Showing posts with label Enterprise Risk Management. Show all posts

Friday, January 30, 2009

Critical Role for the Chief Audit Executive: Aligning Risk Assessment

When it comes to aligning risk assessment, the "risk intelligent" chief audit executive provides reassurance that management's reports are reliable, offers advice on improving risk mitigation, and implements value-added risk-management activities.

Risk permeates virtually every aspect of our personal and professional lives. Yet people and organizations are slow to acknowledge potential calamity and quick to believe that bad things always happen to the other guy.

For businesses, this flawed perception can be quite dangerous. In today's environment, which is marked by intensifying competition, increasing scrutiny, and growing threats, a frank and realistic assessment of the true risks a company faces is more important than ever.

Enter the chief audit executive (CAE). CAEs have a unique opportunity to make significant improvements in the efficiency and effectiveness of their organizations' risk-management initiatives. In previous columns, we've discussed the various roles of the Risk Intelligent CAE, such as keeping the organization's risk/reward picture in balance, incorporating risk-management activities into the internal audit function, and bridging silos to promote the sharing of information across organizational boundaries. All of which, in combination, can boost a company's risk-management capabilities.

This column addresses yet another critical role for the CAE: aligning risk assessment.

Aligning Risk Assessment

The traditional internal audit risk assessment starts with a blank sheet of paper as processes, systems, and individual entities are evaluated. In keeping with this typical approach, internal auditors audit those risks with the highest impact and probability of occurrence. Often, no distinction is made between inherent risk (the risk that exists before mitigation and controls are introduced) and residual risk (the risk that remains after mitigation and controls are implemented).

Furthermore, while vulnerability is certainly considered, too much weight is usually given to probability. Probability models work well when dealing with events that regularly occur, and for which reams of data have been compiled. But when dealing with more uncertain events—situations that have never occurred or perhaps can't even be imagined—probability should be subordinate to the notion of vulnerability.

Therefore, the risk intelligent enterprise adopts a different tack. In a risk intelligent organization, management also takes responsibility for:

  • Assessing inherent risks, including those that are high impact yet low probability.
  • Evaluating the effectiveness of existing risk mitigation and controls.
  • Determining residual risk.
  • Deciding whether the risk exposure is within the appetite of the enterprise and further mitigating the risk, if necessary.
  • Providing reasonable assurance to the board that the controls are both effective and efficient.

If the risk exposure is not within the corporate appetite, it's internal audit's responsibility to advise management on how risk mitigation and control might be improved.
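The five responsibilities above, and the point about not letting probability bury high-impact, low-probability items, are easy to get wrong in a spreadsheet. The following is an added illustration, not code from the article or its authors: a minimal risk register that scores inherent exposure, applies an assessed control effectiveness to get residual exposure, and compares the result with a stated appetite. The 1-to-5 ordinal scales, the 0-to-1 control-effectiveness factor, the `data_rich` switch that decides whether probability or vulnerability drives the score, the appetite threshold of 8 and the three sample risks are all assumptions made for the example; the article prescribes no particular scoring scheme.

```python
from dataclasses import dataclass

# Added example: a minimal risk register that scores inherent and residual
# exposure and compares residual exposure with a stated risk appetite.
# The 1-5 ordinal scales, the 0-1 control-effectiveness factor and the
# appetite threshold are assumptions for illustration; the article
# prescribes no particular scoring scheme.


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int                   # 1 (negligible) .. 5 (catastrophic)
    probability: int              # 1 (rare) .. 5 (almost certain)
    vulnerability: int            # 1 (well defended) .. 5 (fully exposed)
    control_effectiveness: float  # 0.0 (no mitigation) .. 1.0 (fully mitigated)
    data_rich: bool               # True when the event recurs and has a loss history

    def __post_init__(self):
        for field in ("impact", "probability", "vulnerability"):
            value = getattr(self, field)
            if not 1 <= value <= 5:
                raise ValueError(f"{self.name}: {field} must be 1..5, got {value}")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.name}: control_effectiveness must be 0..1")


def traditional_score(r: Risk) -> int:
    """Impact x probability: the blank-sheet ranking the article criticises."""
    return r.impact * r.probability


def inherent_score(r: Risk) -> int:
    """Risk before controls. Probability drives the score only where a loss
    history supports it; for rare or novel events vulnerability takes
    precedence, so a high-impact, low-probability item is not scored away."""
    likelihood = r.probability if r.data_rich else max(r.probability, r.vulnerability)
    return r.impact * likelihood


def residual_score(r: Risk) -> float:
    """Risk remaining after the assessed effectiveness of existing controls."""
    return round(inherent_score(r) * (1.0 - r.control_effectiveness), 2)


def assess(risks, appetite: float) -> list:
    """One record per risk, flagging items outside appetite and items that a
    purely probability-weighted ranking would have under-scored."""
    report = []
    for r in risks:
        inherent = inherent_score(r)
        residual = residual_score(r)
        report.append({
            "name": r.name,
            "inherent": inherent,
            "residual": residual,
            "within_appetite": residual <= appetite,
            "underweighted_by_probability": inherent > traditional_score(r),
        })
    # Highest residual exposure first: the order in which audit should look at them.
    return sorted(report, key=lambda rec: rec["residual"], reverse=True)


def needs_further_mitigation(report) -> list:
    """Names of risks whose residual exposure exceeds the appetite."""
    return [rec["name"] for rec in report if not rec["within_appetite"]]


# Constructed sample register (illustrative values, not real data).
SAMPLE_RISKS = [
    Risk("Invoice fraud", impact=3, probability=4, vulnerability=3,
         control_effectiveness=0.5, data_rich=True),
    Risk("Sole-source supplier insolvency", impact=5, probability=1, vulnerability=4,
         control_effectiveness=0.25, data_rich=False),
    Risk("Payroll data breach", impact=4, probability=2, vulnerability=5,
         control_effectiveness=0.8, data_rich=False),
]
RISK_APPETITE = 8  # assumed board-approved ceiling on residual score


if __name__ == "__main__":
    report = assess(SAMPLE_RISKS, RISK_APPETITE)
    for rec in report:
        print(rec)
    print("Needs further mitigation:", needs_further_mitigation(report))
```

In the sample register the supplier-insolvency item scores only 5 under impact times probability and would sit near the bottom of a traditional audit plan; scored on vulnerability it is the one item still outside appetite after controls, which is exactly the case the article says internal audit should be advising management on.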

Value-Added Risk-Assessment Activities

In addition, the risk intelligent CAE can lead a number of value-added risk assessment activities. These include providing reassurance to management and the board that:

  • Key risks that affect both value preservation and value creation have been identified.
  • Different scenarios have been assessed and stress-tested.
  • Inherent versus residual risk has been reliably assessed.
  • Residual risk appears to be within the risk appetite of the company.
  • Controls are both effective and efficient.
  • Management's reports can be relied on.

What's Your Risk Intelligence Quotient?

To determine if their current risk-assessment models are risk intelligent, CAEs should ask themselves the following questions:

  • Are we speaking the language of management?
  • Are we assessing risks to future growth or are we focused exclusively on the protection of existing assets?
  • Are we assessing risks in isolation or are we looking at how these risks may interact and cascade?
  • Is there a uniform framework to align the various risk specializations regarding governance, risk, and compliance assessments, which will allow us to reduce the cost burden on the business?
  • Do existing risk assessments reliably and adequately assess inherent and residual risk exposures?
  • Do we have the means to assess whether residual exposures are within the risk appetite of the company?
  • Is there a robust risk-mitigation process?

CAEs can play a unique and important role in the risk intelligent enterprise. While recognizing that management and the board are responsible and accountable for risk, CAEs should provide both guidance and reassurance that risk is being properly and efficiently managed.

The authors of this article are Mark Layton and Neil M. Brown.


Friday, December 19, 2008

Enterprise Risk Management's Components

Enterprise risk management has eight interrelated components. They are derived from the way management runs an enterprise and are integrated with the management process. These components are:

Internal Environment

The internal environment encompasses the tone of an organization and sets the basis for how risk is viewed and addressed by an entity's people, including the risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

Objective Setting

Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has a process in place to set objectives, and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.

Event Identification

Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.

Risk Assessment

Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on both an inherent and a residual basis.

Risk Response

Management selects risk responses (avoiding, accepting, reducing, or sharing risk) and develops a set of actions to align risks with the entity's risk tolerances and risk appetite.

Control Activities

Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.

Information & Communication

Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.

Monitoring

The entirety of enterprise risk management is monitored and modifications are made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

Tuesday, March 18, 2008

Enterprise Risk Management Framework

Two important ERM frameworks are COSO and RIMS. Each describes an approach for identifying, analyzing, responding to, and monitoring risks or opportunities, within the internal and external environment facing the enterprise. Management selects a risk response strategy for specific risks identified and analyzed, which may include:

  1. Avoidance: exiting the activities giving rise to risk
  2. Reduction: taking action to reduce the likelihood or impact related to the risk
  3. Share or insure: transferring or sharing a portion of the risk, to reduce it
  4. Accept: no action is taken, due to a cost/benefit decision

Monitoring is typically performed by management as part of its internal control activities, such as review of analytical reports or management committee meetings with relevant experts, to understand how the risk response strategy is working and whether the objectives are being achieved.

COSO ERM framework:

The COSO "Enterprise Risk Management-Integrated Framework" published in 2004 defines ERM as: "A process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

The COSO ERM Framework has eight components and four objective categories. It is an expansion of the COSO Internal Control - Integrated Framework published in 1992 and amended in 1994. The eight components are listed below; Objective Setting, Event Identification and Risk Response are the components added beyond the original internal control framework (Internal Environment corresponds to the earlier Control Environment):

  • Internal Environment
  • Objective Setting
  • Event Identification
  • Risk Assessment
  • Risk Response
  • Control Activities
  • Information and Communication
  • Monitoring

The four objective categories are listed below; Strategic is the category added beyond the original internal control framework:

  • Strategic - high-level goals, aligned with and supporting the organization's mission
  • Operations - effective and efficient use of resources
  • Reporting - reliability of the entity's internal and external reporting
  • Compliance - compliance with applicable laws and regulations

RIMS risk maturity model for enterprise risk management:

Enterprise risk management (ERM) as defined by the Risk and Insurance Management Society (RIMS) is the culture, processes and tools to identify strategic opportunities and reduce uncertainty. ERM is a comprehensive view of risk from both operational and strategic perspectives and is a process that supports the reduction of uncertainty and promotes the exploitation of opportunities.

According to the RIMS Risk Maturity Model for ERM, the following seven core competencies, or attributes, measure how well enterprise risk management is embraced by management and ingrained within the organization. A maturity level is determined for each attribute and ERM maturity is determined by the weakest link.

1. ERM-based approach - Degree of executive support for an ERM-based approach within the corporate culture. This goes beyond regulatory compliance across all processes, functions, business lines, roles and geographies. Degree of integration, communication and coordination of internal audit, information technology, compliance, control and risk management.

2. ERM process management - Degree of weaving the ERM Process into business processes and using ERM Process steps to identify, assess, evaluate, mitigate and monitor. Degree of incorporating qualitative methods supported by quantitative methods, analysis, tools.

3. Risk appetite management – Degree of understanding of the risk-reward tradeoffs within the business. Accountability within leadership and policy to guide decision-making and close gaps between perceived and actual risk. Risk appetite defines the boundary of acceptable risk, and risk tolerance defines the variation around that boundary that management deems acceptable.

4. Root cause discipline - Degree of discipline applied to measuring a problem's root cause and binding events to their process sources, in order to drive the reduction of uncertainty, the collection of information, and the measurement of control effectiveness. The degree of risk arising from people, the external environment, systems, processes and relationships is explored.

5. Uncovering risks - Degree of quality and depth of coverage of risk assessment activities in documenting risks and opportunities. Degree to which knowledge is collected from employee expertise, databases and other electronic files (such as Microsoft® Word, Excel®, etc.) to uncover dependencies and correlations across the enterprise.

6. Performance management - Degree of executing vision and strategy, working from financial, customer, business process and learning and growth perspectives, such as Kaplan’s balanced scorecard, or similar approach. Degree of exposure to uncertainty, or potential deviations from plans or expectations.

7. Business resiliency and sustainability – Extent to which the ERM Process’s sustainability aspects are integrated into operational planning. This includes evaluating how planning supports resiliency and value. The degree of ownership and planning beyond recovering technology platforms. Examples include vendor and distribution dependencies, supply chain disruptions, dramatic market pricing changes, cash flow volatility, business liquidity, etc.