
Chapter 3 Risk Assessments

Chapter 3 discusses risk assessment as a systematic process of identifying, measuring, and analyzing risks relevant to organizations. It highlights the importance of understanding internal and external constraints, various approaches to identifying risks, and the implications of business activities on risk management. Additionally, it outlines future challenges such as outsourcing, technology advancements, and geopolitical risks that organizations must navigate to maintain resilience and achieve their objectives.

Chapter 3 - Risk Assessments
INSTRUCTOR: NELSIE GRACE D. PINEDA
Risk Assessment
In simplistic terms, risk can be defined as a function of what is at
risk and how likely it is to be at risk.
The term “exposure” in relation to risk could be defined as “an
unwanted event or outcome that management would wish to avoid”.
A risk assessment is the process of identifying, measuring, and
analyzing risks relevant to a program or process.
This assessment is systematic, iterative, and subject to both
quantitative and qualitative inputs and factors. Furthermore, it is also
dependent on the timeframe of the review.
Identification of Risks
Internal Constraints
It is imperative for internal auditors to remember that there are internal and external constraints
in organizations. Internal constraints typically include:
Equipment. The types of equipment available and the ways they are used limit the ability of the
process to produce more high quality goods and deliver services.
People. Lack of skilled and motivated workers limits the productive capacity of any process.
Attitudes and other mental models (e.g., feeling defeated, victimized, or hopeless) embraced
by workers can lead to behaviors that become a constraint on the process.
Policies. Written and unwritten policies can prevent the process from producing more of higher
quality goods and services.
Measurement of Risks
The measurement process can be either subjective or quantitative, and either driven by facts or
not.
Subjective measures are driven by the participants’ experience and intuition about the risks
involved.
◦ Three-point scale: high–medium–low
◦ Five-point scale: unlikely–possible–likely–almost certain
◦ Impact measures: minor–moderate–major–catastrophic
Sample Measurement
Impact Ratings
The Risk Matrix
The risk matrix is a widely used and highly effective tool to record and analyze
the objectives, risks, and controls in the program or process that is being audited
as defined in the scope definition.
The risk matrix is an essential ingredient when conducting risk-based audits, as
it provides a means to capture and analyze these items.
Layout varies by organization.
Sample Risk Matrix
Assessing Risk and Control Types
The conduct of a risk assessment means that we should look for weaknesses
(sometimes referred to as vulnerabilities) that would make an asset susceptible
to damage or loss from the hazard.
Vulnerability - “degree to which people, property, resources, systems, and
cultural, economic, environmental, and social activity is susceptible to harm,
degradation, or destruction on being exposed to a hostile agent or factor.”
When it comes to vulnerabilities, some common weaknesses are the age,
condition, and location of buildings, and their contents (e.g., near coastal or
seismic areas, critical systems on lower floors that are susceptible to flooding,
shared office locations).
Approaches in Identifying Relevant Events
1. Objectives based. Identify events that may hinder the ability of the
organization to achieve its objectives partially or completely.
◦ In this case, brainstorming and the Delphi method* may be useful
techniques to collect the relevant information and assess the impact of
these events. Note that the event does not have to be negative in its
immediate interpretation.
*The Delphi method, also known as the estimate-talk-estimate technique (ETE), is a
systematic and qualitative method of forecasting by collecting opinions from a group of
experts through several rounds of questions.
2. Scenario based. Create different scenarios or alternative ways of achieving
objectives and determine how forces interact. A useful approach is to identify
triggers that can start–stop different scenarios from occurring. By identifying
and understanding the triggers caused or accelerated by these scenarios, the
organization can better prepare itself to leverage opportunities and avoid
negative consequences.
For either of these two approaches, management must consider the external and
internal factors that can affect event occurrence:
◦ External. For example, economic, business, natural environment, political, social, and
technological factors.
◦ Internal. Examples include infrastructure, personnel, processes, and technology.
3. Common-risk checking. Use a prefabricated list of common risks in
your industry or area of scope. This technique is explained in more
detail below.
4. Risk charting. A combination of the above approaches, this consists of listing
resources at risk and the threats to those resources. Identify the risk
factors and the consequences. Hazards are of concern to the extent
that they can result in some kind of loss to the program, process, or
organization. The impact of these hazards and how to reduce them is
the next aspect of the risk assessment process. This is referred to as
mitigation.
Assessing Risk
The risk assessment, with the identification of hazards, assets at risk, impact
analysis, and response activities can serve the organization well and increase the
likelihood that goals and objectives will be achieved. The challenge today is
greater than in the past, however, because in today’s dynamic and highly
competitive business and operating environment, organizations lacking the
ability to adapt and take advantage of opportunities proactively are as likely to
fail as those that poorly manage the risk of adverse outcomes.
Organizations must be resilient: as much as anticipating adverse outcomes is
key to success, a lack of flexibility to embrace, understand, and capitalize on
new technologies, financial products, emerging markets, and
social dynamics can be the cause of ruin.
Business Activities and Their Risk Implications
1. Assemble to order. This is a type of production system where the material is
prepared so it can be assembled quickly upon receipt of the customer request
and is usually customizable to a certain degree.
2. Make to Order (MTO). This methodology involves manufacturing only after a
customer’s order is received, so the process begins when demand occurs.
3. Make to Stock (MTS). This methodology means to manufacture products for
stock based on demand forecasts.
4. Bottleneck. This term refers to a point in a process where there is limited
productive capacity and the flow slows down.
5. Collaborative inventory management. Consists of the cooperation between a
buyer and a supplier to improve stock availability and reduce costs. This is often
accomplished by sharing forecast information and using a single plan.
6. Consignment. This is an inventory management and replenishment method
where a buyer only pays for the products held at a third party location when the
items have been sold to the customer. Unsold products can usually be returned
to the supplier as well.
7. Cycle time. Refers to the reduction in the time and related costs needed for a
product or service to move through part or all of a supply chain. Internal
auditors focused on financial and many compliance risks have paid little
attention to this topic.
8. Distribution center (DC) bypass or drop ship. This activity refers to
circumventing the DC or entire distribution channel by routing freight directly to
its destination. In other words, move products from the manufacturer directly to
the retailer or end user without going through the typical distribution channels.
This requires coordination with suppliers and customers to make sure there are
sufficient items in stock and to address delivery frequencies required by
customers.
9. Electronic data interchange (EDI). This consists of standardized sets of data
transmitted between various business partners during business transactions. An
important aspect of EDI exchanges is the need to verify that all of the required
steps were followed as the data and documents flow between trading partners.
All transactions must be tracked to make sure they are not lost.
10. Inventory. Stock of raw materials, semi-finished goods (e.g., work in
process), or finished material held to protect the organization against
unpredictable, uncertain, or erratic supply or demand with the objective of
avoiding stock-out situations.
◦ There are a number of key aspects of inventory management that internal auditors
should focus their attention on. For example, verifying that all inventories are
accounted for and reflected accurately in the organization’s financial statements and
financial reports, making sure that inventories are still saleable, otherwise they
should be treated according to excess and obsolete (E&O) guidelines and written off.
Future Challenges and Risk Implications
1. Increased outsourcing. Internal auditors should make sure their organizations
are practicing effective risk management on their third party relationships,
including adequate due diligence, verifying that management has developed
and implemented processes and controls to measure, monitor, and correct any
deficiencies by these firms, and making sure that effective performance
monitoring activities are in place.
2. Global sourcing. This is driven by lower prices and the related savings, but
also because the quality of foreign-sourced inputs has increased in most cases.
While challenges remain, the quality of many foreign-sourced items is
acceptable to western companies and in many cases, it is near that of western
companies, or equal with lower production costs.
3. Margin compression. This means input costs rise faster than the
prices received from sales of the products sold leading to
decreasing margins over time. As competition has expanded to a
more global environment, and some of the new competitors benefit
from lower costs and even subsidies and protectionist practices in
some countries, many organizations struggle to remain competitive
under such conditions.
4. Technology. This includes, but is certainly not limited to, ERP systems with
built-in supply chain management, product life cycle management, customer
relationship management, supplier relationship management, document
management, and project management functionality. They can also manage
transportation, warehousing, billing, collections, staffing, and payroll. The
migration from in-house or legacy platforms to internet-based data storage and
processing, and even software as a service is transforming how data are
obtained, manipulated, disseminated, and stored. Lastly, access to fast
connectivity anywhere, anytime on ever-smaller devices using broadband and
Wi-Fi connections, is revolutionizing how organizations operate.
5. Growth in Asia and other developing markets. The increasing purchasing
power and wealth creation in emerging markets is opening new opportunities
that many organizations cannot miss.
This is resulting in the search for customers and the related adaptation of sales
and marketing activities to address the different conditions in these diverse
markets.
6. Improved customer analytics. As we move further into the twenty-first
century, it is increasingly apparent that the widespread availability and analysis
of data captured everywhere will result in a better understanding of the
customer, and continue to drive a closer identification of their needs and wants.
7. Data capture and transfer capabilities. Improvements in data storage,
lowering the costs dramatically over the past three decades, improvements in
networking capabilities (local area network [LAN], wide area network [WAN])
and the internet, and enhancements in wireless communications, such as radio
frequency identification (RFID), make it increasingly easy and economical for
organizations to obtain, analyze, and disseminate information in real time or near
real time. This allows organizations to know what is happening throughout their
organizations and correct issues promptly. The widespread use of
communication standards, such as XML, will also facilitate collaboration and
further reduce costs and surprises.
8. Environmental initiatives. Ecological considerations are increasingly becoming
a key concern for organizations. Whether it is the sourcing of materials locally,
sourcing them through fair-trade practices, reducing the amount of inputs and
packaging used, lowering the amount of waste generated, manufacturing goods
using recycled components, or producing items from reused ingredients,
environmental considerations are affecting how organizations are perceived and
in some cases even steering buying decisions. The focus is not limited to what is
produced, but also how items are produced and even under what conditions.
9. Government involvement. While the degree of acceptance of government
involvement varies by country and changes over time, governments in general
are increasingly becoming more involved in the support of private sector
activities. This is the result of a greater understanding of the role that
governments can play to facilitate trade, provide protection under the rule of
law, educate populations, build needed infrastructure, provide favorable tax
regimes, and reduce financial controls to facilitate the flow of capital.
10. Geo-political risks. The rise of extremism around the world threatens
organizations’ abilities to operate freely around the world. This
ranges from bombings of the facilities of companies in the oil and gas and other
extractive industries to attacks on the general population that frighten tourists
and affect the tourism industry (e.g., airlines, hotels, restaurants, and
museums). This also affects organizations’ strategic plans, their strategic
alliances, and their ability to deploy workers in places where conditions can
change from peaceful to hostile almost overnight.
11. Corruption. Defined as dishonest or unethical conduct by a person entrusted
with a position of authority, often to acquire personal benefit, it includes many
activities including bribery and embezzlement, though it may also involve practices
that are legal in many countries, such as blatant favoritism and nepotism,
discrimination, and largesse.
It occurs when a government official or private sector employee acts in an official
capacity for personal gain. It distorts the market by shifting resources to less
productive purposes and increases the cost of doing business by forcing additional
payments. It also creates skepticism and suspicion. In the public sector, it limits the
welfare of the population and is often evidenced in substandard infrastructure,
child labor, human trafficking, high child mortality, poor education standards, and
environmental damage.
END