WHITEPAPER
CONTENTS
INTRODUCTION
SCENARIO ANALYSIS
MONITOR RISKS
INTRODUCTION
The recent news headlines related to subprime mortgage crisis, rogue traders, and corporate
fraud have highlighted that despite investment in risk assessment and risk management
disciplines, significant risk failures persist. While isolated incidents of one-time governance
failures are bound to occur, long-term systemic failures are more than just an isolated anomaly.
The failures may be the result of a clutter of risk information caused by many risk assessments
from many perspectives. The process of organizing these risk assessments to provide
organizations with a more holistic view of enterprise risk is fundamental to mastering risk
assessments. This whitepaper explores approaches to risk assessment, offers some best
practices for conducting risk assessments and provides practical guidance on mastering this
business process.
Exhibit 1
Standard                         Risk   Control
Risk Standard (AS/NZS 4360)      307    7
Audit Standard (PCAOB AS5)       168    635
What is less apparent, and possibly even more significant than the difference in frequency of the
use of the two words, is the fact that these two standards both look at risk and control differently.
When AS5 refers to risk, it is primarily referring to the risk of a missing or broken control. When
AS/NZS refers to control, it refers to one of several risk responses (reject, accept, transfer or
mitigate the risk.) As a result, risk assessment teams find themselves accumulating vast amounts
of information about risk from both risk- and control-focused perspectives. Many different risk
management groups use the same terminology with completely different meaning.
Because it seeks to identify missing or ineffective controls and strengthen them, a control-based
approach has a bias toward increasing controls until the assessor achieves a subjectively
determined level of control effectiveness. Control-based approaches gather and assess vastly
more information about controls than about the specific risk events the controls were designed to
mitigate. In fact, taken to an extreme, control-based approaches completely lose sight of the
business risk they were designed to mitigate. The end result of control-based approaches can
become ensuring the continued existence of effective controls, even if the effective controls are no
longer relevant to the risks they were designed to mitigate.
Risk-based approaches can be described as those that provide a ratio of at least 2:1 of risks to
controls and generally have the opposite bias, producing significant amounts of information
about risk events, their type, frequency, level, impact and root cause. With the capture of proper
risk information, risk-based approaches provide management a better perspective on the significance
and likelihood of risk events and enable management to prioritize the materiality of
mitigating controls.
One of the major reasons for the ineffective execution of risk assessments is the significant focus
on controls. The control-based approach is used to identify and assess controls, or more
specifically the risk of missing or broken controls; the risk-based approach is used to identify and
assess risk events, or risks that could impact the achievement of business objectives. Risk
assessments are much more effective when using a true risk-based approach.
ADOPT A COMMON CATEGORIZATION OF RISK TYPES
To assist in the discipline of risk assessment, it is important to have a common taxonomy and
categorization of risk types. The risk management community has provided numerous risk
models to categorize risks into types for reporting and analysis purposes. For example, in their
recent proposal to evaluate management’s enterprise risk management practices, Standard &
Poor’s suggested a list of possible risk types, shown in Exhibit 2.
Exhibit 2
With a library of common sets of risk categories, risk assessment practitioners are better able to
identify the organization's risks and can pull together risk information in a concise profile that
helps users understand and monitor identified exposures.
PARSE THE RISK JUMBLE
Risk information must be organized to be understood and managed. In the jumble of risk
information that is currently being gathered, some of the information is about controls or more
accurately missing or broken controls, some of it is about risk events (the events the controls were
designed to mitigate) and some of the information describes the primary or secondary
consequences of the risk events if they occur. The result is a mass of information that is described
as risk, but it is not all risk (See Exhibit 3).
Exhibit 3
To assist in sorting through this information, it is recommended to parse the information into
a simple model of:
• Root cause
• Risk
• Consequence
• Downstream effect
Exhibit 4 illustrates how risk information can be categorized as root cause, risk event,
consequence and downstream effect. In this example, the broken shoelace is the root cause,
falling is a risk, a sprained wrist is the consequence and the downstream effect is medical bills. In
business it is important to delineate what is the root cause and what is the risk. At first glance,
many identify the broken shoelace as the risk. However, the risk is the adverse outcome of the
root cause, not the root cause itself.
Exhibit 4
There are several root causes that can create the risk “Trip and fall”. When conducting a risk
assessment one should not assume a static relationship between a root cause and a risk event.
This may lead to overlooking other root causes and failing to address the risk.
SCENARIO ANALYSIS
The discipline of scenario analysis is critical to effective risk assessments because it forces one to
ask, “What could go wrong in the future?” Scenario analysis is the process of analyzing a number
of possible future events and focuses attention on all possible outcomes of an event occurring
and the associated impacts. Proper scenario analysis improves decision-making by allowing
management to more completely consider various outcomes and their implications to an
organization.
For example, in looking at the scenario of fraudulent trades occurring, the following questions
need to be evaluated:
1. Where does trading activity take place?
2. What kinds of trading take place?
3. What are all the ways unauthorized trading could take place?
To avoid scenario analysis becoming a time consuming and burdensome activity, management
should focus on those risks that have been identified as the most material to the strategy of the
business and that have the highest significance or likelihood of occurring.
Once the risk assessments are scored using a risk table, they should be sorted from highest to
lowest. This allows organizations to address the highest risks first. Once identified, there are
essentially four ways to deal with each risk:
Reject the risk: Rejecting risk is the head-in-the-sand approach. Some managers tend to ignore
difficult challenges with the hope that they will simply disappear. This approach will rarely result
in a successful defense against the risk event occurring.
Accept the risk: A common action to take is to accept the stated risk. For example, if the controls
necessary to eliminate or mitigate key vulnerabilities are a greater financial burden to an
organization than the actual risk impact, then it’s probably a good idea to use the budget dollars
in other areas.
Transfer the risk: An alternative to accepting a higher than reasonable risk when the cost of
controls is too high is to purchase insurance to lower the business impact of an incident. This is a
common risk management step.
Mitigate the risk: Risk mitigation typically focuses on managing the areas where the
organization is most vulnerable. Risk mitigation involves the identification and management of
risk mitigating controls.
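The four-part model above (root cause, risk event, consequence, downstream effect), the risk-table scoring and sorting, and the four responses can be held in one small risk register. The following is an added example written for this page, not the paper's own tooling or Paisley's product: the 5×5 likelihood/impact scale, the register entries and the cost figures are constructed, and the accept/transfer/mitigate rule simply follows the paper's stated reasoning (controls costing more than the risk they address point to accepting or insuring it).

```python
"""Risk register illustrating the root cause / risk event / consequence /
downstream effect model, risk-table scoring, ranking and the four responses.
Added example: scale, entries and cost figures are constructed, not from the paper."""
from __future__ import annotations

from dataclasses import dataclass

# Assumed 5x5 risk table: score = likelihood rank x impact rank. The paper does not
# define its table; this is a common convention used here for illustration.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# The four responses named in the paper. "reject" (ignoring the risk) is recorded
# as an option but never recommended by recommend_response().
RESPONSES = ("reject", "accept", "transfer", "mitigate")


@dataclass
class RiskEvent:
    event: str                  # the adverse outcome itself, e.g. "Trip and fall"
    root_causes: list[str]      # several causes may lead to the same event
    consequence: str            # primary consequence if the event occurs
    downstream_effect: str      # secondary effect of that consequence
    likelihood: str             # key into LIKELIHOOD
    impact: str                 # key into IMPACT
    expected_loss: float        # constructed annualised loss estimate
    control_cost: float         # constructed annual cost of mitigating controls
    insurable: bool = False     # whether the impact can be transferred via insurance

    def score(self) -> int:
        """Risk-table score used to sort the register (higher = address first)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def rank_register(register: list[RiskEvent]) -> list[RiskEvent]:
    """Sort from highest to lowest score so the biggest risks are handled first."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def recommend_response(risk: RiskEvent) -> str:
    """Choose among accept / transfer / mitigate using the paper's reasoning:
    if the controls cost more than the risk they address, spend the budget elsewhere
    (accept), or buy insurance when the impact is insurable (transfer); otherwise
    identify and manage mitigating controls (mitigate)."""
    if risk.control_cost > risk.expected_loss:
        return "transfer" if risk.insurable else "accept"
    return "mitigate"


def build_register() -> list[RiskEvent]:
    """Constructed sample register. Note that each event is keyed on the adverse
    outcome, not on a single root cause, so new causes can be added later."""
    return [
        RiskEvent("Trip and fall", ["broken shoelace", "wet floor"],
                  "sprained wrist", "medical bills",
                  "likely", "minor", expected_loss=5_000, control_cost=20_000,
                  insurable=True),
        RiskEvent("Data center power outage", ["utility failure"],
                  "service downtime", "missed service-level commitments",
                  "rare", "major", expected_loss=10_000, control_cost=50_000),
        RiskEvent("Unauthorized trading", ["inadequate segregation of duties",
                                           "shared trader credentials"],
                  "unauthorized positions", "trading losses and regulatory fines",
                  "possible", "severe", expected_loss=2_000_000, control_cost=150_000),
    ]


if __name__ == "__main__":
    for r in rank_register(build_register()):
        print(f"{r.score():>2}  {r.event:<26} causes={r.root_causes} "
              f"-> {r.consequence} -> {r.downstream_effect}  "
              f"response={recommend_response(r)}")
```

Running the block prints the register sorted by score with the recommended response for each row; the "Trip and fall" entry carries two root causes, which is the point made under Exhibit 4 about not assuming a static one-to-one relationship between cause and risk event.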
MONITOR RISKS
A best practice in mastering risk assessments is to establish standard metrics for the
consequences and outcomes that will drive business decisions. Common metrics are classified
as key performance indicators (KPI) and key risk indicators (KRI).
A KPI is part of a measurable objective and helps an organization measure progress towards
goals, especially toward difficult-to-quantify knowledge-based processes. KPIs are made up
of a direction, benchmark, target and time frame.
A KRI measures how risky an activity is. It differs from a KPI in that the KPI is meant as a measure
of how well something is being done. A KRI is an indicator of the possibility of a future adverse
impact. The idea behind the KRI is to provide a set of agreed indicators, which can range from the
simple, such as staff turnover, to the more sophisticated, such as a complex calculation for
measuring operational performance. The behavior of KRIs should signal how well or how badly a
firm is managing potentially costly operational hazards such as fraud, legal risk, technology
failure and trade settlement errors.
Knowledge of consequences is essential for risk management decisions. The nature and
magnitude of the consequence will drive business decisions. Established KPIs and KRIs place
some established metrics on measuring these consequences and outcomes.
Risk-based approaches to management hold significant promise. If risks are understood in terms
of cause/effect relationships, governance failures and losses should be prevented. If variance in
expected business or process performance is viewed from a risk perspective as unmanaged risks,
then business performance should improve or at least become less volatile. Risk assessment is
the foundation of risk management. Organizing the information produced through risk
assessment will allow risk convergence to fulfill its potential.
Paisley, acquired by Thomson Reuters in 2008, is the governance, risk and compliance platform
business unit of Thomson Reuters. Combining Paisley’s market leading software with the
comprehensive Thomson Reuters intelligent information solutions delivers the most
comprehensive GRC solution for audit, risk and compliance professionals. Over 1,400
organizations, spanning 60 countries and serving more than 140,000 users in a wide range of
industries, utilize Paisley GRC solutions to streamline processes, reduce costs of compliance,
manage and mitigate risks, and provide visibility, oversight and assurance.
The Paisley GRC solutions include functionality for audit management, financial controls
management, enterprise risk management, operational risk management, IT governance, and
compliance. Paisley offers several software delivery options including on-premises, hosted
application deployment, or software as a service (SaaS) delivery.
Learn More
Call: 763.450.4700
Email: paisleyinfo@thomsonreuters.com
Visit: paisley.thomsonreuters.com