Introduction To Risk Management Process

Risk Management is not so difficult with the right tools. This Introduction To Risk Management will get you started.

Published in: Business, Economy & Finance

1. Introduction to Risk Management Process
Prepared by: David Currie, CPA, CIA, CISA

Are You Ready for Risk Management?
Managers put assets at risk to achieve objectives. This is the essence of management, and this is the reason that understanding risk and the practice of risk management is a central issue for management today and tomorrow.
2. Table of Contents (page numbers refer to slides)
Are You Ready for Risk Management? ... 3
Keys to success in risk management ... 4
Steps in Risk Communication Planning
The 6-Step Risk Management Implementation Process
Characteristics that improve our organization's abilities to respond to risk
Managing risk in organizations means
Identification of Risks is the Key
Three Methods of Risk identification ... 5
Risk Measurement is the Hardest
Risk-Reward Model Graph: Plan for Control Systems ... 6
Using the Risk-Reward Model ... 7
The Effect of Time on the Model
Applying the Model ... 8
Risk Management Concepts ... 8, 9
How is an effective Internal Control System developed? ... 10
Transaction Risk ... 11
Reputation Risk
Strategic Risks
Developing a Risk-Reward Worksheet ... 12
Risk Management and Control ... 13
Examples of Areas with Potential Risks
A Three Step Risk Assessment Process ... 14
Risk Assessment Worksheet ... 15, 16
Completed Risk Assessment Worksheet ... 17
Information Security Risk Considerations for Systems and Applications ... 18-22
Threats and Vulnerabilities ... 22
Key Definitions ... 23, 24
Questions ... 25
3. Are You Ready for Risk Management?
Managers put assets at risk to achieve objectives. This simple truth should be enough for most senior managers to understand where expertise in risk management needs to be in the organization. Effective risk management depends on an enlightened management team that understands business risk. Effective risk management also depends on the manager's leadership approach (coactive, or doing it together, rather than reactive or proactive, which are solo leadership roles), as well as the manager's breadth and depth of experience, thinking style, and communication skills.

To self-assess whether your organization is ready for the new risk management, answer the following questions, using the scale 1 (Never), 3 (Sometimes) to 5 (Always) and the intermediate values. Leave blank if you do not know the answer:
1. Our management team discusses risk at staff and/or board meetings. (1 2 3 4 5)
2. Our management reports on major decisions refer to risks in those decisions. (1 2 3 4 5)
3. I consult others regarding risks on major projects (mark 1 if you do not have a formal risk management process). (1 2 3 4 5)
4. Risk management is a subject for discussion at our Audit Committee and our Board. (1 2 3 4 5)
5. Managers attend workshops (either in-house or public conferences) on risk management practice. (1 2 3 4 5)
6. We are not faced with many surprising difficulties. (1 2 3 4 5)
7. When one of my decisions turns out poorly, the management team tries to learn from this. (1 2 3 4 5)
8. I am provided with the tools I need to assess risk. (1 2 3 4 5)
9. My boss supports risk management. (1 2 3 4 5)
10. My risk management results are part of my personal performance rating. (1 2 3 4 5)

Scores less than 24: Work on building an appreciation for business risk.
Scores 24-36: Risk management is a part of your organization, but it needs your help to become a bigger part of the corporate governance culture.
Scores more than 36: Build on your success!
Look over the areas in which you scored 3 or below to see what steps you need to take.
4. Keys to success in risk management:
1. An active risk assessment process that focuses on thinking outside the box to identify potential risks to the organization. If you cannot identify it, you cannot manage it.
2. A management commitment, including sufficient funds, to deal with the risks that are identified. Management must invest funds in managing the organization for risk mitigation.
3. Continue to develop expertise in risk management. As organizations grow and evolve, management control systems need to evolve as well.

Steps in Risk Communication Planning:
1. Establish the Context (strategic, organizational, managerial, project).
2. Identify the Risks.
3. Analyze the Risks.
4. Assess and Prioritize the Risks.
5. Treat (manage) the Risks.

The 6-Step Risk Management Implementation Process:
1. Support of Senior Management.
2. Develop the Organizational Policy.
3. Communicate the Policy.
4. Manage Risks at the Organizational Level.
5. Manage Risks at the Program, Project and Team Level.
6. Monitor and Review.

Characteristics that improve our organization's abilities to respond to risk:
• The organization is a learning organization. That is, it actively seeks to monitor change in the environment and learn from it.
• The organization is process-centered. The focus is on serving the customer/constituent.
• The focus of the organization is on the present and future together; neither is sacrificed for the other.

Managing risk in organizations means:
• Active monitoring: ensuring the organization's sensitivity to detect risk.
• Agile systems: ensuring its flexibility to respond to risk.
• Adaptive learning: ensuring the capability of the organization's resources to mitigate risk.
• The key to the risk assessment process lies in the chain of goals and objectives that permeate the organization.

Identification of Risks is the Key
The key process in risk analysis is to identify all the sources of material risks which can affect all significant outputs. In times of rapid change, new sources of risk can emerge. Managers need to assess annually the environmental changes and any changes in the nature or mix of assets of the organization. The main problem is to generate enough ideas so that all reasonable and significant risks are discovered.
5. Three Methods of Risk Identification:
1. Environmental Assessment: Using the knowledge of the organization's operations, consider the probable changes in the environment to identify possible consequences. Examples of environments that should be considered are:
• Economic: Possible changes in the general economy affecting prices and employment levels.
• Constituents: Changes in constituent needs and wants as well as changes in the demographics of constituents to be served.
• Competition: Competition for resources, such as managerial talent and funds, from either the private sector or from within government.
• Technology: Changes in both demand and supply of technology and information and those effects on programs.
• Suppliers: Changes in the labor supply that may restrict or expand opportunities and options for operations.
• Government Regulation: Significant pending legislative agenda items with a probability of enactment and a material effect on operations.
• Physical: Changes in site, location, weather, terrain, and access that could materially affect operations.
2. Exposure Assessment: Using the knowledge of the organization's resources, consider the possible consequences to the assets based on:
• Size or Value.
• Type (Financial, Physical, Human, Intangible/Information Assets).
• Portability/Accessibility.
• Location.
3. Threat Scenarios: Defining the difficult-to-measure low-probability and high-consequence events such as natural disasters, sabotage, terrorism, and fraud. Narrative descriptions of the likely scenario of reactions to these types of events can help pinpoint flaws in the risk management system.

Risk Measurement is the Hardest
The measurement of risk remains a considerable problem. Although most practitioners use a blend of qualitative and quantitative approaches to risk evaluation, there are no simple methods that are generally accepted as models of risk measurement. At the end of the day, it is professional judgment that counts. Typically, risk management has been related to financial loss or fraud. It has also been associated with doing something wrong. As a result, there has been a preoccupation with administrative processes and controls, rather than outcomes and performance focused on rewards. Managing risk is a continuing activity and not just something done once a year. To be effective, risk management requires a systematic and logical approach as well as the availability of good quality information to individuals.
6. Risk-Reward Model Graph: Plan for Control Systems
The old planning adage goes something like this: when you are up to your armpits in alligators, it is hard to remember that your goal was to drain the swamp. Managers often spend so much time dealing with the significant risks in the short-term that they find it difficult to deal with risk in the long-term. While we focus on the plans for draining the swamp, the alligators will have a feast on us! On the other hand, if we do not devote resources to dredging the swamp, the alligators will never go away. How then can we discover the right mix of plans over time that will help our organization achieve its goals?

[Figure: Risk-Reward Model graph. Vertical axis: Reward (+) in the environment at the top, Risk (-) in the environment at the bottom. Horizontal axis: Time Line Continuum, with Short-term (0-1 year), Mid-term (2-3 years) and Long-term (4-5 years). Three curves are plotted: the Short-term Outlook Curve, the Mid-term Outlook Curve and the Long-term Outlook Curve. The Risk-Reward Area between the short-term and mid-term outlook curves represents the change from risk to reward.]
7. Using the Risk-Reward Model
Using a risk-reward model, we may help our planning and control systems to be more effective in supporting the organization's goals and objectives. See the Risk-Reward Model on page 6.

The first key concept in the model is that risk and reward are part of a continuum of variation. Risk is the potential of negative results (less than expected), and reward is the potential for positive results (greater than expected). Both are deviations from system plans. The ideal system would mitigate negative risks and take advantage of positive rewards. Managers who can develop effective controls and take advantage of the rewards are worth their weight in gold!

A second key concept is that the nature of risk and opportunity changes over time. In the short-term, risk is largely due to system variation: errors, omissions, delays, and fraud that prevent us from achieving our goals. In the short-term, these threats loom large to the organization. Rewards in the short-term appear small. There is not enough time to exploit fully the opportunities that may exist in the short-term. The cumulative effect is a strong negative potential outcome in the short-term. This short-term outlook may cause us to erect elaborate and costly control systems to mitigate short-term negative potential. Many of our internal control systems, growing out of a focus on current financial risk, deal mainly with this short-term negative potential. What is missing from our control systems are ways to deal with mid-term and long-term risks and rewards. If we look beyond short-term system variation risks (errors, omissions, delays, and fraud), we can identify risks that become apparent only in future periods. Such risks have to do with resource effectiveness in the mid-term and customer/constituent satisfaction in the long-term.

The Effect of Time on the Model
We know that different opportunities exist when we consider the effect of time. For example, resource effectiveness can be improved in the mid-term; however, in the short-term we do not have enough time to feel the effects of investment or conservation decisions. In the long-term, there are many opportunities with significant rewards. We should exploit these opportunities to the extent possible. If our planning outlook includes the mid-term viewpoint for two or three periods beyond the current accounting cycle, we have greater potential to take advantage of opportunities and more time for plans to mitigate risks to our assets. Instead of being overwhelmed by a negative risk potential in the short-term outlook, we should take a mid-term outlook that allows us to see the balance as either equal or slightly biased toward the positive opportunities. The short-term variation risks still exist. However, we have more time in the mid-term outlook to design controls to deal with these risks, so there is a closer balance of risk and opportunity in this period.

In the longer-term, we have more time to adjust our control system. Negative risk never completely disappears. Over the long-term, the effect of negative variation on the system diminishes considerably with vigilant management control systems. On the other hand, the number and value of opportunities grow significantly. The positive potential of new markets or new technology overwhelms the negative potential of system variation to create a large positive bias in the long run. Managers must plan, organize, direct, and control systems to reflect both risk and opportunity. Using the examples of overwhelming negative bias in the short-term, equal weighting in the mid-term, and overwhelming positive bias in the long-term, we have developed a series of curves to express the risks and rewards available to organizations over time. The risk-reward model plots the potential results from the action of risk and opportunity on the average organization, both positive and negative, over time. The area between the Short-term outlook curve and the Mid-term outlook curve represents the change in risk-reward. This Risk-Reward Area is an effective thinking model to plan control systems to deal with both risk and opportunity over multiple time horizons.
8. Applying the Model
The natural bias of many people is to think only of risk to the current business process (short-term outlook). With this short-term view, opportunity is rarely examined at all. The result will be a plan that is too heavily weighted to areas of the business with the greatest immediate risk. This may mean that areas such as planning, quality programs, and product development, which are not at immediate risk, receive little attention. Yet these areas may be areas of great potential rewards. Thus some consideration should be given to the mid-term outlook and long-term outlook that could increase the value of the business and improve the control systems. Business managers can be encouraged to develop controls that identify and take advantage of rewards or mitigate system variations over time. Using the risk-reward model provides managers a better focus on the relationship of time, control, and risk. This is the strategic thinking of senior management, and if managers are to support the goals of the organization, they need to learn to think like senior management.

Risk Management Concepts
Managers put assets at risk to achieve objectives. This is the essence of management, and this is the reason that understanding risk and the practice of risk management is a central issue for management today and tomorrow. The organization's purpose is to create value by interacting with its environment (customers, constituents, suppliers, technology, competition, economy, government, etc.). Value is created by the conversion of resources (human, financial, physical, and intangible assets) into goods and services that fulfill the needs of the organization's customers or constituents. Simply put, managers put assets at risk to achieve objectives. Risk management is the solution to the challenges of governing modern business. Managers should seek to understand the contingent liabilities and the possible rewards of strategic decisions and to share these insights with the senior management team.

The most common misconception about risk management is that there is some way to see the future. There is no crystal ball, magic matrix or special model that predicts the future. The future is unknowable in any detail. Managing risk is actually managing the organization: planning, organizing, directing, and controlling organization systems and resources to achieve objectives. Managing risk must come from within and act to change the organization and its response to changes in the environment. Rather than try to guess what risks will affect the organization, the organization should build in certain characteristics to improve its ability to respond to change.

Risk is a concept that describes uncertainty in achieving goals. Risk management's real value in predicting the future is the ability to think laterally about business decisions. Risk managers help pry the blinders off the managers. Risk management is a process of modifying operations and business decisions to respond to current and future states of the uncertain environment. That means that managers must change the way they manage and take responsibility for results. Risk management is a misleading phrase. Risk is never managed, since risk is a conceptual property. It is the organization that is managed in anticipation of the uncertainty characterized by risk. Given that the environment is always changing, sometimes quickly, sometimes slowly, the needs of customers (part of the environment) are at times part of that change. The challenge to the organization is managing the organization to continue fulfilling its purpose in the face of changing customer/constituent needs.

Some of the most effective risk management programs operate in a culture of collective accountability for producing results. The expectation is that risk managers will operate closely with other managers in ad hoc teams to improve the organization's business processes. A decade ago, risk management focused on the hard assets of the business: the financial and physical assets that appear on the balance sheet. The new risk management addresses both hard and soft assets.
9. The risks to soft assets such as human resources and intangibles are often more important to the company than the risks to the hard assets. As modern business becomes more knowledge-based, intangibles like information and the humans that create it and use it become more important than the computer or building that houses them. Reputation and trust, two of the most fragile assets of any business, may outweigh all that exists on the balance sheet.

Risk is the property that causes value to vary in uncertain ways. It is not the variation that is the source of risk. Managers can and do anticipate variation and deal effectively with it. The source of risk is the uncertainty of an unexpected change in the environment. The management of risk follows the assessment of risk, just as treatment follows diagnosis. To manage risk is the essence of management. Risk management principles need to be a part of everyone's job knowledge and practiced as part of the everyday job. Integration of risk management does not require uniform tools and methods; rather, integration of risk management into everyone's job requires a common understanding and commitment in principle to manage risk. Attempts to influence and control more than a few immediate factors are often quite expensive and the results can be unpredictable.

The relative value created by the organization varies as the needs of its customers change. Risk can mask the opportunity to create more value or threaten the value already being created. For example, a change takes place which is within the response capability of the organization, but the organization fails to respond (risk is not managed). Customers want one thing, but the organization keeps creating something else, and management wonders why demand is falling for its products and services.

Management control systems play an important part in the perception of risk. Strong controls give the impression that risk is minimized, when in fact only the consequences of the risks are minimized. There are no practical methods for making uncertain events more certain. One tool to achieve an effective management control system is structured planning. Through planning, managers anticipate the inherent risks in their activities and set up methods to mitigate the effects of these risks. The inherent risk of any activity is a function of the mix of assets and the nature of the activity. For example, a customer service operation has a degree of inherent business risk within the activity. The assets employed include:
• Physical assets (building, furnishings, computers, etc.)
• Financial assets (accounts receivable, interest, late fees, interchange fees, etc.)
• Human assets (customer service operator)
• Intangible assets (customer service policies and procedures, information, etc.)
The biggest inherent risk in a customer service operation is the loss of the customer that is represented by the financial assets. We can mitigate some of the business risk by access security to transactions and by installing effective policies and procedures. What the final asset mix might be in our customer service operation has a lot to do with which risks we want to mitigate and at what cost. For example, if we want to make every customer contact a public relations opportunity, then the automated voice response machine is probably less effective than a customer service operator.

Integrating risk assessment into all levels of planning and decision-making means that the model has to flow naturally from the strategic plan to the project level. Because it addresses both threats and opportunities, risk information is becoming an important part of decision-making at all levels of the organization.
10. How is an effective Internal Control System developed?
No specific internal control system is endorsed. However, the company's internal control system should be based on the complexity of its operations, and every effective control system should have the following:
• Control environment
• Risk assessment
• Control activities
• Accounting, information, and communication systems
• Self-assessment and monitoring

Control Environment
The control environment provides the structure and discipline needed to manage the control system.
Objective: Determine if the company's culture manifests the principles of strong internal controls.
1. Assess the effectiveness of the control environment. Consider:
   • The integrity, ethics and personnel
   • The organizational structure
   • Management's philosophy and operating style
   • External audit results
   • Personnel policies and procedures
   • Attention and direction provided by the Board of Directors and Committees.
2. Determine whether policies and procedures and appropriate conduct are communicated to all employees.
3. Determine if a process has been established to monitor compliance with internal control procedures and the code of conduct.
Conclusion: The control environment is (strong, satisfactory, or weak).

Risk Assessment
Risk assessment is the identification and analysis of risks, both internal and external. Risks must be assessed because they can prevent the company from achieving its objectives. Assessment helps determine what the risks are, how they should be managed, and what controls are needed.
Objective: Determine if the company's system of internal control is appropriate for the type and level of risks for activities undertaken.
1. Evaluate the plan to respond to existing and emerging risk areas.
2. Determine if the company has the appropriate operational tools to safeguard assets and ensure the integrity of operational information, accounting data, and financial reports.
Conclusion: The risk assessment process is (strong, satisfactory, or weak).

Quality of Risk Management
Overall Conclusion: The quality of risk management, as reflected in the overall system of internal controls, is (strong, satisfactory, or weak). An integrated approach to risk management is expected, to identify, measure and manage risks. The nine categories of risk for bank supervision purposes are: credit, compliance, foreign exchange, interest rate, liquidity, price, strategic, reputation, and transaction risk.
11. Transaction Risk
Transaction risk is the risk to earnings or capital arising from problems with service or product delivery. This risk is a function of internal controls, information systems, employee integrity, and operating processes. Transaction risk exists in all products and services. Technology can give rise to transaction risk in many ways. Transaction risk often results from deficiencies in system design, implementation, or ongoing maintenance of systems or equipment. For example, incompatible internal and external systems and incompatible equipment and software expose the company to transaction risk. Transaction risk can increase when a bank hires outside contractors to design products, services, delivery channels, and processes that do not fit with the company's systems or customer demands. Similarly, when a bank uses vendors to perform core bank functions, such as loan underwriting and credit scoring, and does not have adequate controls in place to monitor the activities of those vendors, transaction risk may increase. Also, when banks merge with other banks or acquire new businesses, the company's combined computer systems may produce inaccurate or incomplete information or otherwise fail to work properly. The failure to establish adequate security measures, contingency plans, testing, and auditing standards also increases transaction risk.

Reputation Risk
Reputation risk is the risk to earnings or capital arising from negative public opinion. This affects our ability to establish new relationships or services, or to continue servicing existing relationships. This risk can expose the institution to litigation, financial loss, or damage to its reputation. Reputation risk exposure is present throughout the organization and is why the company has the responsibility to exercise an abundance of caution in dealing with its customers and community. This risk is present in activities such as asset management and agency transactions. Reputation risk arises whenever technology-based banking products, services, delivery channels, or processes may generate adverse public opinion such that it seriously affects our earnings or impairs capital. Examples may include: flawed security systems that significantly compromise customer privacy; inadequate contingency and business resumption plans that affect our ability to maintain or resume operations and to provide customer services following system failures; fraud that fundamentally undermines public trust; and large-scale litigation that exposes us to significant liability and results in severe damage to our reputation. Adverse public opinion may create a lasting, negative public image of overall bank operations and thus impair a company's ability to establish and maintain customer and business relationships.

Strategic Risk
Strategic risk is the risk to earnings or capital arising from adverse business decisions or improper implementation of those decisions. This risk is a function of the compatibility of an organization's strategic goals, the business strategies developed to achieve those goals, the resources deployed against these goals, and the quality of implementation. The resources needed to carry out business strategies are both tangible and intangible. They include communication channels, operating systems, delivery networks, and managerial capacities and capabilities. In seeking ways to check strategic risk, the company should consider its overall business environment, including: the knowledge and skills of senior management and technical staff; its existing and planned resources; its ability to understand and support its technologies; the activities and plans of suppliers of technology and their ability to support the technology; and the anticipated life cycle of technology-related products and services.
12. Developing a Risk-Reward Worksheet
In order to take the mystery out of the risk assessment process, the risks that each operating area is facing should be identified in straightforward language. These identified risks can be recorded on a Risk-Reward Worksheet for that operational area. For each risk identified, questions regarding the controls in place to manage the exposure can be answered. This process is the essence of risk assessment. This process is a dramatic change from our current method. For example, in this scenario the dialogue may go like this: "Here are some identified risks for your area. What controls do you have in place to manage them? ... Do you need help in designing additional controls to limit these risks?"

Operating managers are responsible for reviewing their own operations and determining if and how they respond to identified risks and rewards. This imparts operating management with ownership of control issues. As operating managers and staff gain an understanding and appreciation of the risks that are inherent in their operation, they acquire an ownership interest in the control process. In the future, because the control procedures in place will have been identified and evaluated as to how well they limit risk exposures, the corporate auditors should change their paradigm and work with operations to solve problems and document improvement opportunities. A Strategic Risk and Reward Worksheet is useful and can be developed. Worksheets for transaction, reputation, interest rate, liquidity, credit and compliance risks can be developed in a similar manner.
13. Risk Management and Control
What is the difference between Risk Management and Control? Risk Management processes are put in place by management to identify, evaluate, and respond to potential risks that may impact the achievement of the organization's objectives. Control processes are the policies, procedures and activities that are part of our control framework designed to ensure risks are within the tolerable range established by the risk management process.

Examples of Areas with Potential Risks
Credit Card Issuer functions:
• Cardholder applications
• Application underwriting and credit scoring
• Account issuing and set-up
• Plastic production and security
• Account billing, payment processing, and cardholder servicing
• Over-limit and excess usage
• Account authorization
• Collections
• Bankruptcies and chargeoffs
• Fraudulent transactions
• Cardholder chargebacks
• Cardholder information security
• Settlement obligations
• Compliance/legal laws and rules
Acquiring bank functions:
• Merchant application and site inspection
• Merchant acquisition
• Structure of merchant agreements
• Merchant pricing
• New merchant set-up
• Merchant deposit monitoring
• Periodic review of merchant accounts
• Handling of merchant chargebacks
• Cardholder information security
• Settlement obligations
• Compliance/legal laws and rules
Third-party relationships:
• Due diligence process for identifying and evaluating risks associated with conducting business with each party
• Contractual provisions
• Contingency plans
• Cardholder information security
14. A Three Step Risk Assessment Process
Risk is the probability that an event or action may adversely affect the organization. The risk assessment process includes identification of activities and the risk factors and assessment of their relative risk significance. The effects of risk can involve:
• An erroneous decision using incorrect, untimely, incomplete, or otherwise unreliable information.
• Erroneous record keeping, inappropriate accounting, financial loss and exposure.
• Failure to adequately safeguard assets.
• Customer dissatisfaction, negative publicity, and damage to the organization's reputation.
• Failure to adhere to organizational policies, plans, and procedures, or not complying with relevant laws and regulations.
• Overpaying for resources or using them inefficiently.
• Failure to accomplish established objectives and goals.

The first phase of the risk assessment process is to identify and catalog activities to be considered. Activities consist of subjects, operations, units, or systems that can be defined and evaluated. Activities may include:
• Policies, procedures and practices
• Cost centers and profit centers
• GL account balances
• Information systems (manual and computerized)
• Major contracts and programs
• Organizational units as product or service lines
• Functions such as electronic data processing, purchasing, marketing, payment processing, accounting, human resources, etc.
• Transaction systems for activities such as FDR processing, collections and recovery, payroll, inventory, and capital assets.
• Financial statements
• Laws and regulations

The second phase of the risk assessment process is to choose risk factors (criteria) used to identify the likelihood that an activity may adversely affect the organization. Risk factors may include:
• Automated and/or manual controls
• Ethical climate and pressure on management to meet objectives
• Quality of personnel
• Asset size, liquidity or transaction volume
• Financial and economic conditions
• Impact of customers, vendors and regulations
• Degree of computerized information systems
• Adequacy and effectiveness of internal control
• Organizational, operational or technological changes

The third phase of the risk assessment process is to weight the risk factors. The weight given to a risk factor is a matter of professional judgment. This weighting of risk factors allows for an assessment of relative risks for the activities identified. See the attached Risk Assessment Worksheet and Example.
15. Risk Assessment Worksheet

Area: ____________________    Analyzed by: ______________    Date: __________________

For each risk factor, enter its Significance Ranking (1-11), select the Descriptive Value (0-5) that best describes the activity, and record the Extended Value (Significance Ranking x Descriptive Value) together with any comments.

Significance      Risk Factor and Descriptive Value                     Extended    Comments
Ranking (1-11)                                                          Value

_____   1. Automated Controls                                            ______
           a. Controls are nonexistent                          5
           b. Controls are known to be weak                     4
           c. Controls thought to be weak                       3
           d. Controls adequate / no basis                      2
           e. Controls appear strong                            1
           f. Not applicable                                    0

_____   2. Manual Controls                                               ______
           a. Controls are nonexistent                          5
           b. Controls are known to be weak                     4
           c. Controls thought to be weak                       3
           d. Controls adequate / no basis                      2
           e. Controls appear strong                            1
           f. Not applicable                                    0

_____   3. Flow of Funds                                                 ______
           a. Substantial inflow or outflow                     5
           b. Large inflow or outflow                           4
           c. Moderate inflow or outflow                        3
           d. Low inflow or outflow                             2
           e. Small or no flow                                  1
           f. Not applicable                                    0

_____   4. Asset Liquidity                                               ______
           a. Asset substantial / very liquid                   5
           b. Asset large / very liquid                         4
           c. Asset moderate and liquid                         3
           d. Asset low and nonliquid                           2
           e. Asset small and nonliquid                         1
           f. Not applicable                                    0

_____   5. Account Reconciliations                                       ______
           a. High volume / large unidentified items            5
           b. High volume / stale items                         4
           c. Low volume / large unidentified items             3
           d. Low volume / stale items                          2
           e. Volume change                                     1
           f. Not applicable                                    0
16. Risk Assessment Worksheet (continued)

_____   6. Management Interest                                           ______
           a. Strong interest or request                        5
           b. Moderate interest                                 4
           c. No basis for assessing                            3
           d. Low interest                                      2
           e. No interest                                       1
           f. Not applicable                                    0

_____   7. Operations Complexity                                         ______
           a. High and/or 3 system interfaces                   5
           b. High with limited interface                       4
           c. Medium with limited interface                     3
           d. Medium with no interface                          2
           e. Low with limited interface                        1
           f. Not applicable                                    0

_____   8. Administration                                                ______
           a. Low priority on controls                          5
           b. Average                                           4
           c. Capable                                           3
           d. Experienced                                       2
           e. Capable and experienced                           1
           f. Not applicable                                    0

_____   9. Procedural Certification                                      ______
           a. Major items reported                              5
           b. Not reporting                                     4
           c. Minor items reported                              3
           d. Late reporting                                    2
           e. No items reported                                 1
           f. Not applicable                                    0

_____  10. Last Audit Results                                            ______
           a. Never been reviewed                               5
           b. Not recently reviewed                             4
           c. Briefly reviewed                                  3
           d. Consistently reviewed                             2
           e. Consistently and in depth                         1
           f. Not applicable                                    0

_____  11. System Changes, Procedures, etc.                              ______
           a. Major changes (within 6 months)                   5
           b. Large changes (within 6 months)                   4
           c. Moderate changes (within 6 months)                3
           d. Limited changes (within 6 months)                 2
           e. No changes recently                               1
17. Completed Risk Assessment Worksheet Example

Activity: Planning Committee and oversight activities

Risk Factor                  Significance     Descriptive     Extended
                             Ranking          Value           Value
Automated Control                10       x       2       =      20
Manual Control                    5       x       2       =      10
Funds Flow (Volume)               8       x       5       =      40
Asset Liquidity                   6       x       5       =      30
Account Reconciliation            2       x       2       =       4
Management Interest               9       x       5       =      45
Operational Complexity            7       x       5       =      35
Administration                    3       x       1       =       3
Procedural Certification          1       x       0       =       0
Last Audit Results                4       x       4       =      16
Systems Changes                  11       x       5       =      55
Totals                           66                             258

Relative Risk = 258 / 66 = 3.91

Note: The relative risk of 3.91 is the significance-weighted average of the descriptive values, so it lies on the same 0-5 scale as the descriptive values themselves. Because the eleven factors are ranked 1 through 11 with each rank used once, the significance total is always 66, and the score allows this activity to be compared with any other activity assessed on the same worksheet on the basis of relative importance.
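The worksheet arithmetic above is small enough to do by hand for one activity, but the point of the relative risk score is to rank many activities against each other on a consistent basis. The following is an added example, not part of the original slides, that scores completed worksheets the way the example does (total extended value divided by total significance), validates that the rankings really are 1 through 11 used once each, and ranks activities. It also adds one option the worksheet does not have: excluding factors scored 0 ("not applicable") from the denominator, since leaving them in pulls the average down. The "Planning Committee" row reproduces the slide; the second activity, its name, and its values are constructed sample data.

```python
"""Relative-risk scoring for the Risk Assessment Worksheet (added example)."""
from dataclasses import dataclass

# Worksheet risk factors in worksheet order (items 1-11).
FACTORS = (
    "Automated Controls", "Manual Controls", "Flow of Funds", "Asset Liquidity",
    "Account Reconciliations", "Management Interest", "Operations Complexity",
    "Administration", "Procedural Certification", "Last Audit Results",
    "System Changes",
)
NOT_APPLICABLE = 0  # descriptive value the worksheet assigns to "not applicable"


@dataclass
class Worksheet:
    """One completed worksheet: a significance rank and a descriptive value per factor."""
    activity: str
    significance: dict   # factor -> significance ranking, 1..11, each used once
    descriptive: dict    # factor -> descriptive value, 0..5

    def validate(self) -> None:
        # Every factor must be ranked and scored; ranks must be a permutation of
        # 1..11; descriptive values must stay on the worksheet's 0..5 scale.
        if set(self.significance) != set(FACTORS) or set(self.descriptive) != set(FACTORS):
            raise ValueError(f"{self.activity}: every worksheet factor needs a rank and a value")
        if sorted(self.significance.values()) != list(range(1, len(FACTORS) + 1)):
            raise ValueError(f"{self.activity}: significance rankings must use 1..{len(FACTORS)} once each")
        if any(not 0 <= v <= 5 for v in self.descriptive.values()):
            raise ValueError(f"{self.activity}: descriptive values must be 0..5")

    def extended_values(self) -> dict:
        """Extended Value column: significance ranking x descriptive value."""
        return {f: self.significance[f] * self.descriptive[f] for f in FACTORS}

    def relative_risk(self, exclude_not_applicable: bool = False) -> float:
        """Relative risk = total extended value / total significance.

        exclude_not_applicable=True drops factors scored 0 from both numerator
        and denominator so they do not dilute the score.  This option is an
        addition; the worksheet itself keeps them in.
        """
        self.validate()
        factors = [f for f in FACTORS
                   if not (exclude_not_applicable and self.descriptive[f] == NOT_APPLICABLE)]
        weight = sum(self.significance[f] for f in factors)
        if weight == 0:
            raise ValueError(f"{self.activity}: no applicable factors to score")
        return sum(self.significance[f] * self.descriptive[f] for f in factors) / weight

    def not_applicable_factors(self) -> list:
        """Factors scored 0 whose significance rank still sits in the denominator."""
        return [f for f in FACTORS if self.descriptive[f] == NOT_APPLICABLE]


def rank_activities(worksheets, exclude_not_applicable: bool = False) -> list:
    """Return (activity, relative risk) pairs, highest relative risk first."""
    scored = [(w.activity, round(w.relative_risk(exclude_not_applicable), 2)) for w in worksheets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# The completed worksheet from the slides.
PLANNING = Worksheet(
    activity="Planning Committee and oversight activities",
    significance=dict(zip(FACTORS, (10, 5, 8, 6, 2, 9, 7, 3, 1, 4, 11))),
    descriptive=dict(zip(FACTORS, (2, 2, 5, 5, 2, 5, 5, 1, 0, 4, 5))),
)

# Constructed second activity for comparison (sample data, not from the slides):
# same significance ranking, weaker controls, lower funds flow, recently reviewed.
VENDOR_PAYMENTS = Worksheet(
    activity="Vendor payment processing (constructed example)",
    significance=dict(zip(FACTORS, (10, 5, 8, 6, 2, 9, 7, 3, 1, 4, 11))),
    descriptive=dict(zip(FACTORS, (4, 3, 3, 3, 4, 2, 4, 2, 3, 1, 2))),
)

if __name__ == "__main__":
    for w in (PLANNING, VENDOR_PAYMENTS):
        print(f"{w.activity}: relative risk {w.relative_risk():.2f}, "
              f"not applicable: {w.not_applicable_factors()}")
    print(rank_activities([PLANNING, VENDOR_PAYMENTS]))
```

For the slide's own activity the function returns 258 / 66 = 3.91; with the not-applicable factor (Procedural Certification, rank 1) excluded it becomes 258 / 65 = 3.97. The difference is small here because the excluded factor carries the lowest rank; a high-ranked factor marked not applicable would dilute the score far more, which is why the option is worth having when comparing activities with different numbers of applicable factors.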
18. Information Security Risk Considerations for Systems and Applications

Security Management: Management should ensure that the implementation of access control policies is based on the level of risk arising from access to programs and data. Consider the following points of potential risk:
* Are security requirements appropriately defined?
  - Identification of data owners
  - Risk analysis of systems and applications
* Are responsibilities for security administration appropriately defined?

System level access: Access to the computer system, programs, and data should be appropriately restricted. Consider the following points of potential risk:
* How is access restricted (e.g., security software)?
* What ensures the effectiveness of system password controls (e.g., unique user IDs, passwords)?
* What ensures that access granted to users and IT staff is commensurate with their job responsibilities? Consider the:
  - Live environment
  - Test environment
  - Development environment
* What ensures that access is changed on a timely basis when employees transfer or terminate?
* What periodic checks are carried out to confirm that employees' current access is commensurate with their job responsibilities?
* What ensures that users are restricted to their applications (e.g., preventing users from escaping from the application menus presented when they sign on to the system)?
* What ensures appropriate restriction of remote access (e.g., through networks or dial-up facilities)?
* How are transmissions over networks protected?

Application level access: Access to particular functions within applications (e.g., approving payment of vendors) should be appropriately restricted to ensure segregation of duties and prevent unauthorized activity. Consider the following points of potential risk:
* How is access restricted to appropriate functions within applications (e.g., application-based security)?
* What ensures the effectiveness of application password controls (e.g., unique user IDs, passwords)?
* What ensures that access is commensurate with job responsibilities?
* What ensures that access is changed on a timely basis when employees transfer or terminate?
* What periodic checks are carried out to confirm that employees' current access is commensurate with their job responsibilities?
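Three of the questions above (timely change of access on transfer or termination, periodic confirmation that access matches job responsibilities, and segregation of duties within an application) can be answered by the same recurring reconciliation: compare the HR roster against the accounts and entitlements actually in force. The following is an added example, not from the original slides, of such a periodic access review. The HR roster, the account export, the role-to-entitlement matrix, the conflicting function pair and the one-day grace period are constructed sample data and assumptions; real exports will have different field names.

```python
"""Periodic access review against HR status and job role (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Application functions each job role is entitled to (constructed matrix).
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"AP.VENDOR_CREATE", "AP.INVOICE_ENTRY"},
    "ap_manager": {"AP.PAYMENT_APPROVE", "AP.REPORTS"},
    "developer": {"DEV.DEPLOY_TEST", "DEV.SOURCE_READ"},
    "auditor": {"AP.REPORTS"},
}
# Function pairs one person must never hold together (segregation of duties).
SOD_CONFLICTS = {frozenset({"AP.VENDOR_CREATE", "AP.PAYMENT_APPROVE"})}
# Assumed grace period after a termination or transfer before the change is "late".
GRACE = timedelta(days=1)


@dataclass
class Employee:
    user_id: str
    role: str
    status: str              # "active" or "terminated"
    status_changed: date     # date of hire, last transfer, or termination


@dataclass
class Account:
    user_id: str
    enabled: bool
    entitlements: set


def review_access(roster, accounts, as_of):
    """Return (user_id, finding) tuples; an empty list means the review is clean."""
    findings = []
    by_user = {e.user_id: e for e in roster}
    for acct in accounts:
        emp = by_user.get(acct.user_id)
        if emp is None:
            # Nobody in HR owns this account: typical of leftover service or test IDs.
            findings.append((acct.user_id, "orphan account: no matching employee"))
            continue
        if emp.status == "terminated":
            if acct.enabled and as_of - emp.status_changed > GRACE:
                findings.append((acct.user_id, f"terminated {emp.status_changed}, account still enabled"))
            continue
        # Transfers: role changed but old entitlements were never removed.
        allowed = ROLE_ENTITLEMENTS.get(emp.role, set())
        excess = acct.entitlements - allowed
        if excess and as_of - emp.status_changed > GRACE:
            findings.append((acct.user_id, f"role {emp.role}: excess entitlements {sorted(excess)}"))
        # Segregation of duties, checked on what the user actually holds, not the role.
        for pair in SOD_CONFLICTS:
            if pair <= acct.entitlements:
                findings.append((acct.user_id, f"segregation of duties conflict: {sorted(pair)}"))
    return findings


# Constructed sample data: review dated 2024-03-15.
AS_OF = date(2024, 3, 15)
ROSTER = [
    Employee("alice", "ap_clerk", "active", date(2022, 1, 10)),
    Employee("bob", "ap_manager", "active", date(2024, 3, 1)),    # transferred from ap_clerk
    Employee("carol", "developer", "terminated", date(2024, 3, 1)),
    Employee("dave", "auditor", "active", date(2023, 6, 5)),
]
ACCOUNTS = [
    Account("alice", True, {"AP.VENDOR_CREATE", "AP.INVOICE_ENTRY"}),
    Account("bob", True, {"AP.VENDOR_CREATE", "AP.PAYMENT_APPROVE", "AP.REPORTS"}),  # kept clerk rights
    Account("carol", True, {"DEV.DEPLOY_TEST", "DEV.SOURCE_READ"}),
    Account("dave", True, {"AP.REPORTS"}),
    Account("svc_legacy", True, {"AP.REPORTS"}),
]

if __name__ == "__main__":
    for user, finding in review_access(ROSTER, ACCOUNTS, AS_OF):
        print(f"{user}: {finding}")
```

On the sample data the review produces four findings: Bob's transfer left him with the clerk's vendor-creation right, which together with payment approval is a segregation-of-duties conflict; Carol's account is still enabled two weeks after termination; and svc_legacy has no owner in HR. Alice and Dave are clean. Running the same check after every HR feed, rather than once a year, is what turns the "periodic check" question into a control that detects late removals within the grace period.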
19. Physical access: Physical access to computer facilities and data should be appropriately restricted. Consider the following points of potential risk:
* Is access restricted to the following:
  - File and communication servers
  - The computer room
  - Off-line data storage (e.g., tapes/cartridges)?
* How is report distribution controlled?

External network connections: External network connections should be used for valid business purposes only, and controls should be in place to prevent these connections from undermining system security. Consider the following points of potential risk:
* To what extent has management defined the business rationale for external network connections (e.g., Internet)?
* To what extent has management outside the IT function supported the overall direction of the organization's use of external connections?
* What policies and procedures are in place to ensure the connections are used for the defined purposes only (e.g., filtering to allow specific protocols only)?
* What hardware and/or software tools are used to restrict access to appropriate uses only (e.g., firewalls)?
* What information does management receive on the use of external network connections?
* How adequate are the tools and procedures in place to ensure that attempted and actual access violations are identified?
* How adequate are the policies and procedures in place for handling files received across external network connections?
* How are changes to the configuration of external network connections controlled?

Changes to applications: Management should monitor the level of open requests for changes to applications, their priorities, and the satisfaction of users with the changes made. Consider the following points of potential risk:
* Does management review appropriate reports on application performance, including information on the following:
  - Changes made to applications
  - Application problems
  - Emergency fixes made
  - Application-related help desk calls
  - Backlog of requests from users for application changes?
* How does management obtain users' views on the functional and operational quality of applications?
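The external-connection questions above distinguish two things an auditor wants evidence of: that the defined business purpose has been turned into a filter (specific protocols only), and that both attempted and actual violations of it are identified. The following is an added example, not from the original slides, that checks firewall connection records against a per-connection policy. A denied record outside the policy is an attempted violation; a permitted record outside the policy is an actual violation, meaning the filter is not enforcing the defined purpose. The policy, the internal address range and the log lines are constructed, and the six-field log format is an assumption, not any vendor's format.

```python
"""Checking external-connection use against its defined purpose (added example)."""
import ipaddress
from collections import Counter

# Defined business purpose per external connection, as (protocol, destination port).
POLICY = {
    "internet": {("tcp", 443), ("tcp", 80), ("udp", 53)},
    "partner_vpn": {("tcp", 22), ("tcp", 1433)},   # assumed: file transfer and SQL replication
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")     # assumed internal address space

# Constructed records: "<connection> <action> <proto> <src> <dst> <dport>"
LOG = """\
internet ALLOW tcp 10.1.2.3 93.184.216.34 443
internet ALLOW udp 10.1.2.3 8.8.8.8 53
internet DENY tcp 198.51.100.7 10.1.2.3 3389
internet ALLOW tcp 10.1.2.9 203.0.113.5 6667
internet DENY tcp 198.51.100.7 10.1.2.3 22
partner_vpn ALLOW tcp 10.2.0.4 172.16.5.5 1433
partner_vpn ALLOW tcp 172.16.5.5 10.2.0.4 445
partner_vpn DENY udp 172.16.5.5 10.2.0.4 161
"""


def parse(line):
    """Split one constructed log line into a record dict."""
    conn, action, proto, src, dst, dport = line.split()
    return {"connection": conn, "action": action, "proto": proto,
            "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "dport": int(dport)}


def classify(rec):
    """None if within the connection's defined purpose, else 'attempted' or 'actual'."""
    allowed = POLICY.get(rec["connection"], set())
    if (rec["proto"], rec["dport"]) in allowed:
        return None
    # Denied means the filter did its job (attempted violation); permitted means it did not.
    return "attempted" if rec["action"] == "DENY" else "actual"


def review(log_text):
    """Return attempted and actual violations plus external sources denied more than once."""
    attempted, actual = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        verdict = classify(rec)
        if verdict == "attempted":
            attempted.append(rec)
        elif verdict == "actual":
            actual.append(rec)
    sources = Counter(str(r["src"]) for r in attempted if r["src"] not in INTERNAL)
    return {"attempted": attempted, "actual": actual,
            "repeat_sources": {s: n for s, n in sources.items() if n > 1}}


if __name__ == "__main__":
    result = review(LOG)
    for kind in ("attempted", "actual"):
        for r in result[kind]:
            print(f"{kind}: {r['connection']} {r['action']} {r['proto']}/{r['dport']} "
                  f"{r['src']} -> {r['dst']}")
    print("repeat external sources:", result["repeat_sources"])
```

On the sample records the two actual violations are the ones management most needs to see: an outbound IRC connection (tcp/6667) permitted on the Internet link, and inbound SMB (tcp/445) permitted across the partner VPN, neither of which is in the defined purpose. The denied RDP and SSH attempts from the same external address are attempted violations and are reported together as a repeat source. The same comparison, run against the current rule set rather than the log, answers the last question on the slide about controlling configuration changes.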
20. Project management: Project management should ensure appropriate control over the design and implementation of new applications. Consider the following points of potential risk:
* What ensures that all necessary steps are included in a project plan (e.g., use of a system development methodology)?
* What ensures effective monitoring of progress toward successful completion of the plan (e.g., project structure and reporting procedures)?
* What ensures that project managers are appropriately skilled?
* Are users appropriately involved in project management?

Testing of program changes: Program changes should be tested to ensure that they achieve the users' requirements and do not negatively impact existing processing. Consider the following points of potential risk:
* Are program changes (including new releases of packages) subject to appropriate testing by IT staff and users to ensure that they will function as intended in the live environment? (Significant changes should be dealt with in the same manner as new applications.) Consider:
  - How management ensures that the level of testing is appropriate to the risk involved in the application change
* What would prevent or detect unauthorized changes made after the completion of testing but before transfer to the live environment?

Selection of packaged software: Packages should be appropriately selected to achieve business and application control requirements (including access security). Consider the following points of potential risk:
* What ensures that the business and application control requirements are appropriately defined?
* Are senior management, users, and IT staff appropriately involved?
* What ensures that the package is appropriate for the computer hardware and operating environment?
* Is the package selected well known and widely used?
* Is customization of the package appropriately controlled? Consider:
  - The extent of customization
  - The definition of customization requirements

Testing of packaged software: Testing should ensure that the package selected achieves the necessary business and application control requirements. Consider the following points of potential risk:
* What ensures that the options selected and parameters set are appropriate to achieve business and application control requirements?
* Is appropriate testing carried out by IT staff and users to ensure that the package operates as intended in the live environment?
21. Transfer into the live environment: Software transfers into the live environment should be authorized and coordinated. Consider the following points of potential risk:
* What ensures that only properly tested, reviewed, and approved changes are transferred into the live environment?
* Where applications run at multiple sites, what ensures that all copies of live programs are updated?
* Where program changes are made in-house, what ensures that the source code used corresponds to the most recent version of the program?

Conversion of data: Data from the old application should be converted completely and accurately, without unauthorized changes. Consider the following points of potential risk:
* How is the conversion process controlled for the following:
  - Old transaction data (consider cutoff)
  - Standing data
  - Establishment of data not used by the old application?
* What ensures that appropriate testing of the converted data is carried out by users and IT staff?

User training and documentation: Users should be competent in the use of application functions and control features. Consider the following points of potential risk:
* Are users appropriately trained?
* Are users provided with appropriate documentation?
* Is user documentation available at implementation?

Backup: Up-to-date backups of programs and data should be available in emergencies. Consider the following points of potential risk:
* Are backup procedures appropriate for the following:
  - Data
  - Programs?
* Are backups stored in a secure location?
* What ensures that backup and recovery procedures will work when required?
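The question in the testing section about unauthorized changes made after testing but before transfer, and the transfer questions above about deploying only approved changes, keeping all site copies current and building from the latest source, share one control: bind the approval to the exact bytes that were tested, and refuse to transfer anything else. The following is an added example, not from the original slides, of that gate. At approval the tested artifact's SHA-256 and the source revision it was built from are recorded, and the record is authenticated with an HMAC so the record itself cannot be edited to match a substituted build; at transfer the hash is recomputed and compared, and a sweep compares every site's live copy to the approved hash. The key, artifact bytes, version, revision identifiers, approver and site names are constructed; a real deployment would keep the key in the release-approval system, not beside the deploy job.

```python
"""Gate on transfer into the live environment (added example)."""
import hashlib
import hmac
import json

APPROVAL_KEY = b"constructed-example-key-do-not-reuse"  # assumption: held by release approval


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _mac(record: dict, key: bytes) -> str:
    # Canonical JSON (sorted keys) so field order cannot change the MAC.
    body = json.dumps({k: v for k, v in record.items() if k != "mac"}, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def approve_release(artifact: bytes, version: str, source_revision: str,
                    approver: str, key: bytes = APPROVAL_KEY) -> dict:
    """Produce the approval record for the exact bytes that passed testing."""
    record = {"version": version, "sha256": sha256_hex(artifact),
              "source_revision": source_revision, "approver": approver}
    record["mac"] = _mac(record, key)
    return record


def verify_for_transfer(artifact: bytes, record: dict, latest_source_revision: str,
                        key: bytes = APPROVAL_KEY):
    """Return (ok, reason): transfer only an authentic, unchanged, current approved build."""
    if not hmac.compare_digest(record.get("mac", ""), _mac(record, key)):
        return False, "approval record is not authentic (MAC mismatch)"
    if not hmac.compare_digest(record["sha256"], sha256_hex(artifact)):
        return False, "artifact differs from the tested and approved build"
    if record["source_revision"] != latest_source_revision:
        return False, (f"approved build is from {record['source_revision']}, "
                       f"not latest {latest_source_revision}")
    return True, "approved build, unchanged since testing"


def sweep_sites(live_copies: dict, record: dict) -> list:
    """Return the sites whose live copy does not match the approved artifact."""
    return sorted(site for site, data in live_copies.items()
                  if sha256_hex(data) != record["sha256"])


# Constructed artifacts: the tested build and a copy altered after testing.
TESTED_BUILD = b"payments-app v4.2.0 built from rev a1b2c3\n"
TAMPERED_BUILD = TESTED_BUILD.replace(b"built", b"built+patched")
APPROVAL = approve_release(TESTED_BUILD, "4.2.0", "a1b2c3", approver="change.board")

if __name__ == "__main__":
    print(verify_for_transfer(TESTED_BUILD, APPROVAL, "a1b2c3"))
    print(verify_for_transfer(TAMPERED_BUILD, APPROVAL, "a1b2c3"))
    print(sweep_sites({"site-a": TESTED_BUILD, "site-b": TAMPERED_BUILD}, APPROVAL))
```

The order of the checks matters: the MAC is verified before the hash is trusted, so an attacker who can alter both the artifact and the approval record still fails unless they also hold the approval key. The source-revision check is only as good as the identifier passed in; in practice that value should come from version control, not from the build being checked.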
22. Recovery from operational failures: There should be appropriate procedures to ensure that operational failures (e.g., disk drive problems, program abends, other emergencies) are identified, resolved in a timely manner, and, where appropriate, approved retrospectively by appropriate IT staff and users. Consider the following points of potential risk:
* Are there appropriate escalation procedures in place to resolve operational failures in a timely manner?
* Is there appropriate reporting of operational failures?
* How is the point of failure identified?
* What ensures that the underlying causes of operational failures are identified and addressed (as opposed to applying short-term fixes)?

Disaster recovery and business continuity planning: Disaster recovery and business continuity plans should be in place to cover all aspects of the IT function. Consider the following points of potential risk:
* How does management ensure that the business continuity plans are in place, current and adequately documented?
* How does management ensure that these plans have been tested?
* Has management assessed the requirements for vendor support of hardware and any packaged software (including system software)?
* What are the arrangements should the vendor become insolvent (e.g., access to source code held in escrow)?

Additional Threats and Vulnerabilities to Information:
* Outsiders gaining sight of print-outs and documents
* Disclosure by employees of sensitive information to outsiders
* Unauthorized entry into premises
* Unauthorized access to data by employees
* Unauthorized access to data by an external person
* Confidentiality problems with connected systems
* Interception of communication links
* Input errors
* Program errors
* Operator errors
* Manipulation or suppression of input documents
* Unauthorized modification of files
* Integrity problems with feeder systems
23. Key Definitions

Absolute Risk: Pure risk without the mitigating effects of internal controls.

Accepting Risk: A risk management technique that allows management to weigh the cost of managing the risk against the benefits of reducing the risk. Risk acceptance is a matter for the governance team of senior management and the Board. The amount of acceptable risk should be determined beforehand.

Control Risk: The tendency of the internal control system to lose effectiveness over time and to expose, or fail to prevent exposure of, the assets under control.

Cost/Benefit Analysis: A risk management tool used to make decisions about accepting risk or using some other risk management technique.

Delphi Technique: A collaborative technique for building consensus, involving independent analysis and voting by experts who are given full feedback on how their judgment compares with that of the rest of the group.

Diversify Risk: A risk management technique that seeks to spread the risk from a single task or asset across multiple tasks or assets so as to avoid losing everything at once.

Eliminating Risk: An unrealistic ideal akin to perfect control.

Exposure: The susceptibility to loss, perception of risk, or a threat to an asset or asset-producing process (physical, financial, human, intangible), usually quantified in dollars. An exposure is the total dollars at risk without regard to the probability of a negative event. It is a measure of importance.

Exposure Approach: The approach to risk assessment from the perspective of the four classes of assets and their size, type, portability, and location.

Inherent Risk: The risk found in the environment and in human activities that is part of existence.

Integrated Risk Management: The consideration of risk at all levels of the organization, from the strategic level to the day-to-day job of the customer-facing employee. Integrating risk management into internal auditing means adopting risk-based auditing and using risk management tools to plan internal audits.

Internal Control: All the means, tangible and intangible, that can be employed to ensure that established objectives are met. It should function as part of a system that provides feedback on how well the system is accomplishing its purpose or objectives.

Long-Term: The planning or time horizon that deals with events beyond the short-term and mid-term, typically from two to twenty years, though most often two to five or seven years.

Managed Risk: The risks and consequences remaining after the application of internal controls.

Paradigm: A view of how things work in the world. In risk scenarios or threat scenarios, paradigms are used to set the basic rules of how the world works so that solutions can be set within some boundaries.

Paradigm Shift: A significant change from one fundamental view to another.

Pervasive Risk: The type of risk found throughout the environment. The focus is on the environment of the business activity instead of the activity itself. Think of it as the corporate culture.
24. Planning Risk: The risk that the planning process is flawed. In risk assessment, it is the risk that the assessment process is inappropriate or improperly implemented.

Portfolio Risk: In risk analysis, the risk that a particular combination of projects, assets, units or other items in the portfolio will fail to meet the overall objectives of the portfolio because of a poor balance of risks within it.

Process Risk: The risk in a business process (as opposed to functional risk). The new risk paradigm for auditors focuses more on business processes and process risk.

Residual Risk: The risk remaining after risk management techniques or controls have been applied.

Risk: A measure of uncertainty. In a business process, the uncertainty is about the achievement of organizational objectives. Risk may involve positive or negative consequences, although positive risks are usually known as opportunities and negative risks are called simply risks.

Risk Acceptance: An informed decision to suffer the consequences of likely events.

Risk Analysis: The assessment, management and communication of risk.

Risk Assessment: The identification of risk, the measurement of risk, and the process of prioritizing risks.

Risk Identification: The method of identifying and classifying risk.

Risk Management: A branch of management that deals with the consequences of risk.

Risk Measurement: The evaluation of the magnitude of risk.

Risk Model: A mathematical, graphical or verbal description of risk for a particular environment and the set of activities within that environment. The model is useful in risk assessment for consistency, training and documentation of the assessment.

Risk Response: Management's decisions and actions when risks are revealed.

Risk Scenarios: A method of identifying and classifying risks through creative application of probabilistic events and their consequences. Typically brainstorming or another creative technique is used to stimulate thinking about what might happen.

Transfer Risk: A risk management technique that moves risk from one area to another or from one party to another. Insurance transfers the risk of financial loss from the insured to the insurer. Partial transfers are known as sharing risk.
25. Questions?

David Currie, CPA, CIA, CISA