identification is carried out permanently. In the external context there may be changes in the legal provisions that lead to changes in strategy and procedures, alterations in the economic-financial scenario that impact the budget and hence its plans and programs, and technological developments that, if not adopted, would cause technical obsolescence, among others; in the internal context, there may be variations in the levels of production or services, organizational and structural modifications, or others. Every entity must have procedures capable of capturing and reporting in a timely manner the changes, registered or imminent, in its internal and external environment that may work against the possibility of achieving its objectives under the desired conditions. Once the risks have been identified, they are analyzed, applying the principle of relative importance, determining the probability of occurrence and, where possible, quantifying an estimate of the damage or loss of any kind that could be caused.
b) determination of the control objectives: the control objectives are the result or purpose to be achieved by applying control procedures, which must verify the identified risks and be based on the organization's policy and strategy. After identifying, evaluating and, whenever possible, quantifying the risks by process, activity and operation, the top management and the other managers of the areas, with the participation of the workers, carry out a diagnosis and determine the control objectives, leaving documentary evidence of the process. The diagnosis is made in meetings by groups of areas, directorates or departments as appropriate, which are chaired by the highest authority of the place, the union leader and representatives of political organizations; at least one member of the group that carried out the identification and analysis of risks at the organization level, with the specific information and background of the area, must be present. In these meetings a diagnosis is made of all the control objectives to be considered, and the control measures or procedures to be applied are defined. The meetings are preceded by information and preparation work with the workers in the assembly of affiliates, where the procedure to follow is explained to them.
c) risk prevention: this standard constitutes a set of actions or procedures of an ethical-moral, technical-organizational and control nature, consciously directed at eliminating or reducing as much as possible the causes and conditions that favor internal and external risks, as well as acts of indiscipline and illegality which, if continued in a climate of impunity, cause manifestations of administrative corruption or the occurrence of alleged criminal acts. Based on the control objectives determined in accordance with the risks identified by the workers of each area or activity, and on the necessary control measures or actions, the Risk Prevention Plan is prepared. Its most relevant aspects feed into the plan of the organ, agency, organization or entity, which generally includes the risks that jeopardize the fulfillment of the objectives and the mission. The plans drawn up are evaluated by the Prevention and Control Committee and approved by the collegiate management body. The Risk Prevention Plan is a working instrument with which management systematically monitors the control objectives determined; it is updated and analyzed periodically, with the active participation of the workers, and whenever events require it. The results of the analysis of causes and conditions carried out on the events that occurred, and the assessments made of the effectiveness of the Risk Prevention Plan, must be disclosed in order to transmit the experience, and the alert that can be derived from it, to the whole system. The Risk Prevention Plan is structured by area or activity, together with that of the entity. Its preparation identifies the risks; possible negative manifestations; measures to apply; the person responsible; the executor; and the date of compliance with the measures. Self-control is considered one of the measures of the Risk Prevention Plan, used to measure the effectiveness of these measures and of the proposed control objectives.