Successful risk awareness cultures are those in which employees at all levels of the organization recognize the crucial nature of managing risk. Too often, risk assessment and risk management initiatives die prematurely because there is a lack of ownership or committed responsibility over the process. Interestingly, this absence of commitment to the process exists because “What do we do with it?” goes unanswered by leadership. This article highlights how risk assessments can be more than a concept and become a critical component of an organization’s success strategy.
Let’s start with some basic definitions. Risks are potential internal or external events that may have an adverse effect on an organization’s objectives. Risks are, essentially, the what-could-go-wrongs (WCGWs) to which every organization is subject merely by existing and operating. Examples of some general risks may be delays, inefficiencies, or significant monetary losses encountered due to inadequate project planning. The existence of risk is no reason to panic; instead, risks should be proactively addressed to minimize the cost of disruption. Internal controls help an organization achieve these objectives by providing assurances against risk. Most internal controls rarely eliminate risk altogether, although they may in some cases. Their design does not typically entail elaborate special initiatives; they are part of day-to-day tasks. It takes a great deal of intentionality to identify day-to-day tasks that are internal controls and elevate the level of accountability tied to their execution.
There are myriad risk factors facing every going concern. Therefore, an organization must develop its own comprehensive risk library, and it is critical that all operating units and support functions are involved. The method by which this inclusive approach is implemented will depend on the size, structure, and culture of the organization. At larger organizations, questionnaires are the handiest tool to start with, while at smaller organizations, workshops and brainstorming sessions will get the ball rolling just as effectively. The goal is to get each operating unit and support services leader thinking about any risks that could keep them from achieving their objectives. Streamlining this into categories that are most relevant to the organization’s industry can be helpful in this process. Examples of categories identified as risks may include operational, financial, regulatory, strategic, etc.
Another approach that has proven effective is to pose questions to work groups about significant new initiatives undertaken by each, as well as how companywide initiatives have affected the resources within their respective areas. Ask about concerns with fraud and unethical practices, and get their interpretation of how economic conditions impact their goals and objectives. All of this will inspire leaders to think deeper and broader about what risks they are susceptible to. The deliverable from this exercise is a comprehensive list of relevant WCGWs – preferably sorted by risk category.
Adding quantitative measures to risk assessment is the next step in this process. Here, it is advisable to engage a smaller set of stakeholders. The organization’s designated risk assessment facilitator will work with a smaller group of advisers to design a risk rating scale and then rank the risks. The objective is to measure the effect on the organization should the WCGW occur (impact); how likely the WCGW is to happen (likelihood); and the effectiveness of controls in place to minimize the potential impact (assurance). Ultimately, the deliverable from this exercise is a calculation of inherent risk and residual risk.
Inherent risk is the level of risk that exists without taking into account any existing control and mitigation activities. Residual risk is the level of risk after taking into account existing controls and mitigating activities. Inherent risk is calculated as impact multiplied by likelihood. For example, using a five-point rating scale for impact and likelihood, where 5 is high impact and high likelihood, respectively; and 1 is the lowest possible score for both elements, an inherent risk score of 15 would be recorded for a risk deemed to be a 5 for impact and 3 for likelihood. Residual risk is calculated by multiplying the inherent risk by a determined assurance risk factor. Assurance risk rankings are inversely related to impact and likelihood rankings. Using the same five-point rating scale as an example, the assurance score for a risk with mature governing controls will be ranked closer to a 1 than a 5. In other words, unlike impact and likelihood, a positive assurance score will be assigned a lower ranking. The assurance risk factor applied to residual risk would be assurance risk ranking divided by the ranking scale, which in this example is 5. Inherent and residual risk scores for a risk with the rankings detailed below is as follows: With an impact of (5), a likelihood of (3), and an assurance (2), inherent risk is 15 (5 x 3) and residual risk is 6 (15 x 2/5).
Of course, a big logistical question remains: “Who should do all of this?” That depends on the type and structure of the business being reviewed. Finance and accounting leadership is a good place to start. Ideally, an individual with fiscal understanding should serve as the facilitator of the process because the measurement of risk impact typically has a bearing on financial materiality. Similarly, the definition and ranking of the assurance factor should be completed by an individual with a good understanding of internal controls. The likelihood of occurrence can be predicted based on prior experience and industry/economic factors.
To be most effective, parties that participate in the risk-ranking process must be well educated on the rating scale and the implications of each element therein. Quantitative metrics are undeniably the most objective – and the most impactful – measures to use for risk rankings. They make for a scalable and adaptable process.
With the seemingly easy part done, the more daunting challenge is how to weave the process into the organization’s fabric. Here are a few tried-and-true techniques:
- Periodically review the list of mitigating controls for completeness.
- Account for and celebrate ongoing mitigation (day-to-day activities). This could include highlighting the dollar value of issues avoided by the employees’ diligent performance of day-to-day tasks. The organization’s finance function will be critical in making such estimates.
- Periodically test controls for effectiveness. Establishing an internal audit (IA) function will be ideal for this step. Those charged with governance will ensure that the IA plan adequately addresses enterprisewide risks. Testing frequency and methodology can be determined by the IA function.
- Focus on outcomes by answering this question for each: What is this control designed to achieve? It is not enough to “check the box” during control testing. A thorough understanding of what the control exists to achieve is important. For instance, to verify that a stack of purchase orders were properly approved prior to ordering and processing a transaction, simply looking for a signature will not provide adequate assurance. An impactful next step would be an inquiry that reveals whether a thorough understanding and appreciation of the organization’s approval authority policy exists amongst management staff.
- Assign executive-management sponsors and responsibilities to each risk. These individuals will see to the design and enhancement of internal controls that mitigate the impact or likelihood of each risk. Determining where executive ownership and responsibility for risks should be placed can be a fairly straightforward process. For example, the chief information officer is typically the sponsor for information-security-related risks. At a dedicated meeting of executive management, definitions of risk sponsorship responsibilities should be discussed and agreed upon. Topics such as how the executive sponsor will go about determining risk-mitigation progress, the process for establishing new controls, and the frequency of reporting to executive management should be discussed and aligned.
- Assign risk-governance responsibilities. These should be board and/or executive-management-level decisions. A member of executive management should lead the same type of discussion described in the previous bullet point at the board level. Board committees (if applicable) will receive risk-monitoring responsibility and will have the responsibility to provide status and progress reports to the full board.
- As alluded to above, determine progress report frequency and content. Ideally, enterprisewide risk should be a standing topic on every executive team and board meeting agenda. Each of those leadership groups may elect to only address risks with the highest inherent and/or residual risk scores. Either way, the leadership teams should be requesting and reviewing reports tied to the evolution and overall outlook of their respective risk assignments, and they should be asking critical questions about status of mitigation.
To keep the process from dissipating, organizations should deliberately explore risk awareness as a lifestyle. As with all important organizational objectives, fusing risk awareness into the company DNA starts with leadership: once members of leadership own it, they will influence business unit managers and staff at all levels to own their responsibility for risk awareness and management. Business plans and annual budgets, for instance, should reflect investments in internal controls. Information technology leadership should guide business units to complete technology-specific vulnerability assessments and analyze the business impact of technology vulnerabilities. Finance leadership could incorporate scenario planning into tactical and strategic business plans to forecast the effort and resources needed to adapt and thrive in any possible future. Operations leaders should also guide their teams to consider the snowball effect that results from multiple risk exposures.
The major themes discussed here are inclusion and awareness with a great deal of intentionality. Those ingredients are critical for taking risk libraries and assessments from mere paper documents to active practice.
Adanma C. Akujieze, CPA, CISA, CIA, is chief financial officer and treasurer for Larson Design Group, and a member of the
Pennsylvania CPA Journal Editorial Board. She can be reached at firstname.lastname@example.org.