Chapter 3 Risk Assessments

This document provides information on conducting risk assessments, including identifying, measuring, and analyzing risks. It discusses identifying risks, common risk types, measuring likelihood and impact, using a risk matrix, assessing control types, identifying organizational hazards, and conducting control self-assessments. Key aspects covered include using a variety of methods to comprehensively identify risks, qualitatively or quantitatively measuring likelihood and impact, and analyzing the interaction of risks and controls.


Chapter 3: Risk Assessments

PrE02 - Operations Auditing


Risk Assessments
A risk assessment is the process of identifying, measuring, and analyzing risks relevant to a program or process. The assessment is systematic, iterative, and subject to both quantitative and qualitative inputs and factors. It also depends on the timeframe of the review.
Risk Identification
Risk identification takes the form of a list of risks. If a risk has not been identified, it won't be measured or analyzed either.

Internal auditors sometimes fail to identify relevant risks because they lack in-depth knowledge of the process being audited. This highlights the importance of auditors doing sufficient planning and research so that they are familiar with the activities involved.
Ways to Effectively Identify Risks
1. Include in the risk identification process people with extensive knowledge of the program or process that will be analyzed.
2. Use a prepared list. There are multiple templates and lists available, often organized by industry. COSO, ISO, Information Technology Infrastructure Library (ITIL), CVNET, and others have prepared lists that can help to identify some of the key risks that should be included in the assessment.

Operational Risk Types

Capacity
- Inability to produce as many units as required
- Process generating excessive amounts of waste
- Producing too many defective parts (i.e., error rate)
- Delivering ordered goods or services past the promised date
- Inability to provide high quality service to every customer

Strategic
- Failing to maintain beneficial relationships with customers
- Computer system's inability to support the operating unit's needs
- Manufacturing lines being unable to keep pace with sales growth
- Lack of funding to finance business expansion
- Knowledge drain due to employee turnover
- Failure to respond to changing customer preferences

Operational Risk Types (continued)

Compliance
- Failure to meet external requirements (e.g., laws and regulations)
- Failure to meet internal standard operating procedure (SOP) requirements
- Failure to meet combined requirements (e.g., contracts)

Natural Environment
- Energy supply disruption
- Damage from fire, water, or natural disasters (e.g., floods, earthquakes, hurricanes, and tornadoes)
- Inability to secure needed resources (e.g., water and minerals)
- Dependency on carbon-based sources of energy
- Business interruption caused by disease

Political
- Changes in legislation or regulation due to government changes
- Social unrest triggered by changes in government
Internal constraints in an organization that an internal auditor should remember:

Equipment. The types of equipment available and the ways they are used limit the ability of the process to produce more high quality goods and deliver services.

People. Lack of skilled and motivated workers limits the productive capacity of any process. Attitudes and other mental models (e.g., feeling defeated, victimized, or hopeless) embraced by workers can lead to behaviors that become a constraint on the process.

Policies. Written and unwritten policies can prevent the process from producing more, or higher quality, goods and services.

In addition, when evaluating internal dynamics and risks, internal auditors should be concerned about:
- The slowest operation in a process
- The synchronization of activities within or between processes
- Robbing materials and other resources within or between processes or units
Measurement of Risks
The measurement process can be either subjective or quantitative, and either driven by facts or not. Subjective measures are driven by the participants' experience and intuition about the risks involved. Quite often, risks are measured using a three-point scale of high-medium-low. This can also be done using a five-point scale like the samples below.

Likelihood of the risk: rare - unlikely - possible - likely - almost certain

Impact of the risk: insignificant - minor - moderate - major - catastrophic
[Rating tables not reproduced: impact ratings by range, likelihood ratings by range, expanded impact ratings, expanded likelihood ratings.]
The Risk Matrix
The risk matrix is a widely used and highly effective tool to record and analyze the objectives, risks, and controls in the program or process being audited, as defined in the scope. The risk matrix is an essential ingredient when conducting risk-based audits, as it provides a means to capture and analyze these items. The layout varies by organization, but it generally follows the form shown in the figure.
[Figure: Risk Matrix (not reproduced).]
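One way to put the five-point scales and the matrix into practice, as an added example that is not part of this chapter or of Murdock's text: a small Python risk register that scores each risk as likelihood x impact on the scales listed above, assigns a band, ranks the register, and flags high-band risks that have no recorded control. The band cut-offs, the band names, and the sample register entries are assumptions made for the example; an organization substitutes its own.

```python
"""Risk register scoring on the five-point likelihood/impact scales.

Added example; the scales match the measurement section, everything else
(band thresholds, sample entries) is assumed for illustration.
"""
from dataclasses import dataclass, field

# Five-point scales, in the order given in the measurement section.
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
IMPACT = ["insignificant", "minor", "moderate", "major", "catastrophic"]

# Band cut-offs on the 1..25 product are an assumption for this example;
# each organization fixes its own in the matrix layout it adopts.
BANDS = ((20, "extreme"), (10, "high"), (5, "medium"), (0, "low"))


@dataclass
class RiskEntry:
    """One row of the risk matrix: objective, risk, ratings, controls."""
    objective: str
    risk: str
    likelihood: str                                # a label from LIKELIHOOD
    impact: str                                    # a label from IMPACT
    controls: list = field(default_factory=list)   # controls recorded as in place


def scale_value(label: str, scale: list) -> int:
    """Map a qualitative label to its 1-based position on a scale.

    Raises ValueError for a label that is not on the scale, so a typo in
    the register is caught instead of silently scoring as zero.
    """
    try:
        return scale.index(label.strip().lower()) + 1
    except ValueError:
        raise ValueError(f"{label!r} is not on scale {scale}") from None


def score(entry: RiskEntry) -> int:
    """Inherent risk score = likelihood value x impact value (1..25)."""
    return scale_value(entry.likelihood, LIKELIHOOD) * scale_value(entry.impact, IMPACT)


def band(value: int) -> str:
    """Translate a score into the band used to colour the matrix."""
    for threshold, name in BANDS:
        if value >= threshold:
            return name
    return "low"


def rank_register(register: list) -> list:
    """Return (score, band, entry) tuples, highest score first."""
    ranked = [(score(e), band(score(e)), e) for e in register]
    ranked.sort(key=lambda t: t[0], reverse=True)
    return ranked


def uncontrolled_high_risks(register: list) -> list:
    """Risks banded 'high' or above with no recorded control: the gaps an
    audit program should look at first."""
    return [e.risk for e in register
            if band(score(e)) in ("high", "extreme") and not e.controls]


# Constructed sample register (illustrative entries, not from the source).
SAMPLE_REGISTER = [
    RiskEntry("Ship orders on time", "Bottleneck at final assembly",
              "likely", "major", ["daily capacity review"]),
    RiskEntry("Comply with data protection law", "Customer data disclosed by vendor",
              "possible", "catastrophic"),
    RiskEntry("Keep production running", "Regional power outage",
              "unlikely", "moderate", ["backup generators"]),
    RiskEntry("Retain know-how", "Key engineer leaves",
              "possible", "minor", ["documentation standard"]),
]

if __name__ == "__main__":
    for s, b, e in rank_register(SAMPLE_REGISTER):
        print(f"{s:2d} {b:8s} {e.risk} (controls: {', '.join(e.controls) or 'none'})")
    print("needs control attention:", uncontrolled_high_risks(SAMPLE_REGISTER))
```

Running the script prints the register ranked by inherent score; with the sample data the vendor-disclosure risk scores 15 (high) and is the only high-band entry without a control, which is the kind of gap the matrix is meant to surface. The product of two ordinal ratings is a ranking aid, not a measurement: a "high" band from two middling ratings and a "high" band from an extreme impact deserve different treatment, so the band is a prompt for analysis rather than a conclusion.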
Assessing Risk and Control Types
Risk assessment is a process that is often done repeatedly. The process begins by identifying potential hazards and analyzing those items to determine what could happen if the hazard were to occur.

An important aspect of risk assessment is identifying and quantifying the assets that are at risk.

The word "asset" is usually associated with monetary resources and tangible goods (e.g., buildings, vehicles, machinery, and inventory). Reputation and the health and safety of both employees and customers are also assets, because a poor reputation or injuries are a critical consideration in any risk assessment.
Vulnerability
Vulnerability is defined as the "degree to which people, property, resources, systems, and cultural, economic, environmental, and social activity is susceptible to harm, degradation, or destruction on being exposed to a hostile agent or factor."
Approaches for identifying relevant events
Objectives based. Identify events that may hinder the ability of the organization to achieve its objectives partially or completely. In this case, brainstorming and the Delphi method may be useful techniques to collect the relevant information and assess the impact of these events. Note that the event does not have to be negative in its immediate interpretation. For example, the rapid changes in the availability of broadband, apps, and the way consumers used cellphones changed industry dynamics, limiting BlackBerry's market share, while Apple, Samsung, and LG leveraged these dynamics and grew rapidly. The event was the same, but the impact on the organization was significantly different for the companies mentioned.

Scenario based. Create different scenarios or alternative ways of achieving objectives and determine how forces interact. A useful approach is to identify triggers that can start or stop different scenarios from occurring. By identifying and understanding the triggers caused or accelerated by these scenarios, the organization can better prepare itself to leverage opportunities and avoid negative consequences.
Common-risk checking. Use a prefabricated list of common risks in your industry or area of scope.

Risk charting. A combination of the above approaches: list the resources at risk and the threats to those resources, then identify the risk factors and the consequences. Hazards are of concern to the extent that they can result in some kind of loss to the program, process, or organization. The impact of these hazards and how to reduce them is the next aspect of the risk assessment process. This is referred to as mitigation.
Organizational Hazards
[Figure: Relationship of Hazards, Assets at Risk and Organizational Impact (not reproduced).]
Control Self-Assessments
CSAs consist of questionnaires and other forms that process owners complete to identify the major activities in their programs and processes, the objectives, risks and controls, the individuals that perform key tasks and controls, and the major challenges affecting these programs and processes. CSAs require managers to think about the design and condition of their areas of responsibility, and to assess the presence and quality of the related controls.
Business Activities and Their Risk Implications
Assemble to order. This is a type of production system where the material is prepared so it can be
assembled quickly upon receipt of the customer request and is usually customizable to a certain
degree. In general, the parts are already manufactured, but won’t be assembled until the order is
received. This strategy is between two other common manufacturing strategies: make to stock (MTS)
and make to order (MTO).

MTO. This methodology involves manufacturing only after a customer’s order is received, so the
process begins when demand occurs. This is a pull-type supply chain operation because manufacturing
is performed when demand is confirmed.

MTS. When using this methodology, products are manufactured based on demand forecasts. Since the
accuracy of the forecasts will prevent excess inventory on one end, and minimize the opportunity loss
due to stockouts on the other, the issue for organizations is how to forecast demands accurately.
Bottleneck. This term refers to a point in a process where there is limited productive capacity and the
flow slows down. This constriction can slow or even stop the flow of work until some intervention
occurs, or time passes allowing items to move through, while other incoming items continue to
accumulate. When input comes in faster than the speed of the process, accumulation starts to occur.

Collaborative inventory management. Consists of the cooperation between a buyer and a supplier to
improve stock availability and reduce costs. This is often accomplished by sharing forecast information
and using a single plan.

Consignment. This is an inventory management and replenishment method where a buyer only
pays for the products held at a third party location when the items have been sold to the customer.
Unsold products can usually be returned to the supplier as well.
Cycle time. The time (and the related cost) needed for a product or service to move through part or all of a supply chain; reducing cycle time is a common improvement objective.

Distribution center (DC) bypass or drop ship. This activity refers to circumventing the DC or
entire distribution channel by routing freight directly to its destination. In other words, move
products from the manufacturer directly to the retailer or end user without going through the
typical distribution channels.

Electronic data interchange (EDI). EDI consists of standardized sets of data transmitted between business partners during business transactions. By using the same standard, two companies can exchange documents, reduce their reliance on paper, and reduce human interaction, saving time and money. Another benefit is that backed-up electronic documents are more easily retrievable, storage costs are reduced, and the records are protected from natural hazards (e.g., fire, water, and deterioration).
Inventory. Stock of raw materials, semifinished goods (e.g., work in process), or finished material held to
protect the organization against unpredictable, uncertain, or erratic supply or demand with the
objective of avoiding stock-out situations. While it is common practice to maintain inventory of various
quantities and types, at different locations within a facility or multiple locations within a supply chain,
managed by the owner of the items or by third parties, the concept of inventory management has
changed over time.
Future Challenges and Risk Implications
Increased outsourcing. Using offshore outsourcing firms carries risk and challenges, including different
regulations, currency exchange exposure, language barriers, cultural differences, the risk of supply chain
disruption, and poor quality. The consequences can be fines, regulatory sanctions, lawsuits, and
reputational damage.

Global sourcing. Whereas most companies used to work with, and obtain their raw and semi-finished goods from, local suppliers, it is commonplace now for organizations to search the globe for suppliers. This is driven by lower prices and the related savings, but also because the quality of foreign-sourced inputs has increased in most cases. While challenges remain, the quality of many foreign-sourced items is acceptable to western companies and in many cases is near or equal to that of western producers, at lower production costs.

Margin compression. As competition has expanded to a more global environment, and some of the
new competitors benefit from lower costs and even subsidies and protectionist practices in some
countries, many organizations struggle to remain competitive under such conditions.
Technology. The number and scale of technological changes over the past two decades is immense.
This includes, but is certainly not limited to, ERP systems with built-in supply chain management,
product life cycle management, customer relationship management, supplier relationship management,
document management, and project management functionality.

Environmental initiatives. The focus is not limited to what is produced, but also how items are produced and even under what conditions. Examples range from placing solar panels on company rooftops and lowering the amount of water consumed in manufacturing and support offices, to reduced use of paper and electricity, more efficient use of natural light, increased use of biofuels, and obtaining energy from renewable sources.

Government involvement. This is the result of a greater understanding of the role that governments
can play to facilitate trade, provide protection under the rule of law, educate populations, build needed
infrastructure, provide favorable tax regimes, and reduce financial controls to facilitate the flow of
capital.
Geopolitical risks. The rise of extremism around the world threatens organizations' ability to operate freely. This ranges from bombings of the facilities of companies in the oil and gas and other extractive industries to attacks on the general population that frighten tourists and affect the tourism industry (e.g., airlines, hotels, restaurants, and museums). It also affects organizations' strategic plans, their strategic alliances, and their ability to deploy workers in places where conditions can change from peaceful to hostile almost overnight.

Corruption. Defined as dishonest or unethical conduct by a person entrusted with a position of authority, often to acquire personal benefit, it includes activities such as bribery and embezzlement, though it may also involve practices that are legal in many countries, such as blatant favoritism and nepotism, discrimination, and largesse. It occurs when a government official or private sector employee acts in an official capacity for personal gain.
Reference:
Operational Auditing by Hernan Murdock
