Risk Assessment Framework


Transcript of Risk Assessment Framework

Page 1: Risk Assessment Framework

Integrated Risk Assessment

A Proposal

Page 2: Risk Assessment Framework

A Proposal for an Integrated Risk Assessment Process

Risk is the threat that an event or action may adversely affect the business and prevent it from successfully achieving its objectives.

A strong risk assessment process is:
• Robust, but transparent and easily explainable.
• Sufficiently detailed to identify key risks at the activity level.
• Specific enough to reduce subjectivity in the assignment of risk and control ratings.
• Applicable to all business processes, and allows comparison of risks between processes and businesses.
• Based on the framework components of COSO.
• Reliant on Six Sigma tools.

Page 3: Risk Assessment Framework

Process Progression: Risk & Frequency Matrix → Cause & Effect Matrix → Failure Mode and Effects Analysis

Page 4: Risk Assessment Framework

Risk and Frequency Matrix
• A component of the risk assessment process used to assess the risk of the process universe at a relatively high level, determine the cycle of quality control activities and validate the allocation of resources.
• A consistent method for assessing risk of the process universe.
• The starting point for linkage between business unit quality control activities, Internal Audit and Enterprise Risk.
– A model is completed for each department within the Company.
– Each model is reviewed and approved by the line of business.
– Models should be updated at least annually.

Page 5: Risk Assessment Framework

Risk and Frequency Matrix: Risk Profile Analysis → Control Assessment → Compute Residual Risk and Rank

Page 6: Risk Assessment Framework

Risk and Frequency Matrix

Page 7: Risk Assessment Framework

Risk Profile Analysis
Assessment of Inherent Risk and Business Specific Risks
• Strategic Risk
– New products, lines of business.
– Significant growth.
– Relocation of resources.
– Significant Company initiatives.
• Reputation
– Confidentiality/Privacy concerns.
– Impact to the customer.
– Reputation risk/Regulatory.
– Public Relations/Marketing.
• External Influences
– Industry conditions/market trends.
– Competition.
– Social/Political/Environmental.
– National economy.
• Processing
– Complexity.
– Volume.
– Major process changes.
– Degree of manual processes.
– Geographic (multiple locations).
– Multiple systems.
– Reliance on vendors.
• Compliance
– How intensive is regulation? Increasing or decreasing?
– Regulators and rating agencies.
– Financial and operational impact of regulatory issues.

Page 8: Risk Assessment Framework

Risk Profile Analysis – Technology
• Strategic Alignment/Management Importance
– Core activity.
– Business unit activity.
– Local system.
• Continuity
– Consider: business continuity planning, disaster recovery, manual procedures and age/stability of systems.
• Materiality/Complexity
– Consider: budget, revenues generated, resources consumed, transaction volume, number of users, centralized or decentralized, number of interfaces.
• System and Process Change
– Consider: number and nature of changes, level of formality of procedures.

Page 9: Risk Assessment Framework

Risk Profile Analysis – Technology (Continued)
• Project Management
– Consider: in house versus outside, personnel skills, project timelines, quality and formality of documentation and process.
• System Compliance
– Full compliance with EIS standards?
• System Information Content
– Ranges from no customer information to significant customer information.
• System Access
– Internal access.
– External access to employees, customers, vendors.

Page 10: Risk Assessment Framework

Risk Profile Analysis
• Credit Risk
– Size of credit portfolio.
– Mix between higher and lower risk categories.
– Trends in uncollected balances.
• Financial Impact
– Annual revenues.
– Significance to the Company.
– Information provided in Company financials (e.g. 10-K, 10-Q).
– Business unit subject to SOX testing.
• Market Risk
– Size of the portfolio.
– Volatility of the portfolio.
– Effectiveness of models.
– Trading volumes.

Page 11: Risk Assessment Framework

Control Assessment
For Use With Risk & Frequency Matrix
• People
– Quality of management and staff.
– Effectiveness of training programs.
– Effects of turnover.
• Corporate Governance & Risk Management
– Quality of management reporting.
– Monitoring of vendor activities.
– Following industry best practices.
– Quality of internal risk assessment database documentation and SOX documentation.
• Process
– Quality of policies and procedures.
– Quality of tracking of key metrics.
– Level of customer complaints.
– Any issues identified.

Page 12: Risk Assessment Framework

Control Assessment
For Use With Risk & Frequency Matrix
• Technology
– Security of data.
– Management's concern over administering technology controls.
– System change controls.
• Audit & External Results
– Timing of last internal audit and significance of findings.
– Management's willingness to address findings.
– All findings cleared.
– Significant findings by the external auditors.
– Significance of SOX findings.

Page 13: Risk Assessment Framework

Risk & Frequency Matrix
The rating for each process for each risk factor has specific criteria. For example:
Compliance risk: The risk that the business could fail to comply with regulations, accounting standards, policies and laws.
Ratings
1 – The business is not directly responsible for compliance with regulations, accounting standards and laws.
3 – The business unit is responsible for compliance with regulations, accounting standards and laws; however, their nature is not complex. The penalty for non-compliance is not material.
9 – The business unit has direct and formal responsibility for compliance with complex or high profile regulations, standards and/or laws. Penalties for non-compliance are material.

Page 14: Risk Assessment Framework

Risk & Frequency Matrix
Similarly, the rating for each process for each control factor has specific criteria:
Technology: The adequacy of controls over technology used.
Ratings
1 – System failures have not occurred or have not had material impact. Controls are in place to monitor system activity.
3 – The business unit's systems have undergone recent changes resulting in failures, but of immaterial impact. System development and change management controls are in place and functioning.
9 – The business unit's systems have experienced material failures during the past year AND/OR there are no system development or change management controls in place OR the controls in place are inadequate.

Page 15: Risk Assessment Framework

Cause & Effect Matrix
• Provides a structured approach to determine the relationship of process functions with the key risk drivers from the risk and frequency matrix.
• Assists with formulating theories about causes and effects.
• Targets key processes and prioritizes items for further analysis.
• Breaks processes into activities or functions. A process may have a high correlation with a particular risk factor, but it may be that only one or two activities within that process contribute to the risk.
• Balances risk and reward.

Page 16: Risk Assessment Framework

Cause & Effect Matrix
1. List key risk factors.
2. Import risk factor scores from the R&F Matrix.
3. List key processes, activities or functions.
4. Rate relationships of activities to risk factors.
5. Select top activities for further analysis.

Page 17: Risk Assessment Framework

Cause & Effect Matrix

Page 18: Risk Assessment Framework

Failure Mode and Effects Analysis
• A systematic way to identify potential weaknesses in a process.
• Helps evaluate and prioritize/rank potential failures of a process in order to prevent them from occurring.
• Identifies areas that are over controlled.
• Sets a standard for each risk and control that is comparable across processes and businesses.

Page 19: Risk Assessment Framework

Failure Mode and Effects Analysis

Page 20: Risk Assessment Framework

Failure Mode and Effects Analysis
Key Points
• Each risk may have multiple failure modes. Each failure mode may have multiple effects.
• Severity does not incorporate volume or frequency.
• The same effect may have a different severity depending on the failure mode.
• The occurrence rating combines the likelihood for the cause, failure and effect together.
• Detection rules of thumb:
– Preventive = 1
– Detective = 2 or 3
– Reactive = 4 or 5

Page 21: Risk Assessment Framework

Failure Mode and Effects Analysis
Key Points
• Risk Documentation
– Good: Single root cause driving the risk. Brief and concise. Worded as a possibility, not a certainty. Risks are not certain.
– Bad: Compound risks; absence of controls or failed controls presented as a risk; effects written as risks.
– The risk is not that the lock on the tiger's cage might fail. Rather, the risk is that the tiger will get out of the cage and injure someone.
• Control Documentation
– Good: Single, brief, concise sentence. Answers the questions: Who? What? When? And How?
– Bad: Mega controls, controls written as proposed controls, controls owned by a different business, undefined acronyms.

Page 22: Risk Assessment Framework

Control Types & Sub-Types
Preventive Controls
• Policies and Procedures
– Formally documented: Written, approved and accessible.
– Partially documented.
– Informally documented: Defined through informal documents such as emails or meeting minutes.
– Not documented: Activities driven only by common understanding.
• Approval Authority
– Formally documented: Written, approved and accessible.
– Partially documented.
– Informally documented.
– Not documented.
Policies must be well understood and practiced.
• Due Diligence
– Product: Investigation of the fit of a product or service to expected attributes, features and characteristics.
– Vendor: Investigation of financial health and prior performance.
• Training
– Classroom.
– Video.
– Computer-based (CBT).
– Web-based (WBT).
– Independent study.
– On the job.
A valid training control must have well defined content, a specific time and a specific audience.

Page 23: Risk Assessment Framework

Control Types & Sub-Types
Preventive Controls – Control Activities
Control activities are preventive controls that ensure a given risk is mitigated. They are designed to prevent a risk from occurring in all transactions handled through a business process or system, and they help ensure that necessary actions are taken to address the risks that may hinder the achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions, and can be system based or non-system.
• Non-System: Controls that require human intervention to prevent the documented risk from occurring.
– Segregation of duties: Activities within a process are assigned to different individuals, building checks and balances to prevent fraud and/or detect other errors.
– Physical controls: Safeguard procedures or physical inspections that prevent risk.
– Checklists/Questionnaires: Standard documents that must be filled out and signed.
• System: IT-based procedures and routines designed to prevent risk.

Page 24: Risk Assessment Framework

Control Types & Sub-Types
Detective
• Management Reports
– Periodic and timely.
– Key compliance issues and risks, mitigation actions and monitoring results are reported.
– Deployed to appropriate levels of management.
• Regulatory and Third Party Reports
– Accurate, complete and timely.
• Risk & Compliance Tools
– Risk maps and other dashboard type tools.
– Aggregate and analyze information.
• Certifications
– Confirm employees have read and understand policies.
– Confirm compliance with policies.
• Reconciliations
– Ongoing activities built into recurring operating activities.
– Performed by line or support managers.
– Assessed and documented daily, weekly, monthly, quarterly or annually as appropriate.
• Reviews
– A "second or fresh look" performed from time to time by business management.
– Scope and frequency are based on risk exposure and robustness of ongoing monitoring activities.
– Assessed and documented.

Page 25: Risk Assessment Framework

Inherent Risk Rating
The Inherent Risk Rating is broken down into four key components:
– Strategic Alignment
– Company Alignment
– Nature (Complexity) of Activity
– Materiality
This risk rating approach involves scoring each risk across these four components. The scores are then summed and an inherent risk rating is identified according to the Rating Scale below, for input into the Risk and Control database. This approach is intended to reduce subjectivity in assigning ratings.

Page 26: Risk Assessment Framework

Risk Rating Scale

Score     Inherent Risk Rating
1 to 4    Low Risk – 1
5 to 8    Marginal – 2
9 to 12   Moderate – 3
13 to 16  Considerable – 4
17 to 20  High Risk – 5

Page 27: Risk Assessment Framework

Inherent Risk Rating
Component #1
Strategic Alignment – Range of 1 (Operations Support) to 5 (Strategic Objective Support); consider whether the activity is directly linked to achieving a strategic objective or supports daily business operations.
1. Activity supports normal course of business operational functions.
2. Activity enables activities that are indirectly aligned with a strategic objective.
3. Activity enables activities that are directly aligned with a strategic objective.
4. Activity indirectly aligned with the achievement of a strategic objective.
5. Activity directly aligned with the achievement of a strategic objective.

Page 28: Risk Assessment Framework

Inherent Risk Rating
Component #2
Company Alignment – Range of 1 (Local) to 5 (Company); consider to what extent a specific activity impacts the Company.
1. Task based activity.
2. Local process activity.
3. Business Unit activity that provides output that moves upstream to a business unit process.
4. Core organizational activity that provides output that moves upstream to an organizational process.
5. Core Company activity that provides output that moves upstream to a corporate process.

Page 29: Risk Assessment Framework

Inherent Risk Rating
Component #3

Nature (Complexity) of Activity – Range of 1 (Simple) to 5 (Complex); consider transaction volume, number of steps/parties/hand-offs, internal versus external resource reliance.

1. Basic activity and risk. This activity maintains a minimal number of steps/hand offs and is completed within a single department. Resources are sufficient.

2. Mostly typical and/or traditional nature of the activity and risk. This activity maintains a manageable number of steps/hand offs and is completed within a single department. Resources are adequate.

3. Moderately complex activity and risk. This activity maintains an abundant number of steps/hand offs. Adequacy of resources is questionable.

4. Complex activity and risk. This activity maintains a multitude of steps/hand offs and crosses two or more departments. Resources appear inadequate.

5. Very complex activity and risk. Execution of this activity requires an excessive number of steps/hand offs and crosses several departments. Resources are insufficient.

Page 30: Risk Assessment Framework

Inherent Risk Rating
Component #4

Materiality – Range of 1 (Immaterial) to 5 (Severe); consider business unit budget, revenues generated, expenses, assets at risk.

1. If this risk were to occur, the loss could be absorbed by the organization in the normal course of business. The impact on earnings, capital and reputation would be immaterial. Financial exposure value less than $50,000.

2. If this risk were to occur, the loss for the most part could be absorbed. Financial exposure value from $50,000 up to $5,000,000.

3. If this risk were to occur, the loss to some extent could be absorbed in the normal course of business. The impact would be noticeable. Financial exposure value greater than $5,000,000 and less than $50,000,000.

4. If this risk were to occur, the loss could not be absorbed by the organization in the normal course of business. Negative impact would be material (greater than $50,000,000 and less than $250,000,000).

5. If this risk were to occur, the loss could not be absorbed in the normal course of business. The impact would be severe (greater than $250,000,000).

Page 31: Risk Assessment Framework

Risk Probability
The risk probability (or occurrence rating) should also be assessed based on the expected occurrence of the root cause (trigger event) in a pre-control environment.

1. Improbable – The probability of exposure to this risk is remote. Failure is unlikely. This risk may only occur in rare or exceptional circumstances.

2. Doubtful - The probability of exposure to this risk is unlikely. Relatively few failures are expected. There is a slight possibility that the risk could occur.

3. Moderate – The probability of exposure to this risk is moderate. Occasional failures are expected. There is a possibility this may occur at some time.

4. Possible - The probability of exposure to this risk is likely. Repeated failures are expected. There is a strong possibility this risk will occur in most circumstances.

5. Probable - The probability of exposure to this risk is very high. Failure is almost inevitable. This risk is likely to occur in most circumstances.

Page 32: Risk Assessment Framework

Risk Direction
This component is used to evaluate the exposure trend for a given risk within the next 12 months. It should be assessed on a pre-control basis.

• Up – Changes in volume of transactions and/or other internal or external developments are expected to increase the Inherent Risk Rating and/or the Risk Probability within the next 12 months.

• Level - Changes in volume of transactions and/or other internal or external developments are not expected to change the Inherent Risk Rating or the Risk Probability within the next 12 months.

• Down – Changes in volume of transactions and/or other internal or external developments are expected to decrease the Inherent Risk Rating and/or the Risk Probability within the next 12 months.

Page 33: Risk Assessment Framework

Control Detection Rating
The Control Detection rating is used to assess the ability of a group of controls currently in place to (in aggregate) detect a control failure prior to the effect impacting the product or being felt by the customer. The assessment of the control detection rating should not consider proposed controls. The following guidelines are the suggested thought process for assessing the control detection rating, which is broken into four key components:
– Automation vs. Manual
– Type of Control
– Policies and Procedures
– Scalability
This approach involves scoring the controls across these four components. The scores are then summed. This methodology is intended to reduce subjectivity in assigning ratings.

Page 34: Risk Assessment Framework

Control Rating Scale
A Lower Number is Better

Score     Control Rating
1 to 4    Effective – 1
5 to 8    Monitor – 2
9 to 12   Needs Improvement – 3
13 to 16  Impaired – 4
17 to 20  Unsatisfactory – 5

Page 35: Risk Assessment Framework

Control Detection Rating
Component #1

Automation vs. Manual – Range of 1 (Fully Automated) to 5 (Manual); Consider extent of automation versus manual controls in business processes and testing of controls for assurance they are operating as designed.

1. Primary controls are fully automated without requiring human intervention and are tested on an automated, ongoing basis.

2. Primary controls are semi automated with minimal human intervention and touch points and are regularly tested based on a formally established schedule and procedures.

3. Primary controls are semi automated with moderate human intervention and multiple touch points within and outside the department. They are periodically tested based on informal procedures.

4. Primary controls are manual. Testing is ad hoc, perhaps after failures.

5. Primary controls are manual. They are not tested.

Page 36: Risk Assessment Framework

Control Detection Rating
Component #2

Type of Control – Range of 1 (Preventive) to 5 (No Current Controls); Consider the type of controls currently in place.

1. Preventive: Controls are directed at preventing risks from occurring.

2. Minimizing: Controls are directed at minimizing major risk exposures.

3. Reporting: Controls are directed at reporting potential risk exposures.

4. Detective: Controls are directed at addressing exposures resulting from a risk occurrence.

5. No Current Controls: There are no controls in place to manage risk.

Page 37: Risk Assessment Framework

Control Detection Rating
Component #3

Policies and Procedures – Range of 1 (Formal) to 5 (Nonexistent); consider the extent to which policies and procedures are documented, communicated and accessible.

1. Policies and procedures are formally documented, communicated, readily accessible and are reviewed and updated on an ongoing basis. Sign off is attained.

2. Policies and procedures are formally documented, communicated, accessible on request and are reviewed and updated on a periodic basis. Sign off is not attained.

3. Policies and procedures are partially documented, informally communicated, access is restricted and are infrequently reviewed and updated. Sign off is not attained.

4. Policies and procedures are informally documented, communicated, access is restricted and they are not updated. Sign off is not attained.

5. Policies and procedures are not documented.

Page 38: Risk Assessment Framework

Control Detection Rating
Component #4

Scalability – Range of 1 (Flexible) to 5 (Not Flexible); consider the scalability of personnel and/or systems to changes in work flow and activity.

1. Personnel and/or systems are flexible to adjust to changes in work flow.

2. Personnel and/or systems are flexible to adjust to changes in work flow with minimal lead time (<= 30 days).

3. Personnel and/or systems are partially flexible with moderate lead time (> 30 days and <=60 days)

4. Personnel and/or systems possess minimal flexibility to adjust (>60 days)

5. Personnel and/or systems are not flexible to adjust to changes.

Page 39: Risk Assessment Framework

Effective Controls
Controls rated 1 – Effective and 2 – Monitor are considered acceptable levels of control quality. The main difference between a 1-Effective and a 2-Monitor control structure is that, in addition to its preventive nature, the former is also capable of identifying and adapting to changes in the environment and business processes. This capability is achieved through the adoption of robust monitoring controls in addition to sound and efficient preventive controls.

Therefore, control structures rated 1-Effective must be comprised of at least two robust controls (one preventive and the other monitoring in nature). Control structures rated 1-Effective are expected to be optimal structures; hence, there should be no need to improve them.

Page 40: Risk Assessment Framework

Controls That Need Improvement
The control detection rating should be an honest assessment. Sometimes managers acknowledge that the quality of controls in place is below desirable levels, but several factors may prevent them from implementing immediate improvements. On these occasions, managers must assess the control detection rating according to the quality of the controls currently in place (3 – Needs Improvement or lower), and document their efforts to improve the quality of the control structure by recording proposed controls in the Risk and Control database. These proposed controls should be sufficient to improve the control detection rating to a 2-Monitor or a 1-Effective rating once they are implemented.
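As an added example that is not part of the original presentation, the Python below encodes the two summed rating scales from the deck (the Inherent Risk Rating on pages 25 to 30 and the Control Detection Rating on pages 33 to 38) together with the rules that sit around them: proposed controls are excluded from the current rating (page 33), a structure with no current controls must score 5 on Type of Control (page 36), a 1-Effective structure needs both a preventive and a monitoring control in place (page 39), and proposed controls recorded against a 3-or-worse rating must be sufficient to reach 2-Monitor (page 40). The `Control` class, the "preventive"/"monitoring" vocabulary, the decision to cap an otherwise 1-band structure at 2-Monitor when it lacks one of those two natures, and the `designed_scores` input (the assessor's component scores as they would stand once the proposed controls exist) are this example's assumptions, not something the deck specifies. The deck gives no formula for residual risk, so the example stops at the two ratings.

```python
"""Added example for this page: the deck's two summed rating scales and the
structural rules attached to them. Not code from the original presentation."""
from dataclasses import dataclass

# Score-to-rating bands shared by the Inherent Risk Rating scale (page 26)
# and the Control Rating scale (page 34). Four components scored 1-5 each
# give a sum of 4-20, so the "1 to 4" band is reached only by the minimum.
BANDS = ((1, 4, 1), (5, 8, 2), (9, 12, 3), (13, 16, 4), (17, 20, 5))

INHERENT_LABELS = {1: "Low Risk", 2: "Marginal", 3: "Moderate",
                   4: "Considerable", 5: "High Risk"}
CONTROL_LABELS = {1: "Effective", 2: "Monitor", 3: "Needs Improvement",
                  4: "Impaired", 5: "Unsatisfactory"}


def _validate(scores, n=4):
    """Each component is an integer 1-5; anything else is an assessor error."""
    if len(scores) != n or any(type(s) is not int or not 1 <= s <= 5 for s in scores):
        raise ValueError("expected %d integer component scores in the range 1-5" % n)


def band_rating(total):
    """Map a summed component score onto the 1-5 rating scale."""
    for low, high, rating in BANDS:
        if low <= total <= high:
            return rating
    raise ValueError("sum %r is outside the 1-20 rating scale" % (total,))


def inherent_risk_rating(strategic_alignment, company_alignment, complexity, materiality):
    """Pages 25-30: sum the four inherent-risk components and band the result."""
    scores = (strategic_alignment, company_alignment, complexity, materiality)
    _validate(scores)
    return band_rating(sum(scores))


@dataclass(frozen=True)
class Control:
    description: str        # one sentence answering who, what, when, how (page 21)
    nature: str             # "preventive" or "monitoring"; vocabulary assumed by this example
    proposed: bool = False  # proposed controls never count toward the current rating (page 33)


def control_detection_rating(automation, control_type, policies, scalability, controls):
    """Pages 33-39: band the four control components, then apply the deck's rules.

    Only controls currently in place are considered (page 33). A 1-Effective
    structure must contain at least one preventive and one monitoring control
    (page 39); this example reads that as capping the rating at 2-Monitor
    otherwise, which is an assumption rather than a formula stated on the page.
    """
    scores = (automation, control_type, policies, scalability)
    _validate(scores)
    current = [c for c in controls if not c.proposed]
    if not current and control_type != 5:
        raise ValueError("no current controls: Type of Control must be scored 5 (page 36)")
    rating = band_rating(sum(scores))
    if rating == 1 and not {"preventive", "monitoring"} <= {c.nature for c in current}:
        rating = 2
    return rating


def improvement_plan_is_sufficient(current_rating, designed_scores, controls):
    """Page 40: a structure rated 3 or worse must carry proposed controls that
    would lift it to 2-Monitor or better. `designed_scores` are the assessor's
    four component scores as they would stand with the proposed controls in
    place (an input assumed by this example); the check re-rates the structure
    with every proposed control treated as implemented.
    """
    if current_rating <= 2:
        return True
    if not any(c.proposed for c in controls):
        return False
    as_built = [Control(c.description, c.nature, proposed=False) for c in controls]
    return control_detection_rating(*designed_scores, controls=as_built) <= 2


def worked_example():
    """Constructed scenario (not from the deck): a vendor-payment process."""
    inherent = inherent_risk_rating(3, 4, 4, 3)  # 14 -> 4 Considerable
    controls = [
        Control("AP supervisor approves each payment batch before release", "preventive"),
        Control("Treasury will reconcile the bank statement to the ledger daily",
                "monitoring", proposed=True),
    ]
    current = control_detection_rating(3, 1, 2, 3, controls)  # 9 -> 3 Needs Improvement
    plan_ok = improvement_plan_is_sufficient(current, (2, 1, 2, 2), controls)  # 7 -> 2 Monitor
    return inherent, current, plan_ok


if __name__ == "__main__":
    inherent, current, plan_ok = worked_example()
    print("Inherent Risk Rating:", inherent, INHERENT_LABELS[inherent])
    print("Control Detection Rating:", current, CONTROL_LABELS[current])
    print("Proposed controls sufficient:", plan_ok)
```

The cap in `control_detection_rating` is what keeps a single well-automated preventive control from scoring 1-Effective: the component scores alone would put it in the 1 to 4 band, but page 39 says that band is reserved for structures that also monitor for change. The re-rating in `improvement_plan_is_sufficient` makes the page 40 requirement testable rather than a narrative note in the database.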