Finding the right approach to initiate risk assessment is difficult, despite having relevant resources like methodologies, templates, and flowcharts. We will try to find a suitable approach for starting the risk assessment. So here are the following five tips.
Internal auditors should understand that risks with organization-wide impact are more important than any departmental or small function risk. This will help the auditors establish the connection between strategic objectives and the risks the Company faces or may face.
Keeping this in mind, an auditor will plan his audit to uphold internal controls where the consequences of such risks are high.
Similarly, the departmental manager includes relevant internal controls in policies and procedures to mitigate the consequences of high risks.
At the outset of risk assessment, do meet with members of Senior Management and seek the answers to the following questions:
Therefore, the root cause which causes the risk to occur should be analyzed as they derive from events, like changes in the management, laws & regulations, market dynamics, employees, etc.
Stakeholders, also known as risk owners, are identified as complex organizational structures and processes increase the scope of work.
Because you have to identify people, systems and data around which the organization depends to achieve its goals.
You cannot keep everyone happy and can easily be lost if you try to satisfy their expectations and needs. Therefore, at the outset, the scope shall be agreed upon.
Risk owners often argue that an 'x' number of internal controls are in place. Hence the consequences of such risk(s) do not impact.
Hence, awareness of "What would go wrong" shall be disseminated among the risk owners as if no controls exist.
The criteria to rate risk depend upon its likelihood and impact, and the following questions should be asked from the risk owners:
Remember, impact and likelihood are independent of each other and should be assessed separately.
Risk assessment exercises can be exciting or dead boring. The use of technology and innovative ideas can help auditors and managers to automate their work processes, therefore bringing efficiencies.
Risk assessment is a continuous process and should be performed based on the dynamic nature of the business “risk profile”.
However, the blind trust of the Board and those who are charged with Governance in the management, coupled with inadequate control functions, increases the risk of management override of internal controls.