Topic 3

Topic 3. Risk Assessment
Asst. Prof. Ryan T. Liba, DBA
ISO 9001:2015 Lead Auditor/Trainer
Facilitator
Unit Learning Outcomes
• LO3.1 Explain the concept of risk assessment and how to identify risks. [Cl]
• LO3.2 Explain how the identified risk can be measured. [Cl]
• LO3.4 Differentiate the types of operational risks. [Cl]
• LO3.5 Identify the risks associated with business activities. [Cl]
Topic Outline
1. Definition of Risk
2. Identification of Risk
3. Measurement of Risk
4. Assessing Risk and Control Types
5. Control Self-Assessment (CSA)
6. Operational Risk Types
7. Business Activities and the Associated Risks
A chain is only as strong as its weakest link.
Meaning: one weak part will render the whole weak.
Introduction
• The theory of constraints adopts the common idiom "a chain is only as strong as its weakest link."
• This means that organizations, programs, processes, and even departments are vulnerable because the weakest element can always damage, break, or at the very least adversely affect the outcome.
• So, attention must be paid to performing an inventory of all the related components, assessing their strengths and weaknesses, performing a gap analysis, identifying appropriate responses, implementing the best remedial action, and monitoring results.
Introduction
Types of Risk: Strategic, Operational, Compliance, Reporting, IT, Financial
• Their consequences vary and are influenced by the types of vulnerabilities involved, the degree to which these consequences can be anticipated to deter or prevent their occurrence, the sophistication of the response mechanisms, and the flexibility of the organization to adapt as needed.
• This means that management must be aware, engaged, and knowledgeable to learn from history, understand the present, and prepare for the future.
Introduction
• Risk and Control Self-Assessment (CSA) is an effective mechanism to involve those who have ownership of risks and controls in the organization.
• By documenting processes, participants, and influencing variables, management can be better prepared to allocate resources appropriately, set priorities, establish accountabilities, and institute monitoring procedures.
Risk Assessments
• A risk assessment is the process of identifying, measuring, and analyzing risks relevant to a program or process.
• This assessment is systematic, iterative, and subject to both quantitative and qualitative inputs and factors.
• Furthermore, it is also dependent on the timeframe of the review.
Risk Assessment
• Identification of Risks. A key aspect of any risk assessment is the identification of the relevant risks. This takes the form of a list of risks. Quite often this step is not exhaustive enough or is performed by individuals with limited knowledge of the process being assessed.
Operational Risk Types
Type: Description
Capacity
• Inability to produce as many units as required
• Process generating excessive amounts of waste
• Producing too many defective parts (i.e., error rate)
• Delivering ordered goods or services past the promised date
• Inability to provide high quality service to every customer
Strategic
• Failing to maintain beneficial relationships with customers
• Computer system's inability to support the operating unit's needs
• Manufacturing lines being unable to keep pace with sales growth
• Lack of funding to finance business expansion
• Knowledge drain due to employee turnover
• Failure to respond to changing customer preferences
Compliance
• Failure to meet external requirements (e.g., laws and regulations)
• Failure to meet internal standard operating procedure (SOP) requirements
• Failure to meet combined requirements (e.g., contracts)
Natural environment
• Energy supply disruption
• Damage from fire, water, or natural disasters (e.g., floods, earthquakes, hurricanes, and tornadoes)
• Inability to secure needed resources (e.g., water and minerals)
• Dependency on carbon-based sources of energy
• Business interruption caused by disease
Political
• Changes in legislation or regulation due to government changes
• Social unrest triggered by changes in government
Internal Constraints
• Equipment. The types of equipment available and the
ways they are used limit the ability of the process to
produce more high-quality goods and deliver services.
• People. Lack of skilled and motivated workers limits the
productive capacity of any process. Attitudes and other
mental models (e.g., feeling defeated, victimized, or
hopeless) embraced by workers can lead to behaviors
that become a constraint on the process.
• Policies. Written and unwritten policies can prevent the process from producing more, higher-quality goods and services.
Internal Auditors' Considerations in Evaluating Internal Dynamics and Risks
1. the slowest operation in a process,
2. the synchronization of activities within or between processes, and
3. robbing materials and other resources within or between processes or units.
Measurement of Risks
• After risks have been identified, they must be measured.
• The measurement process can be either subjective or quantitative, and either driven by facts or not. Subjective measures are driven by the participants' experience and intuition about the risks involved.
Measurement of Risks
Risk Measurement
• Quite often, risks are measured using a three-point scale of high-medium-low.
• Using these measures, the impact of the risk, if it were to materialize, and the likelihood of the risk, if it were to occur, are rated.
• This can also be done using a five-point scale, with likelihood measures of rare-unlikely-possible-likely-almost certain. Impact measures may include insignificant-minor-moderate-major-catastrophic.
[Figure: Evaluating risk. A 5 × 5 matrix with Likelihood across the top (1 Remote, 2 Unlikely, 3 Possible, 4 Likely, 5 Certain) and Impact down the side (1 Trivial, 2 Minor, 3 Lost Time, 4 Major, 5 Fatal); each cell holds likelihood × impact, so the Trivial row reads 1 2 3 4 5 and the Minor row reads 2 4 6 8 10.]
Measurement of Risks

Figure 3.1 Impact ratings by range.
Rating | Impact | Range ($)
1 | Negligible | 0 to 50,000
2 | Marginal | 50,001 to 100,000
3 | Critical | 100,001 to 200,000
4 | Severe | 200,001 to 500,000
5 | Catastrophic | 1 million+

Figure 3.2 Likelihood ratings by range.
Rating | Likelihood | Range (%)
1 | Unlikely | 0 to 20
2 | Remote | 21 to 40
3 | Possible | 41 to 60
4 | Likely | 61 to 80
5 | Very likely | 80 to 100


Measurement of Risks
Table 3.2 Sample Nonlinear Likelihood Ratings
Level | Descriptor | Likelihood over 5 years (%) | Likelihood over 5 years (odds)
1 | Low | >0.005% | >1 in 20,000 chance
2 | Medium-low | >0.05% | >1 in 2000 chance
3 | Medium | >0.5% | >1 in 200 chance
4 | Medium-high | >5% | >1 in 20 chance
5 | High | >50% | >1 in 2 chance
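As an added example (not from the course slides), the impact and likelihood bands of Figures 3.1 and 3.2 and the likelihood × impact matrix applied to a small risk register in Python; the register entries and the priority cut-offs are constructed for illustration, and the code deliberately refuses to rate a loss amount that the published table does not cover.

```python
"""Rating and scoring risks on the slide's 5-point scales.
Added example, not from the course slides. The band tables are the ones in
Figures 3.1 and 3.2; the priority thresholds and register entries are
assumptions made for illustration."""
from typing import List, Optional, Tuple

# Figure 3.1, impact ratings by loss range (USD), copied as tabulated.
# The table rates nothing between 500,001 and 999,999, so such amounts
# return None here instead of being silently pushed into a band.
IMPACT_BANDS = [
    (1, "Negligible", 0, 50_000),
    (2, "Marginal", 50_001, 100_000),
    (3, "Critical", 100_001, 200_000),
    (4, "Severe", 200_001, 500_000),
    (5, "Catastrophic", 1_000_000, None),   # "1 million+": no upper bound
]

# Figure 3.2, likelihood ratings by probability range (%). Bands 4 and 5
# both list 80; the first band in table order wins, so 80 rates as Likely.
LIKELIHOOD_BANDS = [
    (1, "Unlikely", 0, 20),
    (2, "Remote", 21, 40),
    (3, "Possible", 41, 60),
    (4, "Likely", 61, 80),
    (5, "Very likely", 80, 100),
]

Rating = Tuple[int, str]


def rate(value: float, bands) -> Optional[Rating]:
    """Return (level, descriptor) of the first band whose closed range holds value."""
    for level, name, low, high in bands:
        if value >= low and (high is None or value <= high):
            return level, name
    return None  # value falls in a gap of, or outside, the published table


def impact_rating(loss_usd: float) -> Optional[Rating]:
    return rate(loss_usd, IMPACT_BANDS)


def likelihood_rating(probability_pct: float) -> Optional[Rating]:
    return rate(probability_pct, LIKELIHOOD_BANDS)


def risk_score(loss_usd: float, probability_pct: float) -> int:
    """Likelihood level times impact level: the cell value of the 5 x 5 matrix
    on the slide (likelihood 2 gives the row 2 4 6 8 10)."""
    imp, lik = impact_rating(loss_usd), likelihood_rating(probability_pct)
    if imp is None or lik is None:
        raise ValueError(f"({loss_usd}, {probability_pct}) is not covered by the rating tables")
    return lik[0] * imp[0]


def priority(score: int) -> str:
    """Assumed cut-offs on the 1..25 matrix; the slides give no thresholds."""
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


# Constructed register entries: (risk id, estimated loss USD, estimated probability %).
REGISTER = [
    ("R11 supplier disruption", 250_000, 70),
    ("R12 loss of connectivity", 75_000, 30),
    ("R13 data corruption", 1_500_000, 10),
]


def score_register(register) -> List[Tuple[str, int, str]]:
    """Return [(risk id, score, priority)] sorted highest score first."""
    scored = [(rid, risk_score(loss, pct), priority(risk_score(loss, pct)))
              for rid, loss, pct in register]
    return sorted(scored, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for rid, score, level in score_register(REGISTER):
        print(f"{rid}: score {score} ({level})")
```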


Measurement of Risks
Table 3.3 Expanded Impact Ratings
Impact | Rating
Negligible-very low | Very little damage or harm. No disruption in operations. Insignificant number of injuries or impact on health. Insignificant number of people displaced and insignificant personal support required. Insignificant disruption to community services, or to the local economy
Marginal-low-minor damage or harm | No significant disruptions in operations. The event is less likely to cause any significant harm to staff or others and could be managed. Small number of people affected, no fatalities, and small number of minor injuries treated with first aid treatment. Minor damage to properties or displacement of a small number of people for less than 24 h and minor personal support required. Minor localized disruption to community services or infrastructure lasting less than 24 h. Negligible impact on local economy and the cost is easily absorbed. There is minor impact on environment with no lasting effects
Critical-moderate-significant damage or harm | Event may cause some very short disruptions to operations. Likely there is significant injury to staff and could result in moderate loss of assets, but event is manageable. Significant number of casualties, some requiring hospitalization and medical treatment. Damage that is confined to a specific location, or to a number of locations, but requires additional resources. Localized displacement of more than 100 people for up to 3 days. Disruption to infrastructure and community services. Limited impact on the local economy with some short-term loss of production and possible additional clean-up costs. Limited impact on the local environment with short- or long-term effects
Severe-high-serious damage or harm | May cause significant disruption or suspension in operations. May cause significant injury or death of workers or staff members. Could result in major loss of assets and finances and seriously jeopardize the company's abilities. Difficult to manage. Significant number of people in the affected area impacted with multiple fatalities, multiple serious or extensive injuries, and significant hospitalization. Significant damage requiring external resources to support local responders. 100-500 people in danger and displaced for more than 1 week. Significant impact and possible breakdown of delivery of some local community services. Significant impact on the local economy with medium-term loss of production. Significant extra cleanup and recovery costs. Significant impact on the environment with medium- to long-term effects
Catastrophic-very high-critical-extreme damage or harm | May result in long-term suspension of operations and possible office or program closure. Concern about imminent loss of life. Major loss or damage of assets and would be difficult to recover from. Very difficult or impossible to manage. Very large numbers of people in affected area(s) impacted with significant numbers of fatalities, large number of people requiring hospitalization with serious injuries with longer-term effects. Extensive damage to properties and infrastructure in the affected area requiring major demolition. General and widespread displacement of more than 500 people for a prolonged duration and extensive personal support required. Damage to infrastructure causes significant disruption to, or loss of, key services for a prolonged period. The community is unable to function without significant support and there is serious impact on local and regional economy with some long-term, potentially permanent, loss of production. Extensive clean-up and recovery costs. Serious long-term impact or permanent damage to the environment
Measurement of Risks
Table 3.4 Expanded Likelihood Ratings
Likelihood | Rating
Unlikely-very low | The event is considered as not having a realistic probability of occurring against the organization under prevailing conditions. The organization has very little exposure to the threat
Remote-low-somewhat likely | The event is considered to have a reasonable probability of occurring and affecting the organization under prevailing conditions. The organization has some, but limited, exposure to the threat. This could also indicate some weakness in existing security measures
Possible-moderate-likely | The event is considered to have a fairly high probability of occurring and affecting the organization under prevailing conditions. The organization has a reasonable amount of exposure to the threat. This could indicate insufficient security measures
Very likely-high | The event is considered to have a very high probability of occurring and affecting the organization under prevailing conditions. The organization has a high amount of exposure to the threat. This could indicate very weak security measures
Certain or imminent-very high | The event is considered to be imminent and expected to occur. The organization has an extremely high amount of exposure to the threat. This could indicate the complete lack/absence of the appropriate security measures
Risk Matrix
• The risk matrix is a widely used and highly effective tool to record and analyze the objectives, risks, and controls in the program or process that is being audited as defined in the scope definition.
• The risk matrix is an essential ingredient when conducting risk-based audits, as it provides a means to capture and analyze these items.
Risk Matrix
Column groups: Objectives | Risks | Controls | Audit program steps
Columns: Objectives, Risks, S, O, R, C, IT, F, Prob., Imp., Vet, Pers., Control, P/D, A/M, X/D/W/M/Q, Audit steps
Objectives | Risks | Control | Audit steps
O1 | R11 | C111 | AS1 (C111, C112, C113, C121)
   |     | C112 |
   |     | C113 |
   | R12 | C121 | AS2 (C122, C123)
   |     | C122 |
   |     | C123 |
   |     | C124 | AS3 (C124)
   | R13 | -    |
   | -   | C141 |
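An added example, not part of the slides, that runs the cross-checks an auditor would apply to a risk matrix like the one above: risks with no control, controls no audit step tests, controls attached to an unknown risk, and high-scoring risks with no preventive control. The sample matrix mirrors the O1 / R11-R13 / C1xx / AS1-AS3 layout; the meanings assigned to the P/D, A/M and frequency columns and the score threshold are assumptions.

```python
"""Gap checks over a risk matrix (objectives -> risks -> controls -> audit
program steps). Added example, not from the slides; the column meanings
marked "assumed" are guesses at the slide's abbreviations."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Risk:
    id: str
    objective: str
    prob: int          # likelihood level 1..5
    imp: int           # impact level 1..5


@dataclass
class Control:
    id: str
    risk: str          # id of the risk this control mitigates
    kind: str          # assumed: "P" preventive or "D" detective
    mode: str          # assumed: "A" automated or "M" manual
    frequency: str     # assumed: X/D/W/M/Q = per transaction/daily/weekly/monthly/quarterly


@dataclass
class AuditStep:
    id: str
    tests: List[str]   # control ids exercised by the step


@dataclass
class RiskMatrix:
    risks: List[Risk] = field(default_factory=list)
    controls: List[Control] = field(default_factory=list)
    steps: List[AuditStep] = field(default_factory=list)


def find_gaps(m: RiskMatrix) -> Dict[str, List[str]]:
    """Cross-check the risk, control and audit-step columns against each other."""
    risk_ids = {r.id for r in m.risks}
    control_ids = {c.id for c in m.controls}
    mitigated = {c.risk for c in m.controls}
    tested = {cid for s in m.steps for cid in s.tests}
    return {
        "risks_without_controls": sorted(risk_ids - mitigated),
        "controls_not_tested": sorted(control_ids - tested),
        "controls_for_unknown_risks": sorted(c.id for c in m.controls if c.risk not in risk_ids),
        "steps_citing_unknown_controls": sorted(s.id for s in m.steps if set(s.tests) - control_ids),
    }


def high_risks_without_preventive_control(m: RiskMatrix, threshold: int = 15) -> List[str]:
    """Risks scoring prob x imp >= threshold that rely on detective controls only
    (or on none at all). The threshold is an assumption; the slides give no cut-off."""
    preventive = {c.risk for c in m.controls if c.kind == "P"}
    return sorted(r.id for r in m.risks if r.prob * r.imp >= threshold and r.id not in preventive)


def sample_matrix() -> RiskMatrix:
    """Constructed matrix following the slide's O1 / R11-R13 / C1xx / AS1-AS3 layout."""
    return RiskMatrix(
        risks=[Risk("R11", "O1", 4, 4), Risk("R12", "O1", 2, 3), Risk("R13", "O1", 3, 5)],
        controls=[
            Control("C111", "R11", "P", "A", "X"), Control("C112", "R11", "D", "M", "M"),
            Control("C113", "R11", "P", "M", "D"), Control("C121", "R12", "P", "A", "X"),
            Control("C122", "R12", "D", "M", "W"), Control("C123", "R12", "D", "A", "D"),
            Control("C124", "R12", "P", "M", "Q"), Control("C141", "R14", "D", "M", "Q"),
        ],
        steps=[AuditStep("AS1", ["C111", "C112", "C113", "C121"]),
               AuditStep("AS2", ["C122", "C123"]), AuditStep("AS3", ["C124"])],
    )


if __name__ == "__main__":
    for check, items in find_gaps(sample_matrix()).items():
        print(f"{check}: {items or 'none'}")
    print("high risks without a preventive control:", high_risks_without_preventive_control(sample_matrix()))
```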
Assessing Risk and Control Types
• Risk assessment is a complex activity that
some confuse with risk management. Risk
assessment is a process, which means it is
dynamic, and that in and of itself begins to
highlight the lack of understanding that
some have about this.
• Risk assessment is a process that is often
done iteratively. The process begins by
identifying potential hazards and analyzing
those items to determine what could
happen if the hazard were to occur.
Assessing Risk and Control Types
• The conduct of a risk assessment means that
we should look for weaknesses (sometimes
referred to as vulnerabilities) that would make
an asset susceptible to damage or loss from
the hazard.
• The Business Dictionary defines vulnerability
as the "degree to which people, property,
resources, systems, and cultural, economic,
environmental, and social activity is
susceptible to harm, degradation, or
destruction on being exposed to a hostile
agent or factor."*
Assessing Risk and Control Types
The process of identifying the relevant events will be driven by the scope definition of the review, and can be done by following any of the following approaches:
1. Objectives based. Identify events that may hinder the ability of the organization to achieve its objectives partially or completely.
2. Scenario based. Create different scenarios or alternative ways of achieving objectives and determine how forces interact. A useful approach is to identify triggers that can start or stop different scenarios from occurring.
• External. For example, economic, business, natural environment, political, social, and technological factors.
• Internal. Examples include infrastructure, personnel, processes, and technology.
3. Common-risk checking. Use a prefabricated list of common risks in your industry or area of scope. This technique is explained in more detail below.
4. Risk charting. This combination of internal and external approaches consists of listing resources at risk and the threats to those resources. Identify the risk factors and the consequences.
Hazards are of concern to the extent that they can result in some kind of loss to the program, process, or organization. The impact of these hazards and how to reduce them is the next aspect of the risk assessment process. This is referred to as mitigation.
Organizational Hazards
Table 3.5 Organizational Hazards
Hazard | Examples
Natural | Floods, earthquakes, hurricanes, temperature, pandemic, and contamination
Human | Unintentional: poorly operated equipment, unsafe work procedures, fatigue, lack of training, and distractions. Intentional: workplace violence, strikes, arson, and fraud
Mechanical | Poorly placed or installed equipment, outdated equipment, structural failure and mechanical breakdown, and hazardous materials
Technological | Loss of connectivity and corrupted data
Logistics | Supplier disruption and transportation interruption

Relationship of Hazards, Assets at Risk and Organizational Impact
Hazards | Assets at Risk | Impact
Cyber attack | Property | Property damage
Supplier failure | People, property | Financial loss
Mechanical breakdown | Systems | Loss of customers
Utility outage | Machinery | Personal injury
Pandemic | Reputation, people | Contamination
Hazardous material spill | Environment | Fines and penalties
Terrorism | Property, people | Lawsuits, personal injury
Fire, explosion, structural collapse | Property, people, machinery | Loss of confidence in the organization, financial loss
Importance of Control Self-Assessments (CSAs)
• Internal auditors have been proclaiming that management and the board "own" the programs and processes of the organization, the objectives of these programs and processes, the risks that jeopardize the achievement of these objectives, and the controls that mitigate their likelihood and impact.
Business Activities and Their Risk Implications
• Organizations are engaged in a variety of activities and use a multitude of tools in their daily activities.
• It is essential that internal auditors have a general understanding of these practices, but also know how risk and opportunity affect these tools and actions.
Business Activities and Their Risk Implications
• Assemble to order. This is a type of production system where the material is prepared so it can be assembled quickly upon receipt of the customer request and is usually customizable to a certain degree.
[Figure: Components → Assembly → Products]
Business Activities and Their Risk Implications
Two other common manufacturing strategies:
1. Make to stock (MTS). Products are manufactured in advance.
2. Make to order (MTO). Products are produced after the order is received. By combining the two strategies, organizations can get products to the customer quickly while allowing some flexibility to be customizable, so customers can quickly receive products based on their needs.
Business Activities and Their Risk Implications
• Bottleneck. This term refers to a point in a
process where there is limited productive
capacity and the flow slows down.
This constriction can slow or even stop
the flow of work until some intervention
occurs, or time passes allowing items to
move through, while other incoming
items continue to accumulate.
Business Activities and Their Risk Implications
• Collaborative inventory management. Consists of the cooperation between a buyer and a supplier to improve stock availability and reduce costs. This is often accomplished by sharing forecast information and using a single plan.
Business Activities and Their Risk Implications
[Figure: consignment flow between the consignor and the buyer, labelled Goods Sent, Goods Sold, Sale Proceeds, Remittances, and Commission]
• Consignment. This is an inventory management and replenishment method where a buyer only pays for the products held at a third-party location when the items have been sold to the customer.
Business Activities and Their Risk Implications
• Cycle time. Refers to the reduction in the time and related costs needed for a product or service to move through part or all of a supply chain.
Business Activities and Their Risk Implications
• Distribution center (DC) bypass or drop ship. This activity refers to circumventing the DC or entire distribution channel by routing freight directly to its destination.
Business Activities and Their Risk Implications
[Figure: documents exchanged via EDI between Your Business and Trading Partners]
• Electronic data interchange (EDI). These consist of standardized sets of data transmitted between various business partners during business transactions.
• By using the same standard, two companies can exchange documents and reduce the reliance on paper, and reduce human interaction, saving time and money.
Business Activities and Their Risk Implications
• Inventory. Stock of raw materials, semi-finished goods (e.g., work in process), or finished material held to protect the organization against unpredictable, uncertain, or erratic supply or demand with the objective of avoiding stock-out situations.
Future Challenges and Risk Implications
• Organizations today face a myriad of different types of risks. While traditionally internal auditors focused primarily on accounting, financial, and compliance risks, today they are expected to assist their clients in identifying, assessing, and properly responding to a far wider variety of risks.
Future Challenges and Risk Implications
• Increased outsourcing. This trend, which started getting widespread attention in the 1980s, accelerated in the 1990s, became commonplace in the 2000s and continues to grow into the 2010s.
• Initially, it was touted as a great mechanism to reduce expenses, boost productivity and efficiency, and free the organization, so it could focus on its core activities.
Future Challenges and Risk Implications
• Global sourcing. Whereas most companies used to work with and obtain their raw and semi-finished goods from local suppliers, it is commonplace now for organizations to search the globe for suppliers.
Future Challenges and Risk Implications
• Margin compression. As competition has expanded to a more global environment, and some of the new competitors benefit from lower costs and even subsidies and protectionist practices in some countries, many organizations struggle to remain competitive under such conditions.
Future Challenges and Risk Implications
• Technology. The number and scale of technological changes over the past two decades is immense.
• This includes, but is certainly not limited to, ERP systems with built-in supply chain management, product life cycle management, customer relationship management, supplier relationship management, document management, and project management functionality.
Future Challenges and Risk Implications
• Growth in Asia and other developing markets. The increasing purchasing power and wealth creation in emerging markets is opening new opportunities that many organizations cannot miss.
Future Challenges and Risk Implications
• Improved customer analytics. In the past, organizations focused on mass production to drive down unit costs.
• Later, glocalization became commonplace as organizations adopted a global approach, while attempting to portray a local feel to their marketing of goods and services.
Future Challenges and Risk Implications
• Data capture and transfer capabilities. Improvements in data storage, lowering the costs dramatically over the past three decades, improvements in networking capabilities (local area network [LAN], wide area network [WAN]) and the internet, and enhancements in wireless communications, such as radio frequency identification (RFID), make it increasingly easy and economical for organizations to obtain, analyze, and disseminate information in real time or near real time.
Future Challenges and Risk Implications
• Environmental initiatives. Ecological considerations are increasingly becoming a key concern for organizations.
Future Challenges and Risk Implications
• Government involvement. While the degree of acceptance of government involvement varies by country and changes over time, governments in general are increasingly becoming more involved in the support of private sector activities.
Future Challenges and Risk Implications
• Geo-political risks. The rise of extremism
around the world threatens organizations'
abilities to operate freely around the
world.
Future Challenges and Risk Implications
• Corruption. Organizations, indeed, entire
economies, continue to suffer from the
scourge of corruption.
• Defined as dishonest or unethical conduct
by a person entrusted with a position of
authority, often to acquire personal
benefit, it includes many activities including
bribery and embezzlement, though it may
also involve practices that are legal in many
countries, such as blatant favoritism and
nepotism, discrimination, and largesse.
