
FUNDAMENTALS OF GRC:

MASTERING RISK ASSESSMENT


BRUCE MCCUAIG – CA, CIA, CCSA
VICE PRESIDENT, RISK AND COMPLIANCE
PAISLEY GRC SOLUTIONS

WHITEPAPER
CONTENTS

INTRODUCTION
RISK ASSESSMENTS — THE BASICS
THE EMERGENCE OF RISK-BASED APPROACHES
USE A RISK-FOCUSED APPROACH
ADOPT A COMMON CATEGORIZATION OF RISK TYPES
PARSE THE RISK JUMBLE
SCENARIO ANALYSIS
USE A RISK TABLE
MONITOR RISKS
INCREASE SELF ASSESSMENT
ACHIEVE RISK CONVERGENCE
BRINGING IT ALL TOGETHER — LEVERAGING TECHNOLOGY FOR RISK CONVERGENCE
ABOUT THOMSON REUTERS – PAISLEY GRC SOLUTIONS
ABOUT THE AUTHOR

INTRODUCTION
The recent news headlines related to the subprime mortgage crisis, rogue traders and corporate
fraud have highlighted that, despite investment in risk assessment and risk management
disciplines, significant risk failures persist. While isolated incidents of one-time governance
failures are bound to occur, long-term systemic failures are more than an isolated anomaly.
These failures may result from a clutter of risk information produced by many risk assessments
from many perspectives. Organizing those risk assessments to give the organization a more
holistic view of enterprise risk is fundamental to mastering risk assessment. This whitepaper
explores approaches to risk assessment, offers some best practices for conducting risk
assessments and provides practical guidance on mastering this business process.

RISK ASSESSMENTS — THE BASICS


Risk assessments fall into the overall discipline of risk management. For most organizations, risk
management is an evolving discipline that is at disparate maturity levels across organizational
disciplines such as internal audit, business operations, IT and finance. Risk is defined as the
uncertainty of an event occurring that could have an impact on the achievement of objectives.
The definition of risk assessment then follows as the identification, evaluation, and estimation of
the levels of risks involved in a situation, their comparison against benchmarks or standards, and
determination of an acceptable level of risk.
A risk assessment should answer the following five questions:
1. What can go wrong?
2. How can it go wrong?
3. What is the potential harm?
4. What can be done about it?
5. How can we stop it from happening again?

THE EMERGENCE OF RISK-BASED APPROACHES


Increasingly, risk assessments are being conducted by many groups within an organization
to fulfill a variety of business and regulatory requirements. Often, groups within the same
organization rely on the guidance of different professional organizations to provide a framework
for conducting risk assessments. As these professional organizations offer disparate approaches
to risk assessment, they add to the jumble of risk information. Examples of the varying
approaches to risk assessment include:
• The PCAOB's Auditing Standard No. 5 (AS5) has been issued as a risk-based approach
to auditing internal control over financial reporting
• COSO produced Enterprise Risk Management – Integrated Framework for use in assessing
a wide range of business risks
• The Institute of Internal Auditors has charged chief audit executives with developing
“risk-based plans to determine the priorities of the internal audit activity, consistent with
the organization’s goals”
• Standard & Poor’s recently proposed scoring management’s enterprise risk assessment
practices as part of the credit rating process and has proposed the criteria it plans
to use to do so
To minimize the confusion of varying risk information, risk assessment efforts need to
converge. Risk convergence, the ability to look across the organization and to understand all
risk information from a single perspective, is essential to organizing the different types of risk
information and promoting the understanding and analysis that will add value to the organization.
The following best practice approaches will help an organization master risk assessment and
minimize disjointed risk information:
1. Use a risk-focused approach
2. Adopt a common categorization of risk types
3. Parse the risk jumble
4. Perform scenario analysis
5. Use a risk table
6. Monitor risks
7. Increase self assessment
8. Achieve risk convergence

USE A RISK-FOCUSED APPROACH


Many organizations struggle to find the proper balance between a risk-focused and a control-
focused approach to risk assessments. Risk management must focus on constant, rigorous risk
identification and assessment. Controls must be precise and carefully designed so as not to distract
attention from running the business. Controls must provide essential and useful information, and
they must add value rather than exist for their own sake.
For most organizations, there is a bias towards control-focused risk assessments. The primary
driver of this struggle is complying with regulations, such as Sarbanes Oxley, that originally drove
the increased need for risk assessments. Even revised guidance on financial controls
management, such as AS5 takes a very control centric view. This control bias can be highlighted
by contrasting AS5 and Australia/New Zealand Standard 4360. AS5, published in 2007, follows
a controls approach and is intended to help auditors identify and assess controls that address the
risk of misstatement to financial statement assertions. Described as a risk-based approach, AS5
is actually directed at managing financial controls. AS/NZS 4360, originally developed in 1995
and one of the world’s most critically acclaimed risk management frameworks, is simple and
direct and provides a basis for identifying and assessing business risks.
A simple word count of the instances of the words risk and control appearing in the two
standards makes a strong point. What stands out in Exhibit 1 is the relative use of the terms risk
and control by the respective standards.

Exhibit 1

WORD COUNT COMPARISON

Standard                         "risk"   "control"
Risk standard: AS/NZS 4360          307           7
Audit standard: PCAOB AS5           168         635

What is less apparent, and possibly even more significant than the difference in frequency of the
use of the two words, is the fact that these two standards look at risk and control differently.
When AS5 refers to risk, it is primarily referring to the risk of a missing or broken control. When
AS/NZS 4360 refers to control, it refers to one of several risk responses (reject, accept, transfer or
mitigate the risk). As a result, risk assessment teams find themselves accumulating vast amounts
of information about risk from both risk- and control-focused perspectives. Many different risk
management groups use the same terminology with completely different meanings.
Because it seeks to identify missing or ineffective controls and strengthen them, a control-based
approach has a bias toward increasing controls until the assessor achieves a subjectively
determined level of control effectiveness. Control-based approaches gather and assess vastly
more information about controls than about the specific risk events the controls were designed to
mitigate. In fact, taken to an extreme, control-based approaches completely lose sight of the
business risk they were designed to mitigate. The end result of control-based approaches can
become ensuring the continued existence of effective controls, even if those controls are no
longer relevant to the risks they were designed to mitigate.
Risk-based approaches can be described as those that provide a ratio of at least 2:1 of risks to
controls and generally have the opposite bias, producing significant amounts of information
about risk events, their type, frequency, level, impact and root cause. With the capture of proper
risk information, risk-based approaches give management a better perspective on the significance
and likelihood of risk events and enable management to prioritize the materiality of
mitigating controls.
One of the major reasons for the ineffective execution of risk assessments is the significant focus
on controls. The control-based approach is used to identify and assess controls, or more
specifically the risk of missing or broken controls; the risk-based approach is used to identify and
assess risk events, or risks that could impact the achievement of business objectives. Risk
assessments are much more effective when using a true risk-based approach.
ADOPT A COMMON CATEGORIZATION OF RISK TYPES
To assist in the discipline of risk assessment, it is important to have a common taxonomy and
categorization of risk types. The risk management community has provided numerous risk
models to categorize risks into types for reporting and analysis purposes. For example, in its
recent proposal to evaluate management’s enterprise risk management practices, Standard &
Poor’s suggested a list of possible risk types, shown in Exhibit 2.

Exhibit 2

ENVIRONMENTAL RISKS
• Business continuity
• Business market environment
• Environmental
• Liability lawsuits
• Natural disasters/weather
• Pandemic
• Physical damage
• Political risk
• Regulatory/legislative
• Terrorism

FINANCIAL RISKS
• Capital availability
• Credit counterparty
• Financial market risk
• Inflation
• Interest rates
• Liquidity

SUPPLY RISKS
• Commodity prices
• Supply chain

MANAGEMENT RISKS
• Corporate governance
• Data security
• Employee health and safety
• Intellectual property
• Labor disputes
• Labor skills shortage
• M&A/restructuring
• Managing complexity
• Outsourcing problems
• Project management
• Reputation
• Technology failure

With a library of common sets of risk categories, risk assessment practitioners are better able to
identify the organization's risks and can pull together risk information in a concise profile that
helps users understand and monitor identified exposures.
PARSE THE RISK JUMBLE
Risk information must be organized to be understood and managed. In the jumble of risk
information that is currently being gathered, some of the information is about controls or more
accurately missing or broken controls, some of it is about risk events (the events the controls were
designed to mitigate) and some of the information describes the primary or secondary
consequences of the risk events if they occur. The result is a mass of information that is described
as risk, but it is not all risk (See Exhibit 3).

Exhibit 3

To assist in sorting through this information, it is recommended to parse the information into
a simple model of:
• Root cause
• Risk event
• Consequence
• Downstream effect

Exhibit 4 illustrates how risk information can be categorized as root cause, risk event,
consequence and downstream effect. In this example, the broken shoelace is the root cause,
falling is a risk, a sprained wrist is the consequence and the downstream effect is medical bills. In
business it is important to delineate what is the root cause and what is the risk. At first glance,
many identify the broken shoelace as the risk. However, the risk is the adverse outcome of the
root cause, not the root cause itself.
Exhibit 4

There are several root causes that can create the risk “trip and fall”. When conducting a risk
assessment one should not assume a static relationship between a root cause and a risk event.
Doing so may lead to overlooking other root causes and failing to address the risk.

SCENARIO ANALYSIS
The discipline of scenario analysis is critical to effective risk assessments because it forces one to
ask, “What could go wrong in the future?” Scenario analysis is the process of analyzing a number
of possible future events and focuses attention on all possible outcomes of an event occurring
and the associated impacts. Proper scenario analysis improves decision-making by allowing
management to more completely consider various outcomes and their implications to an
organization.
For example, in looking at the scenario of fraudulent trades occurring, the following questions
need to be evaluated:
1. Where does trading activity take place?
2. What kinds of trading take place?
3. What are all the ways unauthorized trading could take place?
4. How up to date is our information?
5. Have we involved everyone with relevant knowledge in risk identification?
6. Have we involved everyone with relevant knowledge in control assessment?
7. What would tell us if, in fact, unauthorized trades are occurring?
8. How often do we formally analyze this scenario?
9. What issues have we identified in the past?
10. What losses have our industry competitors experienced?
11. How could trades be hidden?

To avoid scenario analysis becoming a time consuming and burdensome activity, management
should focus on those risks that have been identified as the most material to the strategy of the
business and that have the highest significance or likelihood of occurring.

USE A RISK TABLE


Risks and the corresponding risk assessments can be evaluated using either a quantitative or a
qualitative approach. Quantitative assessments use actual dollar amounts to provide a
financially based risk value. Qualitative assessments use scoring methods and the experience of
employees and consultants to arrive at a risk score. Since determining an actual dollar value of
risk is often a very resource-intensive activity, the qualitative approach is the one most risk
assessment groups use in practice. Although termed qualitative, this method typically involves
assigning a numerical value that can be used to stack-rank the risks or to arrive at relative ratings.
To assist with qualitative risk assessments, use an established risk table. There are several
commonly used published risk tables, some more complex than others. One of the most
frequently used is the likelihood and consequence table in AS/NZS 4360, shown in Exhibit 5.
Exhibit 5

Once the risk assessments are scored using a risk table, they should be sorted from highest to
lowest. This allows organizations to address the highest risks first. Once identified, there are
essentially four ways to deal with each risk:
Reject the risk: Rejecting risk is the head-in-the-sand approach. Some managers tend to ignore
difficult challenges with the hope that they will simply disappear. This approach will rarely result
in a successful defense against the risk event occurring.
Accept the risk: A common action to take is to accept the stated risk. For example, if the controls
necessary to eliminate or mitigate key vulnerabilities are a greater financial burden to an
organization than the actual risk impact, then it is probably a better idea to use the budget dollars
in other areas.
Transfer the risk: An alternative to accepting a higher than reasonable risk when the cost of
controls is too high is to purchase insurance to lower the business impact of an incident. This is a
common risk management step.
Mitigate the risk: Risk mitigation typically focuses on managing the areas where the
organization is most vulnerable. Risk mitigation involves the identification and management of
risk-mitigating controls.
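The following Python register is an added example, not part of the whitepaper or of any Paisley product. It puts the two preceding sections to work together: every entry is forced into the root cause / risk event / consequence / downstream effect split from “Parse the risk jumble”, scored on a likelihood-by-consequence grid, sorted highest to lowest, and given one of the four responses listed above. The 5x5 grid is an assumption modelled on the layout of AS/NZS 4360-style tables (Exhibit 5 itself is not reproduced in the text), and the register entries and their dollar figures are constructed sample data; only the broken-shoelace chain comes from the paper.

```python
"""Illustrative risk register (added example, not from the whitepaper).

Each entry is forced into the paper's four-part split (root cause, risk event,
consequence, downstream effect), scored on a likelihood-by-consequence grid,
ranked highest to lowest, and given one of the four responses the paper lists.
The 5x5 grid below is an ASSUMPTION modelled on the layout of AS/NZS 4360-style
tables; it is not a reproduction of Exhibit 5.  Register entries are constructed
sample data.
"""
from dataclasses import dataclass

LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
CONSEQUENCE = ["insignificant", "minor", "moderate", "major", "catastrophic"]

# Assumed grid: rows follow LIKELIHOOD, columns follow CONSEQUENCE.
# L = low, M = moderate, H = high, E = extreme.
RISK_TABLE = [
    # insig  minor  moder  major  catas
    ["L",   "L",   "M",   "H",   "H"],   # rare
    ["L",   "L",   "M",   "H",   "E"],   # unlikely
    ["L",   "M",   "H",   "E",   "E"],   # possible
    ["M",   "H",   "H",   "E",   "E"],   # likely
    ["H",   "H",   "E",   "E",   "E"],   # almost certain
]
RATING_ORDER = {"L": 1, "M": 2, "H": 3, "E": 4}


@dataclass
class Risk:
    """One parsed risk statement.  Keeping the four narrative fields separate
    stops a missing control ('no maker/checker on trades') or a consequence
    ('trading loss') from being recorded as if it were the risk event itself."""
    root_cause: str
    risk_event: str
    consequence: str
    downstream_effect: str
    likelihood: str          # one of LIKELIHOOD
    severity: str            # one of CONSEQUENCE (the table's consequence axis)
    expected_loss: float     # estimated loss if untreated, same currency as control_cost
    control_cost: float      # cost of the mitigating controls
    insurable: bool = False  # can the impact be transferred to an insurer?


def rate(risk):
    """Look the risk up on the grid; unknown levels raise ValueError via .index()."""
    row = LIKELIHOOD.index(risk.likelihood)
    col = CONSEQUENCE.index(risk.severity)
    return RISK_TABLE[row][col]


def respond(risk):
    """Choose accept / transfer / mitigate following the paper's logic.
    'Reject' is deliberately never returned: ignoring a risk is what happens
    by default when no decision is recorded, so it is not offered as a choice."""
    rating = rate(risk)
    if rating == "L":
        return "accept"
    if risk.control_cost > risk.expected_loss:
        # Controls cost more than the exposure.  For a high or extreme risk,
        # buy down the impact instead of living with it if that is possible.
        if risk.insurable and rating in ("H", "E"):
            return "transfer"
        return "accept"
    return "mitigate"


def rank_register(register):
    """Highest rating first; ties broken by larger expected loss."""
    return sorted(register,
                  key=lambda r: (RATING_ORDER[rate(r)], r.expected_loss),
                  reverse=True)


def summarize(register):
    """(risk event, rating, response) for each entry, in priority order."""
    return [(r.risk_event, rate(r), respond(r)) for r in rank_register(register)]


def build_register():
    """Constructed sample entries; the shoelace chain is the paper's own example,
    the figures attached to it are invented for illustration."""
    return [
        Risk("broken shoelace", "trip and fall", "sprained wrist",
             "medical bills", "possible", "minor",
             expected_loss=400, control_cost=50),
        Risk("trader can book and confirm own trades", "unauthorized trades",
             "trading loss", "regulatory fines and reputational damage",
             "unlikely", "catastrophic",
             expected_loss=2_000_000, control_cost=250_000),
        Risk("single-source supplier", "supply chain interruption",
             "production stoppage", "lost revenue", "likely", "moderate",
             expected_loss=300_000, control_cost=900_000, insurable=True),
        Risk("aging loading-dock roof", "storm damage to loading dock",
             "damaged inventory", "replacement cost", "rare", "minor",
             expected_loss=5_000, control_cost=20_000),
    ]


if __name__ == "__main__":
    for event, rating, response in summarize(build_register()):
        print(f"{rating}  {response:<9} {event}")
```

The point of the dataclass is the discipline the paper asks for: the broken shoelace cannot be entered as the risk, and “no maker/checker on trades” cannot be entered as the risk either, because the register only accepts the control gap as a root cause and the loss as a consequence. The response logic is the paper’s own ordering, with “reject” left out on purpose because it is the absence of a decision rather than one.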
MONITOR RISKS
A best practice in mastering risk assessments is to establish standard metrics for the
consequences and outcomes that will drive business decisions. Common metrics are classified
as key performance indicators (KPIs) and key risk indicators (KRIs).
A KPI is part of a measurable objective and helps an organization measure progress towards
goals, especially for difficult-to-quantify knowledge-based processes. KPIs are made up
of a direction, benchmark, target and time frame.
A KRI measures how risky an activity is. It differs from a KPI in that the KPI is meant as a measure
of how well something is being done. A KRI is an indicator of the possibility of a future adverse
impact. The idea behind the KRI is to provide a set of agreed indicators, which can range from the
simple, such as staff turnover, to the more sophisticated, such as a complex calculation for
measuring operational performance. The behavior of KRIs should signal how well or how badly a
firm is managing potentially costly operational hazards such as fraud, legal risk, technology
failure and trade settlement errors.
Knowledge of consequences is essential for risk management decisions. The nature and
magnitude of the consequence will drive business decisions. Established KPIs and KRIs place
some established metrics on measuring these consequences and outcomes.

INCREASE SELF ASSESSMENT


With the large universe of risks that must be assessed across an organization, companies must
embrace the discipline of risk self assessment to delegate the workload to those closest to the
risks. Risk self assessment is a tool for acquiring information about business process risks, while
empowering the process owners to take responsibility for identifying and mitigating those risks.
Using risk self assessment drives the responsibility and accountability of risk management to
process owners by reinforcing their responsibility and accountability for the risk areas that they
own. Companies embracing risk self-assessment often view it as a cost-effective technique for
establishing touch points with the right people, enabling management to communicate as well
as educate. An effective risk self-assessment program reports risk assertions from process owners
upward in the organization and identifies matters requiring follow-up and possible disclosure.

ACHIEVE RISK CONVERGENCE


Risk convergence is the integration of discrete risk assessment information into a unified
framework in order to dramatically:
• Streamline processes
• Increase assurance reliability
• Increase information quantity/quality
• Decrease operational cost
• Contribute directly to better business performance

Risk-based approaches to management hold significant promise. If risks are understood in terms
of cause/effect relationships, governance failures and losses should be prevented. If variance in
expected business or process performance is viewed from a risk perspective as unmanaged risks,
then business performance should improve or at least become less volatile. Risk assessment is
the foundation of risk management. Organizing the information produced through risk
assessment will allow risk convergence to fulfill its potential.

BRINGING IT ALL TOGETHER — LEVERAGING TECHNOLOGY FOR RISK CONVERGENCE
Leading organizations are leveraging technology solutions to support their risk convergence
efforts. Thomson Reuters offers a more effective, proven approach to optimizing the convergence
of risk assessment groups. Paisley GRC solutions offer a comprehensive audit, financial controls
management, risk management, IT governance and compliance software solution purpose-built
to address integrated risk convergence requirements. By eliminating information silos and redundant
data entry and taking a unique holistic approach to regulatory challenges, Paisley GRC solutions
provide greater efficiency, improve collaboration and reduce the time and resource costs
associated with governance, risk and compliance processes.
Paisley GRC solutions enable organizations to break down the walls between audit, risk and
compliance groups and provide expanded value as organizations deploy the software across the
enterprise. Paisley GRC solutions provide unique profiles for each risk assessment group, a
central data repository and common functionality for risk assessment, reporting and issue
tracking across all disciplines. As a complete solution, Paisley GRC solutions provide a common
point of entry for audit, risk management and compliance process owners. With a single data
model that is shared by internal audit, risk management and compliance teams, Paisley GRC
solutions enable organizations to consistently share definitions and terms, organizational
reporting structures, and relationships between controls and the associated audit results. This
approach minimizes data entry, improves accuracy and enhances collaboration, efficiency
and consistency.
ABOUT THOMSON REUTERS – PAISLEY GRC SOLUTIONS
Thomson Reuters is the world’s leading source of intelligent information for businesses and
professionals. The company combines industry expertise with innovative technology to deliver
critical information for leading decision-makers in the financial, legal, tax and accounting,
scientific and healthcare markets.

Paisley, acquired by Thomson Reuters in 2008, is the governance, risk and compliance platform
business unit of Thomson Reuters. Combining Paisley’s market leading software with the
comprehensive Thomson Reuters intelligent information solutions delivers the most
comprehensive GRC solution for audit, risk and compliance professionals. Over 1,400
organizations, spanning 60 countries and serving more than 140,000 users in a wide range of
industries, utilize Paisley GRC solutions to streamline processes, reduce costs of compliance,
manage and mitigate risks, and provide visibility, oversight and assurance.

The Paisley GRC solutions include functionality for audit management, financial controls
management, enterprise risk management, operational risk management, IT governance, and
compliance. Paisley offers several software delivery options including on-premises, hosted
application deployment, or software as a service (SaaS) delivery.

Learn More
Call: 763.450.4700
Email: paisleyinfo@thomsonreuters.com
Visit: paisley.thomsonreuters.com

ABOUT THE AUTHOR


Bruce McCuaig, CA, CIA, CCSA
Vice President, Risk and Compliance – Paisley GRC Solutions
With more than 20 years’ experience in the field of risk and control management, Bruce McCuaig
is responsible for directing an operational risk management program at Paisley as part of a
company-wide effort to implement a top-down, risk-based approach to its own operations.
Bruce's role at Paisley also includes sharing Paisley's ORM experiences and innovations with
clients seeking to implement risk-based approaches for their GRC initiatives and to drive
improvements in their existing risk management processes. Prior to joining Paisley, Bruce held
senior executive positions with the Gulf Canada Resources in Calgary and Toronto, and Gulf Oil
Corporation in Houston, Texas. Bruce is an experienced speaker, presenter and award-winning
author, participating regularly in international conferences on the subject of risk and control self-
assessment and publishing in professional audit and financial journals. Bruce earned a bachelor's
degree in business administration from the University of Windsor, in Windsor, Ontario.

© Thomson Reuters. All rights reserved.


Republication or redistribution of Thomson Reuters content, including by framing or similar means, is prohibited without the prior written
consent of Thomson Reuters. 'Thomson Reuters' and the Thomson Reuters logo are registered trademarks and trademarks of Thomson
Reuters and its affiliated companies.
