Finding the right approach to initiate risk assessment is difficult, despite having relevant resources like methodologies, templates, and flowcharts. We will try to find a suitable approach for starting the risk assessment. So here are the following five tips.

• Address strategic risks.
• Understand the business and its processes.
• Identify the stakeholders who have interests in the organization.
• Meet the stakeholders' expectations.
• Develop the criteria to rate the risks.

Tip 1: Address strategic risks.

Internal auditors should understand that risks with organization-wide impact are more important than any departmental or small function risk. This will help the auditors establish the connection between strategic objectives and the risks the Company faces or may face.

Keeping this in mind, an auditor will plan his audit to uphold internal controls where the consequences of such risks are high.

Similarly, the departmental manager includes relevant internal controls in policies and procedures to mitigate the consequences of high risks.

Tip 2: Understand the business and its processes.

At the outset of risk assessment, do meet with members of Senior Management and seek the answers to the following questions:

• Where does the Organization see itself in the next 3 to 5 years?
• What does Organization sell?
• What is the market in which the organization operates?
• Who are the key customers and competitors?
• How does the organization source its raw materials, machinery, and manpower (supply chain management)?
• What is the trend in the last five years and exceptional events resulting in losses?
• How often do laws & regulations change, affecting the organization, customers, and competitors?
• What are the ongoing and upcoming projects?
• How often has the organization failed to achieve its targets, projects, and lessons learned?

Therefore, the root cause which causes the risk to occur should be analyzed as they derive from events, like changes in the management, laws & regulations, market dynamics, employees, etc.

Tip 3: Identify the stakeholders who have interests in the organization.

Stakeholders, also known as risk owners, are identified as complex organizational structures and processes increase the scope of work.

Why?

Because you have to identify people, systems and data around which the organization depends to achieve its goals.

Tip 4: Meet the stakeholders' expectations.

You cannot keep everyone happy and can easily be lost if you try to satisfy their expectations and needs. Therefore, at the outset, the scope shall be agreed upon.

Risk owners often argue that an 'x' number of internal controls are in place. Hence the consequences of such risk(s) do not impact.

Hence, awareness of "What would go wrong" shall be disseminated among the risk owners as if no controls exist.

Tip 5: Develop the criteria to rate the risks.

The criteria to rate risk depend upon its likelihood and impact, and the following questions should be asked from the risk owners:

• Impact- How do you rate a loss, in dollar terms, from a risk event as high, medium, and low?
• Likelihood- How frequently if an event occurs, considered as high or medium or low risk?

Remember, impact and likelihood are independent of each other and should be assessed separately.

Conclusion

Risk assessment exercises can be exciting or dead boring. The use of technology and innovative ideas can help auditors and managers to automate their work processes, therefore bringing efficiencies.

Risk assessment is a continuous process and should be performed based on the dynamic nature of the business “risk profile”.

However, the blind trust of the Board and those who are charged with Governance in the management, coupled with inadequate control functions, increases the risk of management override of internal controls.

Photo by Cristian Escobar on Unsplash