Standard for Assessing the Organization’s Risk Maturity by David Currie, CPA, CIA, CISA at assurance.consultant@yahoo.com
| | Risk Naive | Risk Aware | Risk Defined | Risk Managed | Risk Enabled | Test of Process |
|---|---|---|---|---|---|---|
| Characteristics | No formal approach developed for risk management | Scattered silo based approach to risk management | Strategy and policies in place and communicated. Risk appetite defined | Enterprise approach to risk management developed and communicated | Risk management and internal controls fully embedded into the operations | |
| Process | | | | | | |
| Objectives are defined. | Possibly | Yes, may not have consistent approach throughout the organization. | Yes | Yes | Yes | Obtain the objectives and determine if they are approved by board and communicated to staff. Review for consistency with objectives. |
| Management has been trained to understand what risks are and their responsibility for managing them. | No | Some but limited. | Yes | Yes | Yes | Interview managers to confirm their understanding of risk and the extent to which they manage it. |
| A scoring system for assessing risks has been defined. | No | No consistent approach | Yes | Yes | Yes | Check the scoring system defined has been approved, communicated and is being used. |
| The risk appetite of the organization has been defined in terms of the scoring system. | No | No | Yes | Yes | Yes | Review the documentation of how the risk appetite has been approved. Ensure it is consistent with the scoring system and has been communicated. |
| Risk identification processes have been defined and are being followed. | No | No | Yes, but may not apply to the whole organization. | Yes | Yes | Examine processes to ensure they are sufficient for identification of all significant risks. |
| Risks are listed in a risk register and assigned to management. | No | Incomplete list may exist | Yes, but not for whole organization | Yes | Yes | Review risk register for completeness and assignment to managers. |
| Responses to manage risks have been selected and implemented. | No | Some responses identified | Yes, but may not apply to the whole organization | Yes | Yes | Examine the risk register to ensure appropriate responses have been identified. |
| Management has a process for monitoring key processes, responses and action plans. | No | Some monitoring controls | Yes, but may not apply to the whole organization | Yes | Yes | Select a sample of processes and responses and ensure management would know if they were not working or if actions were not implemented. |
| Management reports risks to the board where risk responses have not managed the risks to an acceptable level (risk appetite). | No | No | Yes, but no formal process is in place | Yes | Yes | Obtain documentation of the board being advised on risks above the risk appetite. |
| All significant new projects are assessed for risk. | No | No | Most projects are risk assessed | Yes | Yes | Examine project proposals for an analysis of risks that may threaten them. |
| Responsibility for assessment and management of risk is included in job descriptions. | No | No | Limited | Most job descriptions | Yes | Review job descriptions. |
| Managers provide assurance on the effectiveness of their risk management and are assessed on their risk management performance. | No | No | No | Some managers | Yes | Review assurance provided and, for key risks, check that controls are managing them. Examine a sample of performance appraisals for evidence that risk management is being properly assessed. |
| Internal Audit’s approach | Promote risk management and rely on alternative audit planning method | Promote enterprise-wide risk management approach and rely on alternative audit planning method | Facilitate risk management and use management’s assessment of risk where appropriate | Audit risk management processes and use management’s assessment of risk where appropriate | Audit risk management processes and use management’s assessment of risk where appropriate | |
Example of Key Concepts:
• The Chief Executive Officer is ultimately responsible for the organization’s risk management capabilities.
• The board provides oversight and should ensure it is apprised of the most significant risks, along with the actions management is taking and how it is ensuring effective enterprise risk management.
• Everyone in the organization has some responsibility for enterprise risk management.
• Management identifies events that will affect the organization. For example, the acquisition of one Bank by another Bank.
• The organization’s risk appetite (e.g., the broad-based amount of risk an organization is willing to accept in pursuit of its mission) is defined (e.g., high, moderate, low) by management and approved by the board. It serves as a guidepost in strategy setting and selection of related objectives at the entity level and represents the amount of risk an entity is willing to accept in pursuit of value. Management considers it when aligning the organization, its people, and its processes. For example, management has decided that the Bank’s Adjusted Tangible Book Value on the closing date should equal or exceed $330 MM (i.e., the Bank’s risk appetite has been defined).
• Risk tolerance is the acceptable level of variation relative to the achievement of a specific objective. Operating managers can use risk tolerance to determine what performance measures are required to ensure actual results will be within the risk tolerance… Operating within risk tolerances provides management greater assurance that the entity remains within its risk appetite. For example, management may decide that the number of staff needed to provide for ordinary and usual business practices in order to help achieve the Bank’s objective is as follows:

| Staff | Target | Tolerance – Acceptable Range |
|---|---|---|
| 1. Overall Bank Staffing | 516 | departure of 40 non-key staff |
| 2. Credit Administration | 8 | departure of 1 non-key staff |
| 3. Commercial Bank | 14 | departure of 2 non-key staff |
| 4. Financial Centers | 233 | departure of 15 non-key staff |
• After risks have been identified, management determines how it will respond. Risk responses involve management assessing the effect on risk likelihood and impact as well as costs and benefits, and selecting a response that brings the residual risk (with controls) within the desired risk tolerance.
• Internal audit has performed its own assessment of risks facing the organization. It is tempting to take this assessment and start considering it as the organization’s risk register. If this happens, the risk maturity level of the organization will not develop as intended by management, as it is likely to indicate that internal audit is responsible for risk management.