Have you been involved in the discussion between management and the auditors about the point at which management's acceptance of a risk becomes acceptable to the auditors? How do you decide when risks have been mitigated to the point that they provide reasonable assurance that risks to the mission are adequately controlled?
To begin having this conversation, management and the auditors need a shared understanding of how risk is quantified. A common risk language facilitates that understanding and puts both management and the auditors on the same page. This article defines a methodology for creating such a language. The auditors can use it to support the need for additional controls, and it gives management a clear picture of the level of risk it is accepting.
Definition of Risk
The development of a risk language begins with understanding the components of risk. The typical definition of risk is the chance that something bad or unpleasant may happen and result in a loss. Risk also has a positive connotation: it is equally the chance that something will happen that results in a benefit.
Risk typically consists of two components: risk likelihood, the probability that something will happen, and risk impact, the consequences if it does. To have a discussion about risk, both parties must be able to quantify the levels of likelihood and impact. That is, when a risk is defined as low, medium, or high, is there enough information available that everyone is thinking in the same relative terms?
Likelihood can be described as the frequency with which an event may occur, and may also take into account the ease with which someone could deliberately cause the event, as in a fraud risk. The following is a sample risk likelihood definition:
Impact can be described in terms of financial loss and/or loss of confidence by the public at large or by key stakeholders. Stakeholders may include investors, consumers, employees, business partners, suppliers, or anyone else who interacts with the organization. Financial (dollar) loss is frequently used because dollars are a clear, comparable measure of impact. The following is a sample risk impact definition:
The last exercise is to combine the likelihood and impact factors to arrive at a definition of risk. The following is a sample risk rating scale that shows how, for a given risk, likelihood and impact are combined to produce a risk level.
Management’s Tolerance for Risk
Management constantly walks the line between avoiding risks so that there is no loss and taking risks so that benefits are achieved and the organization's objectives are met. To facilitate this discussion, the auditors should present each observation and finding with an associated, defined risk level before any controls are considered (inherent risk) and the level that remains after the controls in place at the organization have been considered (residual risk). This results in an informed discussion and gives management what it needs to (1) understand what is being presented and (2) perform a cost-benefit analysis of the risk and decide whether the organization should spend more money to implement additional controls.
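The following is an added worked example, not part of the original article, that puts the methodology above into code: likelihood is rated as an event frequency, impact as a dollar loss per event, the two are combined through a rating matrix, and a finding is rated both before controls (inherent) and after them (residual) so that an additional control can be weighed against the loss it removes. The band thresholds, the matrix, and the sample finding and controls are all hypothetical; an organization would substitute the definitions it has agreed with its auditors.

```python
"""Risk-rating helper (added example; scales and sample data are hypothetical)."""
from dataclasses import dataclass, replace
from enum import IntEnum
import math


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Likelihood is rated as expected events per year, impact as dollars lost per
# event. Each band is (inclusive upper bound, level); the last band is open.
# Thresholds are assumed for illustration, not taken from the article.
LIKELIHOOD_BANDS = [(0.1, Level.LOW), (1.0, Level.MEDIUM), (math.inf, Level.HIGH)]
IMPACT_BANDS = [(10_000, Level.LOW), (100_000, Level.MEDIUM), (math.inf, Level.HIGH)]

# Assumed rating matrix keyed by (likelihood, impact). It is deliberately not
# symmetric: a rare but high-impact event still rates MEDIUM.
RISK_MATRIX = {
    (Level.LOW, Level.LOW): Level.LOW,
    (Level.LOW, Level.MEDIUM): Level.LOW,
    (Level.LOW, Level.HIGH): Level.MEDIUM,
    (Level.MEDIUM, Level.LOW): Level.LOW,
    (Level.MEDIUM, Level.MEDIUM): Level.MEDIUM,
    (Level.MEDIUM, Level.HIGH): Level.HIGH,
    (Level.HIGH, Level.LOW): Level.MEDIUM,
    (Level.HIGH, Level.MEDIUM): Level.HIGH,
    (Level.HIGH, Level.HIGH): Level.HIGH,
}


def rate(value, bands):
    """Map a non-negative number to the first band whose upper bound it does not exceed."""
    if value < 0:
        raise ValueError("value must be non-negative")
    for upper, level in bands:
        if value <= upper:
            return level
    raise AssertionError("band list must end with an open-ended upper bound")


@dataclass(frozen=True)
class Finding:
    name: str
    events_per_year: float   # likelihood, as a frequency
    loss_per_event: float    # impact, in dollars


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    likelihood_reduction: float = 0.0  # fraction of event frequency removed
    impact_reduction: float = 0.0      # fraction of per-event loss removed

    def __post_init__(self):
        for frac in (self.likelihood_reduction, self.impact_reduction):
            if not 0.0 <= frac <= 1.0:
                raise ValueError("reductions must be fractions between 0 and 1")


def apply_controls(finding, controls):
    """Return the finding as it stands once the given controls are considered."""
    f = finding
    for c in controls:
        f = replace(
            f,
            events_per_year=f.events_per_year * (1.0 - c.likelihood_reduction),
            loss_per_event=f.loss_per_event * (1.0 - c.impact_reduction),
        )
    return f


def risk_level(finding):
    """Combine the likelihood and impact ratings through the matrix."""
    likelihood = rate(finding.events_per_year, LIKELIHOOD_BANDS)
    impact = rate(finding.loss_per_event, IMPACT_BANDS)
    return RISK_MATRIX[(likelihood, impact)]


def expected_annual_loss(finding):
    """Frequency times per-event loss: the dollar figure a cost-benefit check uses."""
    return finding.events_per_year * finding.loss_per_event


def control_pays_off(finding, control):
    """True when the annual loss the control removes exceeds what the control costs."""
    saved = expected_annual_loss(finding) - expected_annual_loss(apply_controls(finding, [control]))
    return saved > control.annual_cost


if __name__ == "__main__":
    # Constructed sample finding and controls, labelled as such.
    finding = Finding("wire fraud initiated by phishing", events_per_year=2.0, loss_per_event=50_000)
    existing = Control("MFA plus callback verification of payment changes", 8_000, likelihood_reduction=0.9)
    proposed = Control("dedicated payment-release workflow", 15_000, likelihood_reduction=0.75)
    residual = apply_controls(finding, [existing])
    print("inherent:", risk_level(finding).name, expected_annual_loss(finding))
    print("residual:", risk_level(residual).name, round(expected_annual_loss(residual)))
    print("proposed control pays off:", control_pays_off(residual, proposed))
```

With the assumed scales, the sample finding rates HIGH inherently and MEDIUM once the existing control is considered. The proposed extra control would cut the expected annual loss by roughly $7,500 but costs $15,000 a year, so the cost-benefit check returns false: this is the point at which management can reasonably accept the residual risk, and the auditors can see the same numbers that led there.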
For questions or more information on balancing the costs of risks and controls, contact us via our contact page.