BRUCE MCCUAIG – CA, CIA, CCSA VICE PRESIDENT, RISK AND COMPLIANCE PAISLEY GRC SOLUTIONS
CONTENTS
Introduction
Risk Assessments — The Basics
The Emergence of Risk-Based Approaches
Use a Risk-Focused Approach
Adopt a Common Categorization of Risk Types
Parse the Risk Jumble
Scenario Analysis
Use a Risk Table
Monitor Risks
Increase Self Assessment
Achieve Risk Convergence
Bringing It All Together — Leveraging Technology for Risk Convergence
About Thomson Reuters – Paisley GRC Solutions
About the Author
INTRODUCTION

The recent news headlines related to the subprime mortgage crisis, rogue traders, and corporate fraud have highlighted that despite investment in risk assessment and risk management disciplines, significant risk failures persist. While isolated incidents of one-time governance failures are bound to occur, long-term systemic failures are more than just an isolated anomaly. The failures may be the result of a clutter of risk information caused by many risk assessments from many perspectives. Often, groups within the same organization rely on the guidance of different professional organizations to provide a framework for conducting risk assessments. As these professional organizations offer disparate approaches to risk assessment, they add to the jumble of risk information. The process of organizing these risk assessments to provide organizations with a more holistic view of enterprise risk is fundamental to mastering risk assessments. This whitepaper explores approaches to risk assessment, offers some best practices for conducting risk assessments and provides practical guidance on mastering this business process.

RISK ASSESSMENTS — THE BASICS

Risk assessments fall into the overall discipline of risk management. Risk is defined as the uncertainty of an event occurring that could have an impact on the achievement of objectives. The definition of risk assessment then follows as the identification, evaluation, and estimation of the levels of risk involved in a situation, their comparison against benchmarks or standards, and determination of an acceptable level of risk. A risk assessment should answer the following five questions:

1. What can go wrong?
2. How can it go wrong?
3. What is the potential harm?
4. What can be done about it?
5. How can we stop it from happening again?

For most organizations, risk management is an evolving discipline that is at disparate maturity levels across organizational disciplines such as internal audit, business operations, IT and finance.

THE EMERGENCE OF RISK-BASED APPROACHES

Increasingly, risk assessments are being conducted by many groups within an organization to fulfill a variety of business and regulatory requirements. Examples of the varying approaches to risk assessment include:

• The PCAOB Auditing Standard No. 5 (AS5) has been issued as a risk-based approach to auditing internal control over financial reporting
• COSO produced Enterprise Risk Management – Integrated Framework for use in assessing a wide range of business risks
• The Institute of Internal Auditors has charged chief audit executives with developing “risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals”
• Standard & Poor’s recently proposed scoring management’s enterprise risk assessment practices as part of the credit rating process, and has proposed the criteria it plans to use to do so

To minimize the confusion of varying risk information, risk assessment efforts need to converge. Risk convergence, the ability to look across the organization and to understand all risk information from a single perspective, is essential to understanding and organizing the different types of risk information, in order to promote the understanding and analysis that will add value to the organization. The following best practice approaches will help an organization master risk assessment and minimize disjointed risk information:

1. Use a risk-focused approach
2. Adopt a common categorization of risk types
3. Parse the risk jumble
4. Perform scenario analysis
5. Use a risk table
6. Monitor risks
7. Increase self assessment
8. Achieve risk convergence

USE A RISK-FOCUSED APPROACH

Many organizations struggle to find the proper balance between a risk-focused and a control-focused approach to risk assessments. The primary driver of this struggle is complying with regulations, such as Sarbanes-Oxley, that originally drove the increased need for risk assessments. For most organizations, there is a bias towards control-focused risk assessments. Even revised guidance on financial controls management, such as AS5, takes a very control-centric view. Described as a risk-based approach, AS5 is actually directed at managing financial controls.

This control bias can be highlighted by contrasting AS5 with Australia/New Zealand Standard 4360, originally developed in 1995 and one of the world’s most critically acclaimed risk management frameworks. AS5, published in 2007, follows a controls approach and is intended to help auditors identify and assess controls that address the risk of misstatement to financial statement assertions. AS/NZS 4360 is simple and direct and provides a basis for identifying and assessing business risks. Risk management must focus on constant, rigorous risk identification and assessment. Controls must provide essential and useful information. Controls must be precise and carefully designed not to distract attention from running the business, and they must add value rather than exist for their own sake.
A simple word count of the instances of the words risk and control appearing in the two standards makes a strong point. What stands out in Exhibit 1 is the relative use of the terms risk and control by the respective standards.

Exhibit 1 WORD COUNT COMPARISON

Standard                          RISK    CONTROL
Risk Standard AS/NZS 4360          307          7
Audit Standard PCAOB AS5           168        635

What is less apparent, and possibly even more significant than the difference in frequency of the use of the two words, is the fact that these two standards look at risk and control differently. When AS5 refers to risk, it is primarily referring to the risk of a missing or broken control. When AS/NZS refers to control, it refers to one of several risk responses (reject, accept, transfer or mitigate the risk). As a result, many different risk management groups use the same terminology with completely different meaning.

One of the major reasons for the ineffective execution of risk assessments is the significant focus on controls. The control-based approach is used to identify and assess controls, or more specifically the risk of missing or broken controls. Control-based approaches gather and assess vastly more information about controls than about the specific risk events the controls were designed to mitigate. Because it seeks to identify missing or ineffective controls and strengthen them, a control-based approach has a bias toward increasing controls until the assessor achieves a subjectively determined level of control effectiveness. The end result of control-based approaches can become ensuring the continued existence of effective controls, even if those controls are no longer relevant to the risks they were designed to mitigate. In fact, taken to an extreme, control-based approaches completely lose sight of the business risk they were designed to mitigate.

Risk-based approaches can be described as those that provide a ratio of at least 2:1 of risks to controls, and they generally have the opposite bias. Risk assessments are much more effective when using a true risk-based approach. The risk-based approach is used to identify and assess risk events, or risks that could impact the achievement of business objectives, producing significant amounts of information about risk events: their type, level, frequency, impact and root cause. With the capture of proper risk information, risk-based approaches provide management a better perspective on the significance and likelihood of risk events and enable management to prioritize the materiality of mitigating controls.

As a result, risk assessment teams find themselves accumulating vast amounts of information about risk from both risk- and control-focused perspectives.
ADOPT A COMMON CATEGORIZATION OF RISK TYPES

To assist in the discipline of risk assessment, it is important to have a common taxonomy and categorization of risk types. The risk management community has provided numerous risk models to categorize risks into types for reporting and analysis purposes. For example, in its recent proposal to evaluate management’s enterprise risk management practices, Standard & Poor’s suggested a list of possible risk types, shown in Exhibit 2.

Exhibit 2

ENVIRONMENTAL RISKS: Business continuity; Business market environment; Environmental; Liability lawsuits; Natural disasters/weather; Pandemic; Physical damage; Political risk; Regulatory/legislative; Terrorism

FINANCIAL RISKS: Capital availability; Credit counterparty; Financial market risk; Inflation; Interest rates; Liquidity

SUPPLY RISKS: Commodity prices; Supply chain

MANAGEMENT RISKS: Corporate governance; Data security; Employee health and safety; Intellectual property; Labor disputes; Labor skills shortage; M&A/restructuring; Managing complexity; Outsourcing problems; Project management; Reputation; Technology failure

With a library of common sets of risk categories, risk assessment practitioners are better able to identify the organization’s risks and can pull together risk information in a concise profile that helps users understand and monitor identified exposures.
PARSE THE RISK JUMBLE

Risk information must be organized to be understood and managed. In the jumble of risk information that is currently being gathered, some of the information is about controls, or more accurately missing or broken controls; some of it is about risk events (the events the controls were designed to mitigate); and some of the information describes the primary or secondary consequences of the risk events if they occur. The result is a mass of information that is described as risk, but it is not all risk (see Exhibit 3).

Exhibit 3

To assist in sorting through this information, it is recommended to parse the information into a simple model of:

• Root cause
• Risk
• Consequence
• Downstream effect

Exhibit 4 illustrates how risk information can be categorized as root cause, risk event, consequence and downstream effect. At first glance, many identify the broken shoelace as the risk. However, the risk is the adverse outcome of the root cause, not the root cause itself. In this example, the broken shoelace is the root cause, falling is the risk, a sprained wrist is the consequence and the downstream effect is medical bills. In business it is important to delineate what is the root cause and what is the risk.
Exhibit 4

There are several root causes that can create the risk “Trip and fall.” When conducting a risk assessment one should not assume a static relationship between a root cause and a risk event. This may lead to overlooking other root causes and failing to address the risk.

SCENARIO ANALYSIS

The discipline of scenario analysis is critical to effective risk assessments because it forces one to ask, “What could go wrong in the future?” Scenario analysis is the process of analyzing a number of possible future events; it focuses attention on all possible outcomes of an event occurring and the associated impacts. Proper scenario analysis improves decision-making by allowing management to more completely consider various outcomes and their implications for an organization. For example, in looking at the scenario of fraudulent trades occurring, the following questions need to be evaluated:

1. Where does trading activity take place?
2. What kinds of trading take place?
3. What are all the ways unauthorized trading could take place?
4. How up to date is our information?
5. Have we involved everyone with relevant knowledge in risk identification?
6. Have we involved everyone with relevant knowledge in control assessment?
7. What would tell us if, in fact, unauthorized trades are occurring?
8. How often do we formally analyze this scenario?
9. What issues have we identified in the past?
10. What losses have our industry competitors experienced?
11. How could trades be hidden?

To avoid scenario analysis becoming a time-consuming and burdensome activity, management should focus on those risks that have been identified as the most material to the strategy of the business and that have the highest significance or likelihood of occurring.

USE A RISK TABLE

Risks and the corresponding risk assessments can be evaluated using either a quantitative or a qualitative approach. Quantitative assessments use actual dollar amounts to provide a financially-based risk value. Qualitative assessments use scoring methods and the experience of employees and consultants to arrive at a risk score. Although termed a qualitative approach, this method typically involves assigning some numerical value that can be used to stack rank or come up with relative ratings on the assessment of risks. Since determining an actual dollar value of risk is often a very resource-intensive activity, the qualitative risk assessment approach is used as a best practice by most risk assessment groups. To assist with qualitative risk assessments, utilize an established risk table. There are several commonly used published risk tables, some more complex than others. One of the most frequently used risk tables is the AS/NZS 4360 table, shown in Exhibit 5.

Exhibit 5

Once the risk assessments are scored using a risk table, they should be sorted from highest to lowest. This allows organizations to address the highest risks first. Once identified, there are essentially four ways to deal with each risk:

Reject the risk: Rejecting risk is the head-in-the-sand approach. Some managers tend to ignore difficult challenges with the hope that they will simply disappear. This approach will rarely result in a successful defense against the risk event occurring.

Accept the risk: A common action to take is to accept the stated risk. For example, if the controls necessary to eliminate or mitigate key vulnerabilities are a greater financial burden to an organization than the actual risk impact, then it’s probably a good idea to use the budget dollars in other areas.

Transfer the risk: An alternative to accepting a higher than reasonable risk when the cost of controls is too high is to purchase insurance to lower the business impact of an incident. This is a common risk management step.

Mitigate the risk: Risk mitigation typically focuses on managing the areas where the organization is most vulnerable. Risk mitigation involves the identification and management of risk-mitigating controls.
MONITOR RISKS

A best practice in mastering risk assessments is to establish standard metrics for the consequences and outcomes that will drive business decisions. Knowledge of consequences is essential for risk management decisions. The nature and magnitude of the consequence will drive business decisions. Established KPIs and KRIs place some established metrics on measuring these consequences and outcomes. Common metrics are classified as key performance indicators (KPI) and key risk indicators (KRI). A KPI is part of a measurable objective and helps an organization measure progress towards goals. KPIs are made up of a direction, benchmark, target and time frame. A KRI is an indicator of the possibility of a future adverse impact. A KRI measures how risky an activity is. It differs from a KPI in that the KPI is meant as a measure of how well something is being done. The idea behind the KRI is to provide a set of agreed indicators, which can range from the simple, such as staff turnover, to the more sophisticated, such as a complex calculation for measuring operational performance. The behavior of KRIs should signal how well or how badly a firm is managing potentially costly operational hazards such as fraud, legal risk, technology failure and trade settlement errors.

INCREASE SELF ASSESSMENT

With the large universe of risks that must be assessed across an organization, companies must embrace the discipline of risk self assessment to delegate the workload to those closest to the risks, while empowering the process owners to take responsibility for identifying and mitigating those risks. Risk self assessment is a tool for acquiring information about business process risks, especially for difficult-to-quantify knowledge-based processes. Using risk self assessment drives the responsibility and accountability of risk management to process owners by reinforcing their responsibility and accountability for the risk areas that they own. Companies embracing risk self-assessment often view it as a cost-effective technique for establishing touch points with the right people, enabling management to communicate as well as educate. An effective risk self-assessment program reports risk assertions from process owners upward in the organization and identifies matters requiring follow-up and possible disclosure.

ACHIEVE RISK CONVERGENCE

Risk convergence is the integration of discrete risk assessment information into a unified framework in order to dramatically:

• Streamline processes
• Increase assurance reliability
• Increase information quantity/quality
• Decrease operational cost
• Contribute directly to better business performance

Risk-based approaches to management hold significant promise. If risks are understood in terms of cause/effect relationships, governance failures and losses should be prevented. If variance in expected business or process performance is viewed from a risk perspective as unmanaged risk, then business performance should improve or at least become less volatile. Risk assessment is the foundation of risk management. Organizing the information produced through risk assessment will allow risk convergence to fulfill its potential.

BRINGING IT ALL TOGETHER — LEVERAGING TECHNOLOGY FOR RISK CONVERGENCE

Leading organizations are leveraging technology solutions to support their risk convergence efforts. Thomson Reuters offers a more effective, proven approach to optimizing the convergence of risk assessment groups. Paisley GRC solutions offer a comprehensive audit, financial controls management, risk management, IT governance and compliance software solution purpose-built to address integrated risk convergence requirements. As a complete solution, Paisley GRC solutions provide a common point of entry for audit, risk management and compliance process owners. Paisley GRC solutions provide unique profiles for each risk assessment group, a central data repository and common functionality for risk assessment, reporting and issue tracking across all disciplines.

With a single data model that is shared by internal audit, risk management and compliance teams, Paisley GRC solutions enable organizations to consistently share definitions and terms, organizational reporting structures, and relationships between controls and the associated audit results. This approach minimizes data entry, improves accuracy and enhances collaboration. By eliminating information silos and redundant data entry, and by taking a unique holistic approach to regulatory challenges, Paisley GRC solutions enable organizations to break down the walls between audit, risk and compliance groups, and they provide expanded value as organizations deploy the software across the enterprise. Paisley GRC solutions provide greater efficiency and consistency, improve collaboration and reduce the time and resource costs associated with governance, risk and compliance processes.
ABOUT THOMSON REUTERS – PAISLEY GRC SOLUTIONS

Thomson Reuters is the world’s leading source of intelligent information for businesses and professionals. The company combines industry expertise with innovative technology to deliver critical information for leading decision-makers in the financial, legal, tax and accounting, scientific and healthcare markets. Paisley, acquired by Thomson Reuters in 2008, is the governance, risk and compliance platform business unit of Thomson Reuters. Combining Paisley’s market-leading software with the comprehensive Thomson Reuters intelligent information solutions delivers the most comprehensive GRC solution for audit, risk and compliance professionals. Over 1,400 organizations, spanning 60 countries and serving more than 140,000 users in a wide range of industries, utilize Paisley GRC solutions to streamline processes, reduce costs of compliance, manage and mitigate risks, and provide visibility, oversight and assurance. The Paisley GRC solutions include functionality for audit management, financial controls management, enterprise risk management, operational risk management, IT governance, and compliance. Paisley offers several software delivery options including on-premises, hosted application deployment, or software as a service (SaaS) delivery.

Learn More
Call: 763.450.4700
Email: firstname.lastname@example.org
Visit: paisley.thomsonreuters.com

ABOUT THE AUTHOR

Bruce McCuaig, CA, CIA, CCSA
Vice President, Risk and Compliance – Paisley GRC Solutions

With more than 20 years’ experience in the field of risk and control management, Bruce McCuaig is responsible for directing an operational risk management program at Paisley as part of a company-wide effort to implement a top-down, risk-based approach to its own operations. Bruce’s role at Paisley also includes sharing Paisley’s ORM experiences and innovations with clients seeking to implement risk-based approaches for their GRC initiatives and to drive improvements in their existing risk management processes. Prior to joining Paisley, Bruce held senior executive positions with Gulf Canada Resources in Calgary and Toronto, and Gulf Oil Corporation in Houston, Texas. Bruce is an experienced speaker, presenter and award-winning author, participating regularly in international conferences on the subject of risk and control self-assessment and publishing in professional audit and financial journals. Bruce earned a bachelor’s degree in business administration from the University of Windsor, in Windsor, Ontario.

© Thomson Reuters. All rights reserved. Republication or redistribution of Thomson Reuters content, including by framing or similar means, is prohibited without the prior written consent of Thomson Reuters. 'Thomson Reuters' and the Thomson Reuters logo are registered trademarks and trademarks of Thomson Reuters and its affiliated companies.