Module 3 - Risk Assessments
Module 3 - Risk Assessments
Module 3 - Risk Assessments
RISK ASSESSMENTS
ACELEC 332
Risk Assessments
A risk assessment is the process of identifying, measuring, and
analyzing risks relevant to a program or process. This assessment is
systematic, iterative, and subject to both quantitative and qualitative
inputs and factors. Furthermore, it is also dependent on the timeframe
of the review.
(1) Identification of Risks
▪ A key aspect of any risk assessment is the identification of the
relevant risks. This takes the form of a list of risks.
▪ Internal auditors sometimes fail to identify relevant risks due to their
lack of in-depth knowledge about the process being audited. This is
understandable to a certain extent because they are external
reviewers.
▪ To avoid these issues, it is useful to include in the risk identification
exercise people with an extensive knowledge of the program or
process that will be analyzed. This includes executives, employees
with specialized technical skills, and those with long tenure in the
organization.
▪ The following are some of the common risks that operational auditors
should consider during their risk assessments. Not all risks are
applicable to every organization because differences in industry,
business activities, geographic location, and size of organization make
a difference. In addition, when performing operational reviews,
auditors must examine a wider assortment of risks, and not just
financial ones.
Financial and Non-
Financial Risks
Financial Non-Financial
1) Construction Delay 1) Dynamic Risk
2) Currency Risk 2) Inherent Risk
3) Interest Rate Risk 3) Contingent Risk
4) Equity Risk 4) Customer Risk
5) Corporate Bond Risk 5) Regulatory Risk
6) Liquidity Risk 6) Reputation/Damage Risk
7) Counter-Party Risk 7) Organizational Risk
8) Maintenance Risk 8) Interpretation Risk
9) Taxation Risk
10)Reinvestment Risk
11)Country Risk
It is imperative for internal
auditors to remember that
there are internal and
external constraints
in organizations. Internal
constraints typically include
Equipment - The types of
equipment available and
the ways they are used
limit the ability of the
process to produce more
high-quality goods and
deliver services.
(2) Measurement of Risks
▪ The measurement process can be either subjective or quantitative,
and either driven by facts or not. Subjective measures are driven by
the participants’ experience and intuition about the risks involved.
• Quite often, risks are measured using a three-point scale of high–
medium–low. Using these measures, the impact (or consequence) of
the risk, if it were to materialize, and the likelihood of the risk, if it
were to occur, are rated. This can also be done using a five-point
scale, with likelihood measures of rare–unlikely–possible–likely–
almost certain. Impact (or consequence) measure may include
insignificant–minor–moderate–major–catastrophic.
✓ When calculating the impact or consequence of a fire in a warehouse,
the likelihood can be based on intuition and the level of concern over
the items being stored and worked upon in the warehouse. A more
quantitative approach would involve contacting insurance
underwriters and actuaries who have statistical information about
the incidence of fires in warehouses storing the materials in question.
✓ If we consider the likelihood of delivery trucks having a roadside
accident, the quantitative measure can be improved by looking at the
National Transportation Safety Board and insurance industry data
showing the accident rate of similar vehicles per 100,000 miles on the
road. That figure can be adjusted for area density (urban vs. suburban
vs. rural routes), weather conditions (e.g., snowy locales vs. rainy vs.
arid), topography (e.g., hilly vs. flat), time (e.g., daytime vs.
nighttime), and cargo weight (e.g., light vs. heavy loads).
✓ The impact to the organization and its operations should there be a
fire in the warehouse can be based on beliefs and assumptions, or
they can be based on the replacement value of the building and the
average (or highest) value of the inventory stored in the facility. These
figures can be adjusted periodically to make sure that the
measurements are as accurate as reasonably possible.
Risk Matrix
The risk matrix is a widely used and highly effective tool to record and
analyze the objectives, risks, and controls in the program or process that
is being audited as defined in the scope definition. The risk matrix is an
essential ingredient when conducting risk-based audits, as they provide
a means to capture and analyze these items.
Future Challenges and Risk
Implications
1) Increased outsourcing. Initially, it was touted as a great mechanism
to reduce expenses, boost productivity and efficiency, and free the
organization, so it could focus on its core activities. This practice is
consistent with the business strategy arguments posed by Michael
Porter related to competitive advantage and the ways that
organizations can beat their competition: lower cost or
differentiation.
2) Global sourcing. Whereas most companies used to work with and
obtain their raw and semifinished goods from local suppliers, it is
commonplace now for organizations to search the globe for
suppliers. This is driven by lower prices and the related savings, but
also because the quality of foreign-sourced inputs has increased in
most cases.
Future Challenges and Risk
Implications
3) Margin compression. As competition has expanded to a more global
environment, and some of the new competitors benefit from lower
costs and even subsidies and protectionist practices in some
countries, many organizations struggle to remain competitive under
such conditions.
4) Technology. The number and scale of technological changes over the
past two decades is immense. This includes, but is certainly not
limited to, ERP systems with built-in supply chain management,
product life cycle management, customer relationship management,
supplier relationship management, document management, and
project management functionality. They can also manage
transportation, warehousing, billing, collections, staffing, and payroll.
Future Challenges and Risk
Implications
5) Growth in Asia and other developing markets. The increasing
purchasing power and wealth creation in emerging markets is
opening new opportunities that many organizations cannot miss.
This is resulting in the search for customers and the related
adaptation of sales and marketing activities to address the different
conditions in these diverse markets.
6) Improved customer analytics. In the past, organizations focused on
mass production to drive down unit costs. Later, glocalization
became commonplace as organizations adopted a global approach,
while attempting to portray a local feel to their marketing of goods
and services. This information is being gathered from credit card
transactions, internet traffic, loan information, POSs devices, and
other means, resulting in the accumulation of data that is
increasingly being mined and analyzed by specialists.
Future Challenges and Risk
Implications
7) Data capture and transfer capabilities. Improvements in data
storage, lowering the costs dramatically over the past three decades,
improvements in networking capabilities (local area network [LAN],
wide area network [WAN]) and the internet, and enhancements in
wireless communications, such as radio frequency identification
(RFID), make it increasingly easy and economical for organizations to
obtain, analyze, and disseminate information real time or near real
time.
8) Environmental initiatives. Ecological considerations are increasingly
becoming a key concern for organizations. Whether it is the sourcing
of materials locally, sourcing them through fair-trade practices,
reducing the amount of inputs and packaging used, lowering the
amount of waste generated, manufacturing goods using recycled
components, or producing items from reused ingredients,
environmental considerations are affecting how organizations are
perceived and, in some cases, even steering buying decisions.
Future Challenges and Risk
Implications
9) Government involvement. While the degree of acceptance of
government involvement varies by country and changes over time,
governments in general are increasingly becoming more involved in
the support of private sector activities. This is the result of a greater
understanding of the role that governments can play to facilitate
trade, provide protection under the rule of law, educate populations,
build needed infrastructure, provide favorable tax regimes, and
reduce financial controls to facilitate the flow of capital.
10) Geo-political risks. The rise of extremism around the world threatens
organizations’ abilities to operate freely around the world. Some of
this is related to bombings on the facilities of companies in the oil
and gas and other extractive industries to attacks on the general
population that frightens tourists and affects the tourism industry
(e.g., airlines, hotels, restaurants, and museums). This also affects
organizations’ strategic plans, their strategic alliances, and their
ability to deploy workers in places where conditions can change from
peaceful to hostile almost overnight.
Future Challenges and Risk
Implications
9) Government involvement. While the degree of acceptance of
government involvement varies by country and changes over time,
governments in general are increasingly becoming more involved in
the support of private sector activities. This is the result of a greater
understanding of the role that governments can play to facilitate
trade, provide protection under the rule of law, educate populations,
build needed infrastructure, provide favorable tax regimes, and
reduce financial controls to facilitate the flow of capital.
10) Geo-political risks. The rise of extremism around the world threatens
organizations’ abilities to operate freely around the world. Some of
this is related to bombings on the facilities of companies in the oil
and gas and other extractive industries to attacks on the general
population that frightens tourists and affects the tourism industry
(e.g., airlines, hotels, restaurants, and museums). This also affects
organizations’ strategic plans, their strategic alliances, and their
ability to deploy workers in places where conditions can change from
peaceful to hostile almost overnight.
Future Challenges and Risk
Implications
11) Corruption. Organizations, indeed, entire economies, continue to
suffer from the scourge of corruption. Defined as dishonest or
unethical conduct by a person entrusted with a position of authority,
often to acquire personal benefit, it includes many activities
including bribery and embezzlement, though it may also involve
practices that are legal in many countries, such as blatant favoritism
and nepotism, discrimination, and largesse. It occurs when a
government official or private sector employee acts in an official
capacity for personal gain. It distorts the market by shifting resources
to less productive purposes and increases the cost of doing business
by forcing additional payments. It also creates skepticism and
suspicion. In the public sector, it limits the welfare of the population
and is often evidenced in substandard infrastructure, child labor,
human trafficking, high child mortality, poor education standards,
and environmental damage.
End of Module 3