It is difficult to find the right approach to initiate a risk assessment, despite having relevant resources like methodologies, templates, and flowcharts. We will try to find a suitable approach for starting the risk assessment. Here are 5 tips.
Internal auditors should understand that risks with an organization-wide impact are more important than any departmental or small-function risk. This will help the auditors connect strategic objectives with the risks which the Company is facing or may face.
Keeping this in mind, an auditor will plan his audit to uphold internal controls where the consequences of such risks are high.
Similarly, the departmental manager includes relevant internal controls in policies and procedures in order to mitigate the consequences of high risks.
At the outset of the risk assessment, meet with members of Senior Management and seek answers to the following questions:
Therefore, the root causes that give rise to a risk should be analyzed, as they derive from events such as changes in management, laws and regulations, market dynamics, employees, etc.
Stakeholders, also known as risk owners, should be identified, as complex organizational structures and processes increase the scope of work.
This is because you have to identify the people, systems and data on which the organization depends to achieve its goals.
You cannot keep everyone happy, and you can easily get lost if you try to satisfy their expectations and needs. Therefore, at the outset, the scope shall be agreed upon.
Risk owners often argue that 'x' number of internal controls are in place, hence the consequences of such risk(s) have no impact.
Hence, awareness of "what would go wrong", considered as if no controls were in place, shall be disseminated among the risk owners.
The criteria for rating a risk depend upon its likelihood and impact, and the following questions should be asked of risk owners:
Remember, impact and likelihood are independent of each other and should be assessed separately.
A risk assessment exercise can be exciting or dead boring. The use of technology and innovative ideas can help auditors and managers automate their work processes, thereby bringing efficiencies.
Risk assessment is a continuous process and should be performed based on the dynamic nature of the business “risk profile”.
However, the blind trust that the Board and those charged with Governance place in the management, coupled with inadequate control functions, increases the risk of management override of internal controls.
So what was your experience? Share your story in the comments below and share this post.