1. Lead 2015 Auditor - Risk Management approach
I. Objectives
II. Instructions
III. Basic concepts of risk management
IV. Understanding risk treatment
V. Processes involved in risk management
VI. Basic model of risk management
VII. Risk management standards
VIII. Self assessment
Objectives
Understand the basic concepts and principles of risk management.
Understand the processes involved in risk management.
Understand the basic model of risk management.
Understand risk treatment.
Instructions

There are important details and comments voiced over in this course. Please enable sound, turn on the volume and use headphones or the computer loudspeaker.
If you can't hear the voice-over or the soft background music on this first page, you need to change your set-up.
To support successful training, we strongly recommend that you take notes during the course. Use your trainee booklet, or download and print it before taking the course.
The course is interactive and not necessarily linear, but all pages can be accessed directly when needed.
The course is deemed completed once the last training page is reached.
3. Basic concepts of risk management
► Annex SL – High-level structure requirement:
• Actions to address risks and opportunities
► Impact on auditors:
• Need to understand risk management concepts
• Need to understand the different methodologies for:
  Risk analysis
  Risk assessment
  Risk treatment
  Risk-based thinking in management systems
Tolerable risk

► Fundamental concept of tolerable risk:
• "Risk which is accepted in a given context based on the current values of the society"
• "Risk that has been reduced to a level that can be endured by the organisation, having regard to its legal obligations and own risk management policy"

Three regions of risk (figure reconstructed as a list):
• Unacceptable: risk cannot be justified except in extraordinary circumstances
• Tolerable: the organization is prepared to accept the risk in order to secure benefits
• Broadly acceptable: risk regarded as insignificant; further efforts to reduce the risk are not required
Risk Source

► Risk source:
• "Element which, alone or in combination, has the intrinsic potential to give rise to risk"
► Hazard:
• "Source of potential harm"
Risk

► Risk:
• "Effect of uncertainty on objectives"
► Uncertainty:
• "State or condition that involves a deficiency of information"
► Risk is also understood as:
• "Combination of the likelihood and consequences of a specific hazardous event occurring"
Likelihood or Probability

► Likelihood vs. probability:
• Likelihood is usually estimated on the basis of assumptions
• Probability is more likely to be the result of calculation
• Likelihood can be expressed qualitatively or quantitatively
• Probability is usually expressed quantitatively
► Probability:
• "Ratio of the number of conducive (favourable) events to the number of all possible events"
4. Understanding risk treatment

Risk Treatment

► Risk treatment:
• Process to modify risk
• Achieved by manipulating the likelihood or the consequences
► Which of the two are we more likely to be able to manipulate, likelihood or consequences?
Usually the likelihood: it is the easier of the two to manipulate, and reducing it is the way to limit the consequences.
Inherent Risk and Residual Risk

► Inherent risk:
• "Risk that is inherently associated with a source of risk"
► Residual risk:
• "Risk remaining after risk treatment"
Risk Treatment options

► Risk treatment:
• "Process to modify risk"
► Treatment options:
• Reduce the risk
• Remove the source of the risk
• Modify the consequences
• Change the probabilities
• Share the risk with others
• Retain the risk to pursue an opportunity
5. Processes involved in risk management

Risk Assessment

Process to identify, analyze and evaluate risks.
Risk Identification

Risk identification is a process that involves finding, recognizing and describing the risks that could affect the achievement of an organization's objectives. It is used to identify possible sources of risk in addition to the events and circumstances that could affect the achievement of objectives. It also includes the identification of possible causes and potential consequences.
The organization can use historical data, theoretical analysis, informed opinions, expert advice and stakeholder input to identify its risks.
Risk Analysis

Risk analysis is a process that is used to understand the nature, sources and causes of the risks that the organization has identified and to estimate the level of risk. It is also used to study impacts and consequences and to examine the controls that currently exist.
How detailed the organization's risk analysis ought to be will depend upon the risk, the purpose of the analysis, the information the organization has and the resources available.

[Figure: likelihood/impact matrix, with likelihood on one axis and impact on the other; the four cells are numbered 1 to 4.]
Risk Evaluation

Risk evaluation is a process that is used to compare risk analysis results with risk criteria in order to determine whether or not a specified level of risk is acceptable or tolerable.
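As an added worked example (not part of the course material), the following Python script carries a constructed four-entry risk register through the three assessment steps above (analysis as likelihood x impact, evaluation against risk criteria) and through the treatment options of the "Understanding risk treatment" section, producing an inherent and a residual risk level for each entry. The 1-5 ordinal scales, the multiplicative score, the two thresholds that band scores into the three regions of tolerable risk, the register entries and every function name are assumptions made for illustration; ISO 31000 prescribes none of them.

```python
"""Added example (not course material): a minimal risk register walking
through analysis, evaluation and treatment to reach residual risk.
Scales, scoring rule, thresholds and register entries are all assumptions."""
from dataclasses import dataclass, replace
from typing import Optional

# Assumed ordinal scales; the course's own matrix only labels the two axes.
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}

# Assumed risk criteria: score = likelihood * impact, banded into the three
# regions of the tolerable-risk figure (unacceptable / tolerable / broadly acceptable).
UNACCEPTABLE_FROM = 15
TOLERABLE_FROM = 5


@dataclass(frozen=True)
class Risk:
    source: str        # risk source / hazard
    event: str         # what could happen
    consequence: str   # effect on objectives
    likelihood: int
    impact: int

    def __post_init__(self):
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError("likelihood and impact must be on the 1-5 scale")

    def score(self) -> int:
        """Risk analysis: combine likelihood and consequence into a level."""
        return self.likelihood * self.impact


def evaluate(score: int) -> str:
    """Risk evaluation: compare an analysed level with the risk criteria."""
    if score >= UNACCEPTABLE_FROM:
        return "unacceptable"
    if score >= TOLERABLE_FROM:
        return "tolerable"
    return "broadly acceptable"


def treat(risk: Risk, option: str, **change) -> Optional[Risk]:
    """Risk treatment: return the residual risk for one treatment option.
    None means the source was removed, so no risk remains."""
    if option == "remove_source":
        return None
    if option == "change_likelihood":       # e.g. a preventive control
        return replace(risk, likelihood=change["to"])
    if option == "modify_consequences":     # e.g. containment, backups
        return replace(risk, impact=change["to"])
    if option == "share":                   # e.g. insurance, outsourcing
        return replace(risk, impact=change["retained_impact"])
    if option == "retain":                  # accept it to pursue an opportunity
        return risk
    raise ValueError(f"unknown treatment option: {option}")


def assess(risk: Risk, option: str, **change) -> dict:
    """Inherent risk -> treatment -> residual risk, each evaluated."""
    residual = treat(risk, option, **change)
    inherent_score = risk.score()
    residual_score = 0 if residual is None else residual.score()
    return {
        "event": risk.event,
        "inherent": (inherent_score, evaluate(inherent_score)),
        "treatment": option,
        "residual": (residual_score, evaluate(residual_score)),
    }


def audit_findings(results: list) -> list:
    """What an auditor checks: residual risk still outside the tolerable
    bands, or 'retain' applied to an unacceptable inherent risk."""
    findings = []
    for r in results:
        if r["residual"][1] == "unacceptable":
            findings.append(f"{r['event']}: residual risk still unacceptable")
        if r["treatment"] == "retain" and r["inherent"][1] == "unacceptable":
            findings.append(f"{r['event']}: unacceptable risk retained without justification")
    return findings


# Constructed sample register (illustrative, not from the course).
REGISTER = [
    (Risk("internet-facing server", "unpatched service exploited",
          "customer data breach", 4, 5), "change_likelihood", {"to": 2}),
    (Risk("single data centre", "prolonged power loss",
          "service outage", 2, 5), "modify_consequences", {"to": 2}),
    (Risk("legacy FTP upload", "credential sniffing",
          "partner file tampering", 3, 3), "remove_source", {}),
    (Risk("new product launch", "market rejection",
          "lost investment", 3, 5), "retain", {}),
]


def run_register(register=REGISTER) -> list:
    """Assess every register entry; returns one result dict per risk."""
    return [assess(risk, option, **change) for risk, option, change in register]


if __name__ == "__main__":
    rows = run_register()
    for row in rows:
        print(row)
    print("findings:", audit_findings(rows))
```

In the sample register the first entry goes from an inherent score of 20 (unacceptable) to a residual 10 (tolerable) once the likelihood is reduced, the removed FTP source drops to zero, and the retained launch risk stays at 15: audit_findings flags that last one twice, once because the residual is still unacceptable and once because an unacceptable inherent risk was simply retained, which is exactly the situation the three regions of tolerable risk tell an auditor to question.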
6. Basic model of risk management

Risk Management Process
7. Risk management standards

Available Risk Management Standards

► ISO 31000:2009 – Risk management – Principles and guidelines
► ISO Guide 73:2009 – Risk management – Vocabulary
► ISO/IEC 31010:2009 – Risk management – Risk assessment techniques

Note: these are the editions current when this course was written. ISO 31000 was revised in 2018 and ISO/IEC 31010 in 2019 (published as IEC 31010:2019); ISO Guide 73:2009 has not been revised.
Tip for the auditor

Typical Flaws in Risk Management
► Focusing on spectacular risks
► Focusing only on core business processes
8. Self assessment

Now it's time to practice! Please work on the following exercises.