Performance Standard 2120 - ANS The internal audit activity must evaluate the effectiveness
and contribute to the improvement of risk management processes.
Risk Management - ANS- is "a process to identify, assess, manage, and control potential
events or situations to provide reasonable assurance regarding the achievement of the
organization's objectives" (The IIA Glossary)
- Management must focus on risks at all levels of the entity and take the necessary action to
manage them.
- All risks that could affect achievement of objectives must be considered.
- Processes may be formal or informal, quantitative or subjective, or embedded in business
units or centralized.
- Processes are designed to fit the organization's culture, management style, and objectives.
Risk management processes include: - ANS (1) identification of context
(2) risk identification
(3) risk assessment and prioritization (i.e., risk analysis)
(4) risk response
(5) risk monitoring
Process - Step 1: Identification of Context - ANS- A precondition to risk identification is
identifying the significant contexts within which risks should be managed.
- Contexts include the following:
a. Laws and regulations
b. Capital projects
c. Business processes
d. Technology
e. Market risk (e.g., interest rates, foreign exchange rates, equity investments)
f. Organizations
Process - Step 2: Risk Identification - ANS- should be performed at every level of the entity
(entity-level, division, business unit) relevant to the identified context(s), because the
severity of a risk can depend on the level at which it is identified
- Examples of external risk factors at the entity level include technological changes and
changes in customer wants and expectations.
- Examples of internal risk factors at the entity level include interruptions in automated
systems, the quality of personnel hired, and the level of training provided.
- should consider both past events (trends) and future possibilities
Process - Step 2: Risk Identification - Methods - ANS- Event inventories: lists of potential
events, often provided by software tailored to a particular industry, that can be used as a
starting point for event identification.
- Questionnaires and surveys: Responses can be evaluated to identify potential events.
- Leading event indicators: measures that provide insight into potential events.
- Escalation/threshold triggers: an escalation (threshold) trigger is a condition that a leading
event indicator must satisfy before the potential event is escalated to management. Example:
> Potential event: Manufacturing equipment breakdown, resulting in decreases in production.
> Leading event indicator: Maintenance requests
> Escalation trigger: Two maintenance requests outside of regularly scheduled maintenance
within a 3-month period
- Facilitated workshops & interviews: A facilitator leads a discussion group consisting of
management, staff, or other stakeholders through a structured process of conversation and
exploration about potential events.
- Process flow analysis: A single business process, such as vendor authorization and
payment, is studied in isolation to identify the events that affect its inputs, tasks,
responsibilities, and outputs.
- Loss event data methodologies: The losses associated with adverse events in the past can
be used to make predictions. An example is matching workers' compensation claims with the
frequency of accidents.
- Brainstorming
- SWOT (strengths, weaknesses, opportunities, and threats) analysis
- Scenario/what-if analysis
Process - Step 3: Risk Assessment & Prioritization - ANS- may be formal or informal
- involves:
(a) assessing the significance of an event
(b) assessing the event's likelihood
(c) considering the means of managing the risk
- prioritize risks and produce decision-making information
- Qualitative methods include:
(1) lists of all risks
(2) risk rankings
(3) matrix risk maps - plot risks on a chart with likelihood on one axis and impact on the other
axis
(4) heat maps - present risk levels by colour, with risks of the same likelihood, impact, or
severity assigned the same colour
- Quantitative methods include probabilistic models, such as earnings-at-risk models that
examine how variables influence earnings
Process - Step 3: Risk Assessment & Prioritization - Risk Modeling - ANS- a method of risk
assessment and prioritization.
- ranks and validates risk priorities when setting the priorities of engagements in the audit
plan.
- Risk factors are weighted by their relative significance using professional judgement, and
those judgements need to be quantified
- Open channels of communication with senior management and the board are necessary to
ensure the audit plan is based on the appropriate risk assessments and audit priorities.
- The audit plan should be reevaluated as needed.
Process - Step 3: Risk Assessment & Prioritization - Risk Modeling in a consulting service -
ANS is done by ranking the engagement's potential to: