2. Risk Assessment
In simplistic terms, risk can be defined as a function of what is at
risk and how likely it is to be at risk.
The term “exposure” in relation to risk could be defined as “an
unwanted event or outcome that management would wish to avoid”.
A risk assessment is the process of identifying, measuring, and
analyzing risks relevant to a program or process.
This assessment is systematic, iterative, and subject to both
quantitative and qualitative inputs and factors. Furthermore, it is
also dependent on the timeframe of the review.
7. Internal Constraints
It is imperative to remember that there are internal and external constraints in organizations.
Internal constraints typically include:
Equipment. The types of equipment available and the ways they are used limit the ability of the
process to produce more high-quality goods and deliver services.
People. Lack of skilled and motivated workers limits the productive capacity of any process.
Attitudes and other mental models (e.g., feeling defeated, victimized, or hopeless) embraced
by workers can lead to behaviors that become a constraint on the process.
Policies. Written and unwritten policies can prevent the process from producing more, or higher
quality, goods and services.
8. Measurement of Risks
The measurement process can be either subjective or quantitative, and either
driven by facts or not.
Subjective measures are driven by the participants’ experience and intuition
about the risks involved.
Likelihood measures:
three-point scale: high–medium–low
five-point scale: unlikely–possible–likely–almost certain
Impact measures: minor–moderate–major–catastrophic
13. The Risk Matrix
The risk matrix is a widely used and highly effective tool to record and analyze
the objectives, risks, and controls in the program or process that is being audited
as defined in the scope definition.
The risk matrix is an essential ingredient when conducting risk-based audits, as
it provides a means to capture and analyze these items.
Layout varies by organization
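As an added illustration (not from the original slides), the following Python builds a small risk matrix from the qualitative scales above: each row holds an objective, a risk, and the control in place, and the code scores inherent risk (likelihood x impact), credits the control to get residual risk, folds the scores back onto the three-point high/medium/low scale, and ranks the rows. The numeric scoring, the control-effectiveness adjustment, and the sample register are assumptions made for this example.

```python
# Ordinal scores for the qualitative scales named on the slides. The numeric
# mapping and the control-effectiveness adjustment are assumptions made for
# this example, not part of the original material.
LIKELIHOOD = {"unlikely": 1, "possible": 2, "likely": 3, "almost certain": 4}
IMPACT = {"minor": 1, "moderate": 2, "major": 3, "catastrophic": 4}
# Each level of control effectiveness lowers the likelihood score by one step.
CONTROL_EFFECT = {"none": 0, "partial": 1, "effective": 2}

def score(likelihood: str, impact: str) -> int:
    """Likelihood x impact on the ordinal scales (range 1..16)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]

def rating(points: int) -> str:
    """Fold a numeric score back onto the three-point high/medium/low scale."""
    if points >= 9:
        return "high"
    return "medium" if points >= 4 else "low"

def assess(entry: dict) -> dict:
    """Inherent risk ignores controls; residual risk credits the control in place."""
    inherent = score(entry["likelihood"], entry["impact"])
    residual_likelihood = max(1, LIKELIHOOD[entry["likelihood"]] - CONTROL_EFFECT[entry["control"]])
    residual = residual_likelihood * IMPACT[entry["impact"]]
    return {
        "objective": entry["objective"], "risk": entry["risk"],
        "inherent": inherent, "inherent_rating": rating(inherent),
        "residual": residual, "residual_rating": rating(residual),
    }

def build_matrix(register: list) -> list:
    """Assess every row and rank by residual risk (then inherent), highest first."""
    return sorted((assess(e) for e in register),
                  key=lambda r: (r["residual"], r["inherent"]), reverse=True)

# Constructed sample register: one row per objective/risk/control (not from the slides).
SAMPLE_REGISTER = [
    {"objective": "Keep payroll system available", "risk": "Ground-floor server room floods",
     "likelihood": "possible", "impact": "major", "control": "partial"},
    {"objective": "Deliver services on schedule", "risk": "Loss of key skilled staff",
     "likelihood": "likely", "impact": "moderate", "control": "none"},
    {"objective": "Protect customer data", "risk": "Internet-facing server left unpatched",
     "likelihood": "likely", "impact": "major", "control": "effective"},
]

if __name__ == "__main__":
    for row in build_matrix(SAMPLE_REGISTER):
        print(f"{row['residual_rating']:6} {row['risk']} (inherent: {row['inherent_rating']})")
```

Ranking on residual rather than inherent risk is what lets the audit focus on where existing controls are weakest, which is the purpose of recording controls alongside objectives and risks in the matrix.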
15. Assessing Risk and Control Types
The conduct of a risk assessment means that we should look for weaknesses
(sometimes referred to as vulnerabilities) that would make an asset susceptible
to damage or loss from the hazard.
Vulnerability - “degree to which people, property, resources, systems, and
cultural, economic, environmental, and social activity is susceptible to harm,
degradation, or destruction on being exposed to a hostile agent or factor.”
When it comes to vulnerabilities, some common weaknesses are the age,
condition, and location of buildings, and their contents (e.g., near coastal or
seismic areas, critical systems on lower floors that are susceptible to flooding,
shared office locations).
16. Approaches in Identifying Relevant Events
1. Objectives based. Identify events that may hinder the ability of the
organization to achieve its objectives partially or completely.
◦ In this case, brainstorming and the Delphi method* may be useful
techniques to collect the relevant information and assess the impact of
these events. Note that the event does not have to be negative in its
immediate interpretation.
*The Delphi method, also known as the estimate-talk-estimate technique (ETE), is a
systematic and qualitative method of forecasting by collecting opinions from a group of
experts through several rounds of questions.
17. Approaches in Identifying Relevant Events
2. Scenario based. Create different scenarios or alternative ways of achieving
objectives and determine how forces interact. A useful approach is to identify
triggers that can start–stop different scenarios from occurring. By identifying
and understanding the triggers caused or accelerated by these scenarios, the
organization can better prepare itself to leverage opportunities and avoid
negative consequences.
For either of these two approaches, management must consider the external and
internal factors that can affect event occurrence:
◦ External. For example, economic, business, natural environment, political, social, and
technological factors.
◦ Internal. Examples include infrastructure, personnel, processes, and technology.
18. Approaches in Identifying Relevant Events
3. Common-risk checking. Use a prefabricated list of common risks in
your industry or area of scope.
4. Risk charting. A combination of the above approaches that consists of listing
resources at risk and the threats to those resources. Identify the risk
factors and the consequences. Hazards are of concern to the extent
that they can result in some kind of loss to the program, process, or
organization. The impact of these hazards and how to reduce them is
the next aspect of the risk assessment process. This is referred to as
mitigation.
20. Assessing Risk
The risk assessment, with the identification of hazards, assets at risk, impact
analysis, and response activities can serve the organization well and increase the
likelihood that goals and objectives will be achieved. The challenge today is
greater than in the past, however, because in today’s dynamic and highly
competitive business and operating environment, organizations lacking the
ability to adapt, and take advantage of opportunities proactively are as likely to
fail as those that poorly manage the risk of adverse outcomes.
Organizations must be resilient: anticipating adverse outcomes is key to success,
but so is flexibility, because the inability to embrace, understand, and
capitalize on new technologies, financial products, emerging markets, and
social dynamics can equally be the cause of ruin.